
SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context. Added "useSecureCookie" configuration property and corresponding use-secure-cookie attribute in namespace.

Luke Taylor
2009-09-01 16:08:20 +00:00
parent b2c2b93545
commit 2039200617
6 changed files with 1748 additions and 1682 deletions
@@ -55,6 +55,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
private boolean alwaysRemember;
private String key;
private int tokenValiditySeconds = TWO_WEEKS_S;
private boolean useSecureCookie = false;
public void afterPropertiesSet() throws Exception {
Assert.hasLength(key);
@@ -308,6 +309,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
Cookie cookie = new Cookie(cookieName, cookieValue);
cookie.setMaxAge(maxAge);
cookie.setPath(StringUtils.hasLength(request.getContextPath()) ? request.getContextPath() : "/");
cookie.setSecure(useSecureCookie);
response.addCookie(cookie);
}
@@ -374,6 +376,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
return tokenValiditySeconds;
}
public void setUseSecureCookie(boolean useSecureCookie) {
this.useSecureCookie = useSecureCookie;
}
protected AuthenticationDetailsSource getAuthenticationDetailsSource() {
return authenticationDetailsSource;
}
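Review bot: `cookie.setSecure(useSecureCookie)` in the second hunk ties the Secure attribute solely to the configured flag, which the first hunk defaults to `false`, so a remember-me cookie issued during an HTTPS request is still sent on plain-HTTP requests to the same host unless the deployer opts in; the commit title speaks of the secure context, yet `request.isSecure()` is never consulted. A tri-state field would preserve an explicit setting while falling back to the request when none is given: `private Boolean useSecureCookie = null;` and `cookie.setSecure(useSecureCookie != null ? useSecureCookie : request.isSecure());`, with `setUseSecureCookie` either keeping its `boolean` parameter (autoboxed on assignment) or widening to `Boolean` so the namespace attribute can be left unset. `setCookie` begins outside the hunk, so this note covers only the visible line. The new `setUseSecureCookie` setter in the third hunk also has no Javadoc; a one-liner such as `/** Whether the remember-me cookie is marked Secure and therefore only sent over HTTPS. Defaults to {@code false}. */` would document the property next to its namespace attribute.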
@@ -226,7 +226,24 @@ public class AbstractRememberMeServicesTests {
assertEquals("mycookie", cookie.getValue());
assertEquals("mycookiename", cookie.getName());
assertEquals("contextpath", cookie.getPath());
assertFalse(cookie.getSecure());
}
@Test
public void setCookieSetsSecureFlagIfConfigured() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
request.setContextPath("contextpath");
MockRememberMeServices services = new MockRememberMeServices() {
protected String encodeCookie(String[] cookieTokens) {
return cookieTokens[0];
}
};
services.setUseSecureCookie(true);
services.setCookie(new String[] {"mycookie"}, 1000, request, response);
Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertTrue(cookie.getSecure());
}
private Cookie[] createLoginCookie(String cookieToken) {