Remove Servlet 2.5 and 3.0 Support for Remember Me and CSRF

Fixes: gh-6263, Fixes: gh-6262

Author: dongmyo

web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java

@@ -16,7 +16,6 @@
 package org.springframework.security.web.authentication.rememberme;
 
 import java.io.UnsupportedEncodingException;
-import java.lang.reflect.Method;
 import java.util.Base64;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
@@ -46,7 +45,6 @@
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.util.Assert;
-import org.springframework.util.ReflectionUtils;
 import org.springframework.util.StringUtils;
 
 /**
@@ -86,16 +84,13 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
 	private String key;
 	private int tokenValiditySeconds = TWO_WEEKS_S;
 	private Boolean useSecureCookie = null;
-	private Method setHttpOnlyMethod;
 	private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();
 
 	protected AbstractRememberMeServices(String key, UserDetailsService userDetailsService) {
 		Assert.hasLength(key, "key cannot be empty or null");
 		Assert.notNull(userDetailsService, "UserDetailsService cannot be null");
 		this.key = key;
 		this.userDetailsService = userDetailsService;
-		this.setHttpOnlyMethod = ReflectionUtils.findMethod(Cookie.class, "setHttpOnly",
-				boolean.class);
 	}
 
 	@Override
@@ -396,8 +391,8 @@ protected void cancelCookie(HttpServletRequest request, HttpServletResponse resp
 	 *
 	 * By default a secure cookie will be used if the connection is secure. You can set
 	 * the {@code useSecureCookie} property to {@code false} to override this. If you set
-	 * it to {@code true}, the cookie will always be flagged as secure. If Servlet 3.0 is
-	 * used, the cookie will be marked as HttpOnly.
+	 * it to {@code true}, the cookie will always be flagged as secure. By default the cookie
+	 * will be marked as HttpOnly.
 	 *
 	 * @param tokens the tokens which will be encoded to make the cookie value.
 	 * @param maxAge the value passed to {@link Cookie#setMaxAge(int)}
@@ -424,12 +419,7 @@ protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request
 			cookie.setSecure(useSecureCookie);
 		}
 
-		if (setHttpOnlyMethod != null) {
-			ReflectionUtils.invokeMethod(setHttpOnlyMethod, cookie, Boolean.TRUE);
-		}
-		else if (logger.isDebugEnabled()) {
-			logger.debug("Note: Cookie will not be marked as HttpOnly because you are not using Servlet 3.0 (Cookie#setHttpOnly(boolean) was not found).");
-		}
+		cookie.setHttpOnly(true);
 
 		response.addCookie(cookie);
 	}

web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java

@@ -16,15 +16,13 @@
 
 package org.springframework.security.web.csrf;
 
-import java.lang.reflect.Method;
 import java.util.UUID;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.springframework.util.Assert;
-import org.springframework.util.ReflectionUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.web.util.WebUtils;
 
@@ -49,19 +47,13 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
 
 	private String cookieName = DEFAULT_CSRF_COOKIE_NAME;
 
-	private final Method setHttpOnlyMethod;
-
-	private boolean cookieHttpOnly;
+	private boolean cookieHttpOnly = true;
 
 	private String cookiePath;
 
 	private String cookieDomain;
 
 	public CookieCsrfTokenRepository() {
-		this.setHttpOnlyMethod = ReflectionUtils.findMethod(Cookie.class, "setHttpOnly", boolean.class);
-		if (this.setHttpOnlyMethod != null) {
-			this.cookieHttpOnly = true;
-		}
 	}
 
 	@Override
@@ -87,9 +79,7 @@ public void saveToken(CsrfToken token, HttpServletRequest request,
 		else {
 			cookie.setMaxAge(-1);
 		}
-		if (cookieHttpOnly && setHttpOnlyMethod != null) {
-			ReflectionUtils.invokeMethod(setHttpOnlyMethod, cookie, Boolean.TRUE);
-		}
+		cookie.setHttpOnly(cookieHttpOnly);
 		if (this.cookieDomain != null && !this.cookieDomain.isEmpty()) {
 			cookie.setDomain(this.cookieDomain);
 		}
@@ -145,17 +135,11 @@ public void setCookieName(String cookieName) {
 
 	/**
 	 * Sets the HttpOnly attribute on the cookie containing the CSRF token.
-	 * The cookie will only be marked as HttpOnly if both <code>cookieHttpOnly</code> is <code>true</code> and the underlying version of Servlet is 3.0 or greater.
-	 * Defaults to <code>true</code> if the underlying version of Servlet is 3.0 or greater.
-	 * NOTE: The {@link Cookie#setHttpOnly(boolean)} was introduced in Servlet 3.0.
+	 * Defaults to <code>true</code>.
 	 *
-	 * @param cookieHttpOnly <code>true</code> sets the HttpOnly attribute, <code>false</code> does not set it (depending on Servlet version)
-	 * @throws IllegalArgumentException if <code>cookieHttpOnly</code> is <code>true</code> and the underlying version of Servlet is less than 3.0
+	 * @param cookieHttpOnly <code>true</code> sets the HttpOnly attribute, <code>false</code> does not set it
 	 */
 	public void setCookieHttpOnly(boolean cookieHttpOnly) {
-		if (cookieHttpOnly && setHttpOnlyMethod == null) {
-			throw new IllegalArgumentException("Cookie will not be marked as HttpOnly because you are using a version of Servlet less than 3.0. NOTE: The Cookie#setHttpOnly(boolean) was introduced in Servlet 3.0.");
-		}
 		this.cookieHttpOnly = cookieHttpOnly;
 	}
 

web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesServlet3Tests.java

@@ -16,8 +16,6 @@
 package org.springframework.security.web.authentication.rememberme;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.powermock.api.mockito.PowerMockito.spy;
-import static org.powermock.api.mockito.PowerMockito.when;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
@@ -41,7 +39,6 @@
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.util.ReflectionUtils;
 import org.springframework.util.StringUtils;
 
@@ -369,17 +366,16 @@ protected String encodeCookie(String[] cookieTokens) {
 	}
 
 	@Test
-	public void setHttpOnlyIgnoredForServlet25() throws Exception {
-		spy(ReflectionUtils.class);
-		when(ReflectionUtils.findMethod(Cookie.class, "setHttpOnly",
-				boolean.class)).thenReturn(null);
+	public void setCookieSetsIsHttpOnlyFlagByDefault() throws Exception {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		request.setContextPath("contextpath");
 
 		MockRememberMeServices services = new MockRememberMeServices(uds);
-		assertThat(ReflectionTestUtils.getField(services, "setHttpOnlyMethod")).isNull();
-
-		services = new MockRememberMeServices("key",
-				new MockUserDetailsService(joe, false));
-		assertThat(ReflectionTestUtils.getField(services, "setHttpOnlyMethod")).isNull();
+		services.setCookie(new String[] { "mycookie" }, 1000, request, response);
+		Cookie cookie = response.getCookie(
+				AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+		assertThat(cookie.isHttpOnly()).isTrue();
 	}
 
 	// SEC-2791