Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-24 21:12:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones.

Browse Source 
Using ":" as the token delimiter means we accidentally mistake the URL for two tokens. This had previously been fixed for http URLs but not https ones.
This commit is contained in:
Luke Taylor 2010-02-15 22:45:49 +00:00
parent 1719bdebeb
commit bd635edc31
2 changed files with 21 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
View File

@ -168,10 +168,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER); String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER);
if (tokens[0].equalsIgnoreCase("http") && tokens[1].startsWith("//")) { if ((tokens[0].equalsIgnoreCase("http") || tokens[0].equalsIgnoreCase("https")) && tokens[1].startsWith("//")) {
// Assume we've accidentally split a URL (OpenID identifier) // Assume we've accidentally split a URL (OpenID identifier)
String[] newTokens = new String[tokens.length - 1]; String[] newTokens = new String[tokens.length - 1];
newTokens[0] = "http:" + tokens[1]; newTokens[0] = tokens[0] + ":" + tokens[1];
System.arraycopy(tokens, 2, newTokens, 1, newTokens.length - 1); System.arraycopy(tokens, 2, newTokens, 1, newTokens.length - 1);
tokens = newTokens; tokens = newTokens;
} }

22
web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
View File

@ -35,21 +35,37 @@ public class AbstractRememberMeServicesTests {
@Test @Test
public void cookieShouldBeCorrectlyEncodedAndDecoded() { public void cookieShouldBeCorrectlyEncodedAndDecoded() {
String[] cookie = new String[] {"http://name", "cookie", "tokens", "blah"}; String[] cookie = new String[] {"name", "cookie", "tokens", "blah"};
MockRememberMeServices services = new MockRememberMeServices(); MockRememberMeServices services = new MockRememberMeServices();
String encoded = services.encodeCookie(cookie); String encoded = services.encodeCookie(cookie);
// '=' aren't alowed in version 0 cookies. // '=' aren't allowed in version 0 cookies.
assertFalse(encoded.endsWith("=")); assertFalse(encoded.endsWith("="));
String[] decoded = services.decodeCookie(encoded); String[] decoded = services.decodeCookie(encoded);
assertEquals(4, decoded.length); assertEquals(4, decoded.length);
assertEquals("http://name", decoded[0]); assertEquals("name", decoded[0]);
assertEquals("cookie", decoded[1]); assertEquals("cookie", decoded[1]);
assertEquals("tokens", decoded[2]); assertEquals("tokens", decoded[2]);
assertEquals("blah", decoded[3]); assertEquals("blah", decoded[3]);
} }
@Test
public void cookieWithOpenIDidentifierAsNameIsEncodedAndDecoded() throws Exception {
String[] cookie = new String[] {"http://id.openid.zz", "cookie", "tokens", "blah"};
MockRememberMeServices services = new MockRememberMeServices();
String[] decoded = services.decodeCookie(services.encodeCookie(cookie));
assertEquals(4, decoded.length);
assertEquals("http://id.openid.zz", decoded[0]);
// Check https (SEC-1410)
cookie[0] = "https://id.openid.zz";
decoded = services.decodeCookie(services.encodeCookie(cookie));
assertEquals(4, decoded.length);
assertEquals("https://id.openid.zz", decoded[0]);
}
@Test @Test
public void autoLoginShouldReturnNullIfNoLoginCookieIsPresented() { public void autoLoginShouldReturnNullIfNoLoginCookieIsPresented() {
MockRememberMeServices services = new MockRememberMeServices(); MockRememberMeServices services = new MockRememberMeServices();