Let TokenBasedRememberMeServices2 tolerate Authentication.principal not UserDetails #7724
While experimenting with tests of SSO logins, I came across a case where clicking Remember me caused a CCE because the `Authentication` had a `principal` of type `String` rather than the `UserDetails` this class currently expects. Using a debugger I found that the `String`-based token was created here:

I think this arose because the test was actually mistaken at that point, trying to use the `/login` form when the configured security realm was not username/password-based. Probably `UsernamePasswordAuthenticationFilter` would not normally be used in this way. At any rate, the Javadoc for `Object getPrincipal()` says

implying that `String` and `UserDetails` are the expected types (but that there might be others!); and so it would be best to tolerate anything.

### Testing done

Prevented a CCE in the context of original experiments (closed source). Interactive sanity test logging in to built-in security realm.
### Proposed changelog entries

- `ClassCastException` from `TokenBasedRememberMeServices2` (not known to occur in realistic environments).

### Maintainer checklist

Before the changes are marked as `ready-for-merge`:

- `upgrade-guide-needed` label is set and there is a Proposed upgrade guidelines section in the pull request title (see example).
- `lts-candidate` to be considered (see query).
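The failure the description reports is a blind cast of `Authentication.getPrincipal()` to `UserDetails`. The following is an added example, not code from this pull request or from Jenkins, showing that cast beside a form that tolerates the principal types the Spring Security Javadoc allows. It assumes Spring Security core is on the classpath; the class name `PrincipalNameExample`, the method names, and the sample tokens are constructed for illustration.

```java
// Added example (not the PR's own code): extracting a username from
// Authentication.getPrincipal() without assuming it is a UserDetails.
// Assumes Spring Security core on the classpath; sample tokens are constructed.
import java.util.Collections;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class PrincipalNameExample {

    /** Brittle form: a blind cast, which throws ClassCastException when the principal is a String. */
    static String usernameByCast(Authentication auth) {
        return ((UserDetails) auth.getPrincipal()).getUsername();
    }

    /** Tolerant form: handle the two documented principal types and fall back for anything else. */
    static String usernameTolerant(Authentication auth) {
        Object principal = auth.getPrincipal();
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        if (principal instanceof String) {
            return (String) principal;
        }
        // The Javadoc leaves room for other principal types; Authentication.getName()
        // already performs a type-aware lookup in Spring's AbstractAuthenticationToken,
        // so delegate to it rather than casting.
        return auth.getName();
    }

    public static void main(String[] args) {
        // Constructed sample: the case the PR describes, a String principal from a form login.
        Authentication stringPrincipal = new UsernamePasswordAuthenticationToken(
                "alice", null, Collections.emptyList());

        // Constructed sample: the UserDetails principal the remember-me code expected.
        UserDetails details = new User("bob", "", Collections.emptyList());
        Authentication userDetailsPrincipal = new UsernamePasswordAuthenticationToken(
                details, null, details.getAuthorities());

        System.out.println("tolerant, UserDetails principal: " + usernameTolerant(userDetailsPrincipal));
        System.out.println("tolerant, String principal:      " + usernameTolerant(stringPrincipal));

        // The blind cast works for the UserDetails token but fails for the String token.
        System.out.println("cast, UserDetails principal:     " + usernameByCast(userDetailsPrincipal));
        try {
            usernameByCast(stringPrincipal);
        } catch (ClassCastException e) {
            System.out.println("cast, String principal: ClassCastException (" + e.getMessage() + ")");
        }
    }
}
```

Running `main` exercises both tokens: the tolerant path returns a username for each, while the cast path reproduces the `ClassCastException` for the `String` principal. Code that builds a remember-me cookie from the principal should take the tolerant path, since a remember-me token must never be issued for an unidentified principal and must never crash the login flow when the realm hands back an unexpected type.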