This method will be called whenever the SecurityContextHolder does not contain an Authentication and the Acegi Security system wishes to provide an implementation with an opportunity to authenticate the request using remember-me capabilities. Acegi Security makes no attempt whatsoever to determine whether the browser has requested remember-me services or presented a valid cookie. Such determinations are left to the implementation. If a browser has presented an unauthorised cookie for whatever reason, it should be silently ignored and invalidated using the HttpServletResponse object.
The returned Authentication must be acceptable to {@link org.acegisecurity.AuthenticationManager} or {@link org.acegisecurity.providers.AuthenticationProvider} defined by the web application. It is recommended {@link org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken} be used in most cases, as it has a corresponding authentication provider.
@param request to look for a remember-me token within
@param response to change, cancel or modify the remember-me token
@return a valid authentication object, or null if the request should not be authenticated
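
An added example, not Acegi's own code: a minimal RememberMeServices whose autoLogin follows the contract above, silently ignoring and invalidating an unrecognised cookie and otherwise returning a RememberMeAuthenticationToken. The class name, cookie name, in-memory token store, fixed ROLE_USER authority and two-week lifetime are assumptions for illustration, as is issuing a cookie on every successful login.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.*;
import org.acegisecurity.*;
import org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken;
import org.acegisecurity.ui.rememberme.RememberMeServices;

public class ExampleRememberMeServices implements RememberMeServices {
    private static final String COOKIE = "EXAMPLE_REMEMBER_ME"; // hypothetical cookie name
    private final Map<String, String> tokens = new ConcurrentHashMap<String, String>(); // token -> username
    private final SecureRandom random = new SecureRandom();
    private final String key; // must equal the key configured on RememberMeAuthenticationProvider

    public ExampleRememberMeServices(String key) { this.key = key; }

    public Authentication autoLogin(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies(); // null when the browser sent none
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!COOKIE.equals(c.getName())) continue;
            String username = tokens.get(c.getValue());
            if (username == null) { // unknown or revoked token: ignore silently, invalidate
                setCookie(request, response, "", 0);
                return null;
            }
            // Assumption: fixed role; a real implementation loads the user's authorities.
            return new RememberMeAuthenticationToken(key, username,
                    new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });
        }
        return null; // no remember-me cookie presented
    }
    public void loginFail(HttpServletRequest request, HttpServletResponse response) {
        setCookie(request, response, "", 0); // failed interactive login cancels any cookie
    }
    public void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication auth) {
        String token = new BigInteger(256, random).toString(16); // 256-bit random value
        tokens.put(token, auth.getName());
        setCookie(request, response, token, 14 * 24 * 3600); // two weeks, an assumed lifetime
    }

    private void setCookie(HttpServletRequest request, HttpServletResponse response, String value, int maxAge) {
        Cookie c = new Cookie(COOKIE, value);
        c.setMaxAge(maxAge); // 0 tells the browser to delete the cookie
        c.setPath(request.getContextPath().length() > 0 ? request.getContextPath() : "/");
        c.setSecure(request.isSecure());
        response.addCookie(c);
    }
}
```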