SEC-1356: Modify AbstractRememberMeService to check the cookie path as well as the name when extracting it from the incoming request.

This makes things consistent with the cookie setting methods. If someone wants to share a cookie between multiple applications then they should modify the cookie extraction and setting methods to use a less-specific path.
16 years ago · 6eff4d90b7
1 changed files with 11 additions and 3 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
@ -109,6 +109,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
				@@ -109,6 +109,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,

    /**
     * Locates the Spring Security remember me cookie in the request and returns its value.
+     * The cookie is searched for by name and also by matching the context path to the cookie path.
     *
     * @param request the submitted request which is to be authenticated
     * @return the cookie value (if present), null otherwise.
@ -120,8 +121,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
				@@ -120,8 +121,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
            return null;
        }

+        String requiredPath = getCookiePath(request);
+
        for (int i = 0; i < cookies.length; i++) {
-            if (cookieName.equals(cookies[i].getName())) {
+            if (cookieName.equals(cookies[i].getName()) && requiredPath.equals(cookies[i].getPath())) {
                return cookies[i].getValue();
            }
        }
@ -129,6 +132,11 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
				@@ -129,6 +132,11 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
        return null;
    }

+    private String getCookiePath(HttpServletRequest request) {
+        String contextPath = request.getContextPath();
+        return contextPath.length() > 0 ? contextPath : "/";
+    }
+
    /**
     * Creates the final <tt>Authentication</tt> object returned from the <tt>autoLogin</tt> method.
     * <p>
@ -295,7 +303,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
				@@ -295,7 +303,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
        logger.debug("Cancelling cookie");
        Cookie cookie = new Cookie(cookieName, null);
        cookie.setMaxAge(0);
-        cookie.setPath(StringUtils.hasLength(request.getContextPath()) ? request.getContextPath() : "/");
+        cookie.setPath(getCookiePath(request));

        response.addCookie(cookie);
    }
@ -312,7 +320,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
				@@ -312,7 +320,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
        String cookieValue = encodeCookie(tokens);
        Cookie cookie = new Cookie(cookieName, cookieValue);
        cookie.setMaxAge(maxAge);
-        cookie.setPath(StringUtils.hasLength(request.getContextPath()) ? request.getContextPath() : "/");
+        cookie.setPath(getCookiePath(request));
        cookie.setSecure(useSecureCookie);
        response.addCookie(cookie);
    }