SEC-1081: Fix for PersistentTokenBasedRememberMeServices int overflow problem.

17 years ago · 271fbb7ddf
2 changed files with 3 additions and 1 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java
@ -92,7 +92,7 @@ public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeSe
				@@ -92,7 +92,7 @@ public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeSe
                    "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack."));
        }

-        if (token.getDate().getTime() + getTokenValiditySeconds()*1000 < System.currentTimeMillis()) {
+        if (token.getDate().getTime() + getTokenValiditySeconds()*1000L < System.currentTimeMillis()) {
            throw new RememberMeAuthenticationException("Remember-me login has expired");
        }

--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java
@ -30,6 +30,8 @@ public class PersistentTokenBasedRememberMeServicesTests {
				@@ -30,6 +30,8 @@ public class PersistentTokenBasedRememberMeServicesTests {
    public void setUpData() throws Exception {
        services = new PersistentTokenBasedRememberMeServices();
        services.setCookieName("mycookiename");
+        // Default to 100 days (see SEC-1081).
+        services.setTokenValiditySeconds(100*24*60*60);
        services.setUserDetailsService(
                new AbstractRememberMeServicesTests.MockUserDetailsService(AbstractRememberMeServicesTests.joe, false));
    }