
SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones.

Using ":" as the token delimiter means we accidentally mistake the URL for two tokens. This had previously been fixed for http URLs but not https ones.
3.0.x
Luke Taylor 16 years ago
parent
commit
bd635edc31
  1. 4
      web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
  2. 22
      web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java

4
web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java

@ -168,10 +168,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices, @@ -168,10 +168,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER);
if (tokens[0].equalsIgnoreCase("http") && tokens[1].startsWith("//")) {
if ((tokens[0].equalsIgnoreCase("http") || tokens[0].equalsIgnoreCase("https")) && tokens[1].startsWith("//")) {
// Assume we've accidentally split a URL (OpenID identifier)
String[] newTokens = new String[tokens.length - 1];
newTokens[0] = "http:" + tokens[1];
newTokens[0] = tokens[0] + ":" + tokens[1];
System.arraycopy(tokens, 2, newTokens, 1, newTokens.length - 1);
tokens = newTokens;
}
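Review bot: The new condition still reads `tokens[1]` before anything checks that a second token exists, so a remember-me cookie whose decoded payload is just `http` or `https` (one token, no delimiter) throws ArrayIndexOutOfBoundsException rather than being rejected as an invalid cookie; the cookie value is client-supplied, so the parser should not rely on its shape. Guard the length first: `if (tokens.length > 1 && (tokens[0].equalsIgnoreCase("http") || tokens[0].equalsIgnoreCase("https")) && tokens[1].startsWith("//")) {`. The enclosing decode method starts and ends outside this hunk, so whether a caller already maps runtime exceptions to an invalid-cookie failure is not visible here; if it does not, the unchecked exception surfaces to the filter chain instead of a clean rejection.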

22
web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java

@ -35,21 +35,37 @@ public class AbstractRememberMeServicesTests { @@ -35,21 +35,37 @@ public class AbstractRememberMeServicesTests {
@Test
public void cookieShouldBeCorrectlyEncodedAndDecoded() {
String[] cookie = new String[] {"http://name", "cookie", "tokens", "blah"};
String[] cookie = new String[] {"name", "cookie", "tokens", "blah"};
MockRememberMeServices services = new MockRememberMeServices();
String encoded = services.encodeCookie(cookie);
// '=' aren't alowed in version 0 cookies.
// '=' aren't allowed in version 0 cookies.
assertFalse(encoded.endsWith("="));
String[] decoded = services.decodeCookie(encoded);
assertEquals(4, decoded.length);
assertEquals("http://name", decoded[0]);
assertEquals("name", decoded[0]);
assertEquals("cookie", decoded[1]);
assertEquals("tokens", decoded[2]);
assertEquals("blah", decoded[3]);
}
@Test
public void cookieWithOpenIDidentifierAsNameIsEncodedAndDecoded() throws Exception {
String[] cookie = new String[] {"http://id.openid.zz", "cookie", "tokens", "blah"};
MockRememberMeServices services = new MockRememberMeServices();
String[] decoded = services.decodeCookie(services.encodeCookie(cookie));
assertEquals(4, decoded.length);
assertEquals("http://id.openid.zz", decoded[0]);
// Check https (SEC-1410)
cookie[0] = "https://id.openid.zz";
decoded = services.decodeCookie(services.encodeCookie(cookie));
assertEquals(4, decoded.length);
assertEquals("https://id.openid.zz", decoded[0]);
}
@Test
public void autoLoginShouldReturnNullIfNoLoginCookieIsPresented() {
MockRememberMeServices services = new MockRememberMeServices();
