
SEC-2791: AbstractRememberMeServices sets the version

If the maxAge < 1, then the version must be 1; otherwise browsers ignore
the value.
pull/69/merge
Rob Winch 11 years ago
parent
commit
1a35292750
  1. 4
      web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
  2. 40
      web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java

4
web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java

@ -341,6 +341,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices, @@ -341,6 +341,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
cookie.setMaxAge(maxAge);
cookie.setPath(getCookiePath(request));
if(maxAge < 1) {
cookie.setVersion(1);
}
if (useSecureCookie == null) {
cookie.setSecure(request.isSecure());
} else {
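Review bot: The new `if(maxAge < 1)` branch gives no hint of why the version is forced to 1, so the next reader has to dig up SEC-2791 to learn that a version-0 cookie with maxAge below 1 is ignored by browsers; add `// SEC-2791: with maxAge < 1 the cookie must be version 1 or browsers ignore the value` directly above it. The condition deliberately also covers a negative maxAge (session-scoped cookie), which the accompanying tests confirm, but `< 1` reads like a typo for `== 0` until the comment says so. Style: `if(maxAge < 1)` drops the space that `if (useSecureCookie == null)` two lines below keeps; `if (maxAge < 1) {` matches the surrounding code. Presumably the version change alters how the container serializes the Set-Cookie header for this cookie, which is the intended effect, but it is worth confirming on each supported container. setCookie begins and ends outside the hunk.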

40
web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java

@ -1,5 +1,6 @@ @@ -1,5 +1,6 @@
package org.springframework.security.web.authentication.rememberme;
import static org.fest.assertions.Assertions.*;
import static org.powermock.api.mockito.PowerMockito.*;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
@ -353,6 +354,45 @@ public class AbstractRememberMeServicesTests { @@ -353,6 +354,45 @@ public class AbstractRememberMeServicesTests {
assertNull(ReflectionTestUtils.getField(services, "setHttpOnlyMethod"));
}
// SEC-2791
@Test
public void setCookieMaxAge0VersionSet() {
MockRememberMeServices services = new MockRememberMeServices();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
services.setCookie(new String[] {"value"}, 0, request, response);
Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertThat(cookie.getVersion()).isEqualTo(1);
}
// SEC-2791
@Test
public void setCookieMaxAgeNegativeVersionSet() {
MockRememberMeServices services = new MockRememberMeServices();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
services.setCookie(new String[] {"value"}, -1, request, response);
Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertThat(cookie.getVersion()).isEqualTo(1);
}
// SEC-2791
@Test
public void setCookieMaxAge1VersionSet() {
MockRememberMeServices services = new MockRememberMeServices();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
services.setCookie(new String[] {"value"}, 1, request, response);
Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertThat(cookie.getVersion()).isEqualTo(0);
}
private Cookie[] createLoginCookie(String cookieToken) {
MockRememberMeServices services = new MockRememberMeServices(uds);
Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
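Review bot: The three new SEC-2791 tests are identical apart from the maxAge argument and the expected version, so the setup (services, request, response, setCookie, getCookie) is repeated three times; a small private helper that takes the maxAge and returns the resulting Cookie would leave each test as a single assertion and make the maxAge/version pairing obvious. The shared `// SEC-2791` comment would then sit once on the helper instead of three times. The enclosing test class and the `createLoginCookie` method both continue outside the hunk.
```java
// SEC-2791: returns the remember-me cookie written by setCookie for the given maxAge
private Cookie setCookieWithMaxAge(int maxAge) {
    MockRememberMeServices services = new MockRememberMeServices();
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();
    services.setCookie(new String[] {"value"}, maxAge, request, response);
    return response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
}

@Test
public void setCookieMaxAge0VersionSet() {
    assertThat(setCookieWithMaxAge(0).getVersion()).isEqualTo(1);
}
// … unchanged in shape: setCookieMaxAgeNegativeVersionSet (-1 -> 1) and setCookieMaxAge1VersionSet (1 -> 0) call the helper the same way …
```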
