SEC-1242: Injecting NullRememberMeService Throws ClassCastException #1490

Closed
spring-issuemaster opened this Issue Sep 11, 2009 · 3 comments

1 participant

@spring-issuemaster

Nick Padgett (Migrated from SEC-1242) said:

Caused by: java.lang.ClassCastException: org.springframework.security.web.authentication.NullRememberMeServices cannot be cast to org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    at org.springframework.security.config.http.UserDetailsServiceInjectionBeanPostProcessor.postProcessBeforeInitialization(UserDetailsServiceInjectionBeanPostProcessor.java:54)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:393)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1386)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:511)
    ... 46 more
    <security:http ...>
                ...
        <security:remember-me services-ref="rememberMeServices" />
        ...
    </security:http>

    <bean id="rememberMeServices"
        class="org.springframework.security.web.authentication.NullRememberMeServices" />
@spring-issuemaster

Luke Taylor said:

Can you explain what you're trying to achieve with this configuration please?

@spring-issuemaster

Nick Padgett said:

This configuration was an artifact from using Spring Security 2.0.x and OAuth for Spring Security. For one reason or another, when I integrated Oauth for Spring Security, the RememberMeService's default value of NullRememberMeServices was being overwritten with a null value. The null value caused an exception to be thrown when Spring Security instantiated. I injected a NullRememberMeServices to avoid the exception.

However, regardless of what I am doing, that is not the issue. The issue is that NullRememberMeServices is being cast to an AbstractRememberMeServices without first being tested to see if it is an instance of AbstractRememberMeServices, which it is not. The only reason it is being cast to a AbstractRememberMeServices is to inject a UserDetailsService. What this means is anyone who implements the RememberMeServices interface and does not extend AbstractRememberMeServices will receive a class cast exception.

The code should be modified to test if the class is an instance of AbstractRememberMeServices first, and if it is not, do not inject the UserDetailsService. This will fix my issue as well as let people create their own custom implementation of RememberMeServices that does not extend AbstractRememberMeServices.

@spring-issuemaster

Luke Taylor said:

I was just curious why you were enabling remember-me and then injecting a NullRememberMeServices.

I've added a check as to whether the RememberMeServices is an instance of AbstractRememberMeServices before attempting to inject the UserDetailsService, which should remove the casting issue.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment