

[FIXED JENKINS-16278] Fixed RememberMe cookie signature generation (bugfix on SECURITY-49)

The new cookie signature generation was implemented only in the verification of the RememberMe cookie, not in its creation.
Fixed by a new override, TokenBasedRememberMeServices2.loginSuccess.
Hendrik Millner committed Jan 15, 2013
1 parent 9ab5271 commit 91bbae3
Showing 1 changed file with 38 additions and 0 deletions.
Expand Up @@ -23,10 +23,17 @@
*/
package hudson.security;

import java.util.Date;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import jenkins.security.HMACConfidentialKey;
import org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.Authentication;
import org.apache.commons.codec.binary.Base64;
import org.springframework.util.Assert;

/**
* {@link TokenBasedRememberMeServices} with modification so as not to rely
Expand All @@ -51,6 +58,37 @@ protected String retrievePassword(Authentication successfulAuthentication) {
return "N/A";
}

@Override
public void loginSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication successfulAuthentication) {
// Exit if the principal hasn't asked to be remembered
if (!rememberMeRequested(request, getParameter())) {
if (logger.isDebugEnabled()) {
logger.debug("Did not send remember-me cookie (principal did not set parameter '" +
getParameter() + "')");
}

return;
}

Assert.notNull(successfulAuthentication.getPrincipal());
Assert.notNull(successfulAuthentication.getCredentials());
Assert.isInstanceOf(UserDetails.class, successfulAuthentication.getPrincipal());

long expiryTime = System.currentTimeMillis() + (tokenValiditySeconds * 1000);
String username = ((UserDetails) successfulAuthentication.getPrincipal()).getUsername();

String signatureValue = makeTokenSignature(expiryTime, (UserDetails)successfulAuthentication.getPrincipal());
String tokenValue = username + ":" + expiryTime + ":" + signatureValue;
String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes()));
response.addCookie(makeValidCookie(tokenValueBase64, request, tokenValiditySeconds));

if (logger.isDebugEnabled()) {
logger.debug("Added remember-me cookie for user '" + username + "', expiry: '" + new Date(expiryTime)
+ "'");
}
}

/**
* Used to compute the token signature securely.
*/
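Review bot: `tokenValue.getBytes()` on the line that builds tokenValueBase64 encodes with the JVM default charset, so a username containing non-ASCII characters produces a platform-dependent cookie body and therefore a token whose signed form differs between hosts; an explicit charset, `tokenValue.getBytes("UTF-8")` (with the UnsupportedEncodingException handled), is the usual fix, provided the decoding side in autoLogin — not shown in this hunk — reads the cookie with the same charset. The principal is cast to UserDetails twice; binding it once, `UserDetails user = (UserDetails) successfulAuthentication.getPrincipal();`, and passing it to both getUsername() and makeTokenSignature reads more clearly and keeps the isInstanceOf assertion next to the single cast. The new override carries no Javadoc explaining why the superclass method is re-implemented here; a one-liner such as `/** Re-implemented so that the cookie is signed via {@link #makeTokenSignature}, matching the signature scheme used on the verification side. */` would do. loginSuccess is complete within the hunk; the enclosing class continues on both sides of it.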
