
SEC-2791: AbstractRememberMeServices sets the version

If maxAge < 1, the cookie version must be set to 1; otherwise browsers ignore
the value.
Rob Winch 10 年之前
父節點
當前提交
74f8534b17

+ 4 - 0
web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java

@@ -349,6 +349,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
         cookie.setMaxAge(maxAge);
         cookie.setPath(getCookiePath(request));
 
+        if(maxAge < 1) {
+            cookie.setVersion(1);
+        }
+
         if (useSecureCookie == null) {
             cookie.setSecure(request.isSecure());
         } else {
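Review bot: The new `if(maxAge < 1)` block at lines 19–21 gives no hint of why the cookie version is raised, and `1` is a bare magic number; the rationale exists only in the commit message, so the next maintainer will see an unexplained RFC 2109 toggle. I would put `// SEC-2791: some browsers ignore a Version 0 cookie whose max age is 0 or negative, so emit a Version 1 cookie for the cancel/session cases` above it and write the condition as `if (maxAge < 1) {` to match the spacing of `if (useSecureCookie == null)` two lines below. The branch also covers two distinct situations, maxAge == 0 (cancelling the remember-me token) and maxAge < 0 (a non-persistent cookie), while the commit message only motivates the former, so it is worth confirming the negative case is intended rather than incidental. How a Version 1 cookie is serialized (Max-Age versus Expires) is container-specific, so an integration check that logout really removes the cookie in the target container is advisable: a cancellation that the browser drops leaves a valid remember-me token on the client. The enclosing setCookie method begins before and ends after this hunk.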

+ 40 - 0
web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java

@@ -1,5 +1,6 @@
 package org.springframework.security.web.authentication.rememberme;
 
+import static org.fest.assertions.Assertions.*;
 import static org.powermock.api.mockito.PowerMockito.*;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -352,6 +353,45 @@ public class AbstractRememberMeServicesTests {
         assertNull(ReflectionTestUtils.getField(services, "setHttpOnlyMethod"));
     }
 
+    // SEC-2791
+    @Test
+    public void setCookieMaxAge0VersionSet() {
+        MockRememberMeServices services = new MockRememberMeServices();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
+        services.setCookie(new String[] {"value"}, 0, request, response);
+
+        Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+        assertThat(cookie.getVersion()).isEqualTo(1);
+    }
+
+    // SEC-2791
+    @Test
+    public void setCookieMaxAgeNegativeVersionSet() {
+        MockRememberMeServices services = new MockRememberMeServices();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
+        services.setCookie(new String[] {"value"}, -1, request, response);
+
+        Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+        assertThat(cookie.getVersion()).isEqualTo(1);
+    }
+
+    // SEC-2791
+    @Test
+    public void setCookieMaxAge1VersionSet() {
+        MockRememberMeServices services = new MockRememberMeServices();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
+        services.setCookie(new String[] {"value"}, 1, request, response);
+
+        Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+        assertThat(cookie.getVersion()).isEqualTo(0);
+    }
+
     private Cookie[] createLoginCookie(String cookieToken) {
         MockRememberMeServices services = new MockRememberMeServices();
         Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
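Review bot: The name `setCookieMaxAge1VersionSet` at line 69 says the opposite of what the test asserts, since line 77 checks that the version stays 0, i.e. is not set; `setCookieMaxAge1VersionNotSet` would read correctly next to its two siblings. All three tests also dereference `response.getCookie(...)` without a null guard, so a missing cookie surfaces as a NullPointerException rather than a failed assertion; a preceding `assertThat(cookie).isNotNull();` keeps the failure mode meaningful, and the identical setup of services/request/response could move to a small private helper. The tests pin only the version, so an additional check that the version toggle leaves `getMaxAge()` and `getPath()` untouched would guard the surrounding cookie attributes the fix sits between. The `createLoginCookie` method that starts at line 80 continues past the end of this hunk.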