SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones.

Using ":" as the token delimiter means we accidentally mistake the URL for two tokens. This had previously been fixed for http URLs but not https ones.

web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java

@@ -168,10 +168,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
 
         String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER);
 
-        if (tokens[0].equalsIgnoreCase("http") && tokens[1].startsWith("//")) {
+        if ((tokens[0].equalsIgnoreCase("http") || tokens[0].equalsIgnoreCase("https")) && tokens[1].startsWith("//")) {
             // Assume we've accidentally split a URL (OpenID identifier)
             String[] newTokens = new String[tokens.length - 1];
-            newTokens[0] = "http:" + tokens[1];
+            newTokens[0] = tokens[0] + ":" + tokens[1];
             System.arraycopy(tokens, 2, newTokens, 1, newTokens.length - 1);
             tokens = newTokens;
         }

web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java

@@ -35,21 +35,37 @@ public class AbstractRememberMeServicesTests {
 
     @Test
     public void cookieShouldBeCorrectlyEncodedAndDecoded() {
-        String[] cookie = new String[] {"http://name", "cookie", "tokens", "blah"};
+        String[] cookie = new String[] {"name", "cookie", "tokens", "blah"};
         MockRememberMeServices services = new MockRememberMeServices();
 
         String encoded = services.encodeCookie(cookie);
-        // '=' aren't alowed in version 0 cookies.
+        // '=' aren't allowed in version 0 cookies.
         assertFalse(encoded.endsWith("="));
         String[] decoded = services.decodeCookie(encoded);
 
         assertEquals(4, decoded.length);
-        assertEquals("http://name", decoded[0]);
+        assertEquals("name", decoded[0]);
         assertEquals("cookie", decoded[1]);
         assertEquals("tokens", decoded[2]);
         assertEquals("blah", decoded[3]);
     }
 
+    @Test
+    public void cookieWithOpenIDidentifierAsNameIsEncodedAndDecoded() throws Exception {
+        String[] cookie = new String[] {"http://id.openid.zz", "cookie", "tokens", "blah"};
+        MockRememberMeServices services = new MockRememberMeServices();
+
+        String[] decoded = services.decodeCookie(services.encodeCookie(cookie));
+        assertEquals(4, decoded.length);
+        assertEquals("http://id.openid.zz", decoded[0]);
+
+        // Check https (SEC-1410)
+        cookie[0] = "https://id.openid.zz";
+        decoded = services.decodeCookie(services.encodeCookie(cookie));
+        assertEquals(4, decoded.length);
+        assertEquals("https://id.openid.zz", decoded[0]);
+    }
+
     @Test
     public void autoLoginShouldReturnNullIfNoLoginCookieIsPresented() {
         MockRememberMeServices services = new MockRememberMeServices();