SEC-2119: Add a 'form-parameter' attribute to <remember-me>

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -1,5 +1,23 @@
+/*
+ * Copyright 2009-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.config;
 
+import java.util.HashMap;
+import java.util.Map;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.config.BeanDefinition;
@@ -28,8 +46,6 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 
-import java.util.*;
-
 /**
  * Parses elements from the "security" namespace (http://www.springframework.org/schema/security).
  *
@@ -180,7 +196,7 @@ private boolean namespaceMatchesVersion(Element element) {
 
     private boolean matchesVersionInternal(Element element) {
         String schemaLocation = element.getAttributeNS("http://www.w3.org/2001/XMLSchema-instance", "schemaLocation");
-        return schemaLocation.matches("(?m).*spring-security-3\\.1.*.xsd.*")
+        return schemaLocation.matches("(?m).*spring-security-3\\.2.*.xsd.*")
                  || schemaLocation.matches("(?m).*spring-security.xsd.*")
                  || !schemaLocation.matches("(?m).*spring-security.*");
     }

config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2013 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,6 +38,7 @@
  * @author Luke Taylor
  * @author Ben Alex
  * @author Rob Winch
+ * @author Oliver Becker
  */
 class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
     static final String ATT_DATA_SOURCE = "data-source-ref";
@@ -48,6 +49,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
     static final String ATT_SUCCESS_HANDLER_REF = "authentication-success-handler-ref";
     static final String ATT_TOKEN_VALIDITY = "token-validity-seconds";
     static final String ATT_SECURE_COOKIE = "use-secure-cookie";
+    static final String ATT_FORM_PARAMETER = "form-parameter";
 
     protected final Log logger = LogFactory.getLog(getClass());
     private final String key;
@@ -70,6 +72,8 @@ public BeanDefinition parse(Element element, ParserContext pc) {
         String successHandlerRef = element.getAttribute(ATT_SUCCESS_HANDLER_REF);
         String rememberMeServicesRef = element.getAttribute(ATT_SERVICES_REF);
         String tokenValiditySeconds = element.getAttribute(ATT_TOKEN_VALIDITY);
+        String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
+        String formParameter = element.getAttribute(ATT_FORM_PARAMETER);
         Object source = pc.extractSource(element);
 
         RootBeanDefinition services = null;
@@ -78,11 +82,14 @@ public BeanDefinition parse(Element element, ParserContext pc) {
         boolean tokenRepoSet = StringUtils.hasText(tokenRepository);
         boolean servicesRefSet = StringUtils.hasText(rememberMeServicesRef);
         boolean userServiceSet = StringUtils.hasText(userServiceRef);
+        boolean useSecureCookieSet = StringUtils.hasText(useSecureCookie);
         boolean tokenValiditySet = StringUtils.hasText(tokenValiditySeconds);
+        boolean formParameterSet = StringUtils.hasText(formParameter);
 
-        if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet)) {
+        if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || formParameterSet)) {
             pc.getReaderContext().error(ATT_SERVICES_REF + " can't be used in combination with attributes "
-                    + ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + " or " + ATT_TOKEN_VALIDITY, source);
+                    + ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + ", " + ATT_TOKEN_VALIDITY
+                    + ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_PARAMETER, source);
         }
 
         if (dataSourceSet && tokenRepoSet) {
@@ -120,8 +127,7 @@ public BeanDefinition parse(Element element, ParserContext pc) {
             services.getConstructorArgumentValues().addGenericArgumentValue(uds);
             // tokenRepo is already added if it is a PersistentTokenBasedRememberMeServices
 
-            String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
-            if (StringUtils.hasText(useSecureCookie)) {
+            if (useSecureCookieSet) {
                 services.getPropertyValues().addPropertyValue("useSecureCookie", Boolean.valueOf(useSecureCookie));
             }
 
@@ -133,6 +139,11 @@ public BeanDefinition parse(Element element, ParserContext pc) {
                 }
                 services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
             }
+
+            if (formParameterSet) {
+                services.getPropertyValues().addPropertyValue("parameter", formParameter);
+            }
+
             services.setSource(source);
             servicesName = pc.getReaderContext().generateBeanName(services);
             pc.registerBeanComponent(new BeanComponentDefinition(services, servicesName));

config/src/main/resources/META-INF/spring.schemas

@@ -1,4 +1,5 @@
-http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-3.1.xsd
+http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-3.2.xsd
+http\://www.springframework.org/schema/security/spring-security-3.2.xsd=org/springframework/security/config/spring-security-3.2.xsd
 http\://www.springframework.org/schema/security/spring-security-3.1.xsd=org/springframework/security/config/spring-security-3.1.xsd
 http\://www.springframework.org/schema/security/spring-security-3.0.3.xsd=org/springframework/security/config/spring-security-3.0.3.xsd
 http\://www.springframework.org/schema/security/spring-security-3.0.xsd=org/springframework/security/config/spring-security-3.0.xsd

config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd

@@ -1800,6 +1800,12 @@
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
+      <xs:attribute name="form-parameter" type="xs:token">
+          <xs:annotation>
+              <xs:documentation>The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'.
+              </xs:documentation>
+          </xs:annotation>
+      </xs:attribute>
   </xs:attributeGroup>
   <xs:attributeGroup name="token-repository-ref">
       <xs:attribute name="token-repository-ref" use="required" type="xs:token">
@@ -2311,4 +2317,4 @@
          <xs:enumeration value="LAST"/>
       </xs:restriction>
   </xs:simpleType>
-</xs:schema>
+</xs:schema>

config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2013 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@ import org.springframework.security.web.authentication.rememberme.TokenBasedReme
  *
  * @author Luke Taylor
  * @author Rob Winch
+ * @author Oliver Becker
  */
 class RememberMeConfigTests extends AbstractHttpConfigTests {
 
@@ -212,6 +213,27 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
         notThrown BeanDefinitionParsingException
     }
 
+    // SEC-2119
+    def 'Custom form-parameter is supported'() {
+        httpAutoConfig () {
+            'remember-me'('form-parameter': 'ourParam')
+        }
+
+        createAppContext(AUTH_PROVIDER_XML)
+        expect:
+        rememberMeServices().parameter == 'ourParam'
+    }
+
+    def 'form-parameter cannot be used together with services-ref'() {
+        when:
+        httpAutoConfig () {
+            'remember-me'('form-parameter': 'ourParam', 'services-ref': 'ourService')
+        }
+        createAppContext(AUTH_PROVIDER_XML)
+        then:
+        BeanDefinitionParsingException e = thrown()
+    }
+
     def rememberMeServices() {
         getFilter(RememberMeAuthenticationFilter.class).getRememberMeServices()
     }

config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2009-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.config.util;
 
 import org.springframework.beans.factory.support.DefaultListableBeanFactory;
@@ -25,11 +40,11 @@ public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext
     Resource inMemoryXml;
 
     public InMemoryXmlApplicationContext(String xml) {
-        this(xml, "3.1", null);
+        this(xml, "3.2", null);
     }
 
     public InMemoryXmlApplicationContext(String xml, ApplicationContext parent) {
-        this(xml, "3.1", parent);
+        this(xml, "3.2", parent);
     }
 
     public InMemoryXmlApplicationContext(String xml, String secVersion, ApplicationContext parent) {

core/src/test/java/org/springframework/security/authentication/jaas/memory/InMemoryConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2010 the original author or authors.
+ * Copyright 2010-2013 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

docs/manual/src/docbook/appendix-namespace.xml

@@ -842,6 +842,11 @@
                         <classname>PersistentTokenBasedRememberMeServices</classname> will be used and configured with a
                         <classname>JdbcTokenRepositoryImpl</classname> instance. </para>
                 </section>
+                <section xml:id="nsa-remember-me-form-parameter">
+                    <title><literal>form-parameter</literal></title>
+                    <para>The name of the request parameter which toggles remember-me authentication. Defaults to "_spring_security_remember_me".
+                        Maps to the "parameter" property of <classname>AbstractRememberMeServices</classname>.</para>
+                </section>
                 <section xml:id="nsa-remember-me-key">
                     <title><literal>key</literal></title>
                     <para>Maps to the "key" property of