diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
index fb759e9215..d6b5bcd1da 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
@@ -29,6 +29,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
+import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@@ -65,6 +66,7 @@ import org.springframework.web.accept.HeaderContentNegotiationStrategy;
*
*
* - {@link AuthenticationManager}
+ * - {@link RememberMeServices}
*
*
* @author Rob Winch
@@ -177,6 +179,10 @@ public final class HttpBasicConfigurer> extends
basicAuthenticationFilter
.setAuthenticationDetailsSource(authenticationDetailsSource);
}
+ RememberMeServices rememberMeServices = http.getSharedObject(RememberMeServices.class);
+ if(rememberMeServices != null) {
+ basicAuthenticationFilter.setRememberMeServices(rememberMeServices);
+ }
basicAuthenticationFilter = postProcess(basicAuthenticationFilter);
http.addFilter(basicAuthenticationFilter);
}
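Review bot: The new lookup before `postProcess` hands any shared `RememberMeServices` to the Basic filter unconditionally, so an application that enables both `httpBasic()` and `rememberMe()` changes behaviour with no opt-out. Basic-authenticated requests will presumably now go through the remember-me success and failure hooks, which may set or clear a persistent login cookie on API-style clients that never asked for one. The lookup also depends on the shared object having been registered before this method runs, which the hunk does not show. I would record both points in a comment above the lookup, e.g. `// SEC-3019: reuse the RememberMeServices published by rememberMe(), if configured; a Basic login then triggers remember-me loginSuccess/loginFail`, and write the guard as `if (rememberMeServices != null) {` to match the file's spacing. The enclosing method starts outside the hunk.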
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.groovy
index 77b1b7a26d..aa21a63bc9 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.groovy
@@ -24,6 +24,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.web.AuthenticationEntryPoint
import org.springframework.security.web.access.ExceptionTranslationFilter
+import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
@@ -130,4 +131,29 @@ class HttpBasicConfigurerTests extends BaseSpringSpec {
.inMemoryAuthentication()
}
}
+
+ def "SEC-3019: Basic Authentication uses RememberMe Config"() {
+ when:
+ loadConfig(BasicUsesRememberMeConfig)
+ then:
+ findFilter(BasicAuthenticationFilter).rememberMeServices == findFilter(RememberMeAuthenticationFilter).rememberMeServices
+ }
+
+ @EnableWebSecurity
+ @Configuration
+ static class BasicUsesRememberMeConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http
+ .httpBasic().and()
+ .rememberMe()
+ }
+
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ auth
+ .inMemoryAuthentication()
+ }
+ }
}
\ No newline at end of file
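Review bot: The `then:` assertion compares the two filters' `rememberMeServices` with Groovy `==`, which is an equality check and would also pass if both sides were null. The config also exercises only `httpBasic()` declared before `rememberMe()`. Assert identity and presence instead, e.g. `def basic = findFilter(BasicAuthenticationFilter).rememberMeServices` followed by `basic != null` and `basic.is(findFilter(RememberMeAuthenticationFilter).rememberMeServices)`, and add a second config with the two configurers in the opposite order so the wiring is shown not to depend on declaration order. A negative case with `httpBasic()` alone would pin that Basic authentication gets no cookie-issuing remember-me service unless `rememberMe()` is configured. The test class starts outside the hunk.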
diff --git a/docs/manual/src/docs/asciidoc/index.adoc b/docs/manual/src/docs/asciidoc/index.adoc
index e06bf6ec8d..571683e6be 100644
--- a/docs/manual/src/docs/asciidoc/index.adoc
+++ b/docs/manual/src/docs/asciidoc/index.adoc
@@ -3047,7 +3047,10 @@ create table persistent_logins (username varchar(64) not null,
[[remember-me-impls]]
=== Remember-Me Interfaces and Implementations
-Remember-me authentication is not used with basic authentication, given it is often not used with `HttpSession` s. Remember-me is used with `UsernamePasswordAuthenticationFilter`, and is implemented via hooks in the `AbstractAuthenticationProcessingFilter` superclass. The hooks will invoke a concrete `RememberMeServices` at the appropriate times. The interface looks like this:
+Remember-me is used with `UsernamePasswordAuthenticationFilter`, and is implemented via hooks in the `AbstractAuthenticationProcessingFilter` superclass.
+It is also used within `BasicAuthenticationFilter`.
+The hooks will invoke a concrete `RememberMeServices` at the appropriate times.
+The interface looks like this:
[source,java]
----