SEC-1011: AbstractRememberMeServices#autoLogin is marked final and/or the token cannot be replaced by subclasses #1256

spring-issuemaster opened this Issue Oct 15, 2008 · 3 comments




Jon Osborn (Migrated from SEC-1011) said:

AbstractRememberMeServices#autoLogin is marked final. This means that extending classes cannot override the authentication token handling. Either A) remove the ‘final’ or B) move the token generation to a protected method that can be overridden by subclasses.



Jon Osborn said:

Add method:

    protected Authentication createSuccessfulAuthentication( UserDetails user, GrantedAuthority[] authorities ) {
        // Build the remember-me token in one overridable place
        RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(key, user, user.getAuthorities());
        return auth;
    }

and call from autoLogin


Gediminas A. said:

Also, the autoLogin method being final prevents overriding the way the token is passed to the RememberMeServices. For example, if I want to pass the token as a URL parameter instead of the HTTP Cookie.

To support this scenario I suggest resolution A suggested by Jon Osborn – remove the ‘final’.



Luke Taylor said:

I’ve unprotected the extractRememberMeCookie method and added a createSuccessfulAuthentication one which should satisfy both requirements.
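
As an added illustration (not code from this thread or from the Spring Security project), a subclass can use the createSuccessfulAuthentication hook mentioned above to keep privileged authorities out of remember-me sessions, so sensitive actions require a full login. It assumes the signature `createSuccessfulAuthentication(HttpServletRequest, UserDetails)` found in later Spring Security releases, `javax.servlet` imports (`jakarta.servlet` on Spring Security 6), and hypothetical class and role names.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

/** Hypothetical subclass: remembered sessions never carry the listed privileged authorities. */
public class ReducedAuthorityRememberMeServices extends TokenBasedRememberMeServices {

    // Assumed role names for illustration; substitute the application's own.
    private static final Set<String> FULL_LOGIN_ONLY =
            new HashSet<>(Arrays.asList("ROLE_ADMIN", "ROLE_PAYMENTS"));

    public ReducedAuthorityRememberMeServices(String key, UserDetailsService userDetailsService) {
        super(key, userDetailsService);
    }

    @Override
    protected Authentication createSuccessfulAuthentication(HttpServletRequest request, UserDetails user) {
        // Let the base class build the default token so request details are populated as usual.
        Authentication base = super.createSuccessfulAuthentication(request, user);

        // Copy every authority except those reserved for a full, interactive login.
        List<GrantedAuthority> reduced = new ArrayList<>();
        for (GrantedAuthority authority : base.getAuthorities()) {
            if (!FULL_LOGIN_ONLY.contains(authority.getAuthority())) {
                reduced.add(authority);
            }
        }

        // Reuse the configured key; RememberMeAuthenticationProvider rejects tokens whose key hash differs.
        RememberMeAuthenticationToken token =
                new RememberMeAuthenticationToken(getKey(), base.getPrincipal(), reduced);
        token.setDetails(base.getDetails());
        return token;
    }
}
```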

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016