From 271fbb7ddfe50d9c34e603984aea8803e4bc7d82 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Mon, 20 Apr 2009 09:08:35 +0000
Subject: [PATCH] SEC-1081: Fix for PersistentTokenBasedRememberMeServices int overflow problem.
---
 .../rememberme/PersistentTokenBasedRememberMeServices.java | 2 +-
 .../rememberme/PersistentTokenBasedRememberMeServicesTests.java | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java b/web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java
index 5597d16ee0..e88b1dc8b3 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java
@@ -92,7 +92,7 @@ public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeSe
 "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack."));
 }
- if (token.getDate().getTime() + getTokenValiditySeconds()*1000 < System.currentTimeMillis()) {
+ if (token.getDate().getTime() + getTokenValiditySeconds()*1000L < System.currentTimeMillis()) {
 throw new RememberMeAuthenticationException("Remember-me login has expired");
 }
diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java
index c7062d93c9..2126d5a550 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java
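Review bot: In the first hunk (PersistentTokenBasedRememberMeServices.java), the `L` suffix in `getTokenValiditySeconds()*1000L` is the entire fix and nothing on the line says why it matters, so a later tidy-up could silently bring the int overflow back. With int arithmetic the product wraps once the validity exceeds about 24.8 days (Integer.MAX_VALUE / 1000 seconds), so for a positive validity the token is treated as expiring earlier than configured. I would either add `// 1000L forces long arithmetic; int math overflows for validity above ~24.8 days (SEC-1081)` above the check, or make the unit conversion explicit with `TimeUnit.SECONDS.toMillis(getTokenValiditySeconds())`. The enclosing method starts and ends outside the hunk, so how a zero or negative validity is meant to behave at this check cannot be confirmed from here.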
@@ -30,6 +30,8 @@ public class PersistentTokenBasedRememberMeServicesTests {
 public void setUpData() throws Exception {
 services = new PersistentTokenBasedRememberMeServices();
 services.setCookieName("mycookiename");
+ // Default to 100 days (see SEC-1081).
+ services.setTokenValiditySeconds(100*24*60*60);
 services.setUserDetailsService(
 new AbstractRememberMeServicesTests.MockUserDetailsService(AbstractRememberMeServicesTests.joe, false));
 }
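Review bot: Setting a 100-day validity in `setUpData()` does not by itself pin the SEC-1081 regression. With the old int arithmetic, 8,640,000 s * 1000 wraps to 50,065,408 ms (about 13.9 hours), so a token dated "now" still passes the expiry check. Unless a test outside this hunk uses a token dated more than about 14 hours in the past, the pre-fix code would pass this suite; a dedicated case with a token roughly 30 days old and a 100-day validity, asserting that auto-login succeeds, would catch it. The comment also reads as if 100 days were the library default; something like `// Validity above ~24.8 days makes seconds*1000 exceed Integer.MAX_VALUE (SEC-1081)` states the intent more precisely.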