Retrieve remember-me key from service as fallback

DevDengChao · eleftherias · commit b13f7506466f · 2019-11-07T13:55:39.000+01:00
Fixes: gh-4140
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java
@@ -435,7 +435,11 @@ private UserDetailsService getUserDetailsService(H http) {
 	 */
 	private String getKey() {
 		if (this.key == null) {
-			this.key = UUID.randomUUID().toString();
+			if (this.rememberMeServices instanceof AbstractRememberMeServices) {
+				this.key = ((AbstractRememberMeServices) rememberMeServices).getKey();
+			} else {
+				this.key = UUID.randomUUID().toString();
+			}
 		}
 		return this.key;
 	}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java
@@ -36,6 +36,7 @@
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
+import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 
@@ -453,4 +454,36 @@ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
 			// @formatter:on
 		}
 	}
+
+	@Test
+	public void getWhenRememberMeCookieThenAuthenticationIsRememberMeAuthenticationTokenWithFallbackKeyConfiguration()
+			throws Exception {
+		this.spring.register(FallbackRememberMeKeyConfig.class).autowire();
+
+		MvcResult mvcResult = this.mvc.perform(post("/login")
+				.with(csrf())
+				.param("username", "user")
+				.param("password", "password")
+				.param("remember-me", "true"))
+				.andReturn();
+		Cookie rememberMeCookie = mvcResult.getResponse().getCookie("remember-me");
+
+		this.mvc.perform(get("/abc")
+				.cookie(rememberMeCookie))
+				.andExpect(authenticated().withAuthentication(auth ->
+						assertThat(auth).isInstanceOf(RememberMeAuthenticationToken.class)));
+	}
+
+	@EnableWebSecurity
+	static class FallbackRememberMeKeyConfig extends RememberMeConfig {
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			super.configure(http);
+			// @formatter:off
+			http.rememberMe()
+					.rememberMeServices(new TokenBasedRememberMeServices("key", userDetailsService()));
+			// @formatter:on
+		}
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -435,7 +435,11 @@ private UserDetailsService getUserDetailsService(H http) {`
`435`	`435`	`*/`
`436`	`436`	`private String getKey() {`
`437`	`437`	`if (this.key == null) {`
`438`		`- this.key = UUID.randomUUID().toString();`
	`438`	`+ if (this.rememberMeServices instanceof AbstractRememberMeServices) {`
	`439`	`+ this.key = ((AbstractRememberMeServices) rememberMeServices).getKey();`
	`440`	`+ } else {`
	`441`	`+ this.key = UUID.randomUUID().toString();`
	`442`	`+ }`
`439`	`443`	`}`
`440`	`444`	`return this.key;`
`441`	`445`	`}`