Spring Security Should commence method of CasAuthenticationEntryPoint must be a final method?

Summary

Should commence method of CasAuthenticationEntryPoint must be a final method?

If the request is from ajax after session expired, the current commence method will send code 302 to browser, and browser will try to redirect to the cas login page. BUT if the cas server is not at the same domain as the application, browser will deny the request because of same-origin policy.

In the issue #2999 , Rob Winch shows an example to solve this problem:

public class CustomLoginUrlAuthenticationEntryPoint implements LoginUrlAuthenticationEntryPoint {

   public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
            throws IOException, ServletException {

    if(ajaxRedirect) {
      // do ajax handling
    } else {
      loginUrlAuthenticationEntryPoint.commence(request,response,authException);
    }
}

This is nice, but the commence method of CasAuthenticationEntryPoint is final and I can not override it .

    public final void commence(final HttpServletRequest servletRequest,
            final HttpServletResponse response,
            final AuthenticationException authenticationException) throws IOException,
            ServletException {

        final String urlEncodedService = createServiceUrl(servletRequest, response);
        final String redirectUrl = createRedirectUrl(urlEncodedService);

        preCommence(servletRequest, response);

        response.sendRedirect(redirectUrl);
    }

So, maybe commence method of CasAuthenticationEntryPoint could remove the final ?

Comment From: rwinch

In general, you should favor composition over inheritance. Why do you need to override the method? Does it provide any additional value?

Comment From: silenceshell

ok, I will use composition to wrap CasAuthenticationEntryPoint. Thank you ~!