SEC-473: Reduce the number of "cookie methods" in AbstractRememberMeServices.

2008-01-29 22:28:04 +00:00 · 2008-01-29 22:28:04 +00:00 · c7754d7bee
parent 00b5c0e61b
commit c7754d7bee
4 changed files with 37 additions and 20 deletions
--- a/core/src/main/java/org/springframework/security/ui/rememberme/AbstractRememberMeServices.java
+++ b/core/src/main/java/org/springframework/security/ui/rememberme/AbstractRememberMeServices.java
@ -264,28 +264,40 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
    protected abstract UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request,
            HttpServletResponse response) throws RememberMeAuthenticationException, UsernameNotFoundException;

+    /**
+     * Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins.
+     *
+     * @param request
+     * @param response
+     */
    protected void cancelCookie(HttpServletRequest request, HttpServletResponse response) {
        logger.debug("Cancelling cookie");
-
-        response.addCookie(makeCancelCookie(request));
-    }
-
-    protected Cookie makeCancelCookie(HttpServletRequest request) {
        Cookie cookie = new Cookie(cookieName, null);
        cookie.setMaxAge(0);
        cookie.setPath(StringUtils.hasLength(request.getContextPath()) ? request.getContextPath() : "/");

-        return cookie;
+        response.addCookie(cookie);
    }

-    protected Cookie makeValidCookie(String value, HttpServletRequest request, int maxAge) {
-        Cookie cookie = new Cookie(cookieName, value);
+    /**
+     * Sets the cookie on the response
+     *
+     * @param tokens the tokens which will be encoded to make the cookie value.
+     * @param maxAge the value passed to {@link Cookie#setMaxAge(int)}
+     * @param request the request
+     * @param response the response to add the cookie to.
+     */
+    protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request, HttpServletResponse response) {
+        String cookieValue = encodeCookie(tokens);
+        Cookie cookie = new Cookie(cookieName, cookieValue);
        cookie.setMaxAge(maxAge);
        cookie.setPath(StringUtils.hasLength(request.getContextPath()) ? request.getContextPath() : "/");
-
-        return cookie;
+        response.addCookie(cookie);
    }

+    /**
+     * Implementation of <tt>LogoutHandler</tt>. Default behaviour is to call <tt>cancelCookie()</tt>.
+     */
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        if (logger.isDebugEnabled()) {
            logger.debug( "Logout of user "
--- a/core/src/main/java/org/springframework/security/ui/rememberme/PersistentTokenBasedRememberMeServices.java
+++ b/core/src/main/java/org/springframework/security/ui/rememberme/PersistentTokenBasedRememberMeServices.java
@ -151,8 +151,7 @@ public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeSe
    }

    private void addCookie(PersistentRememberMeToken token, HttpServletRequest request, HttpServletResponse response) {
-        String cookieValue = encodeCookie(new String[] {token.getSeries(), token.getTokenValue()});
-        response.addCookie(makeValidCookie(cookieValue, request, getTokenValiditySeconds()));
+        setCookie(new String[] {token.getSeries(), token.getTokenValue()},getTokenValiditySeconds(), request, response);
    }

    public void setTokenRepository(PersistentTokenRepository tokenRepository) {
--- a/core/src/main/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServices.java
+++ b/core/src/main/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServices.java
@ -162,9 +162,8 @@ public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
        long expiryTime = System.currentTimeMillis() + 1000*tokenLifetime;

        String signatureValue = makeTokenSignature(expiryTime, username, password);
-        String cookieValue = encodeCookie(new String[] {username, Long.toString(expiryTime), signatureValue});

-        response.addCookie(makeValidCookie(cookieValue, request, tokenLifetime));
+        setCookie(new String[] {username, Long.toString(expiryTime), signatureValue}, tokenLifetime, request, response);

 		if (logger.isDebugEnabled()) {
 			logger.debug("Added remember-me cookie for user '" + username + "', expiry: '"
--- a/core/src/test/java/org/springframework/security/ui/rememberme/AbstractRememberMeServicesTests.java
+++ b/core/src/test/java/org/springframework/security/ui/rememberme/AbstractRememberMeServicesTests.java
@ -206,16 +206,23 @@ public class AbstractRememberMeServicesTests {
    }

    @Test
-    public void makeValidCookieUsesCorrectNamePathAndValue() {
+    public void setCookieUsesCorrectNamePathAndValue() {
        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
        request.setContextPath("contextpath");
-        MockRememberMeServices services = new MockRememberMeServices();
+        MockRememberMeServices services = new MockRememberMeServices() {
+            protected String encodeCookie(String[] cookieTokens) {
+                return cookieTokens[0];
+            }
+        };
        services.setCookieName("mycookiename");
-        Cookie cookie = services.makeValidCookie("mycookie", request, 1000);
+        services.setCookie(new String[] {"mycookie"}, 1000, request, response);
+        Cookie cookie = response.getCookie("mycookiename");

-        assertTrue(cookie.getValue().equals("mycookie"));
-        assertTrue(cookie.getName().equals("mycookiename"));
-        assertTrue(cookie.getPath().equals("contextpath"));
+        assertNotNull(cookie);
+        assertEquals("mycookie", cookie.getValue());
+        assertEquals("mycookiename", cookie.getName());
+        assertEquals("contextpath", cookie.getPath());

    }