SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context. Added "useSecureCookie" configuration property and corresponding use-secure-cookie attribute in namespace.

config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java

@@ -32,6 +32,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
     static final String ATT_TOKEN_REPOSITORY = "token-repository-ref";
     static final String ATT_USER_SERVICE_REF = "user-service-ref";
     static final String ATT_TOKEN_VALIDITY = "token-validity-seconds";
+    static final String ATT_SECURE_COOKIE = "use-secure-cookie";
 
     protected final Log logger = LogFactory.getLog(getClass());
     private String servicesName;
@@ -94,6 +95,10 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
                 services.getPropertyValues().addPropertyValue("userDetailsService", new RuntimeBeanReference(userServiceRef));
             }
 
+            if ("true".equals(element.getAttribute(ATT_SECURE_COOKIE))) {
+                services.getPropertyValues().addPropertyValue("useSecureCookie", true);
+            }
+
             if (tokenValiditySet) {
                 Integer tokenValidity = new Integer(tokenValiditySeconds);
                 if (tokenValidity.intValue() < 0 && isPersistent) {

config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc

@@ -454,6 +454,10 @@ remember-me.attlist &=
     ## Exports the internally defined RememberMeServices as a bean alias, allowing it to be used by other beans in the application context.
     attribute services-alias {xsd:token}?    
 
+remember-me.attlist &=
+    ## Determines whether the "secure" flag will be set on the remember-me cookie. If set to true, the cookie will only be submitted over HTTPS. Defaults to false.
+    attribute use-secure-cookie {boolean}?
+
 remember-me.attlist &=
     ## The period (in seconds) for which the remember-me cookie should be valid.
     attribute token-validity-seconds {xsd:integer}?

config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java

@@ -544,6 +544,7 @@ public class HttpSecurityBeanDefinitionParserTests {
         RememberMeServices rememberMeServices = getRememberMeServices();
 
         assertTrue(rememberMeServices instanceof PersistentTokenBasedRememberMeServices);
+        assertFalse((Boolean)FieldUtils.getFieldValue(getRememberMeServices(), "useSecureCookie"));
     }
 
     @Test
@@ -587,8 +588,7 @@ public class HttpSecurityBeanDefinitionParserTests {
                 "<http auto-config='true'>" +
                 "    <remember-me key='ourkey' token-validity-seconds='10000' />" +
                 "</http>" + AUTH_PROVIDER_XML);
-        assertEquals(10000, FieldUtils.getFieldValue(getRememberMeServices(),
-                "tokenValiditySeconds"));
+        assertEquals(10000, FieldUtils.getFieldValue(getRememberMeServices(), "tokenValiditySeconds"));
     }
 
     @Test
@@ -597,8 +597,16 @@ public class HttpSecurityBeanDefinitionParserTests {
                 "<http auto-config='true'>" +
                 "    <remember-me key='ourkey' token-validity-seconds='-1' />" +
                 "</http>" + AUTH_PROVIDER_XML);
-        assertEquals(-1, FieldUtils.getFieldValue(getRememberMeServices(),
-                "tokenValiditySeconds"));
+        assertEquals(-1, FieldUtils.getFieldValue(getRememberMeServices(), "tokenValiditySeconds"));
+    }
+
+    @Test
+    public void rememberMeSecureCookieAttributeIsSetCorrectly() throws Exception {
+        setContext(
+                "<http auto-config='true'>" +
+                "    <remember-me key='ourkey' use-secure-cookie='true' />" +
+                "</http>" + AUTH_PROVIDER_XML);
+        assertTrue((Boolean)FieldUtils.getFieldValue(getRememberMeServices(), "useSecureCookie"));
     }
 
     @Test(expected=BeanDefinitionParsingException.class)

web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java

@@ -55,6 +55,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
     private boolean alwaysRemember;
     private String key;
     private int tokenValiditySeconds = TWO_WEEKS_S;
+    private boolean useSecureCookie = false;
 
     public void afterPropertiesSet() throws Exception {
         Assert.hasLength(key);
@@ -308,6 +309,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
         Cookie cookie = new Cookie(cookieName, cookieValue);
         cookie.setMaxAge(maxAge);
         cookie.setPath(StringUtils.hasLength(request.getContextPath()) ? request.getContextPath() : "/");
+        cookie.setSecure(useSecureCookie);
         response.addCookie(cookie);
     }
 
@@ -374,6 +376,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
         return tokenValiditySeconds;
     }
 
+    public void setUseSecureCookie(boolean useSecureCookie) {
+        this.useSecureCookie = useSecureCookie;
+    }
+
     protected AuthenticationDetailsSource getAuthenticationDetailsSource() {
         return authenticationDetailsSource;
     }

web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java

@@ -226,7 +226,24 @@ public class AbstractRememberMeServicesTests {
         assertEquals("mycookie", cookie.getValue());
         assertEquals("mycookiename", cookie.getName());
         assertEquals("contextpath", cookie.getPath());
+        assertFalse(cookie.getSecure());
+    }
 
+    @Test
+    public void setCookieSetsSecureFlagIfConfigured() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        request.setContextPath("contextpath");
+
+        MockRememberMeServices services = new MockRememberMeServices() {
+            protected String encodeCookie(String[] cookieTokens) {
+                return cookieTokens[0];
+            }
+        };
+        services.setUseSecureCookie(true);
+        services.setCookie(new String[] {"mycookie"}, 1000, request, response);
+        Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+        assertTrue(cookie.getSecure());
     }
 
     private Cookie[] createLoginCookie(String cookieToken) {