Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Polish remember me username check

This commit is contained in:
Eleftheria Stein 2019-08-27 15:17:40 -04:00
parent 26ae590c68
commit ad0d3e9702
2 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
web/src/main/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java
View File

@ -21,6 +21,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.codec.Hex; import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.codec.Utf8; import org.springframework.security.crypto.codec.Utf8;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
@ -123,10 +124,9 @@ public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
UserDetails userDetails = getUserDetailsService().loadUserByUsername( UserDetails userDetails = getUserDetailsService().loadUserByUsername(
cookieTokens[0]); cookieTokens[0]);
if (userDetails == null) { Assert.notNull(userDetails, () -> "UserDetailsService " + getUserDetailsService()
throw new InvalidCookieException("Cookie token[0] contained username '" + " returned null for username " + cookieTokens[0] + ". "
+ cookieTokens[0] + "' that does not exist."); + "This is an interface contract violation");
}
// Check signature of token matches remaining details. // Check signature of token matches remaining details.
// Must do this after user lookup, as we need the DAO-derived password. // Must do this after user lookup, as we need the DAO-derived password.

19
web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java
View File

@ -69,6 +69,10 @@ public class TokenBasedRememberMeServicesTests {
new UsernameNotFoundException("")); new UsernameNotFoundException(""));
} }
void udsWillReturnNull() {
when(uds.loadUserByUsername(any(String.class))).thenReturn(null);
}
private long determineExpiryTimeFromBased64EncodedToken(String validToken) { private long determineExpiryTimeFromBased64EncodedToken(String validToken) {
String cookieAsPlainText = new String(Base64.decodeBase64(validToken.getBytes())); String cookieAsPlainText = new String(Base64.decodeBase64(validToken.getBytes()));
String[] cookieTokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, String[] cookieTokens = StringUtils.delimitedListToStringArray(cookieAsPlainText,
@ -230,6 +234,21 @@ public class TokenBasedRememberMeServicesTests {
assertThat(returnedCookie.getMaxAge()).isZero(); assertThat(returnedCookie.getMaxAge()).isZero();
} }
@Test(expected = IllegalArgumentException.class)
public void autoLoginClearsCookieIfUserServiceMisconfigured() {
udsWillReturnNull();
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(
System.currentTimeMillis() + 1000000, "someone", "password",
"key"));
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(cookie);
MockHttpServletResponse response = new MockHttpServletResponse();
services.autoLogin(request, response);
}
@Test @Test
public void autoLoginWithValidTokenAndUserSucceeds() throws Exception { public void autoLoginWithValidTokenAndUserSucceeds() throws Exception {
udsWillReturnUser(); udsWillReturnUser();