From 883b92e7bd60568f38d339fcb6b1d3050a789f15 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Thu, 8 May 2008 15:07:40 +0000
Subject: [PATCH] SEC-822: Converted to long arithmetic to prevent integer overflowing with long token validity periods
---
 .../security/ui/rememberme/TokenBasedRememberMeServices.java | 2 +-
 .../ui/rememberme/TokenBasedRememberMeServicesTests.java | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/core/src/main/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServices.java b/core/src/main/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServices.java
index 0c2f6dac6f..3c97b8eaf2 100644
--- a/core/src/main/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServices.java
+++ b/core/src/main/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServices.java
@@ -152,7 +152,7 @@ public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
 }
 int tokenLifetime = calculateLoginLifetime(request, successfulAuthentication);
- long expiryTime = System.currentTimeMillis() + 1000*tokenLifetime;
+ long expiryTime = System.currentTimeMillis() + 1000L*tokenLifetime;
 String signatureValue = makeTokenSignature(expiryTime, username, password);
diff --git a/core/src/test/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServicesTests.java b/core/src/test/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServicesTests.java
index 33b1d71588..9b8e9e4c5c 100644
--- a/core/src/test/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServicesTests.java
+++ b/core/src/test/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServicesTests.java
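Review bot: In TokenBasedRememberMeServices.java, the new `expiryTime` line has no comment explaining why the literal must be `1000L`, so a later cleanup could narrow it back to int arithmetic unnoticed. I would add `// 1000L forces long arithmetic: int seconds*1000 overflows above 2,147,483 s (~24.8 days), see SEC-822` directly above it. `tokenLifetime` is also used unchecked here: if `calculateLoginLifetime` can return zero or a negative value (not visible in this hunk), the expiry that gets signed into the token is at or before the current time, so a guard or a documented contract on that method would help. The enclosing method starts and ends outside the hunk.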
@@ -342,6 +342,8 @@ public class TokenBasedRememberMeServicesTests extends TestCase {
 public void testLoginSuccessNormalWithNonUserDetailsBasedPrincipal() {
 TokenBasedRememberMeServices services = new TokenBasedRememberMeServices();
+ // SEC-822
+ services.setTokenValiditySeconds(5000000);
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setRequestURI("d");
 request.addParameter(TokenBasedRememberMeServices.DEFAULT_PARAMETER, "true");
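Review bot: The value `5000000` may not catch a regression of SEC-822: with int arithmetic `1000*5000000` wraps to 705,032,704 ms (about eight days), which is still a positive, future expiry. The test therefore fails on the old code only if an assertion outside this hunk checks the expiry value itself. Either use a validity whose product wraps negative, e.g. `services.setTokenValiditySeconds(3000000);`, or assert that the expiry encoded in the cookie is roughly `5000000L * 1000` ms ahead of the current time. The comment would also say more as `// SEC-822: validity large enough to overflow int milliseconds`. The test method continues past the end of the hunk.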