11 жил өмнө · 9dbe30c81d
--- a/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java
@@ -132,12 +132,12 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
 
				             }
			
 
				 
			
 
				             if (tokenValiditySet) {
			
 
				-                int tokenValidity = Integer.parseInt(tokenValiditySeconds);
			
 
				-                if (tokenValidity < 0 && isPersistent) {
			
 
				+                boolean isTokenValidityNegative = tokenValiditySeconds.startsWith("-");
			
 
				+                if (isTokenValidityNegative && isPersistent) {
			
 
				                     pc.getReaderContext().error(ATT_TOKEN_VALIDITY + " cannot be negative if using" +
			
 
				                             " a persistent remember-me token repository", source);
			
 
				                 }
			
 
				-                services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
			
 
				+                services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValiditySeconds);
			
 
				             }
			
 
				 
			
 
				             if (remembermeParameterSet) {
			
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc
@@ -572,7 +572,7 @@ remember-me.attlist &=
 
				 
			
 
				 remember-me.attlist &=
			
 
				     ## The period (in seconds) for which the remember-me cookie should be valid.
			
 
				-    attribute token-validity-seconds {xsd:integer}?
			
 
				+    attribute token-validity-seconds {xsd:string}?
			
 
				 
			
 
				 remember-me.attlist &=
			
 
				     ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication.
			
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
@@ -1796,7 +1796,7 @@
 
				                 </xs:documentation>
			
 
				          </xs:annotation>
			
 
				       </xs:attribute>
			
 
				-      <xs:attribute name="token-validity-seconds" type="xs:integer">
			
 
				+      <xs:attribute name="token-validity-seconds" type="xs:string">
			
 
				          <xs:annotation>
			
 
				             <xs:documentation>The period (in seconds) for which the remember-me cookie should be valid.
			
 
				                 </xs:documentation>
			
--- a/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy
@@ -17,6 +17,10 @@ package org.springframework.security.config.http
 
				 
			
 
				 import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML
			
 
				 
			
 
				+import javax.sql.DataSource
			
 
				+
			
 
				+import org.springframework.beans.FatalBeanException
			
 
				+import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer
			
 
				 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException
			
 
				 import org.springframework.security.TestDataSource
			
 
				 import org.springframework.security.authentication.ProviderManager
			
@@ -26,7 +30,7 @@ import org.springframework.security.util.FieldUtils
 
				 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
			
 
				 import org.springframework.security.web.authentication.logout.LogoutFilter
			
 
				 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
			
 
				-import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
			
 
				+import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
			
 
				 import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
			
 
				 import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
			
 
				 import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
			
@@ -154,6 +158,32 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
 
				         rememberMeServices().tokenValiditySeconds == -1
			
 
				     }
			
 
				 
			
 
				+    def 'remember-me@token-validity-seconds denies for persistent implementation'() {
			
 
				+        setup:
			
 
				+            httpAutoConfig () {
			
 
				+                'remember-me'('key': 'ourkey', 'token-validity-seconds':'-1', 'dataSource' : 'dataSource')
			
 
				+            }
			
 
				+            mockBean(DataSource)
			
 
				+        when:
			
 
				+            createAppContext(AUTH_PROVIDER_XML)
			
 
				+        then:
			
 
				+            thrown(FatalBeanException)
			
 
				+    }
			
 
				+
			
 
				+    def 'SEC-2165: remember-me@token-validity-seconds allows property placeholders'() {
			
 
				+        when:
			
 
				+            httpAutoConfig () {
			
 
				+                'remember-me'('key': 'ourkey', 'token-validity-seconds':'${security.rememberme.ttl}')
			
 
				+            }
			
 
				+            xml.'b:bean'(class: PropertyPlaceholderConfigurer.name) {
			
 
				+                'b:property'(name:'properties', value:'security.rememberme.ttl=30')
			
 
				+            }
			
 
				+
			
 
				+            createAppContext(AUTH_PROVIDER_XML)
			
 
				+        then:
			
 
				+            rememberMeServices().tokenValiditySeconds == 30
			
 
				+    }
			
 
				+
			
 
				     def rememberMeSecureCookieAttributeIsSetCorrectly() {
			
 
				         httpAutoConfig () {
			
 
				             'remember-me'('key': 'ourkey', 'use-secure-cookie':'true')