Polish remember me username check

Author: eleftherias

web/src/main/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java

@@ -21,6 +21,7 @@
 import org.springframework.security.crypto.codec.Hex;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.crypto.codec.Utf8;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
 import javax.servlet.http.HttpServletRequest;
@@ -123,10 +124,9 @@ protected UserDetails processAutoLoginCookie(String[] cookieTokens,
 		UserDetails userDetails = getUserDetailsService().loadUserByUsername(
 				cookieTokens[0]);
 
-		if (userDetails == null) {
-			throw new InvalidCookieException("Cookie token[0] contained username '"
-					+ cookieTokens[0] + "' that does not exist.");
-		}
+		Assert.notNull(userDetails, () -> "UserDetailsService " + getUserDetailsService()
+				+ " returned null for username " + cookieTokens[0] + ". "
+				+ "This is an interface contract violation");
 
 		// Check signature of token matches remaining details.
 		// Must do this after user lookup, as we need the DAO-derived password.

web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java

@@ -69,6 +69,10 @@ void udsWillThrowNotFound() {
 				new UsernameNotFoundException(""));
 	}
 
+	void udsWillReturnNull() {
+		when(uds.loadUserByUsername(any(String.class))).thenReturn(null);
+	}
+
 	private long determineExpiryTimeFromBased64EncodedToken(String validToken) {
 		String cookieAsPlainText = new String(Base64.decodeBase64(validToken.getBytes()));
 		String[] cookieTokens = StringUtils.delimitedListToStringArray(cookieAsPlainText,
@@ -230,6 +234,21 @@ public void autoLoginClearsCookieIfUserNotFound() throws Exception {
 		assertThat(returnedCookie.getMaxAge()).isZero();
 	}
 
+	@Test(expected = IllegalArgumentException.class)
+	public void autoLoginClearsCookieIfUserServiceMisconfigured() {
+		udsWillReturnNull();
+		Cookie cookie = new Cookie(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
+				generateCorrectCookieContentForToken(
+						System.currentTimeMillis() + 1000000, "someone", "password",
+						"key"));
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setCookies(cookie);
+
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		services.autoLogin(request, response);
+	}
+
 	@Test
 	public void autoLoginWithValidTokenAndUserSucceeds() throws Exception {
 		udsWillReturnUser();