SEC-2119: Polish remember-me@rememberme-parameter

- Change form-parameter to rememerme-parameter - Use rnc file for generating the xsd - Add test for deafult value of rememberme parameter
2013-03-01 16:31:39 -06:00 · 2013-03-01 16:31:39 -06:00 · b014020955
parent 9eb34fe51c
commit b014020955
5 changed files with 31 additions and 17 deletions
--- a/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java
@ -49,7 +49,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
    static final String ATT_SUCCESS_HANDLER_REF = "authentication-success-handler-ref";
    static final String ATT_TOKEN_VALIDITY = "token-validity-seconds";
    static final String ATT_SECURE_COOKIE = "use-secure-cookie";
-    static final String ATT_FORM_PARAMETER = "form-parameter";
+    static final String ATT_FORM_REMEMBERME_PARAMETER = "rememberme-parameter";
    protected final Log logger = LogFactory.getLog(getClass());
    private final String key;
@ -73,7 +73,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
        String rememberMeServicesRef = element.getAttribute(ATT_SERVICES_REF);
        String tokenValiditySeconds = element.getAttribute(ATT_TOKEN_VALIDITY);
        String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
-        String formParameter = element.getAttribute(ATT_FORM_PARAMETER);
+        String remembermeParameter = element.getAttribute(ATT_FORM_REMEMBERME_PARAMETER);
        Object source = pc.extractSource(element);
        RootBeanDefinition services = null;
@ -84,12 +84,12 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
        boolean userServiceSet = StringUtils.hasText(userServiceRef);
        boolean useSecureCookieSet = StringUtils.hasText(useSecureCookie);
        boolean tokenValiditySet = StringUtils.hasText(tokenValiditySeconds);
-        boolean formParameterSet = StringUtils.hasText(formParameter);
+        boolean remembermeParameterSet = StringUtils.hasText(remembermeParameter);
-        if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || formParameterSet)) {
+        if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || remembermeParameterSet)) {
            pc.getReaderContext().error(ATT_SERVICES_REF + " can't be used in combination with attributes "
                    + ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + ", " + ATT_TOKEN_VALIDITY
-                    + ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_PARAMETER, source);
+                    + ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_REMEMBERME_PARAMETER, source);
        }
        if (dataSourceSet && tokenRepoSet) {
@ -140,8 +140,8 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
                services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
            }
-            if (formParameterSet) {
+            if (remembermeParameterSet) {
-                services.getPropertyValues().addPropertyValue("parameter", formParameter);
+                services.getPropertyValues().addPropertyValue("parameter", remembermeParameter);
            }
            services.setSource(source);
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc
@ -577,7 +577,9 @@ remember-me.attlist &=
 remember-me.attlist &=
    ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication.
    attribute authentication-success-handler-ref {xsd:token}?
-
+remember-me.attlist &=
    ## The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'.
    attribute rememberme-parameter {xsd:token}?
 token-repository-ref =
    ## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation.
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
@ -1801,11 +1801,12 @@
                </xs:documentation>
         </xs:annotation>
      </xs:attribute>
-      <xs:attribute name="form-parameter" type="xs:token">
+      <xs:attribute name="rememberme-parameter" type="xs:token">
-          <xs:annotation>
+         <xs:annotation>
-              <xs:documentation>The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'.
+            <xs:documentation>The name of the request parameter which toggles remember-me authentication. Defaults to
-              </xs:documentation>
+                '_spring_security_remember_me'.
-          </xs:annotation>
+                </xs:documentation>
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
  <xs:attributeGroup name="token-repository-ref">
--- a/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy
@ -26,6 +26,7 @@ import org.springframework.security.util.FieldUtils
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
 import org.springframework.security.web.authentication.logout.LogoutFilter
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
 import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
 import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
@ -213,10 +214,20 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
        notThrown BeanDefinitionParsingException
    }
    def 'Default form-parameter is correct'() {
        httpAutoConfig () {
            'remember-me'()
        }
        createAppContext(AUTH_PROVIDER_XML)
        expect:
        rememberMeServices().parameter == AbstractRememberMeServices.DEFAULT_PARAMETER
    }
    // SEC-2119
    def 'Custom form-parameter is supported'() {
        httpAutoConfig () {
-            'remember-me'('form-parameter': 'ourParam')
+            'remember-me'('rememberme-parameter': 'ourParam')
        }
        createAppContext(AUTH_PROVIDER_XML)
@ -227,7 +238,7 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
    def 'form-parameter cannot be used together with services-ref'() {
        when:
        httpAutoConfig () {
-            'remember-me'('form-parameter': 'ourParam', 'services-ref': 'ourService')
+            'remember-me'('rememberme-parameter': 'ourParam', 'services-ref': 'ourService')
        }
        createAppContext(AUTH_PROVIDER_XML)
        then:
--- a/docs/manual/src/docbook/appendix-namespace.xml
+++ b/docs/manual/src/docbook/appendix-namespace.xml
@ -842,7 +842,7 @@
                        <classname>PersistentTokenBasedRememberMeServices</classname> will be used and configured with a
                        <classname>JdbcTokenRepositoryImpl</classname> instance. </para>
                </section>
-                <section xml:id="nsa-remember-me-form-parameter">
+                <section xml:id="nsa-remember-me-rememberme-parameter">
                    <title><literal>form-parameter</literal></title>
                    <para>The name of the request parameter which toggles remember-me authentication. Defaults to "_spring_security_remember_me".
                        Maps to the "parameter" property of <classname>AbstractRememberMeServices</classname>.</para>