
SEC-993: OpenID and RememberMe broken #1245

spring-issuemaster opened this Issue Sep 29, 2008 · 1 comment



Burt Beckwith (Migrated from SEC-993) said:

I’m trying to create a remember-me cookie with an OpenID authentication. Since OpenIDAuthenticationToken doesn’t support password, it’s causing a NullPointerException in TokenBasedRememberMeServices.retrievePassword() – it calls toString() on the null password (“return authentication.getCredentials().toString();” line 202).

How am I supposed to use cookies with OpenID? If I create my own RememberMeServices and leave out the password then anyone can create a cookie with my OpenID and log in as me.

Luke Taylor said:

Thanks for the report. I’ve updated TokenBasedRememberMeServices to return null from the retrievePassword() method if it is presented with an Authentication object which has null credentials. This will just prevent it from setting the remember-me cookie. By definition TokenBasedRMS requires a password, so you can’t use it in this scenario. Consider using the persistent token implementation instead.
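The two cookie designs contrasted above, modelled as an added Python example (this is not Spring Security's own code). The first half follows the TokenBasedRememberMeServices layout, base64("username:expiry:md5Hex(username:expiry:password:key)"), and shows why a null password leaves nothing to sign, why a forger without the server key fails, and why a password change invalidates the cookie. The second half is a minimal persistent-token store (random series and token kept server-side, token rotated on each automatic login, series dropped on a mismatch), which needs no password at all. The server key, the user store, the user names and the helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed values for this example only: a server-side key and a user store.
# "burt" logged in with a form and has a password; the OpenID user has none
# (null credentials, the situation in the report).
SERVER_KEY = "example-remember-me-key"
USERS: Dict[str, Optional[str]] = {
    "burt": "s3cret",
    "https://burt.example/": None,
}
TWO_WEEKS_MS = 14 * 24 * 3600 * 1000


def change_password(username: str, new_password: str) -> None:
    USERS[username] = new_password


def token_signature(username: str, expiry_ms: int, password: str, key: str) -> str:
    # MD5 hex over "username:expiry:password:key", the token-based layout.
    data = f"{username}:{expiry_ms}:{password}:{key}".encode()
    return hashlib.md5(data).hexdigest()


def make_token_cookie(username: str, password: Optional[str], now_ms: int) -> Optional[str]:
    # Null credentials: nothing to hash, so no cookie is issued (the behaviour of the fix).
    if password is None:
        return None
    expiry_ms = now_ms + TWO_WEEKS_MS
    sig = token_signature(username, expiry_ms, password, SERVER_KEY)
    return base64.b64encode(f"{username}:{expiry_ms}:{sig}".encode()).decode()


def verify_token_cookie(cookie: str, now_ms: int) -> Optional[str]:
    # Returns the username for a valid, unexpired cookie, otherwise None.
    try:
        # rsplit so that a username containing ':' (an OpenID URL, say) still parses.
        username, expiry_str, sig = base64.b64decode(cookie).decode().rsplit(":", 2)
        expiry_ms = int(expiry_str)
    except (ValueError, UnicodeDecodeError):
        return None
    if expiry_ms <= now_ms:
        return None
    # The *current* password is re-read, so changing it invalidates old cookies.
    password = USERS.get(username)
    if password is None:
        return None
    expected = token_signature(username, expiry_ms, password, SERVER_KEY)
    return username if hmac.compare_digest(expected, sig) else None


def forge_without_key(username: str, password: str, expiry_ms: int) -> str:
    # Attacker knows the password but not SERVER_KEY: the signature will not match.
    sig = token_signature(username, expiry_ms, password, "guessed-key")
    return base64.b64encode(f"{username}:{expiry_ms}:{sig}".encode()).decode()


class PersistentTokenStore:
    # series -> (username, current token). No password is involved, so it works
    # for OpenID logins; the token rotates on every automatic login.
    def __init__(self) -> None:
        self.rows: Dict[str, Tuple[str, str]] = {}

    @staticmethod
    def _cookie(series: str, token: str) -> str:
        return base64.b64encode(f"{series}:{token}".encode()).decode()

    def login(self, username: str) -> str:
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.rows[series] = (username, token)
        return self._cookie(series, token)

    def auto_login(self, cookie: str) -> Tuple[Optional[str], Optional[str]]:
        # Returns (username, fresh cookie) on success, (None, None) otherwise.
        try:
            series, token = base64.b64decode(cookie).decode().split(":")
        except (ValueError, UnicodeDecodeError):
            return None, None
        row = self.rows.get(series)
        if row is None:
            return None, None
        username, current = row
        if not hmac.compare_digest(current, token):
            # Known series but stale token: presumed cookie theft, drop the series.
            del self.rows[series]
            return None, None
        new_token = secrets.token_urlsafe(16)
        self.rows[series] = (username, new_token)
        return username, self._cookie(series, new_token)


if __name__ == "__main__":
    now = 1_000_000_000_000
    print("OpenID token cookie:", make_token_cookie("https://burt.example/", None, now))
    cookie = make_token_cookie("burt", "s3cret", now)
    print("form-login cookie verifies as:", verify_token_cookie(cookie, now))
    store = PersistentTokenStore()
    print("persistent auto-login:", store.auto_login(store.login("https://burt.example/"))[0])
```

The persistent store is where the OpenID user gets a remember-me cookie: its security rests on the unguessable series and token held server-side, not on a password, and reuse of an already-rotated token is treated as theft of the whole series.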

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
