
SEC-591: Removed default NullRememberMeServices in RememberMeProcessingFilter

Luke Taylor 18 rokov pred
rodič
commit
7ad8e2acf0

+ 15 - 43
core/src/main/java/org/springframework/security/ui/rememberme/RememberMeProcessingFilter.java

@@ -18,31 +18,23 @@ package org.springframework.security.ui.rememberme;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
 import org.springframework.security.AuthenticationManager;
-
 import org.springframework.security.context.SecurityContextHolder;
-
 import org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
+import org.springframework.security.ui.FilterChainOrderUtils;
+import org.springframework.security.ui.SpringSecurityFilter;
 import org.springframework.beans.factory.InitializingBean;
-
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.ApplicationEventPublisherAware;
-
 import org.springframework.util.Assert;
 
-import java.io.IOException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 
-import javax.servlet.Filter;
 import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 
 
 /**
@@ -64,7 +56,8 @@ import javax.servlet.http.HttpServletResponse;
  * @author Ben Alex
  * @version $Id$
  */
-public class RememberMeProcessingFilter implements Filter, InitializingBean, ApplicationEventPublisherAware {
+public class RememberMeProcessingFilter extends SpringSecurityFilter implements InitializingBean,
+        ApplicationEventPublisherAware {
     //~ Static fields/initializers =====================================================================================
 
     private static final Log logger = LogFactory.getLog(RememberMeProcessingFilter.class);
@@ -73,35 +66,20 @@ public class RememberMeProcessingFilter implements Filter, InitializingBean, App
 
     private ApplicationEventPublisher eventPublisher;
     private AuthenticationManager authenticationManager;
-    private RememberMeServices rememberMeServices = new NullRememberMeServices();
+    private RememberMeServices rememberMeServices;
 
     //~ Methods ========================================================================================================
 
     public void afterPropertiesSet() throws Exception {
 		Assert.notNull(authenticationManager, "authenticationManager must be specified");
-		Assert.notNull(this.rememberMeServices);
+		Assert.notNull(rememberMeServices, "rememberMeServices must be specified");
 	}
 
-    /**
-     * Does nothing - we rely on IoC lifecycle services instead.
-     */
-    public void destroy() {}
-
-    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
         throws IOException, ServletException {
-        if (!(request instanceof HttpServletRequest)) {
-            throw new ServletException("Can only process HttpServletRequest");
-        }
-
-        if (!(response instanceof HttpServletResponse)) {
-            throw new ServletException("Can only process HttpServletResponse");
-        }
-
-        HttpServletRequest httpRequest = (HttpServletRequest) request;
-        HttpServletResponse httpResponse = (HttpServletResponse) response;
 
         if (SecurityContextHolder.getContext().getAuthentication() == null) {
-            Authentication rememberMeAuth = rememberMeServices.autoLogin(httpRequest, httpResponse);
+            Authentication rememberMeAuth = rememberMeServices.autoLogin(request, response);
 
             if (rememberMeAuth != null) {
                 // Attempt authenticaton via AuthenticationManager
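Review bot: With the `NullRememberMeServices` default gone, `doFilterHttp` dereferences `rememberMeServices` on every unauthenticated request, and the only guard is the `Assert.notNull` in `afterPropertiesSet`, which helps only when that lifecycle callback is actually invoked. A filter wired by hand, or one whose setter is later handed null, would fail with a bare NullPointerException instead of the configuration message. Repeating `Assert.notNull(rememberMeServices, "rememberMeServices must be specified");` in `setRememberMeServices` (visible in the last hunk of this file) would close that gap. The field would also benefit from a comment such as `// No default: remember-me services must be configured explicitly (SEC-591)`, so the fail-fast intent is not undone by a later "convenience" default. The two assertions in `afterPropertiesSet` are tab-indented while the rest of the file uses spaces, and the body of `doFilterHttp` continues outside this hunk.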
@@ -128,7 +106,7 @@ public class RememberMeProcessingFilter implements Filter, InitializingBean, App
                                 + rememberMeAuth + "'; invalidating remember-me token", authenticationException);
                     }
 
-                    rememberMeServices.loginFail(httpRequest, httpResponse);
+                    rememberMeServices.loginFail(request, response);
                 }
             }
 
@@ -147,15 +125,6 @@ public class RememberMeProcessingFilter implements Filter, InitializingBean, App
         return rememberMeServices;
     }
 
-    /**
-     * Does nothing - we rely on IoC lifecycle services instead.
-     *
-     * @param ignored not used
-     *
-     * @throws ServletException DOCUMENT ME!
-     */
-    public void init(FilterConfig ignored) throws ServletException {}
-
     public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) {
         this.eventPublisher = eventPublisher;
     }
@@ -168,4 +137,7 @@ public class RememberMeProcessingFilter implements Filter, InitializingBean, App
         this.rememberMeServices = rememberMeServices;
     }
 
+    public int getOrder() {
+        return FilterChainOrderUtils.REMEMBER_ME_FILTER_ORDER;
+    }
 }

+ 6 - 15
core/src/test/java/org/springframework/security/ui/rememberme/RememberMeProcessingFilterTests.java

@@ -15,22 +15,17 @@
 
 package org.springframework.security.ui.rememberme;
 
-import junit.framework.TestCase;
-
 import org.springframework.security.Authentication;
 import org.springframework.security.GrantedAuthority;
 import org.springframework.security.GrantedAuthorityImpl;
 import org.springframework.security.MockAuthenticationManager;
 import org.springframework.security.MockFilterConfig;
-
 import org.springframework.security.context.SecurityContextHolder;
-
 import org.springframework.security.providers.TestingAuthenticationToken;
-
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 
-import java.io.IOException;
+import junit.framework.TestCase;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -40,6 +35,7 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 
 
 /**
@@ -69,10 +65,6 @@ public class RememberMeProcessingFilterTests extends TestCase {
         filter.destroy();
     }
 
-    public static void main(String[] args) {
-        junit.textui.TestRunner.run(RememberMeProcessingFilterTests.class);
-    }
-
     protected void setUp() throws Exception {
         super.setUp();
         SecurityContextHolder.clearContext();
@@ -83,10 +75,10 @@ public class RememberMeProcessingFilterTests extends TestCase {
         SecurityContextHolder.clearContext();
     }
 
-    public void testDetectsAuthenticationManagerProperty()
-        throws Exception {
+    public void testDetectsAuthenticationManagerProperty() throws Exception {
         RememberMeProcessingFilter filter = new RememberMeProcessingFilter();
         filter.setAuthenticationManager(new MockAuthenticationManager());
+        filter.setRememberMeServices(new NullRememberMeServices());
 
         filter.afterPropertiesSet();
         assertTrue(true);
@@ -101,13 +93,12 @@ public class RememberMeProcessingFilterTests extends TestCase {
         }
     }
 
-    public void testDetectsRememberMeServicesProperty()
-        throws Exception {
+    public void testDetectsRememberMeServicesProperty() throws Exception {
         RememberMeProcessingFilter filter = new RememberMeProcessingFilter();
         filter.setAuthenticationManager(new MockAuthenticationManager());
 
         // check default is NullRememberMeServices
-        assertEquals(NullRememberMeServices.class, filter.getRememberMeServices().getClass());
+        // assertEquals(NullRememberMeServices.class, filter.getRememberMeServices().getClass());
 
         // check getter/setter
         filter.setRememberMeServices(new TokenBasedRememberMeServices());
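Review bot: The new fail-fast behaviour is not exercised by any test here. `testDetectsRememberMeServicesProperty` only comments out the old default assertion, leaving dead code under the now stale comment `// check default is NullRememberMeServices`. I would delete both lines and assert instead that `afterPropertiesSet()` rejects a filter that has an authentication manager but no remember-me services, so a reintroduced silent default would be caught. The test method continues past the end of this hunk, so the getter/setter check below is left as it is.

```java
        filter.setAuthenticationManager(new MockAuthenticationManager());

        // no default any more: a missing rememberMeServices must be rejected
        try {
            filter.afterPropertiesSet();
            fail("Should have thrown IllegalArgumentException");
        } catch (IllegalArgumentException expected) {
            assertEquals("rememberMeServices must be specified", expected.getMessage());
        }

        // … unchanged: getter/setter check …
```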