
SEC-2165: remember-me@token-validity-seconds can be parameterized

Rob Winch hai 11 anos
9dbe30c81d

+ 3 - 3
config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java

@@ -132,12 +132,12 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
             }
 
             if (tokenValiditySet) {
-                int tokenValidity = Integer.parseInt(tokenValiditySeconds);
-                if (tokenValidity < 0 && isPersistent) {
+                boolean isTokenValidityNegative = tokenValiditySeconds.startsWith("-");
+                if (isTokenValidityNegative && isPersistent) {
                     pc.getReaderContext().error(ATT_TOKEN_VALIDITY + " cannot be negative if using" +
                             " a persistent remember-me token repository", source);
                 }
-                services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
+                services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValiditySeconds);
             }
 
             if (remembermeParameterSet) {
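Review bot: The new check on the line `boolean isTokenValidityNegative = tokenValiditySeconds.startsWith("-");` only detects a literal negative value, so the `ATT_TOKEN_VALIDITY + " cannot be negative if using a persistent remember-me token repository"` error is no longer raised when the attribute is a placeholder (the case this commit enables) that resolves to a negative number, and a non-numeric literal that is not a placeholder now passes the parser and fails only at property conversion. If `PersistentTokenBasedRememberMeServices` rejects non-positive values in its setter the resolved case is still caught at bean creation, but that is outside this hunk and worth confirming; if it does not, the rejection has to move to where the resolved value is available. A comment would make the intent explicit: `// value may be a property placeholder, so only a literal leading "-" can be checked here; a negative resolved value must be rejected by the services bean`. The enclosing parse method starts and ends outside this hunk.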

+ 1 - 1
config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc

@@ -572,7 +572,7 @@ remember-me.attlist &=
 
 remember-me.attlist &=
     ## The period (in seconds) for which the remember-me cookie should be valid.
-    attribute token-validity-seconds {xsd:integer}?
+    attribute token-validity-seconds {xsd:string}?
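Review bot: Changing the attribute type from `xsd:integer` to `xsd:string` removes schema-level validation of the value, and the documentation comment above it still describes only a plain number of seconds, so a reader of the schema cannot tell that placeholders are now accepted or that a non-numeric value is rejected only when the context starts. The same applies to the `xs:string` change in the spring-security-3.2.xsd section below (the xsd appears to carry the same documentation text, so it presumably is regenerated from this file). Suggested wording for the comment: `## The period (in seconds) for which the remember-me cookie should be valid. A property placeholder which resolves to an integer may also be used.`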
 
 remember-me.attlist &=
     ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication.

+ 1 - 1
config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd

@@ -1796,7 +1796,7 @@
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
-      <xs:attribute name="token-validity-seconds" type="xs:integer">
+      <xs:attribute name="token-validity-seconds" type="xs:string">
          <xs:annotation>
             <xs:documentation>The period (in seconds) for which the remember-me cookie should be valid.
                 </xs:documentation>

+ 31 - 1
config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy

@@ -17,6 +17,10 @@ package org.springframework.security.config.http
 
 import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML
 
+import javax.sql.DataSource
+
+import org.springframework.beans.FatalBeanException
+import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer
 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException
 import org.springframework.security.TestDataSource
 import org.springframework.security.authentication.ProviderManager
@@ -26,7 +30,7 @@ import org.springframework.security.util.FieldUtils
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
 import org.springframework.security.web.authentication.logout.LogoutFilter
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
-import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
+import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
 import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
 import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
 import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
@@ -154,6 +158,32 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
         rememberMeServices().tokenValiditySeconds == -1
     }
 
+    def 'remember-me@token-validity-seconds denies for persistent implementation'() {
+        setup:
+            httpAutoConfig () {
+                'remember-me'('key': 'ourkey', 'token-validity-seconds':'-1', 'dataSource' : 'dataSource')
+            }
+            mockBean(DataSource)
+        when:
+            createAppContext(AUTH_PROVIDER_XML)
+        then:
+            thrown(FatalBeanException)
+    }
+
+    def 'SEC-2165: remember-me@token-validity-seconds allows property placeholders'() {
+        when:
+            httpAutoConfig () {
+                'remember-me'('key': 'ourkey', 'token-validity-seconds':'${security.rememberme.ttl}')
+            }
+            xml.'b:bean'(class: PropertyPlaceholderConfigurer.name) {
+                'b:property'(name:'properties', value:'security.rememberme.ttl=30')
+            }
+
+            createAppContext(AUTH_PROVIDER_XML)
+        then:
+            rememberMeServices().tokenValiditySeconds == 30
+    }
+
     def rememberMeSecureCookieAttributeIsSetCorrectly() {
         httpAutoConfig () {
             'remember-me'('key': 'ourkey', 'use-secure-cookie':'true')
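Review bot: The new placeholder test only exercises a positive resolved value, and the new persistent-repository test only a literal `-1`, so the combination the parser change can no longer catch — a placeholder that resolves to a negative value with a persistent `dataSource` — is untested. A third spec covering it would pin that the rejection still happens somewhere; if `PersistentTokenBasedRememberMeServices` rejects non-positive values in its setter the spec below should pass as written (a bean-creation failure is a `FatalBeanException`), otherwise it documents the gap. The values in the spec are constructed from the two tests already in the hunk.
```groovy
    def 'SEC-2165: negative placeholder value is rejected for persistent implementation'() {
        when:
            httpAutoConfig () {
                'remember-me'('key': 'ourkey', 'token-validity-seconds':'${security.rememberme.ttl}', 'dataSource' : 'dataSource')
            }
            xml.'b:bean'(class: PropertyPlaceholderConfigurer.name) {
                'b:property'(name:'properties', value:'security.rememberme.ttl=-1')
            }
            mockBean(DataSource)
            createAppContext(AUTH_PROVIDER_XML)
        then:
            thrown(FatalBeanException)
    }
```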