Describe the bug
RememberMeAuthenticationFilter will not call chain.doFilter(request, response) when it has a successHandler.
To Reproduce
http.rememberMe()
    .rememberMeParameter(xxx)
    .userDetailsService(xxx)
    .tokenRepository(xxx)
    .tokenValiditySeconds(securityBoostProperties.getRememberMeSeconds())
    .authenticationSuccessHandler(new AuthenticationSuccessHandler() {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication) throws IOException, ServletException {
            // writeTenantAfterAuthSuccessHandler.onHandle(request, response, authentication);
            chain.doFilter(request, response);
        }

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        }
    });
Expected behavior
RememberMeAuthenticationFilter will call chain.doFilter(request, response) whether it has a successHandler or not.
Sample
How to fix the bug
I have read the source code, and I think some code in RememberMeAuthenticationFilter.java is not correct.
    if (this.successHandler != null) {
        this.successHandler.onAuthenticationSuccess(request, response, rememberMeAuth);
        return;
    }
The above code is at line 126 of RememberMeAuthenticationFilter.java.
    if (this.successHandler != null) {
        this.successHandler.onAuthenticationSuccess(request, response, chain, rememberMeAuth);
        return;
    }
I think the correct code should be like this. Thank you very much!
Comment From: YangSiJun528
The observed behavior is not a bug.
It is the expected operation of RememberMeAuthenticationFilter.
When an AuthenticationSuccessHandler is configured, the filter triggers the handler, leading to an immediate return from the doFilter() method.
This allows the application to redirect the user to a specific URL, regardless of the original request.
Consequently, chain.doFilter(request, response) is not invoked.
This behavior is documented in the official documentation. Thank you.
Comment From: jzheaux
Thanks for reaching out, @fishedee, and thank you for the link to the documentation, @YangSiJun528.
RememberMeAuthenticationFilter is intended as a terminating filter in the same way as UsernamePasswordAuthenticationFilter.
If you'd like some support for how to best proceed with your given use case, please consider posting a question to StackOverflow. Link it here on this ticket, and I'll be happy to take a further look over there.
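Added example, not from the issue and not Spring Security's own code: given the terminating behaviour described above, the two supported ways to react to a remember-me login are a success handler that owns the rest of the response, and an ApplicationEvent listener for side effects that must not stop the original request from continuing down the chain. RememberMeAuthenticationFilter publishes InteractiveAuthenticationSuccessEvent before it checks for a success handler, and when no handler is configured it goes on to call chain.doFilter. This assumes Spring Security 6 on jakarta.servlet and that the filter has been given an ApplicationEventPublisher (which the Java-config object post-processor does; set it yourself if you construct the filter by hand). TenantStore, the /home path and the bean names are hypothetical placeholders.

```java
// Added example (not from the issue or the Spring Security project).
// Assumes Spring Security 6 / jakarta.servlet; TenantStore and "/home" are hypothetical.
package example;

import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;

@Configuration
public class RememberMeConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, UserDetailsService users,
            PersistentTokenRepository tokens) throws Exception {
        http.rememberMe(rememberMe -> rememberMe
                .userDetailsService(users)
                .tokenRepository(tokens));
                // Deliberately no authenticationSuccessHandler: without one the filter
                // calls chain.doFilter and the original request is served. If you want
                // the terminating behaviour instead, add
                // .authenticationSuccessHandler(new RedirectAfterRememberMeHandler())
        return http.build();
    }

    @Bean
    RememberMeLoginListener rememberMeLoginListener(TenantStore tenantStore) {
        return new RememberMeLoginListener(tenantStore);
    }

    /** Case 1: a remember-me login should redirect regardless of the original URL. */
    static class RedirectAfterRememberMeHandler implements AuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException {
            // RememberMeAuthenticationFilter invokes this three-argument overload and
            // then returns. The four-argument overload that takes a FilterChain is a
            // default method on the interface that delegates here; the filter never
            // calls it, so overriding it to call chain.doFilter has no effect.
            response.sendRedirect(request.getContextPath() + "/home"); // "/home" is a placeholder
        }
    }

    /** Case 2: a side effect is wanted, but the request must keep flowing down the chain. */
    static class RememberMeLoginListener {
        private final TenantStore tenantStore;

        RememberMeLoginListener(TenantStore tenantStore) {
            this.tenantStore = tenantStore;
        }

        @EventListener
        public void onInteractiveSuccess(InteractiveAuthenticationSuccessEvent event) {
            // The event is published before the success-handler check. Filter on the
            // generating class so form login, HTTP Basic and others are ignored.
            if (!RememberMeAuthenticationFilter.class.equals(event.getGeneratedBy())) {
                return;
            }
            Authentication auth = event.getAuthentication();
            tenantStore.recordLogin(auth.getName());
        }
    }

    /** Hypothetical collaborator standing in for the reporter's tenant bookkeeping. */
    interface TenantStore {
        void recordLogin(String username);
    }
}
```

If the side effect needs the HttpServletRequest or HttpServletResponse rather than just the Authentication, the event does not carry them; the other hook that runs before the success-handler check and does not terminate the request is the protected onSuccessfulAuthentication(request, response, authResult) method of RememberMeAuthenticationFilter, which you can override in a subclass registered in place of the default filter.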