
Revert SEC-1356.

Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
Luke Taylor 15 سال پیش
والد
کامیت
0c10efbbf8

+ 6 - 8
web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java

@@ -121,10 +121,8 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
             return null;
         }
 
-        String requiredPath = getCookiePath(request);
-
         for (int i = 0; i < cookies.length; i++) {
-            if (cookieName.equals(cookies[i].getName()) && requiredPath.equals(cookies[i].getPath())) {
+            if (cookieName.equals(cookies[i].getName())) {
                 return cookies[i].getValue();
             }
         }
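Review bot: The reason the path comparison is gone should be recorded next to the name-only match on the `if (cookieName.equals(cookies[i].getName()))` line, otherwise the next maintainer is likely to reintroduce SEC-1356 since the check looks harmless in isolation; a comment such as `// Browsers echo only name=value (RFC 6265 s4.2.2); Path/Domain attributes are never sent back, so cookie.getPath() is always null here and cannot be used to scope the cookie.` would do. A consequence worth noting is that when the client sends several cookies with this name (for example one set for a sibling context path or a parent domain), the loop returns whichever the browser listed first and the server has no attribute to tell them apart, so scoping must come from a context-specific cookie name or the cookie's Path/Domain at set time rather than from this lookup. The enclosing method begins outside the hunk.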
@@ -132,11 +130,6 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
         return null;
     }
 
-    private String getCookiePath(HttpServletRequest request) {
-        String contextPath = request.getContextPath();
-        return contextPath.length() > 0 ? contextPath : "/";
-    }
-
     /**
      * Creates the final <tt>Authentication</tt> object returned from the <tt>autoLogin</tt> method.
      * <p>
@@ -325,6 +318,11 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
         response.addCookie(cookie);
     }
 
+    private String getCookiePath(HttpServletRequest request) {
+        String contextPath = request.getContextPath();
+        return contextPath.length() > 0 ? contextPath : "/";
+    }
+
     /**
      * Implementation of <tt>LogoutHandler</tt>. Default behaviour is to call <tt>cancelCookie()</tt>.
      */

+ 1 - 1
web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java

@@ -249,7 +249,7 @@ public class AbstractRememberMeServicesTests {
         MockRememberMeServices services = new MockRememberMeServices();
         Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
                 services.encodeCookie(StringUtils.delimitedListToStringArray(cookieToken, ":")));
-        cookie.setPath("/");
+
         return new Cookie[] {cookie};
     }
 

+ 0 - 25
web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java

@@ -109,7 +109,6 @@ public class TokenBasedRememberMeServicesTests {
     @Test
     public void autoLoginIgnoresUnrelatedCookie() throws Exception {
         Cookie cookie = new Cookie("unrelated_cookie", "foobar");
-        cookie.setPath("/");
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setCookies(new Cookie[] {cookie});
         MockHttpServletResponse response = new MockHttpServletResponse();
@@ -120,27 +119,10 @@ public class TokenBasedRememberMeServicesTests {
         assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
     }
 
-    // SEC-1356
-    @Test
-    public void autoLoginIgnoresCookieWithWrongPath() throws Exception {
-        Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, "foobar");
-        cookie.setPath("/");
-        MockHttpServletRequest request = new MockHttpServletRequest();
-        request.setContextPath("not_root");
-        request.setCookies(new Cookie[] {cookie});
-        MockHttpServletResponse response = new MockHttpServletResponse();
-
-        Authentication result = services.autoLogin(request, response);
-
-        assertNull(result);
-        assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
-    }
-
     @Test
     public void autoLoginReturnsNullForExpiredCookieAndClearsCookie() throws Exception {
         Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
                 generateCorrectCookieContentForToken(System.currentTimeMillis() - 1000000, "someone", "password", "key"));
-        cookie.setPath("/");
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setCookies(new Cookie[] {cookie});
 
@@ -156,7 +138,6 @@ public class TokenBasedRememberMeServicesTests {
     public void autoLoginReturnsNullAndClearsCookieIfMissingThreeTokensInCookieValue() throws Exception {
         Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
                 new String(Base64.encodeBase64("x".getBytes())));
-        cookie.setPath("/");
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setCookies(new Cookie[] {cookie});
 
@@ -172,7 +153,6 @@ public class TokenBasedRememberMeServicesTests {
     public void autoLoginClearsNonBase64EncodedCookie() throws Exception {
         Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
                 "NOT_BASE_64_ENCODED");
-        cookie.setPath("/");
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setCookies(new Cookie[] {cookie});
 
@@ -190,7 +170,6 @@ public class TokenBasedRememberMeServicesTests {
         Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
                 generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password",
                     "WRONG_KEY"));
-        cookie.setPath("/");
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setCookies(new Cookie[] {cookie});
 
@@ -207,8 +186,6 @@ public class TokenBasedRememberMeServicesTests {
     public void autoLoginClearsCookieIfTokenDoesNotContainANumberInCookieValue() throws Exception {
         Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
                 new String(Base64.encodeBase64("username:NOT_A_NUMBER:signature".getBytes())));
-        cookie.setPath("/");
-
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setCookies(new Cookie[] {cookie});
 
@@ -225,7 +202,6 @@ public class TokenBasedRememberMeServicesTests {
         jmock.checking(udsWillThrowNotFound);
         Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
                 generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
-        cookie.setPath("/");
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setCookies(new Cookie[] {cookie});
 
@@ -243,7 +219,6 @@ public class TokenBasedRememberMeServicesTests {
         jmock.checking(udsWillReturnUser);
         Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
                 generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
-        cookie.setPath("/");
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setCookies(new Cookie[] {cookie});