
Polish remember me username check

Eleftheria Stein 6 tahun lalu
induk
melakukan
ad0d3e9702

+ 4 - 4
web/src/main/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java

@@ -21,6 +21,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.codec.Hex;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.crypto.codec.Utf8;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
 import javax.servlet.http.HttpServletRequest;
@@ -123,10 +124,9 @@ public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
 		UserDetails userDetails = getUserDetailsService().loadUserByUsername(
 				cookieTokens[0]);
 
-		if (userDetails == null) {
-			throw new InvalidCookieException("Cookie token[0] contained username '"
-					+ cookieTokens[0] + "' that does not exist.");
-		}
+		Assert.notNull(userDetails, () -> "UserDetailsService " + getUserDetailsService()
+				+ " returned null for username " + cookieTokens[0] + ". "
+				+ "This is an interface contract violation");
 
 		// Check signature of token matches remaining details.
 		// Must do this after user lookup, as we need the DAO-derived password.
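Review bot: Swapping the InvalidCookieException for Assert.notNull changes what the caller sees on a null lookup: an IllegalArgumentException now leaves the enclosing method (whose signature is outside this hunk), and if the catch clauses in AbstractRememberMeServices.autoLogin cover only the remember-me exception types, the cookie is no longer cancelled and the request fails instead of being treated as an anonymous one. That is a defensible way to surface a misconfigured UserDetailsService, but the intent should be stated on the new lines, e.g. `// A null return violates the UserDetailsService contract; fail loudly rather than treating it as a bad cookie.` Note also that the message embeds cookieTokens[0] before the signature check that the following comment says happens next, so it carries an unverified cookie value, as the old message did.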

+ 19 - 0
web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java

@@ -69,6 +69,10 @@ public class TokenBasedRememberMeServicesTests {
 				new UsernameNotFoundException(""));
 	}
 
+	void udsWillReturnNull() {
+		when(uds.loadUserByUsername(any(String.class))).thenReturn(null);
+	}
+
 	private long determineExpiryTimeFromBased64EncodedToken(String validToken) {
 		String cookieAsPlainText = new String(Base64.decodeBase64(validToken.getBytes()));
 		String[] cookieTokens = StringUtils.delimitedListToStringArray(cookieAsPlainText,
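Review bot: `udsWillReturnNull` is declared package-private while the neighbouring helper `determineExpiryTimeFromBased64EncodedToken` is `private`; unless it is meant to be shared with other test classes, `private void udsWillReturnNull()` keeps the helpers consistent. It is only referenced by the new test later in this file.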
@@ -230,6 +234,21 @@ public class TokenBasedRememberMeServicesTests {
 		assertThat(returnedCookie.getMaxAge()).isZero();
 	}
 
+	@Test(expected = IllegalArgumentException.class)
+	public void autoLoginClearsCookieIfUserServiceMisconfigured() {
+		udsWillReturnNull();
+		Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
+				generateCorrectCookieContentForToken(
+						System.currentTimeMillis() + 1000000, "someone", "password",
+						"key"));
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setCookies(cookie);
+
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		services.autoLogin(request, response);
+	}
+
 	@Test
 	public void autoLoginWithValidTokenAndUserSucceeds() throws Exception {
 		udsWillReturnUser();
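Review bot: The test name says the cookie is cleared, but the only thing checked is that IllegalArgumentException escapes `services.autoLogin`; with `expected = IllegalArgumentException.class` the method exits before anything on `response` can be inspected, so no cookie assertion is possible here. Either rename it to what it verifies, `public void autoLoginThrowsIllegalArgumentExceptionIfUserServiceMisconfigured()`, or drop the `expected` attribute, catch the exception, and assert on `response.getCookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY)` if cancelling the cookie is the intended behaviour. As written the name suggests the misconfiguration path is handled like an invalid cookie, which the production hunk no longer does.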