From 9eb34fe51cddc63ce053ecfe7a3f0fd022d52608 Mon Sep 17 00:00:00 2001
From: Oliver Becker
Date: Fri, 1 Mar 2013 16:22:18 -0600
Subject: [PATCH] SEC-2119: Add a 'form-parameter' attribute to

This change extends the namespace configuration of with a 'form-parameter' attribute. The introduced attribute sets the 'parameter' property of AbstractRememberMeServices. This enables overriding the default value of '_spring_security_remember_me' using the namespace configuration.
---
 .../http/RememberMeBeanDefinitionParser.java | 21 ++++++++++++----
 .../security/config/spring-security-3.2.xsd | 8 ++++++-
 .../config/http/RememberMeConfigTests.groovy | 24 ++++++++++++++++++-
 .../memory/InMemoryConfigurationTests.java | 2 +-
 .../manual/src/docbook/appendix-namespace.xml | 5 ++++
 5 files changed, 52 insertions(+), 8 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java
index 5c78ff5e81..b3aeeb2ac8 100644
--- a/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2013 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -38,6 +38,7 @@ import org.w3c.dom.Element;
 * @author Luke Taylor
 * @author Ben Alex
 * @author Rob Winch
+ * @author Oliver Becker
 */
 class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
 static final String ATT_DATA_SOURCE = "data-source-ref";
@@ -48,6 +49,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
 static final String ATT_SUCCESS_HANDLER_REF = "authentication-success-handler-ref";
 static final String ATT_TOKEN_VALIDITY = "token-validity-seconds";
 static final String ATT_SECURE_COOKIE = "use-secure-cookie";
+ static final String ATT_FORM_PARAMETER = "form-parameter";
 protected final Log logger = LogFactory.getLog(getClass());
 private final String key;
@@ -70,6 +72,8 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
 String successHandlerRef = element.getAttribute(ATT_SUCCESS_HANDLER_REF);
 String rememberMeServicesRef = element.getAttribute(ATT_SERVICES_REF);
 String tokenValiditySeconds = element.getAttribute(ATT_TOKEN_VALIDITY);
+ String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
+ String formParameter = element.getAttribute(ATT_FORM_PARAMETER);
 Object source = pc.extractSource(element);
 RootBeanDefinition services = null;
@@ -78,11 +82,14 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
 boolean tokenRepoSet = StringUtils.hasText(tokenRepository);
 boolean servicesRefSet = StringUtils.hasText(rememberMeServicesRef);
 boolean userServiceSet = StringUtils.hasText(userServiceRef);
+ boolean useSecureCookieSet = StringUtils.hasText(useSecureCookie);
 boolean tokenValiditySet = StringUtils.hasText(tokenValiditySeconds);
+ boolean formParameterSet = StringUtils.hasText(formParameter);
- if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet)) {
+ if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || formParameterSet)) {
 pc.getReaderContext().error(ATT_SERVICES_REF + " can't be used in combination with attributes "
- + ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + " or " + ATT_TOKEN_VALIDITY, source);
+ + ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + ", " + ATT_TOKEN_VALIDITY
+ + ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_PARAMETER, source);
 }
 if (dataSourceSet && tokenRepoSet) {
@@ -120,8 +127,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
 services.getConstructorArgumentValues().addGenericArgumentValue(uds);
 // tokenRepo is already added if it is a PersistentTokenBasedRememberMeServices
- String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
- if (StringUtils.hasText(useSecureCookie)) {
+ if (useSecureCookieSet) {
 services.getPropertyValues().addPropertyValue("useSecureCookie", Boolean.valueOf(useSecureCookie));
 }
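Review bot: The widened guard `if (servicesRefSet && (... || useSecureCookieSet || formParameterSet))` also turns a `use-secure-cookie` plus `services-ref` combination into a parse error, which the commit message, scoped to the new form-parameter attribute, does not mention. Judging from the lines removed in the following hunk, `use-secure-cookie` was previously read only on the path that builds the services bean here, so with `services-ref` it was presumably ignored rather than rejected, and a configuration relying on that would now fail to start. If the stricter check is intended, state it in the commit message and cover it with a test next to the new form-parameter one; the enclosing parse method starts and ends outside the hunk.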
@@ -133,6 +139,11 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
 }
 services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
 }
+
+ if (formParameterSet) {
+ services.getPropertyValues().addPropertyValue("parameter", formParameter);
+ }
+
 services.setSource(source);
 servicesName = pc.getReaderContext().generateBeanName(services);
 pc.registerBeanComponent(new BeanComponentDefinition(services, servicesName));
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
index b6dbc83d96..6ab72e4c04 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
@@ -1801,6 +1801,12 @@ + + + The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'. + + +
@@ -2312,4 +2318,4 @@ - \ No newline at end of file +
diff --git a/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy
index 17ab017019..e408aeedbe 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2013 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
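Review bot: `addPropertyValue("parameter", formParameter)` hands the attribute value to the services bean unmodified, and `StringUtils.hasText` accepts strings with surrounding whitespace, so a value such as `" ourParam "` would configure a request-parameter name that no form field ever matches and remember-me would be silently disabled. Either normalise with `formParameter.trim()` before setting the property or reject such values through `pc.getReaderContext().error(...)` as the earlier hunk does for conflicting attributes; whether the XML reader already normalises attribute values is not visible here. A one-line comment above the block, `// maps to AbstractRememberMeServices.parameter: the request parameter that toggles remember-me`, would also tie the bare "parameter" property name to its target. The enclosing parse method starts and ends outside the hunk.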
@@ -36,6 +36,7 @@ import org.springframework.security.web.authentication.rememberme.TokenBasedReme
 *
 * @author Luke Taylor
 * @author Rob Winch
+ * @author Oliver Becker
 */
 class RememberMeConfigTests extends AbstractHttpConfigTests {
@@ -212,6 +213,27 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
 notThrown BeanDefinitionParsingException
 }
+ // SEC-2119
+ def 'Custom form-parameter is supported'() {
+ httpAutoConfig () {
+ 'remember-me'('form-parameter': 'ourParam')
+ }
+
+ createAppContext(AUTH_PROVIDER_XML)
+ expect:
+ rememberMeServices().parameter == 'ourParam'
+ }
+
+ def 'form-parameter cannot be used together with services-ref'() {
+ when:
+ httpAutoConfig () {
+ 'remember-me'('form-parameter': 'ourParam', 'services-ref': 'ourService')
+ }
+ createAppContext(AUTH_PROVIDER_XML)
+ then:
+ BeanDefinitionParsingException e = thrown()
+ }
+
 def rememberMeServices() {
 getFilter(RememberMeAuthenticationFilter.class).getRememberMeServices()
 }
diff --git a/core/src/test/java/org/springframework/security/authentication/jaas/memory/InMemoryConfigurationTests.java b/core/src/test/java/org/springframework/security/authentication/jaas/memory/InMemoryConfigurationTests.java
index 02688d7eb1..74abd4472f 100644
--- a/core/src/test/java/org/springframework/security/authentication/jaas/memory/InMemoryConfigurationTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/jaas/memory/InMemoryConfigurationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010 the original author or authors.
+ * Copyright 2010-2013 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/docs/manual/src/docbook/appendix-namespace.xml b/docs/manual/src/docbook/appendix-namespace.xml
index 88efb40deb..644c09ef87 100644
--- a/docs/manual/src/docbook/appendix-namespace.xml
+++ b/docs/manual/src/docbook/appendix-namespace.xml
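Review bot: In the second new test, `'form-parameter cannot be used together with services-ref'`, the `then:` block only checks that a `BeanDefinitionParsingException` is thrown, and `services-ref` points at `ourService`, which nothing in the hunk defines, so the test might pass for a reason unrelated to the new attribute check. Pin it to the parser's message with `def e = thrown(BeanDefinitionParsingException)` followed by `e.message.contains('form-parameter')`, assuming the error text produced by the parser carries the attribute name as the Java hunk suggests; that also gives the currently unused `e` a purpose. The first new test would likewise be tighter with a `when:` label around its setup, matching the structure of the test below it.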
@@ -842,6 +842,11 @@ PersistentTokenBasedRememberMeServices will be used and configured with a JdbcTokenRepositoryImpl instance. +
+ <literal>form-parameter</literal> + The name of the request parameter which toggles remember-me authentication. Defaults to "_spring_security_remember_me". + Maps to the "parameter" property of AbstractRememberMeServices. +
<literal>key</literal> Maps to the "key" property of