SEC-2165: remember-me@token-validity-seconds can be parameterized

config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java

@@ -132,12 +132,12 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
             }
 
             if (tokenValiditySet) {
-                int tokenValidity = Integer.parseInt(tokenValiditySeconds);
-                if (tokenValidity < 0 && isPersistent) {
+                boolean isTokenValidityNegative = tokenValiditySeconds.startsWith("-");
+                if (isTokenValidityNegative && isPersistent) {
                     pc.getReaderContext().error(ATT_TOKEN_VALIDITY + " cannot be negative if using" +
                             " a persistent remember-me token repository", source);
                 }
-                services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
+                services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValiditySeconds);
             }
 
             if (remembermeParameterSet) {

config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc

@@ -572,7 +572,7 @@ remember-me.attlist &=
 
 remember-me.attlist &=
     ## The period (in seconds) for which the remember-me cookie should be valid.
-    attribute token-validity-seconds {xsd:integer}?
+    attribute token-validity-seconds {xsd:string}?
 
 remember-me.attlist &=
     ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication.

config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd

@@ -1796,7 +1796,7 @@
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
-      <xs:attribute name="token-validity-seconds" type="xs:integer">
+      <xs:attribute name="token-validity-seconds" type="xs:string">
          <xs:annotation>
             <xs:documentation>The period (in seconds) for which the remember-me cookie should be valid.
                 </xs:documentation>

config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy

@@ -17,6 +17,10 @@ package org.springframework.security.config.http
 
 import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML
 
+import javax.sql.DataSource
+
+import org.springframework.beans.FatalBeanException
+import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer
 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException
 import org.springframework.security.TestDataSource
 import org.springframework.security.authentication.ProviderManager
@@ -26,7 +30,7 @@ import org.springframework.security.util.FieldUtils
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
 import org.springframework.security.web.authentication.logout.LogoutFilter
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
-import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
+import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
 import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
 import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
 import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
@@ -154,6 +158,32 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
         rememberMeServices().tokenValiditySeconds == -1
     }
 
+    def 'remember-me@token-validity-seconds denies for persistent implementation'() {
+        setup:
+            httpAutoConfig () {
+                'remember-me'('key': 'ourkey', 'token-validity-seconds':'-1', 'dataSource' : 'dataSource')
+            }
+            mockBean(DataSource)
+        when:
+            createAppContext(AUTH_PROVIDER_XML)
+        then:
+            thrown(FatalBeanException)
+    }
+
+    def 'SEC-2165: remember-me@token-validity-seconds allows property placeholders'() {
+        when:
+            httpAutoConfig () {
+                'remember-me'('key': 'ourkey', 'token-validity-seconds':'${security.rememberme.ttl}')
+            }
+            xml.'b:bean'(class: PropertyPlaceholderConfigurer.name) {
+                'b:property'(name:'properties', value:'security.rememberme.ttl=30')
+            }
+
+            createAppContext(AUTH_PROVIDER_XML)
+        then:
+            rememberMeServices().tokenValiditySeconds == 30
+    }
+
     def rememberMeSecureCookieAttributeIsSetCorrectly() {
         httpAutoConfig () {
             'remember-me'('key': 'ourkey', 'use-secure-cookie':'true')