From c2e688610c635eaff6db34fe9e0594dbdfdc402d Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Tue, 16 Dec 2008 23:25:44 +0000 Subject: [PATCH] SEC-1011: Introduced methods for extracting the remember-me cookie and for creating the returned token. --- .../AbstractRememberMeServices.java | 27 ++++++++++++++----- 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/core/src/main/java/org/springframework/security/ui/rememberme/AbstractRememberMeServices.java b/core/src/main/java/org/springframework/security/ui/rememberme/AbstractRememberMeServices.java index 8975d03d38..a8d331766b 100644 --- a/core/src/main/java/org/springframework/security/ui/rememberme/AbstractRememberMeServices.java +++ b/core/src/main/java/org/springframework/security/ui/rememberme/AbstractRememberMeServices.java @@ -107,19 +107,16 @@ public abstract class AbstractRememberMeServices implements RememberMeServices, logger.debug("Remember-me cookie accepted"); - RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(key, user, user.getAuthorities()); - auth.setDetails(authenticationDetailsSource.buildDetails(request)); - - return auth; + return createSuccessfulAuthentication(request, user); } /** - * Locates the Spring Security remember me cookie in the request. + * Locates the Spring Security remember me cookie in the request and returns its value. * * @param request the submitted request which is to be authenticated * @return the cookie value (if present), null otherwise. */ - private String extractRememberMeCookie(HttpServletRequest request) { + protected String extractRememberMeCookie(HttpServletRequest request) { Cookie[] cookies = request.getCookies(); if ((cookies == null) || (cookies.length == 0)) { @@ -135,6 +132,24 @@ public abstract class AbstractRememberMeServices implements RememberMeServices, return null; } + /** + * Creates the final Authentication object returned from the autoLogin method. + *
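Review bot: The Javadoc on `extractRememberMeCookie` does not state the contract an override has to keep, which matters now that the method is protected rather than private. It only describes the default lookup; an override needs to know that null means "no remember-me cookie was sent" and that any other return value is raw client input that has not been validated yet. I would add a line such as `* Overriding implementations must return null when no remember-me cookie is present; the returned value is untrusted and is validated by the caller.` The bodies of this method and of `autoLogin` extend beyond the hunk, so how the caller handles null should be confirmed there.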

+ * By default it will create a RememberMeAuthenticationToken instance. + * + * @param request the original request. The configured AuthenticationDetailsSource will + * use this to build the details property of the returned object. + * @param user the UserDetails loaded from the UserDetailsService. This will be + * stored as the principal. + * + * @return the Authentication for the remember-me authenticated user + */ + protected Authentication createSuccessfulAuthentication(HttpServletRequest request, UserDetails user) { + RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(key, user, user.getAuthorities()); + auth.setDetails(authenticationDetailsSource.buildDetails(request)); + return auth; + } + /** * Decodes the cookie and splits it into a set of token strings using the ":" delimiter. *
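Review bot: The Javadoc for `createSuccessfulAuthentication` says what the default does but not what an override must guarantee, although this hook now supplies the value returned on the success path of `autoLogin`. The default builds the token from the service's `key`; a subclass that returns an Authentication built without it would presumably be rejected by a provider that checks the key, and a null return would leave `autoLogin` after "Remember-me cookie accepted" has already been logged. I would add a sentence such as `* Overriding implementations must return a non-null Authentication created with this service's key.` The method also dereferences `user` unchecked, which is safe only if the part of `autoLogin` before the first hunk guarantees a non-null user.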