
SEC-3019: Java Config for Http Basic supports Rememberme

Rob Winch 10 ani în urmă
părinte
comite
0e36f85dab

+ 6 - 0
config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java

@@ -29,6 +29,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
+import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@@ -65,6 +66,7 @@ import org.springframework.web.accept.HeaderContentNegotiationStrategy;
  *
  * <ul>
  * <li>{@link AuthenticationManager}</li>
+ * <li>{@link RememberMeServices}</li>
  * </ul>
  *
  * @author Rob Winch
@@ -177,6 +179,10 @@ public final class HttpBasicConfigurer<B extends HttpSecurityBuilder<B>> extends
 			basicAuthenticationFilter
 					.setAuthenticationDetailsSource(authenticationDetailsSource);
 		}
+		RememberMeServices rememberMeServices = http.getSharedObject(RememberMeServices.class);
+		if(rememberMeServices != null) {
+			basicAuthenticationFilter.setRememberMeServices(rememberMeServices);
+		}
 		basicAuthenticationFilter = postProcess(basicAuthenticationFilter);
 		http.addFilter(basicAuthenticationFilter);
 	}
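Review bot: The lookup `http.getSharedObject(RememberMeServices.class)` silently changes behaviour for every configuration that already combines `httpBasic()` with `rememberMe()`, and nothing at the call site or in the class Javadoc says what that means for callers. Once the shared services are set on the filter, a successful Basic login is handed to them, so depending on the configured implementation a client sending Basic credentials may now be issued a remember-me cookie. That matters for endpoints that were assumed to be stateless and therefore outside the reach of cookie-borne CSRF. I would add a comment above the lookup such as `// Reuse the RememberMeServices shared by rememberMe(), if any; Basic logins may then issue a remember-me cookie`, and state the same consequence next to the new `<li>{@link RememberMeServices}</li>` entry. As a style point, `if(rememberMeServices != null)` should be `if (rememberMeServices != null)`; the enclosing configure method starts outside the hunk.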

+ 26 - 0
config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurerTests.groovy

@@ -24,6 +24,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
 import org.springframework.security.web.AuthenticationEntryPoint
 import org.springframework.security.web.access.ExceptionTranslationFilter
+import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
 
@@ -130,4 +131,29 @@ class HttpBasicConfigurerTests extends BaseSpringSpec {
 				.inMemoryAuthentication()
 		}
 	}
+
+	def "SEC-3019: Basic Authentication uses RememberMe Config"() {
+		when:
+			loadConfig(BasicUsesRememberMeConfig)
+		then:
+			findFilter(BasicAuthenticationFilter).rememberMeServices == findFilter(RememberMeAuthenticationFilter).rememberMeServices
+	}
+
+	@EnableWebSecurity
+	@Configuration
+	static class BasicUsesRememberMeConfig extends WebSecurityConfigurerAdapter {
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			http
+				.httpBasic().and()
+				.rememberMe()
+		}
+
+		@Override
+		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+			auth
+				.inMemoryAuthentication()
+		}
+	}
 }
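Review bot: The new spec covers only the `httpBasic().and().rememberMe()` ordering and only the positive case, so it does not pin the two conditions the production change depends on. The filter picks the services up from a shared object, so a second spec with the configurers declared the other way round, `.rememberMe().and().httpBasic()`, would show that the wiring does not depend on declaration order. A third spec without `rememberMe()` should assert that `findFilter(BasicAuthenticationFilter).rememberMeServices` stays at the filter's default. That guards against Basic-only applications starting to issue remember-me cookies after a later refactoring. The assertion also compares object identity only; a request-level check that a Basic login with the remember-me parameter actually yields the cookie would document the intended behaviour more directly.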

+ 4 - 1
docs/manual/src/docs/asciidoc/index.adoc

@@ -3047,7 +3047,10 @@ create table persistent_logins (username varchar(64) not null,
 
 [[remember-me-impls]]
 === Remember-Me Interfaces and Implementations
-Remember-me authentication is not used with basic authentication, given it is often not used with `HttpSession` s. Remember-me is used with `UsernamePasswordAuthenticationFilter`, and is implemented via hooks in the `AbstractAuthenticationProcessingFilter` superclass. The hooks will invoke a concrete `RememberMeServices` at the appropriate times. The interface looks like this:
+Remember-me is used with `UsernamePasswordAuthenticationFilter`, and is implemented via hooks in the `AbstractAuthenticationProcessingFilter` superclass.
+It is also used within `BasicAuthenticationFilter`.
+The hooks will invoke a concrete `RememberMeServices` at the appropriate times.
+The interface looks like this:
 
 [source,java]
 ----