SEC-1011: AbstractRememberMeServices#autoLogin is marked final and/or the token cannot be replaced by subclasses #1256

Closed
spring-issuemaster opened this Issue Oct 15, 2008 · 3 comments

Jon Osborn (Migrated from SEC-1011) said:

AbstractRememberMeServices#autoLogin is marked final. This means that extending classes cannot override the authentication token handling. Either A) remove the ‘final’ or B) move the token generation to a protected method that can be overridden by subclasses.

Thanks!

Jon Osborn said:

Add method:

protected Authentication createSuccessfulAuthentication( HttpServletRequest request, UserDetails user, GrantedAuthority[] authorities ) {
    // request is passed in so that buildDetails(request) has it in scope
    RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(key, user, user.getAuthorities());
    auth.setDetails(authenticationDetailsSource.buildDetails(request));
    return auth;
}

and call from autoLogin

Gediminas A. said:

Also, the autoLogin method being final prevents overriding the way the token is passed to the RememberMeServices. For example, if I want to pass the token as a URL parameter instead of the HTTP Cookie.

To support this scenario I suggest resolution A suggested by Jon Osborn – remove the ‘final’.

Thanks
Gediminas

Luke Taylor said:

I’ve unprotected the extractRememberMeCookie method and added a createSuccessfulAuthentication one which should satisfy both requirements.

spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
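
An added example, not code from this thread or from the Spring Security project: a subclass that uses the createSuccessfulAuthentication hook to issue a remember-me token with fewer authorities than an interactive login gets. It assumes the Spring Security 6 API (jakarta.servlet imports, the two-argument TokenBasedRememberMeServices constructor); the class name and the withheld authority names are hypothetical.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

/**
 * Hypothetical subclass: a session restored from a remember-me cookie
 * never carries the authorities listed in 'withheld', so privileged
 * actions still require a full, interactive login.
 */
public class ReducedPrivilegeRememberMeServices extends TokenBasedRememberMeServices {

    // Authority names to withhold, e.g. Set.of("ROLE_ADMIN") (constructed sample value)
    private final Set<String> withheld;

    public ReducedPrivilegeRememberMeServices(String key,
                                              UserDetailsService userDetailsService,
                                              Set<String> withheld) {
        super(key, userDetailsService);
        this.withheld = Set.copyOf(withheld);
    }

    // autoLogin stays final; only the token construction is replaced.
    @Override
    protected Authentication createSuccessfulAuthentication(HttpServletRequest request,
                                                            UserDetails user) {
        List<GrantedAuthority> reduced = user.getAuthorities().stream()
                .filter(a -> !withheld.contains(a.getAuthority()))
                .collect(Collectors.toList());

        // The key must match the one configured on RememberMeAuthenticationProvider,
        // otherwise the provider rejects the token.
        RememberMeAuthenticationToken auth =
                new RememberMeAuthenticationToken(getKey(), user, reduced);
        auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
        return auth;
    }
}
```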