
SEC-2119: Add a 'form-parameter' attribute to <remember-me>

This change extends the namespace configuration of <remember-me>
with a 'form-parameter' attribute. The introduced attribute sets
the 'parameter' property of AbstractRememberMeServices.

This enables overriding the default value of
'_spring_security_remember_me' using the namespace configuration.
Oliver Becker 12 жил өмнө
parent
commit
9eb34fe51c

+ 16 - 5
config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2013 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,6 +38,7 @@ import org.w3c.dom.Element;
  * @author Luke Taylor
  * @author Ben Alex
  * @author Rob Winch
+ * @author Oliver Becker
  */
 class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
     static final String ATT_DATA_SOURCE = "data-source-ref";
@@ -48,6 +49,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
     static final String ATT_SUCCESS_HANDLER_REF = "authentication-success-handler-ref";
     static final String ATT_TOKEN_VALIDITY = "token-validity-seconds";
     static final String ATT_SECURE_COOKIE = "use-secure-cookie";
+    static final String ATT_FORM_PARAMETER = "form-parameter";
 
     protected final Log logger = LogFactory.getLog(getClass());
     private final String key;
@@ -70,6 +72,8 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
         String successHandlerRef = element.getAttribute(ATT_SUCCESS_HANDLER_REF);
         String rememberMeServicesRef = element.getAttribute(ATT_SERVICES_REF);
         String tokenValiditySeconds = element.getAttribute(ATT_TOKEN_VALIDITY);
+        String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
+        String formParameter = element.getAttribute(ATT_FORM_PARAMETER);
         Object source = pc.extractSource(element);
 
         RootBeanDefinition services = null;
@@ -78,11 +82,14 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
         boolean tokenRepoSet = StringUtils.hasText(tokenRepository);
         boolean servicesRefSet = StringUtils.hasText(rememberMeServicesRef);
         boolean userServiceSet = StringUtils.hasText(userServiceRef);
+        boolean useSecureCookieSet = StringUtils.hasText(useSecureCookie);
         boolean tokenValiditySet = StringUtils.hasText(tokenValiditySeconds);
+        boolean formParameterSet = StringUtils.hasText(formParameter);
 
-        if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet)) {
+        if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || formParameterSet)) {
             pc.getReaderContext().error(ATT_SERVICES_REF + " can't be used in combination with attributes "
-                    + ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + " or " + ATT_TOKEN_VALIDITY, source);
+                    + ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + ", " + ATT_TOKEN_VALIDITY
+                    + ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_PARAMETER, source);
         }
 
         if (dataSourceSet && tokenRepoSet) {
@@ -120,8 +127,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
             services.getConstructorArgumentValues().addGenericArgumentValue(uds);
             // tokenRepo is already added if it is a PersistentTokenBasedRememberMeServices
 
-            String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
-            if (StringUtils.hasText(useSecureCookie)) {
+            if (useSecureCookieSet) {
                 services.getPropertyValues().addPropertyValue("useSecureCookie", Boolean.valueOf(useSecureCookie));
             }
 
@@ -133,6 +139,11 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
                 }
                 services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
             }
+
+            if (formParameterSet) {
+                services.getPropertyValues().addPropertyValue("parameter", formParameter);
+            }
+
             services.setSource(source);
             servicesName = pc.getReaderContext().generateBeanName(services);
             pc.registerBeanComponent(new BeanComponentDefinition(services, servicesName));
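Review bot: The combination check in the `servicesRefSet && (...)` hunk now also rejects `use-secure-cookie` next to `services-ref` via the new `useSecureCookieSet` term, whereas before this commit that attribute was simply read and ignored when a custom services bean was supplied; that is a behaviour change for existing configurations which the description, scoped to `form-parameter`, does not mention. The direction is right — an attribute that looks like it hardens the cookie but is silently dropped is worse than a startup error — but it should be named in the commit message and the namespace reference so an upgrading user understands why the context fails to load. While touching the message, `ATT_TOKEN_REPOSITORY + ","` is the only separator without a trailing space; `ATT_TOKEN_REPOSITORY + ", "` would make the attribute list read consistently. The enclosing parse method begins before and ends after the hunk.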

+ 7 - 1
config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd

@@ -1801,6 +1801,12 @@
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
+      <xs:attribute name="form-parameter" type="xs:token">
+          <xs:annotation>
+              <xs:documentation>The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'.
+              </xs:documentation>
+          </xs:annotation>
+      </xs:attribute>
   </xs:attributeGroup>
   <xs:attributeGroup name="token-repository-ref">
       <xs:attribute name="token-repository-ref" use="required" type="xs:token">
@@ -2312,4 +2318,4 @@
          <xs:enumeration value="LAST"/>
       </xs:restriction>
   </xs:simpleType>
-</xs:schema>
+</xs:schema>

+ 23 - 1
config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2013 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@ import org.springframework.security.web.authentication.rememberme.TokenBasedReme
  *
  * @author Luke Taylor
  * @author Rob Winch
+ * @author Oliver Becker
  */
 class RememberMeConfigTests extends AbstractHttpConfigTests {
 
@@ -212,6 +213,27 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
         notThrown BeanDefinitionParsingException
     }
 
+    // SEC-2119
+    def 'Custom form-parameter is supported'() {
+        httpAutoConfig () {
+            'remember-me'('form-parameter': 'ourParam')
+        }
+
+        createAppContext(AUTH_PROVIDER_XML)
+        expect:
+        rememberMeServices().parameter == 'ourParam'
+    }
+
+    def 'form-parameter cannot be used together with services-ref'() {
+        when:
+        httpAutoConfig () {
+            'remember-me'('form-parameter': 'ourParam', 'services-ref': 'ourService')
+        }
+        createAppContext(AUTH_PROVIDER_XML)
+        then:
+        BeanDefinitionParsingException e = thrown()
+    }
+
     def rememberMeServices() {
         getFilter(RememberMeAuthenticationFilter.class).getRememberMeServices()
     }
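Review bot: The parser hunk in this commit also starts rejecting `use-secure-cookie` together with `services-ref`, but the two new feature methods cover only `form-parameter`; a third method mirroring `'form-parameter cannot be used together with services-ref'` with `'remember-me'('use-secure-cookie': 'true', 'services-ref': 'ourService')` would pin that new validation. In the second method the bound variable `e` is never used, so `thrown(BeanDefinitionParsingException)` is the idiomatic Spock form. The class declaration is outside the hunk, but each feature method is shown in full.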

+ 1 - 1
core/src/test/java/org/springframework/security/authentication/jaas/memory/InMemoryConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2010 the original author or authors.
+ * Copyright 2010-2013 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

+ 5 - 0
docs/manual/src/docbook/appendix-namespace.xml

@@ -842,6 +842,11 @@
                         <classname>PersistentTokenBasedRememberMeServices</classname> will be used and configured with a
                         <classname>JdbcTokenRepositoryImpl</classname> instance. </para>
                 </section>
+                <section xml:id="nsa-remember-me-form-parameter">
+                    <title><literal>form-parameter</literal></title>
+                    <para>The name of the request parameter which toggles remember-me authentication. Defaults to "_spring_security_remember_me".
+                        Maps to the "parameter" property of <classname>AbstractRememberMeServices</classname>.</para>
+                </section>
                 <section xml:id="nsa-remember-me-key">
                     <title><literal>key</literal></title>
                     <para>Maps to the "key" property of