From f62d97b092a91b0488ed5fc072e1a222968be554 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Tue, 12 Jan 2010 01:32:02 +0000
Subject: [PATCH] SEC-1356: Fix broken tests. Test cookies now require that the path be set in order for them to be recognised for auto-login purposes..
---
 .../AbstractRememberMeServicesTests.java | 2 +-
 .../TokenBasedRememberMeServicesTests.java | 25 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
index 5c96845976..4e9c0a18c1 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
@@ -249,7 +249,7 @@ public class AbstractRememberMeServicesTests {
 MockRememberMeServices services = new MockRememberMeServices();
 Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, services.encodeCookie(StringUtils.delimitedListToStringArray(cookieToken, ":")));
-
+ cookie.setPath("/");
 return new Cookie[] {cookie};
 }
diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java
index 34fb3a2f0f..4d8439311a 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java
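Review bot: The cookie-building helper in AbstractRememberMeServicesTests now hard-codes `cookie.setPath("/")`, which only models a request where the container has populated the cookie's path. The `Cookie` request header defined by RFC 6265 carries name=value pairs only, so for cookies sent by a typical browser `getPath()` is likely to be null. If auto-login now depends on the path, it is worth adding a case that leaves the path unset and recording the expected outcome next to it, for example `// request cookies parsed from a browser's Cookie header normally have a null path`. The helper's signature lies outside the hunk, so this is based only on the lines shown.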
@@ -109,6 +109,7 @@ public class TokenBasedRememberMeServicesTests {
 @Test
 public void autoLoginIgnoresUnrelatedCookie() throws Exception {
 Cookie cookie = new Cookie("unrelated_cookie", "foobar");
+ cookie.setPath("/");
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setCookies(new Cookie[] {cookie});
 MockHttpServletResponse response = new MockHttpServletResponse();
@@ -119,10 +120,27 @@ public class TokenBasedRememberMeServicesTests {
 assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
 }
+ // SEC-1356
+ @Test
+ public void autoLoginIgnoresCookieWithWrongPath() throws Exception {
+ Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, "foobar");
+ cookie.setPath("/");
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setContextPath("not_root");
+ request.setCookies(new Cookie[] {cookie});
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ Authentication result = services.autoLogin(request, response);
+
+ assertNull(result);
+ assertNull(response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY));
+ }
+
 @Test
 public void autoLoginReturnsNullForExpiredCookieAndClearsCookie() throws Exception {
 Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, generateCorrectCookieContentForToken(System.currentTimeMillis() - 1000000, "someone", "password", "key"));
+ cookie.setPath("/");
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setCookies(new Cookie[] {cookie});
@@ -138,6 +156,7 @@ public class TokenBasedRememberMeServicesTests {
 public void autoLoginReturnsNullAndClearsCookieIfMissingThreeTokensInCookieValue() throws Exception {
 Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, new String(Base64.encodeBase64("x".getBytes())));
+ cookie.setPath("/");
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setCookies(new Cookie[] {cookie});
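Review bot: `cookie.setPath("/")` is added by hand here in autoLoginIgnoresUnrelatedCookie and again in the hunks at -119, -138, -153, -170, -186, -202 and -219, so any future test that forgets the call will fail for a reason unrelated to what it checks. A small private factory in the test class, for example `private static Cookie cookieWithRootPath(String name, String value)`, would create the cookie and set the path in one place. Each test would then read `Cookie cookie = cookieWithRootPath(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, ...);` and the path requirement would be documented once on the factory.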
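Review bot: In autoLoginIgnoresCookieWithWrongPath, `request.setContextPath("not_root")` uses a value with no leading slash, which the servlet API never reports for a non-root context; `request.setContextPath("/not_root");` keeps the fixture realistic. The cookie value `"foobar"` is also not a valid token, so the assertions only show that the cookie was left alone rather than cleared. Building the value with `generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key")` would pin the stronger property that a correctly signed, unexpired token presented with the wrong path does not authenticate. A one-line comment above the test stating which path comparison SEC-1356 expects would help the next reader, since the production check is not visible in this patch.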
@@ -153,6 +172,7 @@ public class TokenBasedRememberMeServicesTests {
 public void autoLoginClearsNonBase64EncodedCookie() throws Exception {
 Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, "NOT_BASE_64_ENCODED");
+ cookie.setPath("/");
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setCookies(new Cookie[] {cookie});
@@ -170,6 +190,7 @@ public class TokenBasedRememberMeServicesTests {
 Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "WRONG_KEY"));
+ cookie.setPath("/");
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setCookies(new Cookie[] {cookie});
@@ -186,6 +207,8 @@ public class TokenBasedRememberMeServicesTests {
 public void autoLoginClearsCookieIfTokenDoesNotContainANumberInCookieValue() throws Exception {
 Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, new String(Base64.encodeBase64("username:NOT_A_NUMBER:signature".getBytes())));
+ cookie.setPath("/");
+
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setCookies(new Cookie[] {cookie});
@@ -202,6 +225,7 @@ public class TokenBasedRememberMeServicesTests {
 jmock.checking(udsWillThrowNotFound);
 Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
+ cookie.setPath("/");
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setCookies(new Cookie[] {cookie});
@@ -219,6 +243,7 @@ public class TokenBasedRememberMeServicesTests {
 jmock.checking(udsWillReturnUser);
 Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, generateCorrectCookieContentForToken(System.currentTimeMillis() + 1000000, "someone", "password", "key"));
+ cookie.setPath("/");
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setCookies(new Cookie[] {cookie});