From c261975be0ea9380d0cc633548235786bec4dbf3 Mon Sep 17 00:00:00 2001
From: Adrien SAUVEZ
Date: Fri, 13 May 2016 13:31:18 -0500
Subject: [PATCH] Set cookie domain for cancel remember-me Fixes gh-3871
---
 .../rememberme/AbstractRememberMeServices.java | 4 +++-
 .../rememberme/AbstractRememberMeServicesTests.java | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
index 91ca6a8b2d..56283d3990 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
@@ -364,7 +364,9 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
 Cookie cookie = new Cookie(cookieName, null);
 cookie.setMaxAge(0);
 cookie.setPath(getCookiePath(request));
-
+ if (cookieDomain != null) {
+ cookie.setDomain(cookieDomain);
+ }
 response.addCookie(cookie);
 }
diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
index c7e95893e5..946335a009 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
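Review bot: The new `if (cookieDomain != null)` block in AbstractRememberMeServices.java has no comment saying why the domain must be repeated on the cancellation cookie, and the reason is security-relevant. A browser only discards a stored cookie when the expiring one matches it on name, path and domain, so without the domain a remember-me token issued for a configured domain stays in the browser after logout. I would add above the `if`: `// Must match the domain used when the cookie was issued, or the browser keeps the remember-me token after logout.` The visible lines mirror only path and domain; if the login cookie is issued with further attributes such as Secure, it is worth confirming whether the cancellation cookie should carry them too, since that code is outside this hunk. The enclosing method begins before the hunk.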
@@ -253,6 +253,8 @@ public class AbstractRememberMeServicesTests {
 @Test
 public void logoutShouldCancelCookie() throws Exception {
 MockRememberMeServices services = new MockRememberMeServices(uds);
+ services.setCookieDomain("spring.io");
+
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setContextPath("contextpath");
 request.setCookies(createLoginCookie("cookie:1:2"));
@@ -265,6 +267,10 @@ public class AbstractRememberMeServicesTests {
 services.logout(request, response, null);
 assertCookieCancelled(response);
+
+ Cookie returnedCookie = response.getCookie(
+ AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+ assertThat(returnedCookie.getDomain()).isEqualTo("spring.io");
 }
 @Test(expected = CookieTheftException.class)
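Review bot: The updated `logoutShouldCancelCookie` only exercises the configured-domain branch, so nothing in these two hunks pins the `cookieDomain == null` path, where the cancellation cookie should carry no domain. A sibling test that skips `setCookieDomain` and ends with `assertThat(returnedCookie.getDomain()).isNull();` would cover it. `response.getCookie(...)` can also return null, in which case the test dies with a NullPointerException instead of an assertion message; `assertThat(returnedCookie).isNotNull();` before the domain check makes that failure readable, unless `assertCookieCancelled` (defined outside this hunk) already guarantees the cookie is present.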