[FIXED JENKINS-16278] Fixed RememberMe cookie signature generation (bugfix on SECURITY-49)

The new cookie signature generation was implemented only in the verification of the RememberMe cookie, not in its creation.
Fixed by new override TokenBasedRememberMeServices2.loginSuccess
(cherry picked from commit 91bbae3)
Hendrik Millner authored and vjuranek committed Jan 25, 2013
1 parent 991158b commit 83c95d51bae57fc328e5b1fb080875234a1b0429
Showing with 38 additions and 0 deletions.
  1. +38 −0 core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
@@ -23,10 +23,17 @@
*/
package hudson.security;

import java.util.Date;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import jenkins.security.HMACConfidentialKey;
import org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.Authentication;
import org.apache.commons.codec.binary.Base64;
import org.springframework.util.Assert;

/**
* {@link TokenBasedRememberMeServices} with modification so as not to rely
@@ -51,6 +58,37 @@ protected String retrievePassword(Authentication successfulAuthentication) {
return "N/A";
}

@Override
public void loginSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication successfulAuthentication) {
// Exit if the principal hasn't asked to be remembered
if (!rememberMeRequested(request, getParameter())) {
if (logger.isDebugEnabled()) {
logger.debug("Did not send remember-me cookie (principal did not set parameter '" +
getParameter() + "')");
}

return;
}

Assert.notNull(successfulAuthentication.getPrincipal());
Assert.notNull(successfulAuthentication.getCredentials());
Assert.isInstanceOf(UserDetails.class, successfulAuthentication.getPrincipal());

long expiryTime = System.currentTimeMillis() + (tokenValiditySeconds * 1000);
String username = ((UserDetails) successfulAuthentication.getPrincipal()).getUsername();

String signatureValue = makeTokenSignature(expiryTime, (UserDetails)successfulAuthentication.getPrincipal());
String tokenValue = username + ":" + expiryTime + ":" + signatureValue;
String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes()));
response.addCookie(makeValidCookie(tokenValueBase64, request, tokenValiditySeconds));

if (logger.isDebugEnabled()) {
logger.debug("Added remember-me cookie for user '" + username + "', expiry: '" + new Date(expiryTime)
+ "'");
}
}

/**
* Used to compute the token signature securely.
*/
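Review bot: `long expiryTime = System.currentTimeMillis() + (tokenValiditySeconds * 1000);` in the new loginSuccess multiplies in int arithmetic if tokenValiditySeconds is the int field inherited from TokenBasedRememberMeServices (the field is not visible in this hunk); a validity above roughly 2,147,483 seconds (about 24.8 days) then wraps negative, so the expiry embedded in the signed token is wrong while the cookie's own max-age passed to makeValidCookie is not. Writing `long expiryTime = System.currentTimeMillis() + (tokenValiditySeconds * 1000L);` fixes this with no change for the default validity. Separately, `String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes()));` encodes the username, which is part of the signed value, with the platform default charset; an explicit charset matching whatever the base class's autoLogin decodes with (presumably `"UTF-8"`, to be confirmed) would make the cookie independent of the server's locale. makeValidCookie is inherited and not shown here, so it is worth confirming that the long-lived cookie it issues is marked HttpOnly (and Secure where the deployment allows).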

0 comments on commit 83c95d5
