
SECOAUTH-142: make session peristed tokens optional

1 parent 2e1eb03 commit 19ed2323467bcea6d89366de0075d256af93b8f5 @rauar rauar committed with dsyer Dec 24, 2012
63 ...pringframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServices.java
@@ -1,34 +1,57 @@
package org.springframework.security.oauth.consumer.rememberme;
-import org.springframework.security.oauth.consumer.OAuthConsumerToken;
+import java.util.HashMap;
+import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
-import java.util.Map;
+
+import org.springframework.security.oauth.consumer.OAuthConsumerToken;
/**
- * Default implementation of the OAuth2 rememberme services. Just stores everything in the session.
+ * Default implementation of the OAuth2 rememberme services. Just stores everything in the session by default. Storing
+ * access token can be suppressed to reduce long-term expose of these tokens in the underlying HTTP session.
*
* @author Ryan Heaton
+ * @author Alex Rau
*/
public class HttpSessionOAuthRememberMeServices implements OAuthRememberMeServices {
- public static final String REMEMBERED_TOKENS_KEY = HttpSessionOAuthRememberMeServices.class.getName() + "#REMEMBERED_TOKENS";
-
- public Map<String, OAuthConsumerToken> loadRememberedTokens(HttpServletRequest request, HttpServletResponse response) {
- HttpSession session = request.getSession(false);
- Map<String, OAuthConsumerToken> rememberedTokens = null;
- if (session != null) {
- rememberedTokens = (Map<String, OAuthConsumerToken>) session.getAttribute(REMEMBERED_TOKENS_KEY);
- }
- return rememberedTokens;
- }
-
- public void rememberTokens(Map<String, OAuthConsumerToken> tokens, HttpServletRequest request, HttpServletResponse response) {
- HttpSession session = request.getSession(false);
- if (session != null) {
- session.setAttribute(REMEMBERED_TOKENS_KEY, tokens);
- }
- }
+ public static final String REMEMBERED_TOKENS_KEY = HttpSessionOAuthRememberMeServices.class.getName()
+ + "#REMEMBERED_TOKENS";
+
+ private boolean storeAccessTokens = true;
+
+ @SuppressWarnings("unchecked")
+ public Map<String, OAuthConsumerToken> loadRememberedTokens(HttpServletRequest request, HttpServletResponse response) {
+
+ HttpSession session = request.getSession(false);
+
+ if (session != null) {
+ return (Map<String, OAuthConsumerToken>) session.getAttribute(REMEMBERED_TOKENS_KEY);
+ }
+
+ return null;
+ }
+
+ public void rememberTokens(Map<String, OAuthConsumerToken> tokens, HttpServletRequest request,
+ HttpServletResponse response) {
+
+ HttpSession session = request.getSession(false);
+
+ if (session == null) {
+ return;
+ }
+
+ Map<String, OAuthConsumerToken> requestTokensOnly = new HashMap<String, OAuthConsumerToken>();
+
+ for (Map.Entry<String, OAuthConsumerToken> token : tokens.entrySet()) {
+ if (storeAccessTokens && !token.getValue().isAccessToken())
+ requestTokensOnly.put(token.getKey(), token.getValue());
+
+ }
+
+ session.setAttribute(REMEMBERED_TOKENS_KEY, requestTokensOnly);
+ }
}
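Review bot: The filter at the `if (storeAccessTokens && !token.getValue().isAccessToken())` line inverts the new flag: with the default `storeAccessTokens = true` every access token is dropped, and with `false` nothing is stored at all, so no configuration ever keeps an access token in the session. The class Javadoc says storing access tokens "can be suppressed", which reads as `if (storeAccessTokens || !token.getValue().isAccessToken())`. The field also has no mutator anywhere in the class, so callers cannot toggle it; a `public void setStoreAccessTokens(boolean storeAccessTokens)` setter would make the option real. As written, the default behaviour silently changes from the removed version, which put the whole `tokens` map in the session, to dropping access tokens, which consumers that relied on remembered access tokens would presumably notice as repeated authorization round-trips.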
136 ...gframework/security/oauth/consumer/rememberme/TestHttpSessionOAuthRememberMeServices.java
@@ -0,0 +1,136 @@
+/*
+ * Copyright 2008 Web Cohesion
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth.consumer.rememberme;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.oauth.consumer.OAuthConsumerToken;
+
+/**
+ * @author Alex Rau
+ */
+public class TestHttpSessionOAuthRememberMeServices {
+
+ @Test
+ public void testEmptySession() {
+
+ MockHttpSession mockHttpSession = new MockHttpSession();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ request.setSession(mockHttpSession);
+
+ HttpSessionOAuthRememberMeServices oAuthRememberMeService = new HttpSessionOAuthRememberMeServices();
+
+ Map<String, OAuthConsumerToken> tokens = oAuthRememberMeService.loadRememberedTokens(request, response);
+
+ Assert.assertNull(tokens);
+
+ }
+
+ @Test
+ public void testNoTokensRemembered() {
+
+ MockHttpSession mockHttpSession = new MockHttpSession();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ request.setSession(mockHttpSession);
+
+ HttpSessionOAuthRememberMeServices oAuthRememberMeService = new HttpSessionOAuthRememberMeServices();
+
+ Map<String, OAuthConsumerToken> tokens = new HashMap<String, OAuthConsumerToken>();
+
+ oAuthRememberMeService.rememberTokens(tokens, request, response);
+
+ Assert.assertEquals(0, oAuthRememberMeService.loadRememberedTokens(request, response).size());
+
+ }
+
+ @Test
+ public void testStoreEverything() {
+
+ MockHttpSession mockHttpSession = new MockHttpSession();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ request.setSession(mockHttpSession);
+
+ HttpSessionOAuthRememberMeServices oAuthRememberMeService = new HttpSessionOAuthRememberMeServices();
+
+ Map<String, OAuthConsumerToken> tokens = new HashMap<String, OAuthConsumerToken>();
+
+ {
+ OAuthConsumerToken token = new OAuthConsumerToken();
+ token.setAccessToken(false);
+ tokens.put("resourceID1", token);
+ }
+
+ {
+ OAuthConsumerToken token = new OAuthConsumerToken();
+ token.setAccessToken(true);
+ tokens.put("resourceID2", token);
+ }
+
+ oAuthRememberMeService.rememberTokens(tokens, request, response);
+
+ Assert.assertEquals(1, oAuthRememberMeService.loadRememberedTokens(request, response).size());
+
+ }
+
+ @Test
+ public void testStoreRequestTokensOnly() {
+
+ MockHttpSession mockHttpSession = new MockHttpSession();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ request.setSession(mockHttpSession);
+
+ HttpSessionOAuthRememberMeServices oAuthRememberMeService = new HttpSessionOAuthRememberMeServices();
+
+ Map<String, OAuthConsumerToken> tokens = new HashMap<String, OAuthConsumerToken>();
+
+ {
+ OAuthConsumerToken token = new OAuthConsumerToken();
+ token.setAccessToken(false);
+ tokens.put("resourceID1", token);
+ }
+
+ {
+ OAuthConsumerToken token = new OAuthConsumerToken();
+ token.setAccessToken(true);
+ tokens.put("resourceID2", token);
+ }
+
+ oAuthRememberMeService.rememberTokens(tokens, request, response);
+
+ Map<String, OAuthConsumerToken> storedTokens = oAuthRememberMeService.loadRememberedTokens(request, response);
+
+ Assert.assertEquals(1, storedTokens.size());
+
+ Assert.assertNotNull(storedTokens.get("resourceID1"));
+
+ }
+
+}
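Review bot: `testStoreEverything` asserts `1` at its `Assert.assertEquals(1, oAuthRememberMeService.loadRememberedTokens(request, response).size())` line although it stores two tokens on a service in default configuration, so the test's name promises that everything is kept while the assertion pins the dropping of the access token. Because nothing in the test (or the service) switches `storeAccessTokens`, `testStoreRequestTokensOnly` runs exactly the same path and the two tests cannot diverge. Once the flag is settable, `testStoreEverything` should expect `2`, and `testStoreRequestTokensOnly` should disable access-token storage on the service before asserting `1` and the presence of `resourceID1`.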
