SEC-1083: PersistentTokenBasedRememberMeServices does not clear tokens on logout. Override logout method to remove tokens for user.

This commit is contained in:
Luke Taylor 2009-03-16 08:05:02 +00:00
parent b7557d017e
commit 30748e8615
2 changed files with 32 additions and 7 deletions


@ -138,6 +138,12 @@ public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeSe
}
}
@Override
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
super.logout(request, response, authentication);
tokenRepository.removeUserTokens(authentication.getName());
}
protected String generateSeriesData() {
byte[] newSeries = new byte[seriesLength];
random.nextBytes(newSeries);
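Review bot: The new `tokenRepository.removeUserTokens(authentication.getName())` line right after `super.logout(...)` dereferences the parameter without a null check; if this override follows the LogoutHandler contract, where the Authentication argument can be null (for example when the security context was already cleared before the handler runs), logout would throw a NullPointerException after the cookie has been cancelled. Guarding the call keeps the cookie cancellation and only skips the repository step: `if (authentication != null) { tokenRepository.removeUserTokens(authentication.getName()); }`. The override also has no Javadoc; since the repository method takes only the username, it appears to remove every persistent token stored for that user rather than just the series in the presented cookie, and a one-line comment stating that scope would tell maintainers that logging out on one client intentionally ends remember-me sessions on the user's other clients as well. The enclosing class continues outside the hunk, and the generateSeriesData method that follows is cut off.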


@ -1,15 +1,19 @@
package org.springframework.security.ui.rememberme;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import static org.junit.Assert.assertEquals;
import org.junit.Before;
import org.junit.Test;
import static org.junit.Assert.*;
import static org.springframework.security.ui.rememberme.AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY;
import java.util.Date;
import javax.servlet.http.Cookie;
import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.providers.TestingAuthenticationToken;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
/**
* @author Luke Taylor
* @version $Id$
@ -97,6 +101,21 @@ public class PersistentTokenBasedRememberMeServicesTests {
assertEquals(repo.getStoredToken().getTokenValue(), cookie[1]);
}
@Test
public void logoutClearsUsersTokenAndCookie() throws Exception {
Cookie cookie = new Cookie("mycookiename", "somevalue");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
MockHttpServletResponse response = new MockHttpServletResponse();
MockTokenRepository repo =
new MockTokenRepository(new PersistentRememberMeToken("joe", "series","token", new Date()));
services.setTokenRepository(repo);
services.logout(request, response, new TestingAuthenticationToken("joe","somepass","SOME_AUTH"));
Cookie returnedCookie = response.getCookie("mycookiename");
assertNotNull(returnedCookie);
assertEquals(0, returnedCookie.getMaxAge());
}
private class MockTokenRepository implements PersistentTokenRepository {
private PersistentRememberMeToken storedToken;
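Review bot: logoutClearsUsersTokenAndCookie only asserts that the cookie was cancelled (`assertEquals(0, returnedCookie.getMaxAge())`); nothing checks that the token stored for "joe" was removed from the repository, so the part of the behaviour this commit actually fixes (SEC-1083) is left unverified by the test that names it. The MockTokenRepository definition begins at the end of the hunk and is cut off, so I cannot see whether its removeUserTokens clears storedToken; if it does, `assertNull(repo.getStoredToken());` after the logout call pins the fix, and if it does not, have the mock record the username passed to removeUserTokens and assert it equals "joe". The earlier hunk in this file only rearranges imports and needs no change.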