Spring Security / SEC-1011

AbstractRememberMeServices#autoLogin is marked final and/or the token cannot be replaced by subclasses

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: None
    • Labels:
      None

      Description

      AbstractRememberMeServices#autoLogin is marked final. This means that extending classes cannot override the authentication token handling. Either A) remove the 'final' or B) move the token generation to a protected method that can be overridden by subclasses.

      Thanks!

        Activity

        Jon Osborn added a comment -

        Add method:

        // request is passed in from autoLogin; buildDetails(request) needs it
        protected Authentication createSuccessfulAuthentication(HttpServletRequest request,
                UserDetails user, GrantedAuthority[] authorities) {
            RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(key, user, user.getAuthorities());
            auth.setDetails(authenticationDetailsSource.buildDetails(request));
            return auth;
        }

        and call from autoLogin

        Gediminas A. added a comment -

        Also, the autoLogin method being final prevents overriding the way the token is passed to the RememberMeServices. For example, if I want to pass the token as a URL parameter instead of the HTTP cookie.

        To support this scenario, I suggest resolution A suggested by Jon Osborn - remove the 'final'.

        Thanks
        Gediminas

        Luke Taylor added a comment -

        I've unprotected the extractRememberMeCookie method and added a createSuccessfulAuthentication one which should satisfy both requirements.
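
An added example, not part of the original thread or the Spring Security code base: a subclass that uses the createSuccessfulAuthentication hook mentioned above to issue a remember-me token with fewer authorities than a full login. It assumes the Spring Security 3.1+ API (createSuccessfulAuthentication(HttpServletRequest, UserDetails), javax.servlet); the class name and the ROLE_ADMIN value are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

// Hypothetical subclass: remember-me logins never carry the sensitive role,
// so privileged actions require a fresh interactive login.
public class ReducedAuthorityRememberMeServices extends TokenBasedRememberMeServices {

    // Hypothetical role name; substitute whatever the application treats as sensitive.
    private static final String SENSITIVE_ROLE = "ROLE_ADMIN";

    public ReducedAuthorityRememberMeServices(String key, UserDetailsService userDetailsService) {
        super(key, userDetailsService);
    }

    @Override
    protected Authentication createSuccessfulAuthentication(HttpServletRequest request, UserDetails user) {
        // Let the parent build the default token so its details object
        // (remote address, session id) can be reused unchanged.
        Authentication base = super.createSuccessfulAuthentication(request, user);

        // Copy every authority except the sensitive one.
        List<GrantedAuthority> reduced = new ArrayList<GrantedAuthority>();
        for (GrantedAuthority authority : user.getAuthorities()) {
            if (!SENSITIVE_ROLE.equals(authority.getAuthority())) {
                reduced.add(authority);
            }
        }

        // The same key must be used, otherwise RememberMeAuthenticationProvider
        // rejects the token when it compares key hashes.
        RememberMeAuthenticationToken auth =
                new RememberMeAuthenticationToken(getKey(), user, reduced);
        auth.setDetails(base.getDetails());
        return auth;
    }
}
```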


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Jon Osborn