From f84c1e7eac95ee3187885ddea80a4ff2085c0689 Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Thu, 14 Dec 2017 16:09:27 +0300 Subject: spring-security: remember-me token was not generated properly in hash filter --- .../service/security/HashParamAuthenticationFilter.java | 3 ++- juick-www/src/test/java/com/juick/www/WebAppTests.java | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/juick-server-web/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java b/juick-server-web/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java index ed24fc00..e8ea0492 100644 --- a/juick-server-web/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java +++ b/juick-server-web/src/main/java/com/juick/service/security/HashParamAuthenticationFilter.java @@ -69,8 +69,9 @@ public class HashParamAuthenticationFilter extends OncePerRequestFilter { User user = userService.getUserByHash(hash); if (!user.isAnonymous()) { + User userWithPassword = userService.getFullyUserByName(user.getName()); Authentication authentication = new RememberMeAuthenticationToken( - ((AbstractRememberMeServices)rememberMeServices).getKey(), new JuickUser(user), JuickUser.USER_AUTHORITY); + ((AbstractRememberMeServices)rememberMeServices).getKey(), new JuickUser(userWithPassword), JuickUser.USER_AUTHORITY); SecurityContextHolder.getContext().setAuthentication(authentication); diff --git a/juick-www/src/test/java/com/juick/www/WebAppTests.java b/juick-www/src/test/java/com/juick/www/WebAppTests.java index aacfe8ce..32bad137 100644 --- a/juick-www/src/test/java/com/juick/www/WebAppTests.java +++ b/juick-www/src/test/java/com/juick/www/WebAppTests.java @@ -61,6 +61,7 @@ import org.springframework.util.FileSystemUtils; import org.springframework.web.context.WebApplicationContext; import javax.inject.Inject; +import javax.servlet.http.Cookie; import java.io.FileInputStream; import java.io.IOException; import java.io.StringWriter; @@ -75,6 +76,7 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.startsWith; import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.multipart; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; @@ -277,4 +279,16 @@ public class WebAppTests { .param("mid", String.valueOf(mid)) .param("body", "yo")).andExpect(redirectedUrl(String.format("/%s/%d#%d", ugnichName, mid, 3))); } + @Test + public void hashLoginShouldNotUseSession() throws Exception { + String hash = userService.getHashByUID(ugnich.getUid()); + MvcResult hashLoginResult = mockMvc.perform(get("/?show=my&hash=" + hash)).andExpect(status().isOk()).andReturn(); + Cookie rememberMeFromHash = hashLoginResult.getResponse().getCookie("juick-remember-me"); + MvcResult formLoginResult = mockMvc.perform(post("/login") + .param("username", ugnichName) + .param("password", ugnichPassword)).andReturn(); + Cookie rememberMeFromForm = formLoginResult.getResponse().getCookie("juick-remember-me"); + mockMvc.perform(get("/?show=my").cookie(rememberMeFromForm)).andExpect(status().isOk()); + mockMvc.perform(get("/?show=my").cookie(rememberMeFromHash)).andExpect(status().isOk()); + } } -- cgit v1.2.3