Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

SEC-1083: PersistentTokenBasedRememberMeServices does not clear tokens on logout. Override logout method to remove tokens for user.

Luke Taylor 16 years ago
parent
b7557d017e
commit
30748e8615
2 changed files with 31 additions and 6 deletions
Split View Show Diff Stats
  1. 6 0
      core/src/main/java/org/springframework/security/ui/rememberme/PersistentTokenBasedRememberMeServices.java
  2. 25 6
      core/src/test/java/org/springframework/security/ui/rememberme/PersistentTokenBasedRememberMeServicesTests.java

+ 6 - 0
core/src/main/java/org/springframework/security/ui/rememberme/PersistentTokenBasedRememberMeServices.java
View File 

@@ -138,6 +138,12 @@ public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeSe
 
         }
 
     }
 
 
+    @Override
 
+    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
 
+        super.logout(request, response, authentication);
 
+        tokenRepository.removeUserTokens(authentication.getName());
 
+    }
 
+
 
     protected String generateSeriesData() {
 
         byte[] newSeries = new byte[seriesLength];
 
         random.nextBytes(newSeries);

+ 25 - 6
core/src/test/java/org/springframework/security/ui/rememberme/PersistentTokenBasedRememberMeServicesTests.java
View File 

@@ -1,14 +1,18 @@
 
 package org.springframework.security.ui.rememberme;
 
 
-import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
 
-import org.springframework.mock.web.MockHttpServletRequest;
 
-import org.springframework.mock.web.MockHttpServletResponse;
 
+import static org.junit.Assert.*;
 
+import static org.springframework.security.ui.rememberme.AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY;
 
+
 
+import java.util.Date;
 
+
 
+import javax.servlet.http.Cookie;
 
 
-import static org.junit.Assert.assertEquals;
 
 import org.junit.Before;
 
 import org.junit.Test;
 
-
 
-import java.util.Date;
 
+import org.springframework.mock.web.MockHttpServletRequest;
 
+import org.springframework.mock.web.MockHttpServletResponse;
 
+import org.springframework.security.providers.TestingAuthenticationToken;
 
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
 
 
 /**
 
  * @author Luke Taylor
 
@@ -97,6 +101,21 @@ public class PersistentTokenBasedRememberMeServicesTests {
 
         assertEquals(repo.getStoredToken().getTokenValue(), cookie[1]);
 
     }
 
 
+    @Test
 
+    public void logoutClearsUsersTokenAndCookie() throws Exception {
 
+        Cookie cookie = new Cookie("mycookiename", "somevalue");
 
+        MockHttpServletRequest request = new MockHttpServletRequest();
 
+        request.setCookies(new Cookie[] {cookie});
 
+        MockHttpServletResponse response = new MockHttpServletResponse();
 
+        MockTokenRepository repo =
 
+            new MockTokenRepository(new PersistentRememberMeToken("joe", "series","token", new Date()));
 
+        services.setTokenRepository(repo);
 
+        services.logout(request, response, new TestingAuthenticationToken("joe","somepass","SOME_AUTH"));
 
+        Cookie returnedCookie = response.getCookie("mycookiename");
 
+        assertNotNull(returnedCookie);
 
+        assertEquals(0, returnedCookie.getMaxAge());
 
+    }
 
+
 
     private class MockTokenRepository implements PersistentTokenRepository {
 
         private PersistentRememberMeToken storedToken;