Revert SEC-1356.

Checking the path of a submitted cookie will never work, as the path is not sent by the browser and so will always be null.
Luke Taylor 2010-01-19 21:51:16 +00:00
parent 1a7f71fc0f
commit 0c10efbbf8
3 changed files with 7 additions and 34 deletions


@ -121,10 +121,8 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
return null;
}
String requiredPath = getCookiePath(request);
for (int i = 0; i < cookies.length; i++) {
if (cookieName.equals(cookies[i].getName()) && requiredPath.equals(cookies[i].getPath())) {
if (cookieName.equals(cookies[i].getName())) {
return cookies[i].getValue();
}
}
@ -132,11 +130,6 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
return null;
}
private String getCookiePath(HttpServletRequest request) {
String contextPath = request.getContextPath();
return contextPath.length() > 0 ? contextPath : "/";
}
/**
* Creates the final <tt>Authentication</tt> object returned from the <tt>autoLogin</tt> method.
* <p>
@ -325,6 +318,11 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
response.addCookie(cookie);
}
private String getCookiePath(HttpServletRequest request) {
String contextPath = request.getContextPath();
return contextPath.length() > 0 ? contextPath : "/";
}
/**
* Implementation of <tt>LogoutHandler</tt>. Default behaviour is to call <tt>cancelCookie()</tt>.
*/
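Review bot: The name-only comparison at `if (cookieName.equals(cookies[i].getName()))` in the first hunk is the right call, but nothing in the code records why the path is not checked, which invites the same fix being reattempted; a one-line comment would settle it, e.g. `// Browsers send only name=value; Cookie.getPath() is always null on the request side, so the name is all we can match on.` A consequence worth stating in that comment is that when a request carries several cookies of this name (for example one set on a parent path or domain), the loop returns the first one and the rest are never examined; whether the later token validation and cancelCookie() cope with that is outside these hunks. The enclosing method starts before the first hunk, and the third hunk only relocates getCookiePath(), whose remaining callers are not visible here.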


@ -249,7 +249,7 @@ public class AbstractRememberMeServicesTests {
MockRememberMeServices services = new MockRememberMeServices();
Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
services.encodeCookie(StringUtils.delimitedListToStringArray(cookieToken, ":")));
cookie.setPath("/");
return new Cookie[] {cookie};
}


@ -109,7 +109,6 @@ public class TokenBasedRememberMeServicesTests {
@Test
public void autoLoginIgnoresUnrelatedCookie() throws Exception {
Cookie cookie = new Cookie("unrelated_cookie", "foobar");
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
MockHttpServletResponse response = new MockHttpServletResponse();
@ -120,27 +119,10 @@ public class TokenBasedRememberMeServicesTests {
assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
}
// SEC-1356
@Test
public void autoLoginIgnoresCookieWithWrongPath() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, "foobar");
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("not_root");
request.setCookies(new Cookie[] {cookie});
MockHttpServletResponse response = new MockHttpServletResponse();
Authentication result = services.autoLogin(request, response);
assertNull(result);
assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
}
@Test
public void autoLoginReturnsNullForExpiredCookieAndClearsCookie() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() - 1000000, "someone", "password", "key"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -156,7 +138,6 @@ public class TokenBasedRememberMeServicesTests {
public void autoLoginReturnsNullAndClearsCookieIfMissingThreeTokensInCookieValue() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
new String(Base64.encodeBase64("x".getBytes())));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -172,7 +153,6 @@ public class TokenBasedRememberMeServicesTests {
public void autoLoginClearsNonBase64EncodedCookie() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
"NOT_BASE_64_ENCODED");
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -190,7 +170,6 @@ public class TokenBasedRememberMeServicesTests {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password",
"WRONG_KEY"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -207,8 +186,6 @@ public class TokenBasedRememberMeServicesTests {
public void autoLoginClearsCookieIfTokenDoesNotContainANumberInCookieValue() throws Exception {
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
new String(Base64.encodeBase64("username:NOT_A_NUMBER:signature".getBytes())));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -225,7 +202,6 @@ public class TokenBasedRememberMeServicesTests {
jmock.checking(udsWillThrowNotFound);
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -243,7 +219,6 @@ public class TokenBasedRememberMeServicesTests {
jmock.checking(udsWillReturnUser);
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
cookie.setPath("/");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});