Merge pull request #673 from denebolar/JENKINS-16278
[FIXED JENKINS-16278] Fixed RememberMe cookie signature generation (bugfix on SECURITY-49)
Thanks
olamy committed Jan 24, 2013
2 parents de9002b + 91bbae3 commit 4325e006d84113f8e100ec59d03f94f98a6ef3a5
Showing with 38 additions and 0 deletions.
  1. +38 −0 core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
@@ -23,10 +23,17 @@
*/
package hudson.security;

import java.util.Date;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import jenkins.security.HMACConfidentialKey;
import org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.Authentication;
import org.apache.commons.codec.binary.Base64;
import org.springframework.util.Assert;

/**
* {@link TokenBasedRememberMeServices} with modification so as not to rely
@@ -51,6 +58,37 @@ protected String retrievePassword(Authentication successfulAuthentication) {
return "N/A";
}

@Override
public void loginSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication successfulAuthentication) {
// Exit if the principal hasn't asked to be remembered
if (!rememberMeRequested(request, getParameter())) {
if (logger.isDebugEnabled()) {
logger.debug("Did not send remember-me cookie (principal did not set parameter '" +
getParameter() + "')");
}

return;
}

Assert.notNull(successfulAuthentication.getPrincipal());
Assert.notNull(successfulAuthentication.getCredentials());
Assert.isInstanceOf(UserDetails.class, successfulAuthentication.getPrincipal());

long expiryTime = System.currentTimeMillis() + (tokenValiditySeconds * 1000);
String username = ((UserDetails) successfulAuthentication.getPrincipal()).getUsername();

String signatureValue = makeTokenSignature(expiryTime, (UserDetails)successfulAuthentication.getPrincipal());
String tokenValue = username + ":" + expiryTime + ":" + signatureValue;
String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes()));
response.addCookie(makeValidCookie(tokenValueBase64, request, tokenValiditySeconds));

if (logger.isDebugEnabled()) {
logger.debug("Added remember-me cookie for user '" + username + "', expiry: '" + new Date(expiryTime)
+ "'");
}
}

/**
* Used to compute the token signature securely.
*/
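Review bot: `tokenValue.getBytes()` on the line that builds `tokenValueBase64` encodes with the platform default charset, so for a username containing non-ASCII characters the cookie bytes, and with them whether the signature verifies on a later request, depend on the JVM's default encoding rather than on the code; an explicit charset, `tokenValue.getBytes(Charset.forName("UTF-8"))`, removes that dependency, provided the decoding path in the superclass (not visible in this hunk) uses the same charset. The override also needs a Javadoc saying why it exists, since it reads as a near-verbatim copy of the superclass `loginSuccess`: for example `/** Copy of the superclass method, differing only in that the cookie is signed via {@link #makeTokenSignature(long, UserDetails)} instead of the superclass's signature scheme. */`. The token layout `username:expiryTime:signature` is inherited from the superclass and is presumably split on `:` when the cookie is read back, so a username containing a colon would yield a token the reader cannot parse; worth confirming against the verification code. The declaration of `makeTokenSignature`, whose Javadoc begins at the end of this hunk, lies outside the hunk.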
