SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context. Added "useSecureCookie" configuration property and corresponding use-secure-cookie attribute in namespace.

This commit is contained in:
Luke Taylor
2009-09-01 16:08:20 +00:00
parent b2c2b93545
commit 2039200617
6 changed files with 1748 additions and 1682 deletions

View File

@@ -226,7 +226,24 @@ public class AbstractRememberMeServicesTests {
assertEquals("mycookie", cookie.getValue());
assertEquals("mycookiename", cookie.getName());
assertEquals("contextpath", cookie.getPath());
assertFalse(cookie.getSecure());
}
@Test
public void setCookieSetsSecureFlagIfConfigured() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
request.setContextPath("contextpath");
MockRememberMeServices services = new MockRememberMeServices() {
protected String encodeCookie(String[] cookieTokens) {
return cookieTokens[0];
}
};
services.setUseSecureCookie(true);
services.setCookie(new String[] {"mycookie"}, 1000, request, response);
Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
assertTrue(cookie.getSecure());
}
private Cookie[] createLoginCookie(String cookieToken) {