Spring Security
  1. Spring Security
  2. SEC-1242

Injecting NullRememberMeService Throws ClassCastException

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0 M2
    • Fix Version/s: 3.0.0 RC1
    • Component/s: None
    • Labels:
      None

      Description

      Caused by: java.lang.ClassCastException: org.springframework.security.web.authentication.NullRememberMeServices cannot be cast to org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
      	at org.springframework.security.config.http.UserDetailsServiceInjectionBeanPostProcessor.postProcessBeforeInitialization(UserDetailsServiceInjectionBeanPostProcessor.java:54)
      	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:393)
      	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1386)
      	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:511)
      	... 46 more
      
      	<security:http ...>
                      ...
      		<security:remember-me services-ref="rememberMeServices" />
      		...
      	</security:http>
      
      	<bean id="rememberMeServices"
      		class="org.springframework.security.web.authentication.NullRememberMeServices" />
      

        Activity

        Hide
        Luke Taylor added a comment -

        Can you explain what you're trying to achieve with this configuration please?

        Show
        Luke Taylor added a comment - Can you explain what you're trying to achieve with this configuration please?
        Hide
        Nick Padgett added a comment -

        This configuration was an artifact from using Spring Security 2.0.x and OAuth for Spring Security. For one reason or another, when I integrated Oauth for Spring Security, the RememberMeService's default value of NullRememberMeServices was being overwritten with a null value. The null value caused an exception to be thrown when Spring Security instantiated. I injected a NullRememberMeServices to avoid the exception.

        However, regardless of what I am doing, that is not the issue. The issue is that NullRememberMeServices is being cast to an AbstractRememberMeServices without first being tested to see if it is an instance of AbstractRememberMeServices, which it is not. The only reason it is being cast to a AbstractRememberMeServices is to inject a UserDetailsService. What this means is anyone who implements the RememberMeServices interface and does not extend AbstractRememberMeServices will receive a class cast exception.

        The code should be modified to test if the class is an instance of AbstractRememberMeServices first, and if it is not, do not inject the UserDetailsService. This will fix my issue as well as let people create their own custom implementation of RememberMeServices that does not extend AbstractRememberMeServices.

        Show
        Nick Padgett added a comment - This configuration was an artifact from using Spring Security 2.0.x and OAuth for Spring Security. For one reason or another, when I integrated Oauth for Spring Security, the RememberMeService's default value of NullRememberMeServices was being overwritten with a null value. The null value caused an exception to be thrown when Spring Security instantiated. I injected a NullRememberMeServices to avoid the exception. However, regardless of what I am doing, that is not the issue. The issue is that NullRememberMeServices is being cast to an AbstractRememberMeServices without first being tested to see if it is an instance of AbstractRememberMeServices, which it is not. The only reason it is being cast to a AbstractRememberMeServices is to inject a UserDetailsService. What this means is anyone who implements the RememberMeServices interface and does not extend AbstractRememberMeServices will receive a class cast exception. The code should be modified to test if the class is an instance of AbstractRememberMeServices first, and if it is not, do not inject the UserDetailsService. This will fix my issue as well as let people create their own custom implementation of RememberMeServices that does not extend AbstractRememberMeServices.
        Hide
        Luke Taylor added a comment -

        I was just curious why you were enabling remember-me and then injecting a NullRememberMeServices.

        I've added a check as to whether the RememberMeServices is an instance of AbstractRememberMeServices before attempting to inject the UserDetailsService, which should remove the casting issue.

        Show
        Luke Taylor added a comment - I was just curious why you were enabling remember-me and then injecting a NullRememberMeServices. I've added a check as to whether the RememberMeServices is an instance of AbstractRememberMeServices before attempting to inject the UserDetailsService, which should remove the casting issue.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Nick Padgett
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: