SEC-2119: Polish remember-me@rememberme-parameter
- Change form-parameter to rememberme-parameter - Use rnc file for generating the xsd - Add test for default value of rememberme parameter
This commit is contained in:
parent
9eb34fe51c
commit
b014020955
|
@ -49,7 +49,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
|
||||||
static final String ATT_SUCCESS_HANDLER_REF = "authentication-success-handler-ref";
|
static final String ATT_SUCCESS_HANDLER_REF = "authentication-success-handler-ref";
|
||||||
static final String ATT_TOKEN_VALIDITY = "token-validity-seconds";
|
static final String ATT_TOKEN_VALIDITY = "token-validity-seconds";
|
||||||
static final String ATT_SECURE_COOKIE = "use-secure-cookie";
|
static final String ATT_SECURE_COOKIE = "use-secure-cookie";
|
||||||
static final String ATT_FORM_PARAMETER = "form-parameter";
|
static final String ATT_FORM_REMEMBERME_PARAMETER = "rememberme-parameter";
|
||||||
|
|
||||||
protected final Log logger = LogFactory.getLog(getClass());
|
protected final Log logger = LogFactory.getLog(getClass());
|
||||||
private final String key;
|
private final String key;
|
||||||
|
@ -73,7 +73,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
|
||||||
String rememberMeServicesRef = element.getAttribute(ATT_SERVICES_REF);
|
String rememberMeServicesRef = element.getAttribute(ATT_SERVICES_REF);
|
||||||
String tokenValiditySeconds = element.getAttribute(ATT_TOKEN_VALIDITY);
|
String tokenValiditySeconds = element.getAttribute(ATT_TOKEN_VALIDITY);
|
||||||
String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
|
String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
|
||||||
String formParameter = element.getAttribute(ATT_FORM_PARAMETER);
|
String remembermeParameter = element.getAttribute(ATT_FORM_REMEMBERME_PARAMETER);
|
||||||
Object source = pc.extractSource(element);
|
Object source = pc.extractSource(element);
|
||||||
|
|
||||||
RootBeanDefinition services = null;
|
RootBeanDefinition services = null;
|
||||||
|
@ -84,12 +84,12 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
|
||||||
boolean userServiceSet = StringUtils.hasText(userServiceRef);
|
boolean userServiceSet = StringUtils.hasText(userServiceRef);
|
||||||
boolean useSecureCookieSet = StringUtils.hasText(useSecureCookie);
|
boolean useSecureCookieSet = StringUtils.hasText(useSecureCookie);
|
||||||
boolean tokenValiditySet = StringUtils.hasText(tokenValiditySeconds);
|
boolean tokenValiditySet = StringUtils.hasText(tokenValiditySeconds);
|
||||||
boolean formParameterSet = StringUtils.hasText(formParameter);
|
boolean remembermeParameterSet = StringUtils.hasText(remembermeParameter);
|
||||||
|
|
||||||
if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || formParameterSet)) {
|
if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || remembermeParameterSet)) {
|
||||||
pc.getReaderContext().error(ATT_SERVICES_REF + " can't be used in combination with attributes "
|
pc.getReaderContext().error(ATT_SERVICES_REF + " can't be used in combination with attributes "
|
||||||
+ ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + ", " + ATT_TOKEN_VALIDITY
|
+ ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + ", " + ATT_TOKEN_VALIDITY
|
||||||
+ ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_PARAMETER, source);
|
+ ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_REMEMBERME_PARAMETER, source);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (dataSourceSet && tokenRepoSet) {
|
if (dataSourceSet && tokenRepoSet) {
|
||||||
|
@ -140,8 +140,8 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
|
||||||
services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
|
services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (formParameterSet) {
|
if (remembermeParameterSet) {
|
||||||
services.getPropertyValues().addPropertyValue("parameter", formParameter);
|
services.getPropertyValues().addPropertyValue("parameter", remembermeParameter);
|
||||||
}
|
}
|
||||||
|
|
||||||
services.setSource(source);
|
services.setSource(source);
|
||||||
|
|
|
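Review bot: The renamed constant `ATT_FORM_REMEMBERME_PARAMETER` keeps the "FORM" prefix even though the attribute it names is now "rememberme-parameter", which reads as if a separate form-parameter attribute still existed; `static final String ATT_REMEMBERME_PARAMETER = "rememberme-parameter";` would match the sibling constants (`ATT_SECURE_COOKIE`, `ATT_TOKEN_VALIDITY`) and the local `remembermeParameter`. The same constant is referenced in the services-ref conflict message and the `formParameterSet` rename, so the rename is mechanical. If `form-parameter` has already shipped in a release, dropping it from the schema makes existing configurations fail XSD validation at startup rather than silently ignoring the attribute; that is the safer failure mode, but it is worth a line in the release notes. The enclosing `parse` method starts and ends outside these hunks.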
@ -577,7 +577,9 @@ remember-me.attlist &=
|
||||||
remember-me.attlist &=
|
remember-me.attlist &=
|
||||||
## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication.
|
## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication.
|
||||||
attribute authentication-success-handler-ref {xsd:token}?
|
attribute authentication-success-handler-ref {xsd:token}?
|
||||||
|
remember-me.attlist &=
|
||||||
|
## The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'.
|
||||||
|
attribute rememberme-parameter {xsd:token}?
|
||||||
|
|
||||||
token-repository-ref =
|
token-repository-ref =
|
||||||
## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation.
|
## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation.
|
||||||
|
|
|
@ -1801,9 +1801,10 @@
|
||||||
</xs:documentation>
|
</xs:documentation>
|
||||||
</xs:annotation>
|
</xs:annotation>
|
||||||
</xs:attribute>
|
</xs:attribute>
|
||||||
<xs:attribute name="form-parameter" type="xs:token">
|
<xs:attribute name="rememberme-parameter" type="xs:token">
|
||||||
<xs:annotation>
|
<xs:annotation>
|
||||||
<xs:documentation>The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'.
|
<xs:documentation>The name of the request parameter which toggles remember-me authentication. Defaults to
|
||||||
|
'_spring_security_remember_me'.
|
||||||
</xs:documentation>
|
</xs:documentation>
|
||||||
</xs:annotation>
|
</xs:annotation>
|
||||||
</xs:attribute>
|
</xs:attribute>
|
||||||
|
|
|
@ -26,6 +26,7 @@ import org.springframework.security.util.FieldUtils
|
||||||
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
|
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
|
||||||
import org.springframework.security.web.authentication.logout.LogoutFilter
|
import org.springframework.security.web.authentication.logout.LogoutFilter
|
||||||
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
|
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
|
||||||
|
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
|
||||||
import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
|
import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
|
||||||
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
|
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
|
||||||
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
|
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
|
||||||
|
@ -213,10 +214,20 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
|
||||||
notThrown BeanDefinitionParsingException
|
notThrown BeanDefinitionParsingException
|
||||||
}
|
}
|
||||||
|
|
||||||
|
def 'Default form-parameter is correct'() {
|
||||||
|
httpAutoConfig () {
|
||||||
|
'remember-me'()
|
||||||
|
}
|
||||||
|
|
||||||
|
createAppContext(AUTH_PROVIDER_XML)
|
||||||
|
expect:
|
||||||
|
rememberMeServices().parameter == AbstractRememberMeServices.DEFAULT_PARAMETER
|
||||||
|
}
|
||||||
|
|
||||||
// SEC-2119
|
// SEC-2119
|
||||||
def 'Custom form-parameter is supported'() {
|
def 'Custom form-parameter is supported'() {
|
||||||
httpAutoConfig () {
|
httpAutoConfig () {
|
||||||
'remember-me'('form-parameter': 'ourParam')
|
'remember-me'('rememberme-parameter': 'ourParam')
|
||||||
}
|
}
|
||||||
|
|
||||||
createAppContext(AUTH_PROVIDER_XML)
|
createAppContext(AUTH_PROVIDER_XML)
|
||||||
|
@ -227,7 +238,7 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
|
||||||
def 'form-parameter cannot be used together with services-ref'() {
|
def 'form-parameter cannot be used together with services-ref'() {
|
||||||
when:
|
when:
|
||||||
httpAutoConfig () {
|
httpAutoConfig () {
|
||||||
'remember-me'('form-parameter': 'ourParam', 'services-ref': 'ourService')
|
'remember-me'('rememberme-parameter': 'ourParam', 'services-ref': 'ourService')
|
||||||
}
|
}
|
||||||
createAppContext(AUTH_PROVIDER_XML)
|
createAppContext(AUTH_PROVIDER_XML)
|
||||||
then:
|
then:
|
||||||
|
|
|
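Review bot: The feature method names still describe the old attribute: `'Default form-parameter is correct'`, `'Custom form-parameter is supported'` and `'form-parameter cannot be used together with services-ref'` all exercise `rememberme-parameter` now, so the test report will point readers at an attribute that no longer exists in the schema; renaming them to `'Default rememberme-parameter is correct'` etc. keeps the Spock output aligned with the namespace. The added import `import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;` carries a trailing semicolon while the neighbouring Groovy imports do not. The new default-value test relies on `AbstractRememberMeServices.DEFAULT_PARAMETER`, which is a reasonable oracle since it is the constant the namespace documentation claims as the default.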
@ -842,7 +842,7 @@
|
||||||
<classname>PersistentTokenBasedRememberMeServices</classname> will be used and configured with a
|
<classname>PersistentTokenBasedRememberMeServices</classname> will be used and configured with a
|
||||||
<classname>JdbcTokenRepositoryImpl</classname> instance. </para>
|
<classname>JdbcTokenRepositoryImpl</classname> instance. </para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-remember-me-form-parameter">
|
<section xml:id="nsa-remember-me-rememberme-parameter">
|
||||||
<title><literal>form-parameter</literal></title>
|
<title><literal>form-parameter</literal></title>
|
||||||
<para>The name of the request parameter which toggles remember-me authentication. Defaults to "_spring_security_remember_me".
|
<para>The name of the request parameter which toggles remember-me authentication. Defaults to "_spring_security_remember_me".
|
||||||
Maps to the "parameter" property of <classname>AbstractRememberMeServices</classname>.</para>
|
Maps to the "parameter" property of <classname>AbstractRememberMeServices</classname>.</para>
|
||||||
|
|
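Review bot: The section's `xml:id` was changed to `nsa-remember-me-rememberme-parameter` but the visible heading on the next line still reads `<title><literal>form-parameter</literal></title>`, so the reference manual will document an attribute name the schema no longer accepts; it should become `<title><literal>rememberme-parameter</literal></title>`. Any cross-references elsewhere in the manual that link to the old `nsa-remember-me-form-parameter` id would also need updating, though none are visible in this hunk.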