From 9dbe30c81d4a6da68e494854408138d72c3a46b0 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Fri, 15 Nov 2013 14:58:53 -0600 Subject: [PATCH] SEC-2165: remember-me@token-validity-seconds can be parameterized --- .../http/RememberMeBeanDefinitionParser.java | 6 ++-- .../security/config/spring-security-3.2.rnc | 2 +- .../security/config/spring-security-3.2.xsd | 2 +- .../config/http/RememberMeConfigTests.groovy | 32 ++++++++++++++++++- 4 files changed, 36 insertions(+), 6 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java index a0e2501f1e..737c7818d9 100644 --- a/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java @@ -132,12 +132,12 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser { } if (tokenValiditySet) { - int tokenValidity = Integer.parseInt(tokenValiditySeconds); - if (tokenValidity < 0 && isPersistent) { + boolean isTokenValidityNegative = tokenValiditySeconds.startsWith("-"); + if (isTokenValidityNegative && isPersistent) { pc.getReaderContext().error(ATT_TOKEN_VALIDITY + " cannot be negative if using" + " a persistent remember-me token repository", source); } - services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity); + services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValiditySeconds); } if (remembermeParameterSet) { diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc index 40641a4084..4bf7519ae1 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc 
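Review bot: The negative-validity guard now only inspects the literal attribute text, so `token-validity-seconds="${security.rememberme.ttl}"` combined with a persistent token repository passes the `startsWith("-")` check even when the placeholder later resolves to a negative number, and the error the message describes is no longer raised at parse time for that case. Unless the remember-me services bean rejects a negative validity itself (not visible in this hunk), that misconfiguration now goes undetected, so at least document the limitation next to the new line: `// only a literal negative is detected here; a placeholder resolving to a negative value is not checked`. Non-numeric values that are not placeholders now fail during property conversion on the bean rather than with the parser-context error, which changes the diagnostic a user sees and is worth noting in the method's Javadoc. The enclosing parse method starts and ends outside the hunk.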
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc @@ -572,7 +572,7 @@ remember-me.attlist &= remember-me.attlist &= ## The period (in seconds) for which the remember-me cookie should be valid. - attribute token-validity-seconds {xsd:integer}? + attribute token-validity-seconds {xsd:string}? remember-me.attlist &= ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd index 756b2a9adf..d60cd056c6 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd @@ -1796,7 +1796,7 @@ - + The period (in seconds) for which the remember-me cookie should be valid. diff --git a/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy index 197b729956..67a276ed4d 100644 --- a/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy @@ -17,6 +17,10 @@ package org.springframework.security.config.http import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML +import javax.sql.DataSource + +import org.springframework.beans.FatalBeanException +import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer import org.springframework.beans.factory.parsing.BeanDefinitionParsingException import org.springframework.security.TestDataSource import org.springframework.security.authentication.ProviderManager 
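Review bot: Widening `token-validity-seconds` from `xsd:integer` to `xsd:string` in the .rnc hunk (and the matching .xsd hunk) removes the only schema-level rejection of non-numeric values, but the attribute documentation still describes the value purely as a number of seconds and says nothing about why a string is now accepted. Extend the `##` doc line to state the intent, e.g. `## The period (in seconds) for which the remember-me cookie should be valid. A property placeholder may be used.`, and carry the same sentence into the corresponding xsd:documentation text. The xsd hunk's element markup is not readable in this rendering, so the type names there are inferred from the .rnc change.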
@@ -26,7 +30,7 @@ import org.springframework.security.util.FieldUtils
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
 import org.springframework.security.web.authentication.logout.LogoutFilter
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
-import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
+import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
 import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
 import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
 import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
@@ -154,6 +158,32 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
 rememberMeServices().tokenValiditySeconds == -1
 }
 
+ def 'remember-me@token-validity-seconds denies for persistent implementation'() {
+ setup:
+ httpAutoConfig () {
+ 'remember-me'('key': 'ourkey', 'token-validity-seconds':'-1', 'dataSource' : 'dataSource')
+ }
+ mockBean(DataSource)
+ when:
+ createAppContext(AUTH_PROVIDER_XML)
+ then:
+ thrown(FatalBeanException)
+ }
+
+ def 'SEC-2165: remember-me@token-validity-seconds allows property placeholders'() {
+ when:
+ httpAutoConfig () {
+ 'remember-me'('key': 'ourkey', 'token-validity-seconds':'${security.rememberme.ttl}')
+ }
+ xml.'b:bean'(class: PropertyPlaceholderConfigurer.name) {
+ 'b:property'(name:'properties', value:'security.rememberme.ttl=30')
+ }
+
+ createAppContext(AUTH_PROVIDER_XML)
+ then:
+ rememberMeServices().tokenValiditySeconds == 30
+ }
+
 def rememberMeSecureCookieAttributeIsSetCorrectly() {
 httpAutoConfig () {
 'remember-me'('key': 'ourkey', 'use-secure-cookie':'true')
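Review bot: The new 'denies for persistent implementation' method asserts only `thrown(FatalBeanException)`, which does not distinguish the negative-validity error from any other context failure; in particular, if `'dataSource'` is not the attribute the parser reads for the persistent repository (that branch is outside the hunk, so I cannot confirm it), a schema or wiring failure alone would satisfy the expectation. Capture the exception and check its text, e.g. `then: def e = thrown(FatalBeanException)` followed by `e.message.contains('cannot be negative')`. There is also no case combining a placeholder with the persistent repository (the SEC-2165 setup with `security.rememberme.ttl=-1` plus the data source), which is exactly where the parser's `startsWith("-")` check cannot fire, so a third feature method should pin whichever outcome is intended there. Both new methods are fully inside the hunk.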