SEC-1011: AbstractRememberMeServices#autoLogin is marked final and/or the token cannot be replaced by subclasses #1256

Closed
spring-issuemaster opened this Issue Oct 15, 2008 · 3 comments

@spring-issuemaster

Jon Osborn (Migrated from SEC-1011) said:

AbstractRememberMeServices#autoLogin is marked final. This means that extending classes cannot override the authentication token handling. Either A) remove the ‘final’ or B) move the token generation to a protected method that can be overridden by subclasses.

Thanks!

@spring-issuemaster

Jon Osborn said:

Add method:

    protected Authentication createSuccessfulAuthentication(HttpServletRequest request, UserDetails user, GrantedAuthority[] authorities) {
        // Build the remember-me token from the configured key, the loaded user and the supplied authorities
        RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(key, user, authorities);
        // Attach request details (remote address, session id) exactly as autoLogin does today
        auth.setDetails(authenticationDetailsSource.buildDetails(request));
        return auth;
    }

and call from autoLogin

@spring-issuemaster

Gediminas A. said:

Also the autoLogin method being final prevents overriding the way the token is passed to the RememberMeServices. For example if I want to pass the token as a URL parameter instead of the HTTP Cookie.

To support this scenario I suggest resolution A suggested by Jon Osborn – remove the ‘final’.

Thanks
Gediminas

@spring-issuemaster

Luke Taylor said:

I’ve unprotected the extractRememberMeCookie method and added a createSuccessfulAuthentication one which should satisfy both requirements.
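The following subclass is an added illustration of the two hooks this issue produced; it is not code from the issue or from Spring Security itself. It assumes the 3.0-era API (protected extractRememberMeCookie(HttpServletRequest) and createSuccessfulAuthentication(HttpServletRequest, UserDetails) on AbstractRememberMeServices, plus the inherited protected logger and getKey()) and uses TokenBasedRememberMeServices as a concrete base so no constructor arguments are needed. The class name StrictRememberMeServices is hypothetical.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

/**
 * Hypothetical example (not part of Spring Security): customises where the
 * remember-me token is read from and how the resulting Authentication is built,
 * using the two overridable hooks that replaced the final autoLogin behaviour.
 */
public class StrictRememberMeServices extends TokenBasedRememberMeServices {

    /**
     * Hook 1: where the token comes from. Here the policy is defensive: a
     * remember-me token presented over plain HTTP is ignored, so a cookie
     * replayed on an unencrypted connection never produces a login.
     * Returning null is what autoLogin sees when no cookie is present.
     */
    @Override
    protected String extractRememberMeCookie(HttpServletRequest request) {
        if (!request.isSecure()) {
            logger.debug("Ignoring remember-me token presented on an insecure request");
            return null;
        }
        return super.extractRememberMeCookie(request);
    }

    /**
     * Hook 2: how the token object is built once the cookie has been validated
     * and the UserDetails loaded. The authorities come from the user record, and
     * request details (remote address, session id) are attached so that audit
     * logging and later checks can see where the remember-me login came from.
     */
    @Override
    protected Authentication createSuccessfulAuthentication(HttpServletRequest request, UserDetails user) {
        RememberMeAuthenticationToken auth =
                new RememberMeAuthenticationToken(getKey(), user, user.getAuthorities());
        auth.setDetails(new WebAuthenticationDetails(request));
        return auth;
    }
}
```

The same extractRememberMeCookie override is the place where Gediminas's variant (reading the token from somewhere other than the cookie) would go. Note that a token carried in the URL is recorded in access logs and sent in Referer headers, so if that route is taken the token's lifetime and scope should be tightened accordingly.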

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016