My project uses the remember function. When I first enter the account password, access is normal. When I close the browser and access the unauthorized methods for the second time, I jump to the login page. This is obviously a problem; in normal circumstances it should jump to the unauthorized prompt page. This problem cost me several days to debug, and I finally found the following code:


    if (authenticationTrustResolver.isAnonymous(authentication)
            || authenticationTrustResolver.isRememberMe(authentication)) {
        logger.debug(
                "Access is denied (user is "
                        + (authenticationTrustResolver.isAnonymous(authentication)
                                ? "anonymous" : "not fully authenticated")
                        + "); redirecting to authentication entry point",
                exception);

        sendStartAuthentication(
                request,
                response,
                chain,
                new InsufficientAuthenticationException(
                        messages.getMessage(
                                "ExceptionTranslationFilter.insufficientAuthentication",
                                "Full authentication is required to access this resource")));
    }
    else {
        logger.debug(
                "Access is denied (user is not anonymous); delegating to AccessDeniedHandler",
                exception);

        accessDeniedHandler.handle(request, response,
                (AccessDeniedException) exception);
    }


When I use the remember me function to automatically log in, authentication is an instance of RememberMeAuthenticationToken. It always enters the if logic, causing a jump to the login page. Then I looked up the source code of the previous version and found that this part was modified after Spring Security 4.2; before 4.1 it was like this:


    if (authenticationTrustResolver.isAnonymous(SecurityContextHolder
            .getContext().getAuthentication())) {
        logger.debug(
                "Access is denied (user is anonymous); redirecting to authentication entry point",
                exception);

        sendStartAuthentication(
                request,
                response,
                chain,
                new InsufficientAuthenticationException(
                        "Full authentication is required to access this resource"));
    }
    else {
        logger.debug(
                "Access is denied (user is not anonymous); delegating to AccessDeniedHandler",
                exception);

        accessDeniedHandler.handle(request, response,
                (AccessDeniedException) exception);
    }


When my project returned to using 4.1, everything returned to normal.
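The branch change described in the post, as an added example that is not part of the original issue or of Spring Security's own code: it evaluates the two `if` conditions quoted above against an anonymous, a remember-me and a form-login token, using the library's default `AuthenticationTrustResolverImpl`. The class name, key, user name and roles are constructed for illustration, and spring-security-core is assumed to be on the classpath.

```java
import java.util.List;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical demo class: models only the branch taken on AccessDeniedException.
public class AccessDeniedBranchDemo {

    private static final AuthenticationTrustResolver RESOLVER =
            new AuthenticationTrustResolverImpl();

    // Condition from the 4.1 snippet in the post: only anonymous users are re-authenticated.
    static String branch41(Authentication a) {
        return RESOLVER.isAnonymous(a) ? "entry point (login)" : "AccessDeniedHandler";
    }

    // Condition from the 4.2 snippet: remember-me counts as "not fully authenticated".
    static String branch42(Authentication a) {
        return (RESOLVER.isAnonymous(a) || RESOLVER.isRememberMe(a))
                ? "entry point (login)" : "AccessDeniedHandler";
    }

    public static void main(String[] args) {
        // Constructed sample tokens; key, principal and roles are placeholders.
        List<GrantedAuthority> user = AuthorityUtils.createAuthorityList("ROLE_USER");
        List<GrantedAuthority> anon = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");
        Authentication[] samples = {
            new AnonymousAuthenticationToken("demo-key", "anonymousUser", anon),
            new RememberMeAuthenticationToken("demo-key", "alice", user),
            new UsernamePasswordAuthenticationToken("alice", "n/a", user)
        };

        for (Authentication a : samples) {
            System.out.printf("%-36s 4.1 -> %-20s 4.2 -> %s%n",
                    a.getClass().getSimpleName(), branch41(a), branch42(a));
        }
    }
}
```

Only the `RememberMeAuthenticationToken` row differs between the two columns, which is the behaviour change the post reports.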

Comment From: marcusdacoregio

I will close this issue since it has become stale. If someone still has the same problem in recent versions of Spring Security, please provide a minimal, reproducible sample and we can reopen this.