SEC-1827: If use-secure-cookie is set to false explicitly set useSecureCookie to false on AbstractRememberMeServices

config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java

@@ -98,8 +98,9 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
 
             services.getPropertyValues().addPropertyValue("userDetailsService", uds);
 
-            if ("true".equals(element.getAttribute(ATT_SECURE_COOKIE))) {
+            String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
-                services.getPropertyValues().addPropertyValue("useSecureCookie", true);
+            if (StringUtils.hasText(useSecureCookie)) {
+                services.getPropertyValues().addPropertyValue("useSecureCookie", Boolean.valueOf(useSecureCookie));
             }
 
             if (tokenValiditySet) {

config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy

@@ -31,7 +31,7 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
 
         expect:
         rememberMeServices() instanceof PersistentTokenBasedRememberMeServices
-        !FieldUtils.getFieldValue(rememberMeServices(), "useSecureCookie")
+        FieldUtils.getFieldValue(rememberMeServices(), "useSecureCookie") == null
     }
 
     def rememberMeServiceWorksWithDataSourceRef() {
@@ -112,6 +112,17 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
         FieldUtils.getFieldValue(rememberMeServices(), "useSecureCookie")
     }
 
+    // SEC-1827
+    def rememberMeSecureCookieAttributeFalse() {
+        httpAutoConfig () {
+            'remember-me'('key': 'ourkey', 'use-secure-cookie':'false')
+        }
+
+        createAppContext(AUTH_PROVIDER_XML)
+        expect: 'useSecureCookie is false'
+        FieldUtils.getFieldValue(rememberMeServices(), "useSecureCookie") == Boolean.FALSE
+    }
+
     def 'Negative token-validity is rejected with persistent implementation'() {
         when:
         httpAutoConfig () {