
Override the key to avoid CookieTheftException #5509


Conversation

DevDengChao
Contributor

People may be confused about why those `token.keyHash()` values are not equal, because they forgot to configure the key twice.
So, override the key for them, making it more convenient to customize RememberMeServices.
See #4140.

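The key mismatch the description refers to, as an added example that is not code from this PR or from the Spring Security project: a token issued by `TokenBasedRememberMeServices` carries `key.hashCode()`, and `RememberMeAuthenticationProvider` rejects it unless the provider was built with the same key. The key strings and the user are constructed values.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.RememberMeAuthenticationProvider;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

public class RememberMeKeyMismatchDemo {

    public static void main(String[] args) {
        // Constructed test user; withDefaultPasswordEncoder is acceptable in demo/test code.
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user").password("password").roles("USER").build();
        UserDetailsService uds = new InMemoryUserDetailsManager(user);

        // Custom services configured with their own key ("services-key" is a constructed value).
        TokenBasedRememberMeServices services = new TokenBasedRememberMeServices("services-key", uds);

        // A successful remember-me login yields a token whose keyHash is key.hashCode().
        Authentication token = new RememberMeAuthenticationToken(
                services.getKey(), user, user.getAuthorities());

        // Case 1: the provider was built with a different key, which is what happens when the
        // key is set on the services but not also on the configurer ("config the key twice").
        RememberMeAuthenticationProvider mismatched = new RememberMeAuthenticationProvider("configurer-key");
        try {
            mismatched.authenticate(token);
            System.out.println("unexpected: token accepted with a mismatched key");
        } catch (BadCredentialsException ex) {
            // The provider compares its key.hashCode() with token.getKeyHash() and rejects the token.
            System.out.println("rejected: " + ex.getMessage());
        }

        // Case 2: the provider is built with the services' key, so the hashes agree.
        RememberMeAuthenticationProvider matched = new RememberMeAuthenticationProvider(services.getKey());
        Authentication result = matched.authenticate(token);
        System.out.println("accepted as " + result.getClass().getSimpleName()
                + " for " + result.getName());
    }
}
```

Case 2 is the relationship this PR establishes automatically by taking the provider's key from the configured services rather than requiring it to be set a second time.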
@pivotal-issuemaster

@XieEDeHeiShou Please sign the Contributor License Agreement!

@pivotal-issuemaster

@XieEDeHeiShou Thank you for signing the Contributor License Agreement!

Remove trailing whitespace to avoid Travis CI failure.
@DevDengChao
Contributor Author

The CI says it cannot get a jar from the Spring repository and then stopped with an error:

* What went wrong:
Could not resolve all files for configuration ':spring-security-messaging:optional'.
> Could not download spring-websocket.jar (org.springframework:spring-websocket:5.1.0.BUILD-SNAPSHOT:20180713.230306-259)
   > Could not get resource 'https://repo.spring.io/libs-snapshot/org/springframework/spring-websocket/5.1.0.BUILD-SNAPSHOT/spring-websocket-5.1.0.BUILD-20180713.230306-259.jar'.
      > Connection reset

I checked the file manually; it exists.
Hope this PR can pass.

Nothing else, just trying to trigger the CI.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019
@eleftherias eleftherias self-assigned this Oct 25, 2019
Contributor

@eleftherias eleftherias left a comment


Thanks for the PR @XieEDeHeiShou! I have left some comments inline.
Additionally, please provide a test for this change.

@eleftherias eleftherias added status: feedback-provided Feedback has been provided and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 25, 2019
Contributor

@eleftherias eleftherias left a comment


Thanks @XieEDeHeiShou, I have left one comment about the code formatting.
Also, please add an additional test for the changes to remember me.

@eleftherias
Contributor

Thank you for the changes @XieEDeHeiShou. Please add a test for any changes in this PR.
Let me know if you need help with writing the test.

@DevDengChao
Contributor Author

@eleftherias I'd like to provide test cases for these changes, and I do need some help. Can you please guide me?

Contributor

@eleftherias eleftherias left a comment


@XieEDeHeiShou The new test will look very similar to getWhenRememberMeCookieThenAuthenticationIsRememberMeAuthenticationToken in the class RememberMeConfigurerTests.

The assertions will be the same, and only the configuration will change.
In the configuration of the new test we should set a custom rememberMeServices:

.rememberMe()
	.rememberMeServices(rememberMeServices())

where rememberMeServices() can be an instance of TokenBasedRememberMeServices.

The key is that this new test should fail without the changes you have made, and pass when we add the changes from this PR.

I'm happy to provide any further guidance if you get stuck, or if this is unclear.

Additionally, I noticed an issue in the PR as it stands now; I left a comment inline.

Contributor

@eleftherias eleftherias left a comment


Thanks for the quick turnaround again @XieEDeHeiShou. I have left a few more comments inline.

Contributor

@eleftherias eleftherias left a comment


One more comment, @XieEDeHeiShou.

@@ -189,7 +191,8 @@ protected void configure(HttpSecurity http) throws Exception {
@Bean
public UserDetailsService userDetailsService() {
return new InMemoryUserDetailsManager(
User.withDefaultPasswordEncoder()
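Review bot: the one-line addition announced by the header `@@ -189,7 +191,8 @@` cannot be seen here because the `+`/`-` markers did not survive extraction, but the surrounding context is the test's `userDetailsService()` bean built with `User.withDefaultPasswordEncoder()`; that method is deprecated as a caution against production use and is acceptable in test configuration, so a change made only to silence the IDE's deprecation warning adds nothing to the PR and should be reverted.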
Contributor


Is this change necessary? User.withDefaultPasswordEncoder is deprecated, but it is acceptable to use in tests.

Contributor Author


IDEA showed me a warning when I committed this file, so I changed it. Should I revert this change?

Contributor


Yes, please revert this change.
The IDE is correct to show a warning, but in this specific case it is allowed.

Contributor Author


Done

This reverts commit 2f529e7
@eleftherias eleftherias merged commit b13f750 into spring-projects:master Nov 7, 2019
@eleftherias
Contributor

Thanks for the PR @XieEDeHeiShou! This is now merged into master.

@DevDengChao DevDengChao deleted the Override-RememberMeConfigurer.key branch November 7, 2019 13:05
@eleftherias eleftherias added in: config An issue in spring-security-config type: enhancement A general enhancement and removed status: feedback-provided Feedback has been provided labels Dec 12, 2019
@eleftherias eleftherias added this to the 5.3.0.M1 milestone Dec 12, 2019