diff --git a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
index 95abbe9438..95d60014ef 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
@@ -46,7 +46,7 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
 protected final MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
 private UserDetailsService userDetailsService;
- private final UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
+ private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
 private AuthenticationDetailsSource authenticationDetailsSource = new WebAuthenticationDetailsSource();
 private String cookieName = SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY;
@@ -403,4 +403,18 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
 Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource cannot be null");
 this.authenticationDetailsSource = authenticationDetailsSource;
 }
+
+ /**
+ * Sets the strategy to be used to validate the {@code UserDetails} object obtained for
+ * the user when processing a remember-me cookie to automatically log in a user.
+ *
+ * @param userDetailsChecker
+ * the strategy which will be passed the user object to allow it to be rejected if account should not
+ * be allowed to authenticate (if it is locked, for example). Defaults to a
+ * {@code AccountStatusUserDetailsChecker} instance.
+ *
+ */
+ public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker) {
+ this.userDetailsChecker = userDetailsChecker;
+ }
 }
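Review bot: The new `setUserDetailsChecker` accepts `null` without any guard, while the `setAuthenticationDetailsSource` setter immediately above it in the same hunk validates its argument with `Assert.notNull`; for consistency, and so that a misconfiguration fails at wiring time rather than on the first remember-me request, add `Assert.notNull(userDetailsChecker, "UserDetailsChecker cannot be null");` before the assignment. Since this checker is presumably what rejects locked, disabled or expired accounts during cookie-based auto-login (the call site is outside the hunk), the Javadoc should also make the security consequence explicit: `Note: supplying a lenient checker allows accounts that would otherwise be rejected (locked, disabled, expired) to be authenticated from a remember-me cookie.` The class body continues past the end of the hunk.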
diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
index 147247c71b..0d5cf45876 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
@@ -10,6 +10,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -36,7 +37,7 @@ public class AbstractRememberMeServicesTests {
 new MockRememberMeServices().decodeCookie("nonBase64CookieValue%");
 }
- @Test
+ @Test
 public void setAndGetAreConsistent() throws Exception {
 MockRememberMeServices services = new MockRememberMeServices();
 assertNotNull(services.getCookieName());
@@ -189,6 +190,7 @@ public class AbstractRememberMeServicesTests {
 @Test
 public void autoLoginShouldFailIfUserAccountIsLocked() {
 MockRememberMeServices services = new MockRememberMeServices();
+ services.setUserDetailsChecker(new AccountStatusUserDetailsChecker());
 User joeLocked = new User("joe", "password",false,true,true,true,joe.getAuthorities());
 services.setUserDetailsService(new MockUserDetailsService(joeLocked, false));