GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Revert SEC-1356. 

Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
3.0.x
Luke Taylor 16 years ago
parent
1a7f71fc0f
commit
0c10efbbf8
3 changed files with 7 additions and 34 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
  2. 2
      web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
  3. 25
      web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java

14
web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
Unescape View File

@ -121,10 +121,8 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
return null; return null;
} }
String requiredPath = getCookiePath(request);
for (int i = 0; i < cookies.length; i++) { for (int i = 0; i < cookies.length; i++) {
if (cookieName.equals(cookies[i].getName()) && requiredPath.equals(cookies[i].getPath())) { if (cookieName.equals(cookies[i].getName())) {
return cookies[i].getValue(); return cookies[i].getValue();
} }
} }
@ -132,11 +130,6 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
return null; return null;
} }
private String getCookiePath(HttpServletRequest request) {
String contextPath = request.getContextPath();
return contextPath.length() > 0 ? contextPath : "/";
}
/** /**
* Creates the final <tt>Authentication</tt> object returned from the <tt>autoLogin</tt> method. * Creates the final <tt>Authentication</tt> object returned from the <tt>autoLogin</tt> method.
* <p> * <p>
@ -325,6 +318,11 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
response.addCookie(cookie); response.addCookie(cookie);
} }
private String getCookiePath(HttpServletRequest request) {
String contextPath = request.getContextPath();
return contextPath.length() > 0 ? contextPath : "/";
}
/** /**
* Implementation of <tt>LogoutHandler</tt>. Default behaviour is to call <tt>cancelCookie()</tt>. * Implementation of <tt>LogoutHandler</tt>. Default behaviour is to call <tt>cancelCookie()</tt>.
*/ */

2
web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
Unescape View File

@ -249,7 +249,7 @@ public class AbstractRememberMeServicesTests {
MockRememberMeServices services = new MockRememberMeServices(); MockRememberMeServices services = new MockRememberMeServices();
Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
services.encodeCookie(StringUtils.delimitedListToStringArray(cookieToken, ":"))); services.encodeCookie(StringUtils.delimitedListToStringArray(cookieToken, ":")));
cookie.setPath("/");
return new Cookie[] {cookie}; return new Cookie[] {cookie};
} }

25
web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java
Unescape View File

@ -109,7 +109,6 @@ public class TokenBasedRememberMeServicesTests {
@Test @Test
public void autoLoginIgnoresUnrelatedCookie() throws Exception { public void autoLoginIgnoresUnrelatedCookie() throws Exception {
Cookie cookie = new Cookie("unrelated_cookie", "foobar"); Cookie cookie = new Cookie("unrelated_cookie", "foobar");
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie}); request.setCookies(new Cookie[] {cookie});
MockHttpServletResponse response = new MockHttpServletResponse(); MockHttpServletResponse response = new MockHttpServletResponse();
@ -120,27 +119,10 @@ public class TokenBasedRememberMeServicesTests {
assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY)); assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
} }
// SEC-1356
@Test
public void autoLoginIgnoresCookieWithWrongPath() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, "foobar");
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("not_root");
request.setCookies(new Cookie[] {cookie});
MockHttpServletResponse response = new MockHttpServletResponse();
Authentication result = services.autoLogin(request, response);
assertNull(result);
assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
}
@Test @Test
public void autoLoginReturnsNullForExpiredCookieAndClearsCookie() throws Exception { public void autoLoginReturnsNullForExpiredCookieAndClearsCookie() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() - 1000000, "someone", "password", "key")); generateCorrectCookieContentForToken(System.currentTimeMillis() - 1000000, "someone", "password", "key"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie}); request.setCookies(new Cookie[] {cookie});
@ -156,7 +138,6 @@ public class TokenBasedRememberMeServicesTests {
public void autoLoginReturnsNullAndClearsCookieIfMissingThreeTokensInCookieValue() throws Exception { public void autoLoginReturnsNullAndClearsCookieIfMissingThreeTokensInCookieValue() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
new String(Base64.encodeBase64("x".getBytes()))); new String(Base64.encodeBase64("x".getBytes())));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie}); request.setCookies(new Cookie[] {cookie});
@ -172,7 +153,6 @@ public class TokenBasedRememberMeServicesTests {
public void autoLoginClearsNonBase64EncodedCookie() throws Exception { public void autoLoginClearsNonBase64EncodedCookie() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
"NOT_BASE_64_ENCODED"); "NOT_BASE_64_ENCODED");
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie}); request.setCookies(new Cookie[] {cookie});
@ -190,7 +170,6 @@ public class TokenBasedRememberMeServicesTests {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password",
"WRONG_KEY")); "WRONG_KEY"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie}); request.setCookies(new Cookie[] {cookie});
@ -207,8 +186,6 @@ public class TokenBasedRememberMeServicesTests {
public void autoLoginClearsCookieIfTokenDoesNotContainANumberInCookieValue() throws Exception { public void autoLoginClearsCookieIfTokenDoesNotContainANumberInCookieValue() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
new String(Base64.encodeBase64("username:NOT_A_NUMBER:signature".getBytes()))); new String(Base64.encodeBase64("username:NOT_A_NUMBER:signature".getBytes())));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie}); request.setCookies(new Cookie[] {cookie});
@ -225,7 +202,6 @@ public class TokenBasedRememberMeServicesTests {
jmock.checking(udsWillThrowNotFound); jmock.checking(udsWillThrowNotFound);
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key")); generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie}); request.setCookies(new Cookie[] {cookie});
@ -243,7 +219,6 @@ public class TokenBasedRememberMeServicesTests {
jmock.checking(udsWillReturnUser); jmock.checking(udsWillReturnUser);
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key")); generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie}); request.setCookies(new Cookie[] {cookie});

Write Preview
Loading…
Cancel
Save