Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-01 09:42:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-2165: remember-me@token-validity-seconds can be parameterized

Browse Source
This commit is contained in:
Rob Winch 2013-11-15 14:58:53 -06:00
parent 2d2f91484d
commit 9dbe30c81d
4 changed files with 36 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java
View File

@ -132,12 +132,12 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
} }
if (tokenValiditySet) { if (tokenValiditySet) {
int tokenValidity = Integer.parseInt(tokenValiditySeconds); boolean isTokenValidityNegative = tokenValiditySeconds.startsWith("-");
if (tokenValidity < 0 && isPersistent) { if (isTokenValidityNegative && isPersistent) {
pc.getReaderContext().error(ATT_TOKEN_VALIDITY + " cannot be negative if using" + pc.getReaderContext().error(ATT_TOKEN_VALIDITY + " cannot be negative if using" +
" a persistent remember-me token repository", source); " a persistent remember-me token repository", source);
} }
services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity); services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValiditySeconds);
} }
if (remembermeParameterSet) { if (remembermeParameterSet) {

2
config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc
View File

@ -572,7 +572,7 @@ remember-me.attlist &=
remember-me.attlist &= remember-me.attlist &=
## The period (in seconds) for which the remember-me cookie should be valid. ## The period (in seconds) for which the remember-me cookie should be valid.
attribute token-validity-seconds {xsd:integer}? attribute token-validity-seconds {xsd:string}?
remember-me.attlist &= remember-me.attlist &=
## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication. ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication.

2
config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
View File

@ -1796,7 +1796,7 @@
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
</xs:attribute> </xs:attribute>
<xs:attribute name="token-validity-seconds" type="xs:integer"> <xs:attribute name="token-validity-seconds" type="xs:string">
<xs:annotation> <xs:annotation>
<xs:documentation>The period (in seconds) for which the remember-me cookie should be valid. <xs:documentation>The period (in seconds) for which the remember-me cookie should be valid.
</xs:documentation> </xs:documentation>

32
config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy
View File

@ -17,6 +17,10 @@ package org.springframework.security.config.http
import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML
import javax.sql.DataSource
import org.springframework.beans.FatalBeanException
import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer
import org.springframework.beans.factory.parsing.BeanDefinitionParsingException import org.springframework.beans.factory.parsing.BeanDefinitionParsingException
import org.springframework.security.TestDataSource import org.springframework.security.TestDataSource
import org.springframework.security.authentication.ProviderManager import org.springframework.security.authentication.ProviderManager
@ -26,7 +30,7 @@ import org.springframework.security.util.FieldUtils
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
import org.springframework.security.web.authentication.logout.LogoutFilter import org.springframework.security.web.authentication.logout.LogoutFilter
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices; import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
@ -154,6 +158,32 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
rememberMeServices().tokenValiditySeconds == -1 rememberMeServices().tokenValiditySeconds == -1
} }
def 'remember-me@token-validity-seconds denies for persistent implementation'() {
setup:
httpAutoConfig () {
'remember-me'('key': 'ourkey', 'token-validity-seconds':'-1', 'dataSource' : 'dataSource')
}
mockBean(DataSource)
when:
createAppContext(AUTH_PROVIDER_XML)
then:
thrown(FatalBeanException)
}
def 'SEC-2165: remember-me@token-validity-seconds allows property placeholders'() {
when:
httpAutoConfig () {
'remember-me'('key': 'ourkey', 'token-validity-seconds':'${security.rememberme.ttl}')
}
xml.'b:bean'(class: PropertyPlaceholderConfigurer.name) {
'b:property'(name:'properties', value:'security.rememberme.ttl=30')
}
createAppContext(AUTH_PROVIDER_XML)
then:
rememberMeServices().tokenValiditySeconds == 30
}
def rememberMeSecureCookieAttributeIsSetCorrectly() { def rememberMeSecureCookieAttributeIsSetCorrectly() {
httpAutoConfig () { httpAutoConfig () {
'remember-me'('key': 'ourkey', 'use-secure-cookie':'true') 'remember-me'('key': 'ourkey', 'use-secure-cookie':'true')