SEC-473: Reduce the number of "cookie methods" in AbstractRememberMeServices.

core/src/main/java/org/springframework/security/ui/rememberme/AbstractRememberMeServices.java

@@ -264,28 +264,40 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
     protected abstract UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request,
             HttpServletResponse response) throws RememberMeAuthenticationException, UsernameNotFoundException;
 
+    /**
+     * Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins.
+     *
+     * @param request
+     * @param response
+     */
     protected void cancelCookie(HttpServletRequest request, HttpServletResponse response) {
         logger.debug("Cancelling cookie");
-
-        response.addCookie(makeCancelCookie(request));
-    }
-
-    protected Cookie makeCancelCookie(HttpServletRequest request) {
         Cookie cookie = new Cookie(cookieName, null);
         cookie.setMaxAge(0);
         cookie.setPath(StringUtils.hasLength(request.getContextPath()) ? request.getContextPath() : "/");
 
-        return cookie;
+        response.addCookie(cookie);
     }
 
-    protected Cookie makeValidCookie(String value, HttpServletRequest request, int maxAge) {
+    /**
-        Cookie cookie = new Cookie(cookieName, value);
+     * Sets the cookie on the response
+     *
+     * @param tokens the tokens which will be encoded to make the cookie value.
+     * @param maxAge the value passed to {@link Cookie#setMaxAge(int)}
+     * @param request the request
+     * @param response the response to add the cookie to.
+     */
+    protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request, HttpServletResponse response) {
+        String cookieValue = encodeCookie(tokens);
+        Cookie cookie = new Cookie(cookieName, cookieValue);
         cookie.setMaxAge(maxAge);
         cookie.setPath(StringUtils.hasLength(request.getContextPath()) ? request.getContextPath() : "/");
-
+        response.addCookie(cookie);
-        return cookie;
     }
 
+    /**
+     * Implementation of <tt>LogoutHandler</tt>. Default behaviour is to call <tt>cancelCookie()</tt>.
+     */
     public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
         if (logger.isDebugEnabled()) {
             logger.debug( "Logout of user "

core/src/main/java/org/springframework/security/ui/rememberme/PersistentTokenBasedRememberMeServices.java

@@ -151,8 +151,7 @@ public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeSe
     }
 
     private void addCookie(PersistentRememberMeToken token, HttpServletRequest request, HttpServletResponse response) {
-        String cookieValue = encodeCookie(new String[] {token.getSeries(), token.getTokenValue()});
+        setCookie(new String[] {token.getSeries(), token.getTokenValue()},getTokenValiditySeconds(), request, response);
-        response.addCookie(makeValidCookie(cookieValue, request, getTokenValiditySeconds()));
     }
 
     public void setTokenRepository(PersistentTokenRepository tokenRepository) {

core/src/main/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServices.java

@@ -162,9 +162,8 @@ public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
         long expiryTime = System.currentTimeMillis() + 1000*tokenLifetime;
 
         String signatureValue = makeTokenSignature(expiryTime, username, password);
-        String cookieValue = encodeCookie(new String[] {username, Long.toString(expiryTime), signatureValue});
 
-        response.addCookie(makeValidCookie(cookieValue, request, tokenLifetime));
+        setCookie(new String[] {username, Long.toString(expiryTime), signatureValue}, tokenLifetime, request, response);
 
 		if (logger.isDebugEnabled()) {
 			logger.debug("Added remember-me cookie for user '" + username + "', expiry: '"

core/src/test/java/org/springframework/security/ui/rememberme/AbstractRememberMeServicesTests.java

@@ -206,16 +206,23 @@ public class AbstractRememberMeServicesTests {
     }
 
     @Test
-    public void makeValidCookieUsesCorrectNamePathAndValue() {
+    public void setCookieUsesCorrectNamePathAndValue() {
         MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
         request.setContextPath("contextpath");
-        MockRememberMeServices services = new MockRememberMeServices();
+        MockRememberMeServices services = new MockRememberMeServices() {
+            protected String encodeCookie(String[] cookieTokens) {
+                return cookieTokens[0];
+            }
+        };
         services.setCookieName("mycookiename");
-        Cookie cookie = services.makeValidCookie("mycookie", request, 1000);
+        services.setCookie(new String[] {"mycookie"}, 1000, request, response);
+        Cookie cookie = response.getCookie("mycookiename");
 
-        assertTrue(cookie.getValue().equals("mycookie"));
+        assertNotNull(cookie);
-        assertTrue(cookie.getName().equals("mycookiename"));
+        assertEquals("mycookie", cookie.getValue());
-        assertTrue(cookie.getPath().equals("contextpath"));
+        assertEquals("mycookiename", cookie.getName());
+        assertEquals("contextpath", cookie.getPath());
 
     }