From bc6878c1c5c6e47dedcd4fb2d95e5e85bbd11980 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Fri, 5 Dec 2008 16:36:43 +0000 Subject: [PATCH] SEC-1044: Removed remember-me functionality from http auto-config namespace configuration. Added explicit elements to contacts and tutorial sample configurations. --- .../HttpSecurityBeanDefinitionParser.java | 2 +- ...HttpSecurityBeanDefinitionParserTests.java | 34 ++++++++++--------- .../WEB-INF/applicationContext-security.xml | 1 + .../WEB-INF/applicationContext-security.xml | 1 + 4 files changed, 21 insertions(+), 17 deletions(-) diff --git a/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java b/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java index d34c907af0..01e5cb957b 100644 --- a/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java +++ b/core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java @@ -192,7 +192,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { Element rememberMeElt = DomUtils.getChildElementByTagName(elt, Elements.REMEMBER_ME); String rememberMeServices = null; - if (rememberMeElt != null || autoConfig) { + if (rememberMeElt != null) { RememberMeBeanDefinitionParser rmbdp = new RememberMeBeanDefinitionParser(); rmbdp.parse(rememberMeElt, pc); rememberMeServices = rmbdp.getServicesName(); diff --git a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java index fb66965c1c..b409a4e8f0 100644 --- a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java +++ b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java 
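Review bot: The narrowed check `if (rememberMeElt != null)` has no comment recording why auto-config is excluded, and that exclusion is the security decision of this commit: a remember-me cookie keeps a user authenticated beyond the session, so it should exist only when the configuration asks for it. I would put `// SEC-1044: remember-me is opt-in; auto-config must not enable persistent logins implicitly` above the condition so that `|| autoConfig` is not restored by a later cleanup. Applications that relied on auto-config alone lose remember-me on upgrade with nothing in the logs to say so, which probably deserves a release note or a debug message next to this check. The enclosing method starts and ends outside the hunk.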
@@ -1,6 +1,11 @@ package org.springframework.security.config; -import static org.junit.Assert.*; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertSame; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML; import java.lang.reflect.Method; @@ -39,10 +44,7 @@ import org.springframework.security.ui.basicauth.BasicProcessingFilter; import org.springframework.security.ui.logout.LogoutFilter; import org.springframework.security.ui.logout.LogoutHandler; import org.springframework.security.ui.preauth.x509.X509PreAuthenticatedProcessingFilter; -import org.springframework.security.ui.rememberme.NullRememberMeServices; import org.springframework.security.ui.rememberme.PersistentTokenBasedRememberMeServices; -import org.springframework.security.ui.rememberme.RememberMeProcessingFilter; -import org.springframework.security.ui.rememberme.RememberMeServices; import org.springframework.security.ui.webapp.AuthenticationProcessingFilter; import org.springframework.security.ui.webapp.DefaultLoginPageGeneratingFilter; import org.springframework.security.util.FieldUtils; @@ -58,9 +60,9 @@ import org.springframework.util.ReflectionUtils; * @version $Id$ */ public class HttpSecurityBeanDefinitionParserTests { + private static final int AUTO_CONFIG_FILTERS = 10; private AbstractXmlApplicationContext appContext; - @After public void closeAppContext() { if (appContext != null) { 
@@ -83,7 +85,7 @@ public class HttpSecurityBeanDefinitionParserTests { checkAutoConfigFilters(filterList); assertEquals(true, FieldUtils.getFieldValue(appContext.getBean("_filterChainProxy"), "stripQueryStringFromUrls")); - assertEquals(true, FieldUtils.getFieldValue(filterList.get(10), "objectDefinitionSource.stripQueryStringFromUrls")); + assertEquals(true, FieldUtils.getFieldValue(filterList.get(AUTO_CONFIG_FILTERS-1), "objectDefinitionSource.stripQueryStringFromUrls")); } @Test(expected=BeanDefinitionParsingException.class) @@ -92,7 +94,7 @@ public class HttpSecurityBeanDefinitionParserTests { } private void checkAutoConfigFilters(List filterList) throws Exception { - assertEquals("Expected 11 filters in chain", 11, filterList.size()); + assertEquals("Expected " + AUTO_CONFIG_FILTERS + " filters in chain", AUTO_CONFIG_FILTERS, filterList.size()); Iterator filters = filterList.iterator(); 
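Review bot: `filterList.get(AUTO_CONFIG_FILTERS-1)` still selects the filter by position, only spelled as count arithmetic, so the next change to the auto-config chain means re-deriving every offset by hand. The same pattern appears in the hunks at -141 (`allFilters.get(AUTO_CONFIG_FILTERS-1)`) and -545 (`get(AUTO_CONFIG_FILTERS-3)` cast to ExceptionTranslationFilter), where a shifted chain would surface as a ClassCastException rather than a readable assertion failure. For the last element `filterList.get(filterList.size() - 1)` states the intent directly, and for the -545 case a lookup by type would be more robust than an offset from the end. The constant itself (added in the -58 hunk) would benefit from a comment such as `// number of filters installed by <http auto-config='true'>; remember-me is no longer among them (SEC-1044)`.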
@@ -101,14 +103,14 @@ public class HttpSecurityBeanDefinitionParserTests { Object authProcFilter = filters.next(); assertTrue(authProcFilter instanceof AuthenticationProcessingFilter); // Check RememberMeServices has been set on AuthenticationProcessingFilter - Object rms = FieldUtils.getFieldValue(authProcFilter, "rememberMeServices"); - assertNotNull(rms); - assertTrue(rms instanceof RememberMeServices); - assertFalse(rms instanceof NullRememberMeServices); + //Object rms = FieldUtils.getFieldValue(authProcFilter, "rememberMeServices"); + //assertNotNull(rms); + //assertTrue(rms instanceof RememberMeServices); + //assertFalse(rms instanceof NullRememberMeServices); assertTrue(filters.next() instanceof DefaultLoginPageGeneratingFilter); assertTrue(filters.next() instanceof BasicProcessingFilter); assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter); - assertTrue(filters.next() instanceof RememberMeProcessingFilter); + //assertTrue(filters.next() instanceof RememberMeProcessingFilter); assertTrue(filters.next() instanceof AnonymousProcessingFilter); assertTrue(filters.next() instanceof ExceptionTranslationFilter); assertTrue(filters.next() instanceof SessionFixationProtectionFilter); @@ -141,7 +143,7 @@ public class HttpSecurityBeanDefinitionParserTests { List allFilters = getFilters("/ImCaughtByTheUniversalMatchPattern"); checkAutoConfigFilters(allFilters); assertEquals(false, FieldUtils.getFieldValue(appContext.getBean("_filterChainProxy"), "stripQueryStringFromUrls")); - assertEquals(false, FieldUtils.getFieldValue(allFilters.get(10), "objectDefinitionSource.stripQueryStringFromUrls")); + assertEquals(false, FieldUtils.getFieldValue(allFilters.get(AUTO_CONFIG_FILTERS-1), "objectDefinitionSource.stripQueryStringFromUrls")); } @Test 
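Review bot: The remember-me assertions in checkAutoConfigFilters are commented out rather than replaced, so no test pins the new default, and the surviving comment `// Check RememberMeServices has been set on AuthenticationProcessingFilter` now describes the opposite of the intended behaviour. The size check and the ordered instanceof walk would still catch a RememberMeProcessingFilter reappearing in the chain, but the services object held by the AuthenticationProcessingFilter is no longer checked at all. I would delete the dead lines and assert the negative, for example `assertTrue(FieldUtils.getFieldValue(authProcFilter, "rememberMeServices") instanceof NullRememberMeServices);`. That assumes the filter falls back to NullRememberMeServices when nothing is configured, which is not visible here, and it needs the NullRememberMeServices import that this commit removes. The method body continues outside the hunk.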
@@ -282,7 +284,7 @@ public class HttpSecurityBeanDefinitionParserTests { " " + AUTH_PROVIDER_XML); List filters = getFilters("/someurl"); - assertEquals("Expected 12 filters in chain", 12, filters.size()); + assertEquals("Expected " + (AUTO_CONFIG_FILTERS + 1) +" filters in chain", AUTO_CONFIG_FILTERS + 1, filters.size()); assertTrue(filters.get(0) instanceof ChannelProcessingFilter); } @@ -349,7 +351,7 @@ public class HttpSecurityBeanDefinitionParserTests { ); List filters = getFilters("/someurl"); - assertEquals(14, filters.size()); + assertEquals(AUTO_CONFIG_FILTERS + 3, filters.size()); assertTrue(filters.get(0) instanceof MockFilter); assertTrue(filters.get(1) instanceof SecurityContextHolderAwareRequestFilter); assertTrue(filters.get(4) instanceof SecurityContextHolderAwareRequestFilter); @@ -545,7 +547,7 @@ public class HttpSecurityBeanDefinitionParserTests { "" + " " + "" + AUTH_PROVIDER_XML); - ExceptionTranslationFilter etf = (ExceptionTranslationFilter) getFilters("/someurl").get(8); + ExceptionTranslationFilter etf = (ExceptionTranslationFilter) getFilters("/someurl").get(AUTO_CONFIG_FILTERS-3); assertTrue("ExceptionTranslationFilter should be configured with custom entry point", etf.getAuthenticationEntryPoint() instanceof MockAuthenticationEntryPoint); } diff --git a/samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml b/samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml index 20866363d8..9c5741a0ea 100644 --- a/samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml +++ b/samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml @@ -29,6 +29,7 @@ + diff --git a/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml b/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml index e9bfb4764e..b4e3a83f67 100644 --- a/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml 
+++ b/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml @@ -26,6 +26,7 @@ --> +