spring-projects · eleftherias · Nov 7, 2019 · Jul 13, 2018 · Jul 13, 2018 · Jul 14, 2018
diff --git a/.../org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java b/.../org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java
@@ -435,7 +435,11 @@ private UserDetailsService getUserDetailsService(H http) {
 	 */
 	private String getKey() {
 		if (this.key == null) {
-			this.key = UUID.randomUUID().toString();
+			if (this.rememberMeServices instanceof AbstractRememberMeServices) {
+				this.key = ((AbstractRememberMeServices) rememberMeServices).getKey();
+			} else {
+				this.key = UUID.randomUUID().toString();
+			}
 		}
 		return this.key;
 	}

diff --git a/...springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java b/...springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java
@@ -36,6 +36,7 @@
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
+import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 
@@ -453,4 +454,36 @@ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
 			// @formatter:on
 		}
 	}
+
+	@Test
+	public void getWhenRememberMeCookieThenAuthenticationIsRememberMeAuthenticationTokenWithFallbackKeyConfiguration()
+			throws Exception {
+		this.spring.register(FallbackRememberMeKeyConfig.class).autowire();
+
+		MvcResult mvcResult = this.mvc.perform(post("/login")
+				.with(csrf())
+				.param("username", "user")
+				.param("password", "password")
+				.param("remember-me", "true"))
+				.andReturn();
+		Cookie rememberMeCookie = mvcResult.getResponse().getCookie("remember-me");
+
+		this.mvc.perform(get("/abc")
+				.cookie(rememberMeCookie))
+				.andExpect(authenticated().withAuthentication(auth ->
+						assertThat(auth).isInstanceOf(RememberMeAuthenticationToken.class)));
+	}
+
+	@EnableWebSecurity
+	static class FallbackRememberMeKeyConfig extends RememberMeConfig {
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			super.configure(http);
+			// @formatter:off
+			http.rememberMe()
+					.rememberMeServices(new TokenBasedRememberMeServices("key", userDetailsService()));
+			// @formatter:on
+		}
+	}
 }