Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-25 21:42:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-298: Ensure returned cookies have a maximum age equal to the TokenBasedRememberMeServices.tokenValiditySeconds property.

Browse Source
This commit is contained in:
Ben Alex 2007-05-23 06:43:47 +00:00
parent ac3b142e4f
commit 5b8898c750
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java
View File

@ -292,7 +292,7 @@ public class TokenBasedRememberMeServices implements RememberMeServices, Initial
String signatureValue = DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key); String signatureValue = DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key);
String tokenValue = username + ":" + expiryTime + ":" + signatureValue; String tokenValue = username + ":" + expiryTime + ":" + signatureValue;
String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes())); String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes()));
response.addCookie(makeValidCookie(expiryTime, tokenValueBase64, request)); response.addCookie(makeValidCookie(tokenValueBase64, request, tokenValiditySeconds));
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug("Added remember-me cookie for user '" + username logger.debug("Added remember-me cookie for user '" + username
@ -313,9 +313,9 @@ public class TokenBasedRememberMeServices implements RememberMeServices, Initial
return cookie; return cookie;
} }
protected Cookie makeValidCookie(long expiryTime, String tokenValueBase64, HttpServletRequest request) { protected Cookie makeValidCookie(String tokenValueBase64, HttpServletRequest request, long maxAge) {
Cookie cookie = new Cookie(ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, tokenValueBase64); Cookie cookie = new Cookie(ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, tokenValueBase64);
cookie.setMaxAge(60 * 60 * 24 * 365 * 5); // 5 years cookie.setMaxAge(new Long(maxAge).intValue());
cookie.setPath(StringUtils.hasLength(request.getContextPath()) ? request.getContextPath() : "/"); cookie.setPath(StringUtils.hasLength(request.getContextPath()) ? request.getContextPath() : "/");
return cookie; return cookie;

4
core/src/test/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServicesTests.java
View File

@ -363,7 +363,7 @@ public class TokenBasedRememberMeServicesTests extends TestCase {
Cookie cookie = response.getCookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY); Cookie cookie = response.getCookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY);
assertNotNull(cookie); assertNotNull(cookie);
assertEquals(60 * 60 * 24 * 365 * 5, cookie.getMaxAge()); // 5 years assertEquals(services.getTokenValiditySeconds(), cookie.getMaxAge());
assertTrue(Base64.isArrayByteBase64(cookie.getValue().getBytes())); assertTrue(Base64.isArrayByteBase64(cookie.getValue().getBytes()));
assertTrue(new Date().before(new Date(determineExpiryTimeFromBased64EncodedToken(cookie.getValue())))); assertTrue(new Date().before(new Date(determineExpiryTimeFromBased64EncodedToken(cookie.getValue()))));
} }
@ -383,7 +383,7 @@ public class TokenBasedRememberMeServicesTests extends TestCase {
Cookie cookie = response.getCookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY); Cookie cookie = response.getCookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY);
assertNotNull(cookie); assertNotNull(cookie);
assertEquals(60 * 60 * 24 * 365 * 5, cookie.getMaxAge()); // 5 years assertEquals(services.getTokenValiditySeconds(), cookie.getMaxAge());
assertTrue(Base64.isArrayByteBase64(cookie.getValue().getBytes())); assertTrue(Base64.isArrayByteBase64(cookie.getValue().getBytes()));
assertTrue(new Date().before(new Date(determineExpiryTimeFromBased64EncodedToken(cookie.getValue())))); assertTrue(new Date().before(new Date(determineExpiryTimeFromBased64EncodedToken(cookie.getValue()))));
} }