SEC-949: Added the option of specifying -1 as the token-validity-seconds value in order to set the cookie maxAge to expire when the browser closes.

This commit is contained in:
Luke Taylor 2008-12-17 00:14:48 +00:00
parent c2e688610c
commit db5f1e69f1
8 changed files with 112 additions and 47 deletions

View File

@ -98,7 +98,12 @@ public class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
}
if (tokenValiditySet) {
services.getPropertyValues().addPropertyValue("tokenValiditySeconds", new Integer(tokenValiditySeconds));
Integer tokenValidity = new Integer(tokenValiditySeconds);
if (tokenValidity.intValue() < 0 && isPersistent) {
parserContext.getReaderContext().error(ATT_TOKEN_VALIDITY + " cannot be negative if using" +
" a persistent remember-me token repository", source);
}
services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
}
services.setSource(source);
services.getPropertyValues().addPropertyValue(ATT_KEY, key);

View File

@ -36,6 +36,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
public static final String SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY = "SPRING_SECURITY_REMEMBER_ME_COOKIE";
public static final String DEFAULT_PARAMETER = "_spring_security_remember_me";
public static final int TWO_WEEKS_S = 1209600;
private static final String DELIMITER = ":";
@ -52,7 +53,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
private String parameter = DEFAULT_PARAMETER;
private boolean alwaysRemember;
private String key;
private int tokenValiditySeconds = 1209600; // 14 days
private int tokenValiditySeconds = TWO_WEEKS_S;
public void afterPropertiesSet() throws Exception {
Assert.hasLength(key);

View File

@ -1,17 +1,18 @@
package org.springframework.security.ui.rememberme;
import org.springframework.security.Authentication;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.dao.DataAccessException;
import org.apache.commons.codec.binary.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Date;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.springframework.dao.DataAccessException;
import org.springframework.security.Authentication;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.util.Assert;
/**
* {@link RememberMeServices} implementation based on Barry Jaspan's
* <a href="http://jaspan.com/improved_persistent_login_cookie_best_practice">Improved Persistent Login Cookie
@ -164,4 +165,10 @@ public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeSe
public void setTokenLength(int tokenLength) {
this.tokenLength = tokenLength;
}
@Override
public void setTokenValiditySeconds(int tokenValiditySeconds) {
Assert.isTrue(tokenValiditySeconds > 0, "tokenValiditySeconds must be positive for this implementation");
super.setTokenValiditySeconds(tokenValiditySeconds);
}
}

View File

@ -68,7 +68,9 @@ import java.util.Date;
* require a more secure remember-me approach (see {@link PersistentTokenBasedRememberMeServices}).
* <p>
* By default the tokens will be valid for 14 days from the last successful authentication attempt. This can be changed
* using {@link #setTokenValiditySeconds(int)}.
* using {@link #setTokenValiditySeconds(int)}. If this value is less than zero, the <tt>expiryTime</tt> will remain at
* 14 days, but the negative value will be used for the <tt>maxAge</tt> property of the cookie, meaning that it will
* not be stored when the browser is closed.
*
*
* @author Ben Alex
@ -147,7 +149,9 @@ public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
}
int tokenLifetime = calculateLoginLifetime(request, successfulAuthentication);
long expiryTime = System.currentTimeMillis() + 1000L*tokenLifetime;
long expiryTime = System.currentTimeMillis();
// SEC-949
expiryTime += 1000L* (tokenLifetime < 0 ? TWO_WEEKS_S : tokenLifetime);
String signatureValue = makeTokenSignature(expiryTime, username, password);

View File

@ -16,7 +16,7 @@ path-type =
attribute path-type {"ant" | "regex"}
port =
## Specifies an IP port number. Used to configure an embedded LDAP server, for example.
attribute port { xsd:integer }
attribute port { xsd:positiveInteger }
url =
## Specifies a URL.
attribute url { xsd:string }
@ -258,6 +258,10 @@ http.attlist &=
http.attlist &=
## Allows the access denied page to be set (the user will be redirected here if an AccessDeniedException is raised).
attribute access-denied-page {xsd:string}?
http.attlist &=
##
attribute disable-url-rewriting {boolean}?
intercept-url =
## Specifies the access attributes and/or filter list for a particular set of URLs.
@ -389,8 +393,8 @@ remember-me.attlist &=
user-service-ref?
remember-me.attlist &=
## The period (in seconds) for which the remember-me cookie should be valid.
attribute token-validity-seconds {xsd:positiveInteger}?
## The period (in seconds) for which the remember-me cookie should be valid. If set to a negative value
attribute token-validity-seconds {xsd:integer}?
token-repository-ref =
## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation.

View File

@ -51,7 +51,7 @@
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="port">
<xs:attribute name="port" use="required" type="xs:integer">
<xs:attribute name="port" use="required" type="xs:positiveInteger">
<xs:annotation>
<xs:documentation>Specifies an IP port number. Used to configure an embedded LDAP
server, for example.</xs:documentation>
@ -206,7 +206,7 @@
<xs:documentation>Specifies a URL.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="port" type="xs:integer">
<xs:attribute name="port" type="xs:positiveInteger">
<xs:annotation>
<xs:documentation>Specifies an IP port number. Used to configure an embedded LDAP
server, for example.</xs:documentation>
@ -890,6 +890,11 @@
here if an AccessDeniedException is raised).</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="disable-url-rewriting" type="security:boolean">
<xs:annotation>
<xs:documentation> </xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>
<xs:attributeGroup name="intercept-url.attlist">
<xs:attribute name="pattern" use="required" type="xs:string">
@ -1187,10 +1192,10 @@
Id</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="token-validity-seconds" type="xs:positiveInteger">
<xs:attribute name="token-validity-seconds" type="xs:integer">
<xs:annotation>
<xs:documentation>The period (in seconds) for which the remember-me cookie should be
valid. </xs:documentation>
valid. If set to a negative value</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:attributeGroup>

View File

@ -370,11 +370,11 @@ public class HttpSecurityBeanDefinitionParserTests {
@Test
public void rememberMeServiceWorksWithTokenRepoRef() {
setContext(
"<http auto-config='true'>" +
" <remember-me token-repository-ref='tokenRepo'/>" +
"</http>" +
"<b:bean id='tokenRepo' " +
"class='org.springframework.security.ui.rememberme.InMemoryTokenRepositoryImpl'/> " + AUTH_PROVIDER_XML);
"<http auto-config='true'>" +
" <remember-me token-repository-ref='tokenRepo'/>" +
"</http>" +
"<b:bean id='tokenRepo' " +
"class='org.springframework.security.ui.rememberme.InMemoryTokenRepositoryImpl'/> " + AUTH_PROVIDER_XML);
Object rememberMeServices = appContext.getBean(BeanIds.REMEMBER_ME_SERVICES);
assertTrue(rememberMeServices instanceof PersistentTokenBasedRememberMeServices);
@ -394,7 +394,6 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(rememberMeServices instanceof PersistentTokenBasedRememberMeServices);
}
@Test
public void rememberMeServiceWorksWithExternalServicesImpl() throws Exception {
setContext(
@ -426,6 +425,26 @@ public class HttpSecurityBeanDefinitionParserTests {
"tokenValiditySeconds"));
}
@Test
public void rememberMeTokenValidityAllowsNegativeValueForNonPersistentImplementation() throws Exception {
setContext(
"<http auto-config='true'>" +
" <remember-me key='ourkey' token-validity-seconds='-1' />" +
"</http>" + AUTH_PROVIDER_XML);
assertEquals(-1, FieldUtils.getFieldValue(appContext.getBean(BeanIds.REMEMBER_ME_SERVICES),
"tokenValiditySeconds"));
}
@Test(expected=BeanDefinitionParsingException.class)
public void rememberMeTokenValidityRejectsNegativeValueForPersistentImplementation() throws Exception {
setContext(
"<http auto-config='true'>" +
" <remember-me token-validity-seconds='-1' token-repository-ref='tokenRepo'/>" +
"</http>" +
"<b:bean id='tokenRepo' class='org.springframework.security.ui.rememberme.InMemoryTokenRepositoryImpl'/> " +
AUTH_PROVIDER_XML);
}
@Test
public void rememberMeServiceConfigurationParsesWithCustomUserService() {
setContext(

View File

@ -16,6 +16,7 @@
package org.springframework.security.ui.rememberme;
import static org.junit.Assert.*;
import static org.springframework.security.ui.rememberme.TokenBasedRememberMeServices.*;
import java.util.Date;
@ -102,7 +103,7 @@ public class TokenBasedRememberMeServicesTests {
Authentication result = services.autoLogin(new MockHttpServletRequest(), response);
assertNull(result);
// No cookie set
assertNull(response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
}
@Test
@ -115,12 +116,12 @@ public class TokenBasedRememberMeServicesTests {
Authentication result = services.autoLogin(request, response);
assertNull(result);
assertNull(response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
}
@Test
public void autoLoginReturnsNullForExpiredCookieAndClearsCookie() throws Exception {
Cookie cookie = new Cookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() - 1000000, "someone", "password", "key"));
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -128,14 +129,14 @@ public class TokenBasedRememberMeServicesTests {
MockHttpServletResponse response = new MockHttpServletResponse();
assertNull(services.autoLogin(request, response));
Cookie returnedCookie = response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
Cookie returnedCookie = response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertNotNull(returnedCookie);
assertEquals(0, returnedCookie.getMaxAge());
}
@Test
public void autoLoginReturnsNullAndClearsCookieIfMissingThreeTokensInCookieValue() throws Exception {
Cookie cookie = new Cookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
new String(Base64.encodeBase64("x".getBytes())));
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -143,14 +144,14 @@ public class TokenBasedRememberMeServicesTests {
MockHttpServletResponse response = new MockHttpServletResponse();
assertNull(services.autoLogin(request, response));
Cookie returnedCookie = response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
Cookie returnedCookie = response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertNotNull(returnedCookie);
assertEquals(0, returnedCookie.getMaxAge());
}
@Test
public void autoLoginClearsNonBase64EncodedCookie() throws Exception {
Cookie cookie = new Cookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
"NOT_BASE_64_ENCODED");
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -158,7 +159,7 @@ public class TokenBasedRememberMeServicesTests {
MockHttpServletResponse response = new MockHttpServletResponse();
assertNull(services.autoLogin(request, response));
Cookie returnedCookie = response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
Cookie returnedCookie = response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertNotNull(returnedCookie);
assertEquals(0, returnedCookie.getMaxAge());
}
@ -166,7 +167,7 @@ public class TokenBasedRememberMeServicesTests {
@Test
public void autoLoginClearsCookieIfSignatureBlocksDoesNotMatchExpectedValue() throws Exception {
jmock.checking(udsWillReturnUser);
Cookie cookie = new Cookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password",
"WRONG_KEY"));
MockHttpServletRequest request = new MockHttpServletRequest();
@ -176,14 +177,14 @@ public class TokenBasedRememberMeServicesTests {
assertNull(services.autoLogin(request, response));
Cookie returnedCookie = response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
Cookie returnedCookie = response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertNotNull(returnedCookie);
assertEquals(0, returnedCookie.getMaxAge());
}
@Test
public void autoLoginClearsCookieIfTokenDoesNotContainANumberInCookieValue() throws Exception {
Cookie cookie = new Cookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
new String(Base64.encodeBase64("username:NOT_A_NUMBER:signature".getBytes())));
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -191,7 +192,7 @@ public class TokenBasedRememberMeServicesTests {
MockHttpServletResponse response = new MockHttpServletResponse();
assertNull(services.autoLogin(request, response));
Cookie returnedCookie = response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
Cookie returnedCookie = response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertNotNull(returnedCookie);
assertEquals(0, returnedCookie.getMaxAge());
}
@ -199,7 +200,7 @@ public class TokenBasedRememberMeServicesTests {
@Test
public void autoLoginClearsCookieIfUserNotFound() throws Exception {
jmock.checking(udsWillThrowNotFound);
Cookie cookie = new Cookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -208,7 +209,7 @@ public class TokenBasedRememberMeServicesTests {
assertNull(services.autoLogin(request, response));
Cookie returnedCookie = response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
Cookie returnedCookie = response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertNotNull(returnedCookie);
assertEquals(0, returnedCookie.getMaxAge());
}
@ -216,7 +217,7 @@ public class TokenBasedRememberMeServicesTests {
@Test
public void autoLoginWithValidTokenAndUserSucceeds() throws Exception {
jmock.checking(udsWillReturnUser);
Cookie cookie = new Cookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
MockHttpServletRequest request = new MockHttpServletRequest();
request.setCookies(new Cookie[] {cookie});
@ -236,7 +237,7 @@ public class TokenBasedRememberMeServicesTests {
services.setKey("d");
assertEquals("d", services.getKey());
assertEquals(TokenBasedRememberMeServices.DEFAULT_PARAMETER, services.getParameter());
assertEquals(DEFAULT_PARAMETER, services.getParameter());
services.setParameter("some_param");
assertEquals("some_param", services.getParameter());
@ -250,7 +251,7 @@ public class TokenBasedRememberMeServicesTests {
MockHttpServletResponse response = new MockHttpServletResponse();
services.loginFail(request, response);
Cookie cookie = response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
Cookie cookie = response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertNotNull(cookie);
assertEquals(0, cookie.getMaxAge());
}
@ -259,12 +260,12 @@ public class TokenBasedRememberMeServicesTests {
public void loginSuccessIgnoredIfParameterNotSetOrFalse() {
TokenBasedRememberMeServices services = new TokenBasedRememberMeServices();
MockHttpServletRequest request = new MockHttpServletRequest();
request.addParameter(TokenBasedRememberMeServices.DEFAULT_PARAMETER, "false");
request.addParameter(DEFAULT_PARAMETER, "false");
MockHttpServletResponse response = new MockHttpServletResponse();
services.loginSuccess(request, response, new TestingAuthenticationToken("someone", "password","ROLE_ABC"));
Cookie cookie = response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
Cookie cookie = response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertNull(cookie);
}
@ -278,7 +279,7 @@ public class TokenBasedRememberMeServicesTests {
MockHttpServletResponse response = new MockHttpServletResponse();
services.loginSuccess(request, response, new TestingAuthenticationToken("someone", "password","ROLE_ABC"));
Cookie cookie = response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
Cookie cookie = response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
String expiryTime = services.decodeCookie(cookie.getValue())[1];
long expectedExpiryTime = 1000L * 500000000;
expectedExpiryTime += System.currentTimeMillis();
@ -297,7 +298,7 @@ public class TokenBasedRememberMeServicesTests {
MockHttpServletResponse response = new MockHttpServletResponse();
services.loginSuccess(request, response, new TestingAuthenticationToken("someone", "password","ROLE_ABC"));
Cookie cookie = response.getCookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
Cookie cookie = response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertNotNull(cookie);
assertEquals(services.getTokenValiditySeconds(), cookie.getMaxAge());
assertTrue(Base64.isArrayByteBase64(cookie.getValue().getBytes()));
@ -310,4 +311,23 @@ public class TokenBasedRememberMeServicesTests {
TestingAuthenticationToken token = new TestingAuthenticationToken("username", null);
assertNull(services.retrievePassword(token));
}
// SEC-949
@Test
public void negativeValidityPeriodIsSetOnCookieButExpiryTimeRemainsAtTwoWeeks() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
request.addParameter(DEFAULT_PARAMETER, "true");
MockHttpServletResponse response = new MockHttpServletResponse();
services.setTokenValiditySeconds(-1);
services.loginSuccess(request, response, new TestingAuthenticationToken("someone", "password","ROLE_ABC"));
Cookie cookie = response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertNotNull(cookie);
// Check the expiry time is within 50ms of two weeks from current time
assertTrue(determineExpiryTimeFromBased64EncodedToken(cookie.getValue()) - System.currentTimeMillis() >
TWO_WEEKS_S - 50);
assertEquals(-1, cookie.getMaxAge());
assertTrue(Base64.isArrayByteBase64(cookie.getValue().getBytes()));
}
}