SEC-2826: Add remember-me-cookie attribute in xml namespace

2025-05-31 01:02:14 +00:00 · 2015-01-31 23:18:47 +09:00 · 2015-01-31 23:18:47 +09:00 · 67cd8465c3
commit 67cd8465c3
parent d2fd852711
5 changed files with 51 additions and 4 deletions
--- a/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -50,6 +50,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
    static final String ATT_TOKEN_VALIDITY = "token-validity-seconds";
    static final String ATT_SECURE_COOKIE = "use-secure-cookie";
    static final String ATT_FORM_REMEMBERME_PARAMETER = "remember-me-parameter";
+    static final String ATT_REMEMBERME_COOKIE = "remember-me-cookie";

    protected final Log logger = LogFactory.getLog(getClass());
    private final String key;
@ -74,6 +75,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
        String tokenValiditySeconds = element.getAttribute(ATT_TOKEN_VALIDITY);
        String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
        String remembermeParameter = element.getAttribute(ATT_FORM_REMEMBERME_PARAMETER);
+        String remembermeCookie = element.getAttribute(ATT_REMEMBERME_COOKIE);
        Object source = pc.extractSource(element);

        RootBeanDefinition services = null;
@ -85,11 +87,12 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
        boolean useSecureCookieSet = StringUtils.hasText(useSecureCookie);
        boolean tokenValiditySet = StringUtils.hasText(tokenValiditySeconds);
        boolean remembermeParameterSet = StringUtils.hasText(remembermeParameter);
+        boolean remembermeCookieSet = StringUtils.hasText(remembermeCookie);

-        if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || remembermeParameterSet)) {
+        if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || remembermeParameterSet || remembermeCookieSet)) {
            pc.getReaderContext().error(ATT_SERVICES_REF + " can't be used in combination with attributes "
                    + ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + ", " + ATT_TOKEN_VALIDITY
-                    + ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_REMEMBERME_PARAMETER, source);
+                    + ", " + ATT_SECURE_COOKIE + ", " + ATT_FORM_REMEMBERME_PARAMETER + " or " + ATT_REMEMBERME_COOKIE, source);
        }

        if (dataSourceSet && tokenRepoSet) {
@ -144,6 +147,10 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
                services.getPropertyValues().addPropertyValue("parameter", remembermeParameter);
            }

+            if (remembermeCookieSet) {
+                services.getPropertyValues().addPropertyValue("cookieName", remembermeCookie);
+            }
+
            services.setSource(source);
            servicesName = pc.getReaderContext().generateBeanName(services);
            pc.registerBeanComponent(new BeanComponentDefinition(services, servicesName));
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
@ -586,6 +586,9 @@ remember-me.attlist &=
 remember-me.attlist &=
    ## The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'.
    attribute remember-me-parameter {xsd:token}?
+remember-me.attlist &=
+    ## The name of cookie which store the token for remember-me authentication. Defaults to 'SPRING_SECURITY_REMEMBER_ME_COOKIE'.
+    attribute remember-me-cookie {xsd:token}?

 token-repository-ref =
    ## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation.
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd
@ -1827,6 +1827,13 @@
                </xs:documentation>
         </xs:annotation>
      </xs:attribute>
+      <xs:attribute name="remember-me-cookie" type="xs:token">
+          <xs:annotation>
+              <xs:documentation>The name of cookie which store the token for remember-me authentication. Defaults to
+                  'SPRING_SECURITY_REMEMBER_ME_COOKIE'.
+              </xs:documentation>
+          </xs:annotation>
+      </xs:attribute>
  </xs:attributeGroup>
  <xs:attributeGroup name="token-repository-ref">
      <xs:attribute name="token-repository-ref" use="required" type="xs:token">
--- a/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -277,6 +277,31 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
        BeanDefinitionParsingException e = thrown()
    }

+    // SEC-2826
+    def 'Custom remember-me-cookie is supported'() {
+        httpAutoConfig () {
+            'remember-me'('remember-me-cookie': 'ourCookie')
+        }
+
+        createAppContext(AUTH_PROVIDER_XML)
+        expect:
+        rememberMeServices().cookieName == 'ourCookie'
+    }
+
+    // SEC-2826
+    def 'remember-me-cookie cannot be used together with services-ref'() {
+        when:
+        httpAutoConfig () {
+            'remember-me'('remember-me-cookie': 'ourCookie', 'services-ref': 'ourService')
+        }
+
+        createAppContext(AUTH_PROVIDER_XML)
+        then:
+        BeanDefinitionParsingException e = thrown()
+        expect:
+        e.message == 'Configuration problem: services-ref can\'t be used in combination with attributes token-repository-ref,data-source-ref, user-service-ref, token-validity-seconds, use-secure-cookie, remember-me-parameter or remember-me-cookie\nOffending resource: null'
+    }
+
    def rememberMeServices() {
        getFilter(RememberMeAuthenticationFilter.class).getRememberMeServices()
    }
--- a/docs/manual/src/docs/asciidoc/index.adoc
+++ b/docs/manual/src/docs/asciidoc/index.adoc
@ -7594,6 +7594,11 @@ A reference to a `DataSource` bean. If this is set, `PersistentTokenBasedRemembe
 The name of the request parameter which toggles remember-me authentication. Defaults to "_spring_security_remember_me". Maps to the "parameter" property of `AbstractRememberMeServices`.


+[[nsa-remember-me-remember-me-cookie]]
+* **remember-me-cookie**
+The name of cookie which store the token for remember-me authentication. Defaults to "SPRING_SECURITY_REMEMBER_ME_COOKIE". Maps to the "cookieName" property of `AbstractRememberMeServices`.
+
+
 [[nsa-remember-me-key]]
 * **key**
 Maps to the "key" property of `AbstractRememberMeServices`. Should be set to a unique value to ensure that remember-me cookies are only valid within the one application  footnote:[