From 4c44bd782f76a7a7c9982206d4063e5857915c3d Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Sun, 4 Nov 2007 12:07:49 +0000
Subject: [PATCH] SEC-588: Added extra tests to check cookie values.

---
 .../AbstractRememberMeServices.java | 3 +-
 .../AbstractRememberMeServicesTests.java | 1 -
 ...tentTokenBasedRememberMeServicesTests.java | 38 ++++++++++++++-----
 3 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/core/src/main/java/org/springframework/security/ui/rememberme/AbstractRememberMeServices.java b/core/src/main/java/org/springframework/security/ui/rememberme/AbstractRememberMeServices.java
index fdf29868f3..22545e1ffb 100644
--- a/core/src/main/java/org/springframework/security/ui/rememberme/AbstractRememberMeServices.java
+++ b/core/src/main/java/org/springframework/security/ui/rememberme/AbstractRememberMeServices.java
@@ -211,7 +211,8 @@ public abstract class AbstractRememberMeServices implements RememberMeServices {
 * The default is to return true if alwaysRemember is set or the configured parameter name has
 * been included in the request and is set to the value "true".
 *
- * @param request the request which may include
+ * @param request the request submitted from an interactive login, which may include additional information
+ * indicating that a persistent login is desired.
 * @param parameter the configured remember-me parameter name.
 *
 * @return true if the request includes information indicating that a persistent login has been
diff --git a/core/src/test/java/org/springframework/security/ui/rememberme/AbstractRememberMeServicesTests.java b/core/src/test/java/org/springframework/security/ui/rememberme/AbstractRememberMeServicesTests.java
index 07b2f70e15..f5839d9f80 100644
--- a/core/src/test/java/org/springframework/security/ui/rememberme/AbstractRememberMeServicesTests.java
+++ b/core/src/test/java/org/springframework/security/ui/rememberme/AbstractRememberMeServicesTests.java
@@ -220,7 +220,6 @@ public class AbstractRememberMeServicesTests { } - private Cookie[] createLoginCookie(String cookieToken) { MockRememberMeServices services = new MockRememberMeServices(); Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_PERSISTENT_REMEMBER_ME_COOKIE_KEY, diff --git a/core/src/test/java/org/springframework/security/ui/rememberme/PersistentTokenBasedRememberMeServicesTests.java b/core/src/test/java/org/springframework/security/ui/rememberme/PersistentTokenBasedRememberMeServicesTests.java index 68f3fd9b0c..7a7c6e6138 100644 --- a/core/src/test/java/org/springframework/security/ui/rememberme/PersistentTokenBasedRememberMeServicesTests.java +++ b/core/src/test/java/org/springframework/security/ui/rememberme/PersistentTokenBasedRememberMeServicesTests.java 
@@ -19,26 +19,40 @@ public class PersistentTokenBasedRememberMeServicesTests {
 @Before
 public void setUpData() throws Exception {
 services = new PersistentTokenBasedRememberMeServices();
+ services.setCookieName("mycookiename");
 }
 
 @Test(expected = InvalidCookieException.class)
 public void loginIsRejectedWithWrongNumberOfCookieTokens() {
- services.setCookieName("mycookiename");
 services.processAutoLoginCookie(new String[] {"series", "token", "extra"}, new MockHttpServletRequest(),
 new MockHttpServletResponse());
 }
 
 @Test(expected = RememberMeAuthenticationException.class)
 public void loginIsRejectedWhenNoTokenMatchingSeriesIsFound() {
- services.setCookieName("mycookiename");
 services.setTokenRepository(new MockTokenRepository(null));
 services.processAutoLoginCookie(new String[] {"series", "token"}, new MockHttpServletRequest(),
 new MockHttpServletResponse());
 }
 
+ @Test(expected = RememberMeAuthenticationException.class)
+ public void loginIsRejectedWhenTokenIsExpired() {
+ MockTokenRepository repo =
+ new MockTokenRepository(new PersistentRememberMeToken("joe", "series","token", new Date()));
+ services.setTokenRepository(repo);
+ services.setTokenValiditySeconds(1);
+ try {
+ Thread.sleep(1100);
+ } catch (InterruptedException e) {
+ }
+ services.setTokenRepository(repo);
+
+ services.processAutoLoginCookie(new String[] {"series", "token"}, new MockHttpServletRequest(),
+ new MockHttpServletResponse());
+ }
+
 @Test(expected = CookieTheftException.class)
 public void cookieTheftIsDetectedWhenSeriesAndTokenDontMatch() {
- services.setCookieName("mycookiename");
 PersistentRememberMeToken token = new PersistentRememberMeToken("joe", "series","wrongtoken", new Date());
 services.setTokenRepository(new MockTokenRepository(token));
 services.processAutoLoginCookie(new String[] {"series", "token"}, new MockHttpServletRequest(),
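Review bot: loginIsRejectedWhenTokenIsExpired reaches the expiry condition through a real `Thread.sleep(1100)`, which adds over a second to every run, makes a security-relevant assertion (expired persistent tokens must be rejected) depend on scheduler timing, calls `services.setTokenRepository(repo)` twice, and swallows `InterruptedException` without re-interrupting. Assuming the validity check compares the token's date plus `tokenValiditySeconds` against the current time (the implementation is not part of this patch), the same condition is reproduced deterministically with a back-dated token: `new PersistentRememberMeToken("joe", "series", "token", new Date(System.currentTimeMillis() - 2000))` together with `services.setTokenValiditySeconds(1);`, dropping the try/catch block and the duplicated setTokenRepository call. If the sleep is kept for some reason, the catch block should at least call `Thread.currentThread().interrupt();` rather than discard the interruption. The last method in the hunk, cookieTheftIsDetectedWhenSeriesAndTokenDontMatch, continues past the end of the hunk.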
@@ -47,16 +61,18 @@ public class PersistentTokenBasedRememberMeServicesTests { @Test public void successfulAutoLoginCreatesNewTokenAndCookieWithSameSeries() { - services.setCookieName("mycookiename"); MockTokenRepository repo = new MockTokenRepository(new PersistentRememberMeToken("joe", "series","token", new Date())); services.setTokenRepository(repo); // 12 => b64 length will be 16 services.setTokenLength(12); - services.processAutoLoginCookie(new String[] {"series", "token"}, new MockHttpServletRequest(), - new MockHttpServletResponse()); + MockHttpServletResponse response = new MockHttpServletResponse(); + services.processAutoLoginCookie(new String[] {"series", "token"}, new MockHttpServletRequest(), response); assertEquals("series",repo.getStoredToken().getSeries()); assertEquals(16, repo.getStoredToken().getTokenValue().length()); + String[] cookie = services.decodeCookie(response.getCookie("mycookiename").getValue()); + assertEquals("series", cookie[0]); + assertEquals(repo.getStoredToken().getTokenValue(), cookie[1]); } @Test @@ -66,14 +82,18 @@ public class PersistentTokenBasedRememberMeServicesTests { services.setTokenRepository(repo); services.setTokenLength(12); services.setSeriesLength(12); + MockHttpServletResponse response = new MockHttpServletResponse(); services.loginSuccess(new MockHttpServletRequest(), - new MockHttpServletResponse(), new UsernamePasswordAuthenticationToken("joe","password")); + response, new UsernamePasswordAuthenticationToken("joe","password")); assertEquals(16, repo.getStoredToken().getSeries().length()); assertEquals(16, repo.getStoredToken().getTokenValue().length()); + + String[] cookie = services.decodeCookie(response.getCookie("mycookiename").getValue()); + + assertEquals(repo.getStoredToken().getSeries(), cookie[0]); + assertEquals(repo.getStoredToken().getTokenValue(), cookie[1]); } - - private class MockTokenRepository implements PersistentTokenRepository { private PersistentRememberMeToken storedToken;
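Review bot: The new assertions in successfulAutoLoginCreatesNewTokenAndCookieWithSameSeries dereference `response.getCookie("mycookiename")` directly, so if processAutoLoginCookie ever stops emitting the cookie the test fails with a NullPointerException instead of a readable assertion failure. Capture the cookie first and check it: `Cookie c = response.getCookie("mycookiename"); assertNotNull(c); String[] cookie = services.decodeCookie(c.getValue());` (importing `javax.servlet.http.Cookie` if the file does not already). The same lookup is repeated in the second hunk of this file; a small private helper that performs the lookup plus the null check would serve both tests and keep the cookie name in one place.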
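Review bot: Nothing in the loginSuccess test body edited by the second hunk pins the stored token to the authenticated principal: `loginSuccess` is handed `new UsernamePasswordAuthenticationToken("joe","password")`, and the username persisted with the series/token pair is exactly what a later auto-login will use to decide which user to authenticate, so it deserves an assertion alongside the series and token checks. If PersistentRememberMeToken exposes the username (its constructor takes it as the first argument; a getter is not visible here), add `assertEquals("joe", repo.getStoredToken().getUsername());` next to the length assertions. The two stray blank `+` lines around the decodeCookie call could also be dropped to match the spacing of the other tests. The method's signature lies outside the hunk, which starts inside its body.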