SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones.
Using ":" as the token delimiter means a username of this form is mistakenly split into two tokens at the scheme separator. This had previously been fixed for http URLs but not https ones.
parent
1719bdebeb
commit
bd635edc31
@ -168,10 +168,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
|
|||
|
||||
String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER);
|
||||
|
||||
if (tokens[0].equalsIgnoreCase("http") && tokens[1].startsWith("//")) {
|
||||
if ((tokens[0].equalsIgnoreCase("http") || tokens[0].equalsIgnoreCase("https")) && tokens[1].startsWith("//")) {
|
||||
// Assume we've accidentally split a URL (OpenID identifier)
|
||||
String[] newTokens = new String[tokens.length - 1];
|
||||
newTokens[0] = "http:" + tokens[1];
|
||||
newTokens[0] = tokens[0] + ":" + tokens[1];
|
||||
System.arraycopy(tokens, 2, newTokens, 1, newTokens.length - 1);
|
||||
tokens = newTokens;
|
||||
}
|
||||
|
|
|
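Review bot: The widened condition still reads `tokens[1]` without checking that the split produced more than one token, so a cookie whose decoded plaintext is just `http` or `https` makes `tokens[1]` throw ArrayIndexOutOfBoundsException instead of the InvalidCookieException the caller presumably expects; `cookieAsPlainText` appears to be derived from the client-supplied cookie, so this is reachable by anyone who can set a cookie. Guard the length first: `if (tokens.length > 1 && (tokens[0].equalsIgnoreCase("http") || tokens[0].equalsIgnoreCase("https")) && tokens[1].startsWith("//")) {`. Note also that this heuristic only re-joins the colon after the scheme, so an identifier containing a further `:` (e.g. an explicit port) would still be split into extra tokens; a comment such as `// Only the scheme separator is re-joined; any other ':' in the identifier still splits the token` would make that limitation explicit. The enclosing method starts before this hunk and continues after it.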
@ -35,21 +35,37 @@ public class AbstractRememberMeServicesTests {
|
|||
|
||||
@Test
|
||||
public void cookieShouldBeCorrectlyEncodedAndDecoded() {
|
||||
String[] cookie = new String[] {"http://name", "cookie", "tokens", "blah"};
|
||||
String[] cookie = new String[] {"name", "cookie", "tokens", "blah"};
|
||||
MockRememberMeServices services = new MockRememberMeServices();
|
||||
|
||||
String encoded = services.encodeCookie(cookie);
|
||||
// '=' aren't alowed in version 0 cookies.
|
||||
// '=' aren't allowed in version 0 cookies.
|
||||
assertFalse(encoded.endsWith("="));
|
||||
String[] decoded = services.decodeCookie(encoded);
|
||||
|
||||
assertEquals(4, decoded.length);
|
||||
assertEquals("http://name", decoded[0]);
|
||||
assertEquals("name", decoded[0]);
|
||||
assertEquals("cookie", decoded[1]);
|
||||
assertEquals("tokens", decoded[2]);
|
||||
assertEquals("blah", decoded[3]);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void cookieWithOpenIDidentifierAsNameIsEncodedAndDecoded() throws Exception {
|
||||
String[] cookie = new String[] {"http://id.openid.zz", "cookie", "tokens", "blah"};
|
||||
MockRememberMeServices services = new MockRememberMeServices();
|
||||
|
||||
String[] decoded = services.decodeCookie(services.encodeCookie(cookie));
|
||||
assertEquals(4, decoded.length);
|
||||
assertEquals("http://id.openid.zz", decoded[0]);
|
||||
|
||||
// Check https (SEC-1410)
|
||||
cookie[0] = "https://id.openid.zz";
|
||||
decoded = services.decodeCookie(services.encodeCookie(cookie));
|
||||
assertEquals(4, decoded.length);
|
||||
assertEquals("https://id.openid.zz", decoded[0]);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void autoLoginShouldReturnNullIfNoLoginCookieIsPresented() {
|
||||
MockRememberMeServices services = new MockRememberMeServices();
|
||||
|
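Review bot: The new OpenID test asserts only the array length and `decoded[0]` for both the http and https identifiers, so a mis-shifted `System.arraycopy` that kept the length but moved the trailing values would pass unnoticed; add `assertEquals("cookie", decoded[1]); assertEquals("tokens", decoded[2]); assertEquals("blah", decoded[3]);` after each decode. There is also no negative case for a single-token cookie such as `http` alone, which the re-join branch dereferences as `tokens[1]`; a test feeding an encoded one-token value would pin whether decodeCookie fails with InvalidCookieException rather than an unchecked index error. The test class continues beyond this hunk.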