Nick Padgett (Migrated from SEC-1242) said:
Caused by: java.lang.ClassCastException: org.springframework.security.web.authentication.NullRememberMeServices cannot be cast to org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
... 46 more
<security:remember-me services-ref="rememberMeServices" />
Luke Taylor said:
Can you explain what you're trying to achieve with this configuration please?
Nick Padgett said:
This configuration was an artifact from using Spring Security 2.0.x and OAuth for Spring Security. For one reason or another, when I integrated Oauth for Spring Security, the RememberMeService's default value of NullRememberMeServices was being overwritten with a null value. The null value caused an exception to be thrown when Spring Security instantiated. I injected a NullRememberMeServices to avoid the exception.
However, regardless of what I am doing, that is not the issue. The issue is that NullRememberMeServices is being cast to an AbstractRememberMeServices without first being tested to see if it is an instance of AbstractRememberMeServices, which it is not. The only reason it is being cast to a AbstractRememberMeServices is to inject a UserDetailsService. What this means is anyone who implements the RememberMeServices interface and does not extend AbstractRememberMeServices will receive a class cast exception.
The code should be modified to test if the class is an instance of AbstractRememberMeServices first, and if it is not, do not inject the UserDetailsService. This will fix my issue as well as let people create their own custom implementation of RememberMeServices that does not extend AbstractRememberMeServices.
I was just curious why you were enabling remember-me and then injecting a NullRememberMeServices.
I've added a check as to whether the RememberMeServices is an instance of AbstractRememberMeServices before attempting to inject the UserDetailsService, which should remove the casting issue.