SEC-474: Gracefully abort if username and password non-retrievable.

19 years ago · a18bd9100c
1 changed files with 5 additions and 0 deletions
--- a/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java
+++ b/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java
@ -285,6 +285,11 @@ public class TokenBasedRememberMeServices implements RememberMeServices, Initial
				@@ -285,6 +285,11 @@ public class TokenBasedRememberMeServices implements RememberMeServices, Initial
            username = successfulAuthentication.getPrincipal().toString();
            password = successfulAuthentication.getCredentials().toString();
        }
+        
+        // If unable to find a username and password, just abort as TokenBasedRememberMeServices unable to construct a valid token in this case
+        if (!StringUtils.hasLength(username) || !StringUtils.hasLength(password)) {
+        	return;
+        }

        Assert.hasLength(username);
        Assert.hasLength(password);