SEC-2119: Polish remember-me@rememberme-parameter

- Change form-parameter to rememberme-parameter
  - Use rnc file for generating the xsd
  - Add test for default value of rememberme parameter
This commit is contained in:
Rob Winch 2013-03-01 16:31:39 -06:00
parent 9eb34fe51c
commit b014020955
5 changed files with 31 additions and 17 deletions


@ -49,7 +49,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
static final String ATT_SUCCESS_HANDLER_REF = "authentication-success-handler-ref"; static final String ATT_SUCCESS_HANDLER_REF = "authentication-success-handler-ref";
static final String ATT_TOKEN_VALIDITY = "token-validity-seconds"; static final String ATT_TOKEN_VALIDITY = "token-validity-seconds";
static final String ATT_SECURE_COOKIE = "use-secure-cookie"; static final String ATT_SECURE_COOKIE = "use-secure-cookie";
static final String ATT_FORM_PARAMETER = "form-parameter"; static final String ATT_FORM_REMEMBERME_PARAMETER = "rememberme-parameter";
protected final Log logger = LogFactory.getLog(getClass()); protected final Log logger = LogFactory.getLog(getClass());
private final String key; private final String key;
@ -73,7 +73,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
String rememberMeServicesRef = element.getAttribute(ATT_SERVICES_REF); String rememberMeServicesRef = element.getAttribute(ATT_SERVICES_REF);
String tokenValiditySeconds = element.getAttribute(ATT_TOKEN_VALIDITY); String tokenValiditySeconds = element.getAttribute(ATT_TOKEN_VALIDITY);
String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE); String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
String formParameter = element.getAttribute(ATT_FORM_PARAMETER); String remembermeParameter = element.getAttribute(ATT_FORM_REMEMBERME_PARAMETER);
Object source = pc.extractSource(element); Object source = pc.extractSource(element);
RootBeanDefinition services = null; RootBeanDefinition services = null;
@ -84,12 +84,12 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
boolean userServiceSet = StringUtils.hasText(userServiceRef); boolean userServiceSet = StringUtils.hasText(userServiceRef);
boolean useSecureCookieSet = StringUtils.hasText(useSecureCookie); boolean useSecureCookieSet = StringUtils.hasText(useSecureCookie);
boolean tokenValiditySet = StringUtils.hasText(tokenValiditySeconds); boolean tokenValiditySet = StringUtils.hasText(tokenValiditySeconds);
boolean formParameterSet = StringUtils.hasText(formParameter); boolean remembermeParameterSet = StringUtils.hasText(remembermeParameter);
if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || formParameterSet)) { if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || remembermeParameterSet)) {
pc.getReaderContext().error(ATT_SERVICES_REF + " can't be used in combination with attributes " pc.getReaderContext().error(ATT_SERVICES_REF + " can't be used in combination with attributes "
+ ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + ", " + ATT_TOKEN_VALIDITY + ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + ", " + ATT_TOKEN_VALIDITY
+ ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_PARAMETER, source); + ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_REMEMBERME_PARAMETER, source);
} }
if (dataSourceSet && tokenRepoSet) { if (dataSourceSet && tokenRepoSet) {
@ -140,8 +140,8 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity); services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
} }
if (formParameterSet) { if (remembermeParameterSet) {
services.getPropertyValues().addPropertyValue("parameter", formParameter); services.getPropertyValues().addPropertyValue("parameter", remembermeParameter);
} }
services.setSource(source); services.setSource(source);
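Review bot: The renamed constant on the `ATT_FORM_REMEMBERME_PARAMETER = "rememberme-parameter"` line still carries the `FORM_` prefix that the attribute itself just lost, while the locals were renamed to `remembermeParameter`/`remembermeParameterSet`; `static final String ATT_REMEMBERME_PARAMETER = "rememberme-parameter";` keeps the constant, the locals and the attribute name aligned. The rename is also not carried through to the namespace appendix further down this page, whose section id becomes `nsa-remember-me-rememberme-parameter` while its `<title>` still reads `form-parameter`. If `form-parameter` has already shipped in a release (SEC-2119 appears to be the issue that introduced it, so presumably it has not), dropping it without accepting the old attribute as a deprecated alias would silently ignore existing configurations. The enclosing parse method starts before and ends after this section.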


@ -577,7 +577,9 @@ remember-me.attlist &=
remember-me.attlist &= remember-me.attlist &=
## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication. ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication.
attribute authentication-success-handler-ref {xsd:token}? attribute authentication-success-handler-ref {xsd:token}?
remember-me.attlist &=
## The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'.
attribute rememberme-parameter {xsd:token}?
token-repository-ref = token-repository-ref =
## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation. ## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation.


@ -1801,9 +1801,10 @@
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
</xs:attribute> </xs:attribute>
<xs:attribute name="form-parameter" type="xs:token"> <xs:attribute name="rememberme-parameter" type="xs:token">
<xs:annotation> <xs:annotation>
<xs:documentation>The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'. <xs:documentation>The name of the request parameter which toggles remember-me authentication. Defaults to
'_spring_security_remember_me'.
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
</xs:attribute> </xs:attribute>


@ -26,6 +26,7 @@ import org.springframework.security.util.FieldUtils
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
import org.springframework.security.web.authentication.logout.LogoutFilter import org.springframework.security.web.authentication.logout.LogoutFilter
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
@ -213,10 +214,20 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
notThrown BeanDefinitionParsingException notThrown BeanDefinitionParsingException
} }
def 'Default form-parameter is correct'() {
httpAutoConfig () {
'remember-me'()
}
createAppContext(AUTH_PROVIDER_XML)
expect:
rememberMeServices().parameter == AbstractRememberMeServices.DEFAULT_PARAMETER
}
// SEC-2119 // SEC-2119
def 'Custom form-parameter is supported'() { def 'Custom form-parameter is supported'() {
httpAutoConfig () { httpAutoConfig () {
'remember-me'('form-parameter': 'ourParam') 'remember-me'('rememberme-parameter': 'ourParam')
} }
createAppContext(AUTH_PROVIDER_XML) createAppContext(AUTH_PROVIDER_XML)
@ -227,7 +238,7 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
def 'form-parameter cannot be used together with services-ref'() { def 'form-parameter cannot be used together with services-ref'() {
when: when:
httpAutoConfig () { httpAutoConfig () {
'remember-me'('form-parameter': 'ourParam', 'services-ref': 'ourService') 'remember-me'('rememberme-parameter': 'ourParam', 'services-ref': 'ourService')
} }
createAppContext(AUTH_PROVIDER_XML) createAppContext(AUTH_PROVIDER_XML)
then: then:
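Review bot: The three test names still describe the attribute as `form-parameter` (`'Default form-parameter is correct'`, `'Custom form-parameter is supported'`, `'form-parameter cannot be used together with services-ref'`) although their bodies now configure `'rememberme-parameter'`; renaming them to say `rememberme-parameter` keeps the spec output readable when one fails. The new import `import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;` is the only line in the import block with a trailing semicolon, so drop it to match the surrounding Groovy imports. The new default-value test asserts against `AbstractRememberMeServices.DEFAULT_PARAMETER` rather than the literal `'_spring_security_remember_me'` that the rnc and xsd documentation state, so it would not catch the schema documentation drifting from the code; an assertion on the literal would pin the documented default.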


@ -842,7 +842,7 @@
<classname>PersistentTokenBasedRememberMeServices</classname> will be used and configured with a <classname>PersistentTokenBasedRememberMeServices</classname> will be used and configured with a
<classname>JdbcTokenRepositoryImpl</classname> instance. </para> <classname>JdbcTokenRepositoryImpl</classname> instance. </para>
</section> </section>
<section xml:id="nsa-remember-me-form-parameter"> <section xml:id="nsa-remember-me-rememberme-parameter">
<title><literal>form-parameter</literal></title> <title><literal>form-parameter</literal></title>
<para>The name of the request parameter which toggles remember-me authentication. Defaults to "_spring_security_remember_me". <para>The name of the request parameter which toggles remember-me authentication. Defaults to "_spring_security_remember_me".
Maps to the "parameter" property of <classname>AbstractRememberMeServices</classname>.</para> Maps to the "parameter" property of <classname>AbstractRememberMeServices</classname>.</para>