From a18bd9100c0410ec8b8a879b2dde74ee1589ca0f Mon Sep 17 00:00:00 2001
From: Ben Alex
Date: Wed, 23 May 2007 06:48:42 +0000
Subject: [PATCH] SEC-474: Gracefully abort if username and password non-retrievable.

---
 .../ui/rememberme/TokenBasedRememberMeServices.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java b/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java
index 1e7cf23ba1..4828cfff82 100644
--- a/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java
+++ b/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java
@@ -285,6 +285,11 @@ public class TokenBasedRememberMeServices implements RememberMeServices, Initial
 username = successfulAuthentication.getPrincipal().toString();
 password = successfulAuthentication.getCredentials().toString();
 }
+
+ // If unable to find a username and password, just abort as TokenBasedRememberMeServices unable to construct a valid token in this case
+ if (!StringUtils.hasLength(username) || !StringUtils.hasLength(password)) {
+ return;
+ }
 Assert.hasLength(username);
 Assert.hasLength(password);