Polish remember me username check

7 years ago · ad0d3e9702
2 changed files with 23 additions and 4 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java
@ -21,6 +21,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
				@@ -21,6 +21,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.codec.Hex;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.crypto.codec.Utf8;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;

 import javax.servlet.http.HttpServletRequest;
@ -123,10 +124,9 @@ public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
				@@ -123,10 +124,9 @@ public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
 		UserDetails userDetails = getUserDetailsService().loadUserByUsername(
 				cookieTokens[0]);

-		if (userDetails == null) {
-			throw new InvalidCookieException("Cookie token[0] contained username '"
-					+ cookieTokens[0] + "' that does not exist.");
-		}
+		Assert.notNull(userDetails, () -> "UserDetailsService " + getUserDetailsService()
+				+ " returned null for username " + cookieTokens[0] + ". "
+				+ "This is an interface contract violation");

 		// Check signature of token matches remaining details.
 		// Must do this after user lookup, as we need the DAO-derived password.
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java
@ -69,6 +69,10 @@ public class TokenBasedRememberMeServicesTests {
				@@ -69,6 +69,10 @@ public class TokenBasedRememberMeServicesTests {
 				new UsernameNotFoundException(""));
 	}

+	void udsWillReturnNull() {
+		when(uds.loadUserByUsername(any(String.class))).thenReturn(null);
+	}
+
 	private long determineExpiryTimeFromBased64EncodedToken(String validToken) {
 		String cookieAsPlainText = new String(Base64.decodeBase64(validToken.getBytes()));
 		String[] cookieTokens = StringUtils.delimitedListToStringArray(cookieAsPlainText,
@ -230,6 +234,21 @@ public class TokenBasedRememberMeServicesTests {
				@@ -230,6 +234,21 @@ public class TokenBasedRememberMeServicesTests {
 		assertThat(returnedCookie.getMaxAge()).isZero();
 	}

+	@Test(expected = IllegalArgumentException.class)
+	public void autoLoginClearsCookieIfUserServiceMisconfigured() {
+		udsWillReturnNull();
+		Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
+				generateCorrectCookieContentForToken(
+						System.currentTimeMillis() + 1000000, "someone", "password",
+						"key"));
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setCookies(cookie);
+
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		services.autoLogin(request, response);
+	}
+
 	@Test
 	public void autoLoginWithValidTokenAndUserSucceeds() throws Exception {
 		udsWillReturnUser();