Use SHA256 by default in Remember Me

Closes gh-11520
This commit is contained in:
Marcus Da Coregio 2022-07-25 10:21:25 -03:00
parent db9d60e82d
commit 0c549ee147
3 changed files with 7 additions and 7 deletions


@ -114,9 +114,9 @@ A `key` is shared between this authentication provider and the `TokenBasedRememb
In addition, `TokenBasedRememberMeServices` requires a `UserDetailsService`, from which it can retrieve the username and password for signature comparison purposes and generate the `RememberMeAuthenticationToken` to contain the correct `GrantedAuthority` instances.
`TokenBasedRememberMeServices` also implements Spring Security's `LogoutHandler` interface so that it can be used with `LogoutFilter` to have the cookie cleared automatically.
By default, this implementation uses the MD5 algorithm to encode the token signature.
By default, this implementation uses the SHA-256 algorithm to encode the token signature.
To verify the token signature, the algorithm retrieved from `algorithmName` is parsed and used.
If no `algorithmName` is present, the default matching algorithm will be used, which is MD5.
If no `algorithmName` is present, the default matching algorithm will be used, which is SHA-256.
You can specify different algorithms for signature encoding and for signature matching, this allows users to safely upgrade to a different encoding algorithm while still able to verify old ones if there is no `algorithmName` present.
To do that you can specify your customized `TokenBasedRememberMeServices` as a Bean and use it in the configuration.


@ -94,9 +94,9 @@ import org.springframework.util.StringUtils;
*/
public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
private static final RememberMeTokenAlgorithm DEFAULT_MATCHING_ALGORITHM = RememberMeTokenAlgorithm.MD5;
private static final RememberMeTokenAlgorithm DEFAULT_MATCHING_ALGORITHM = RememberMeTokenAlgorithm.SHA256;
private static final RememberMeTokenAlgorithm DEFAULT_ENCODING_ALGORITHM = RememberMeTokenAlgorithm.MD5;
private static final RememberMeTokenAlgorithm DEFAULT_ENCODING_ALGORITHM = RememberMeTokenAlgorithm.SHA256;
private final RememberMeTokenAlgorithm encodingAlgorithm;
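Review bot: Switching DEFAULT_MATCHING_ALGORITHM on the second changed line is a compatibility-sensitive change that the constant does not document: the accompanying reference text states that a token with no `algorithmName` is verified with the default matching algorithm, so cookies issued under the old default and lacking a name will presumably stop verifying after an in-place upgrade, and the only recovery is the explicit matching-algorithm configuration the docs mention. That is the right direction from a security standpoint (MD5 signatures should not be accepted by default), but a maintainer reading the constants alone cannot see the trade-off. Javadoc on the two constants would make it explicit, e.g. `/** Verifies tokens that carry no algorithm name; changing it invalidates such tokens issued under the previous default unless a matching algorithm is configured explicitly. */` on DEFAULT_MATCHING_ALGORITHM and `/** Algorithm written into newly issued tokens; pair with an explicit matching algorithm when rotating. */` on DEFAULT_ENCODING_ALGORITHM. The body of TokenBasedRememberMeServices continues outside the hunk.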


@ -407,7 +407,7 @@ public class TokenBasedRememberMeServicesTests {
assertThat(cookie.getMaxAge()).isEqualTo(this.services.getTokenValiditySeconds());
assertThat(CodecTestUtils.isBase64(cookie.getValue().getBytes())).isTrue();
assertThat(new Date().before(new Date(determineExpiryTimeFromBased64EncodedToken(cookie.getValue())))).isTrue();
assertThat("MD5").isEqualTo(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue()));
assertThat("SHA256").isEqualTo(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue()));
}
@Test
@ -459,11 +459,11 @@ public class TokenBasedRememberMeServicesTests {
}
@Test
public void constructorWhenNoEncodingAlgorithmSpecifiedThenMd5() {
public void constructorWhenNoEncodingAlgorithmSpecifiedThenSha256() {
TokenBasedRememberMeServices rememberMeServices = new TokenBasedRememberMeServices("key", this.uds);
RememberMeTokenAlgorithm encodingAlgorithm = (RememberMeTokenAlgorithm) ReflectionTestUtils
.getField(rememberMeServices, "encodingAlgorithm");
assertThat(encodingAlgorithm).isSameAs(RememberMeTokenAlgorithm.MD5);
assertThat(encodingAlgorithm).isSameAs(RememberMeTokenAlgorithm.SHA256);
}
}
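Review bot: The updated assertion in the first hunk puts the expected literal in the subject position, `assertThat("SHA256").isEqualTo(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue()))`, which inverts AssertJ's actual/expected roles in the failure message; the conventional form is `assertThat(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue())).isEqualTo("SHA256");`. Beyond that, both hunks only retarget existing expectations to the new default; nothing visible here exercises the upgrade path the change affects, namely that a token whose embedded name is still MD5 continues to verify while an unnamed token is now checked with SHA256, and a test pinning that behaviour would guard the compatibility story the documentation promises. The test method containing the first hunk starts outside the hunk.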