SEC-2119: Polish remember-me@rememberme-parameter

- Change form-parameter to rememerme-parameter
  - Use rnc file for generating the xsd
  - Add test for deafult value of rememberme parameter

config/src/main/java/org/springframework/security/config/http/RememberMeBeanDefinitionParser.java

@@ -49,7 +49,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
     static final String ATT_SUCCESS_HANDLER_REF = "authentication-success-handler-ref";
     static final String ATT_TOKEN_VALIDITY = "token-validity-seconds";
     static final String ATT_SECURE_COOKIE = "use-secure-cookie";
-    static final String ATT_FORM_PARAMETER = "form-parameter";
+    static final String ATT_FORM_REMEMBERME_PARAMETER = "rememberme-parameter";
 
     protected final Log logger = LogFactory.getLog(getClass());
     private final String key;
@@ -73,7 +73,7 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
         String rememberMeServicesRef = element.getAttribute(ATT_SERVICES_REF);
         String tokenValiditySeconds = element.getAttribute(ATT_TOKEN_VALIDITY);
         String useSecureCookie = element.getAttribute(ATT_SECURE_COOKIE);
-        String formParameter = element.getAttribute(ATT_FORM_PARAMETER);
+        String remembermeParameter = element.getAttribute(ATT_FORM_REMEMBERME_PARAMETER);
         Object source = pc.extractSource(element);
 
         RootBeanDefinition services = null;
@@ -84,12 +84,12 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
         boolean userServiceSet = StringUtils.hasText(userServiceRef);
         boolean useSecureCookieSet = StringUtils.hasText(useSecureCookie);
         boolean tokenValiditySet = StringUtils.hasText(tokenValiditySeconds);
-        boolean formParameterSet = StringUtils.hasText(formParameter);
+        boolean remembermeParameterSet = StringUtils.hasText(remembermeParameter);
 
-        if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || formParameterSet)) {
+        if (servicesRefSet && (dataSourceSet || tokenRepoSet || userServiceSet || tokenValiditySet || useSecureCookieSet || remembermeParameterSet)) {
             pc.getReaderContext().error(ATT_SERVICES_REF + " can't be used in combination with attributes "
                     + ATT_TOKEN_REPOSITORY + "," + ATT_DATA_SOURCE + ", " + ATT_USER_SERVICE_REF + ", " + ATT_TOKEN_VALIDITY
-                    + ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_PARAMETER, source);
+                    + ", " + ATT_SECURE_COOKIE + " or " + ATT_FORM_REMEMBERME_PARAMETER, source);
         }
 
         if (dataSourceSet && tokenRepoSet) {
@@ -140,8 +140,8 @@ class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
                 services.getPropertyValues().addPropertyValue("tokenValiditySeconds", tokenValidity);
             }
 
-            if (formParameterSet) {
-                services.getPropertyValues().addPropertyValue("parameter", formParameter);
+            if (remembermeParameterSet) {
+                services.getPropertyValues().addPropertyValue("parameter", remembermeParameter);
             }
 
             services.setSource(source);

config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc

@@ -577,7 +577,9 @@ remember-me.attlist &=
 remember-me.attlist &=
     ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication.
     attribute authentication-success-handler-ref {xsd:token}?
-
+remember-me.attlist &=
+    ## The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'.
+    attribute rememberme-parameter {xsd:token}?
 
 token-repository-ref =
     ## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation.

config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd

@@ -1801,9 +1801,10 @@
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
-      <xs:attribute name="form-parameter" type="xs:token">
+      <xs:attribute name="rememberme-parameter" type="xs:token">
          <xs:annotation>
-              <xs:documentation>The name of the request parameter which toggles remember-me authentication. Defaults to '_spring_security_remember_me'.
+            <xs:documentation>The name of the request parameter which toggles remember-me authentication. Defaults to
+                '_spring_security_remember_me'.
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>

config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy

@@ -26,6 +26,7 @@ import org.springframework.security.util.FieldUtils
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
 import org.springframework.security.web.authentication.logout.LogoutFilter
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
+import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl
 import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl
 import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
@@ -213,10 +214,20 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
         notThrown BeanDefinitionParsingException
     }
 
+    def 'Default form-parameter is correct'() {
+        httpAutoConfig () {
+            'remember-me'()
+        }
+
+        createAppContext(AUTH_PROVIDER_XML)
+        expect:
+        rememberMeServices().parameter == AbstractRememberMeServices.DEFAULT_PARAMETER
+    }
+
     // SEC-2119
     def 'Custom form-parameter is supported'() {
         httpAutoConfig () {
-            'remember-me'('form-parameter': 'ourParam')
+            'remember-me'('rememberme-parameter': 'ourParam')
         }
 
         createAppContext(AUTH_PROVIDER_XML)
@@ -227,7 +238,7 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
     def 'form-parameter cannot be used together with services-ref'() {
         when:
         httpAutoConfig () {
-            'remember-me'('form-parameter': 'ourParam', 'services-ref': 'ourService')
+            'remember-me'('rememberme-parameter': 'ourParam', 'services-ref': 'ourService')
         }
         createAppContext(AUTH_PROVIDER_XML)
         then:

docs/manual/src/docbook/appendix-namespace.xml

@@ -842,7 +842,7 @@
                         <classname>PersistentTokenBasedRememberMeServices</classname> will be used and configured with a
                         <classname>JdbcTokenRepositoryImpl</classname> instance. </para>
                 </section>
-                <section xml:id="nsa-remember-me-form-parameter">
+                <section xml:id="nsa-remember-me-rememberme-parameter">
                     <title><literal>form-parameter</literal></title>
                     <para>The name of the request parameter which toggles remember-me authentication. Defaults to "_spring_security_remember_me".
                         Maps to the "parameter" property of <classname>AbstractRememberMeServices</classname>.</para>