diff --git a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
index 47d50bfd04..e0e6b2fc01 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
@@ -15,8 +15,12 @@
*/
package org.springframework.security.web.authentication.rememberme;
+import java.io.UnsupportedEncodingException;
import java.lang.reflect.Method;
import java.util.Base64;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
@@ -50,7 +54,7 @@ import org.springframework.util.StringUtils;
*
* @author Luke Taylor
* @author Rob Winch
- * @author Edd� Mel�ndez
+ * @author Edd? Mel?ndez
* @since 2.0
*/
public abstract class AbstractRememberMeServices implements RememberMeServices,
@@ -229,13 +233,16 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER);
- if ((tokens[0].equalsIgnoreCase("http") || tokens[0].equalsIgnoreCase("https")) && tokens[1].startsWith("//")) {
- // Assume we've accidentally split a URL (OpenID identifier)
- String[] newTokens = new String[tokens.length - 1];
- newTokens[0] = tokens[0] + ":" + tokens[1];
- System.arraycopy(tokens, 2, newTokens, 1, newTokens.length - 1);
- tokens = newTokens;
+ for (int i = 0; i < tokens.length; i++) { try { tokens[i] = URLDecoder.decode(tokens[i], StandardCharsets.UTF_8.toString()); } catch (UnsupportedEncodingException e) { logger.error(e.getMessage(), e); } } return tokens;
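Review bot: The new `@author` line replaces the two undecodable characters with a literal `?` rather than restoring them, so the hunk swaps one garbled spelling for another and the contributor's name is still wrong in the Javadoc. The original bytes were presumably `ú` and `é` (`* @author Eddú Meléndez`); if fixing the encoding is the intent, write the UTF-8 characters, and if not, this looks like an editor encoding artifact that should be dropped from the commit.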
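Review bot: `URLDecoder.decode` throws `IllegalArgumentException` on a malformed escape (a `%` not followed by two hex digits), and the tokens it is applied to in this loop come straight from the client's cookie, so a crafted remember-me cookie now leaves decodeCookie as an unchecked exception instead of the `InvalidCookieException` this method presumably raises for other malformed input; the loop needs `catch (IllegalArgumentException e) { throw new InvalidCookieException("Cookie token could not be URL-decoded"); }` so callers that handle `InvalidCookieException` cancel the cookie rather than fail. The `UnsupportedEncodingException` branch cannot fire for UTF-8 and, if it ever did, logging and continuing would leave `tokens[i]` undecoded and silently hand a different value downstream — rethrow it (`throw new IllegalStateException(e);`) instead of swallowing it. Note also that cookies issued before this change were never URL-encoded, so a legacy username containing `+` or `%` now decodes to a different string; that compatibility break deserves a line in the commit message. decodeCookie's signature and its earlier Base64 handling lie above this hunk.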
@@ -250,7 +257,14 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
protected String encodeCookie(String[] cookieTokens) {
StringBuilder sb = new StringBuilder();
for (int i = 0; i < cookieTokens.length; i++) {
- sb.append(cookieTokens[i]);
+ try { sb.append(URLEncoder.encode(cookieTokens[i], StandardCharsets.UTF_8.toString())); } catch (UnsupportedEncodingException e) { logger.error(e.getMessage(), e); } if (i < cookieTokens.length - 1) { sb.append(DELIMITER);
diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
index df62c2721c..62aa379608 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
@@ -90,7 +90,7 @@ public class AbstractRememberMeServicesTests {
@Test
public void cookieShouldBeCorrectlyEncodedAndDecoded() throws Exception {
- String[] cookie = new String[] { "name", "cookie", "tokens", "blah" };
+ String[] cookie = new String[] { "name:with:colon", "cookie", "tokens", "blah" };
MockRememberMeServices services = new MockRememberMeServices(uds);
String encoded = services.encodeCookie(cookie);
@@ -98,7 +98,7 @@ public class AbstractRememberMeServicesTests {
assertThat(encoded.endsWith("=")).isFalse();
String[] decoded = services.decodeCookie(encoded);
- assertThat(decoded).containsExactly("name", "cookie", "tokens", "blah");
+ assertThat(decoded).containsExactly("name:with:colon", "cookie", "tokens", "blah");
@Test
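Review bot: In the new `catch (UnsupportedEncodingException e)` branch the error is logged and the loop continues, so the token is dropped from the cookie while the `DELIMITER` after it is still appended, which shifts every later token by one position and produces a structurally wrong cookie instead of a failure; since UTF-8 is always available this branch is unreachable, and it should rethrow (`throw new IllegalStateException(e);`) rather than log. The reason for encoding at all is not obvious from the code, so a one-line comment on the `try` would help: `// percent-encode so a DELIMITER inside a token cannot split it when decoded`. The Allman braces (`try` and `{` on separate lines) also differ from the K&R style of the surrounding file, visible on the `for (...) {` context line just above. encodeCookie continues past the end of this hunk.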
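Review bot: The updated test only pins a token containing the delimiter, which is the one case the encoder change was written for; the round trip should also be asserted for the other characters `URLEncoder` rewrites — a space (emitted as `+`), a literal `+`, and a `%` — e.g. `String[] cookie = new String[] { "name:with:colon", "a b+c%", "tokens", "blah" };`. A negative case feeding decodeCookie a Base64 payload whose token holds a malformed escape such as `%zz` would pin the failure mode of the new `URLDecoder` call, which is exactly where client-controlled input enters. Both assertions belong to cookieShouldBeCorrectlyEncodedAndDecoded, whose body spans the two hunks of this file.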