Spring Security custom authentication and remember me

Asked by
I used this tutorial http://krams915.blogspot.de/2010/12/spring-security-mvc-integration-using_26.html to implement a custom authentication manager. Login and logout works fine.

Now I want to use spring security remember me authentication. Far as I know I, remember me require a userDetailService. So I implement a custom userDetailService. On the loginpage I add a checkbox with name _spring_security_remember_me. But remember me doesn't work. The remember me cookie is not set after succesfully login. I think this is a configuration problem or must I implement a custom remember me to work with custom authentication ?

<input type="checkbox" name="_spring_security_remember_me">stay signed in
My Spring-Security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
 xmlns:security="http://www.springframework.org/schema/security"
 xmlns:p="http://www.springframework.org/schema/p" 
 xmlns:jee="http://www.springframework.org/schema/jee"
 xsi:schemaLocation="http://www.springframework.org/schema/beans 
 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
 http://www.springframework.org/schema/security 
 http://www.springframework.org/schema/security/spring-security-3.0.xsd
 http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd">

 <security:http auto-config="false" use-expressions="true" access-denied-page="/login?error=true"
 entry-point-ref="authenticationEntryPoint" >

 <!-- Zugriff auf /login für alle erlauben --> 
 <security:intercept-url pattern="/login" access="permitAll"/>
 <!-- resources -->
 <security:intercept-url pattern="/resources/**" access="permitAll"/>
 <!--<security:intercept-url pattern="/**" access="permitAll"/> -->
 <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
 <!-- Zugriff auf /admin/** einschränken -->
 <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>


 <security:logout 
 invalidate-session="true" 
 logout-success-url="/login?logout=true" 
 logout-url="/j_spring_security_logout"/>

 <security:custom-filter ref="blacklistFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
 <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>

 <!-- Session Timeout Seite setzen und
 Session Fixation Attack Protection einschalten --> 
 <security:session-management invalid-session-url="/login?timeout=true"
 session-fixation-protection="migrateSession">

 <!-- Maxmale Anzahl von Session per User (Doppelanmeldung) --> 
 <security:concurrency-control max-sessions="3"
 error-if-maximum-exceeded="false" />
 </security:session-management> 
 <security:remember-me key="myAppKey" token-validity-seconds="864000" user-service-ref="customUserDetailService"/>
 </security:http>

 <!-- custom user service -->
 <bean id="customUserDetailService" class="com.stefan.app.security.CustomUserDetailsService">
 <property name="userBean" ref="userBean" />
 </bean>

 <!-- Custom filter to deny unwanted users even though registered -->
 <bean id="blacklistFilter" class="com.stefan.app.security.filter.BlacklistFilter" />

 <!-- Custom filter for username and password. The real customization is done in the customAthenticationManager -->
 <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
 p:authenticationManager-ref="customAuthenticationManager"
 p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
 p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />

 <!-- Custom authentication manager. In order to authenticate, username and password must not be the same -->
 <bean id="customAuthenticationManager" class="com.stefan.app.security.CustomAuthenticationManager">
 <property name="userBean" ref="userBean" />
 </bean>

 <jee:local-slsb id="userBean" jndi-name="java:global/com.stefan.auctionnsiper-ear/app.ejb/UserBean!com.stefan.app.user.UserBeanLocal"
 business-interface="com.stefan.app.user.UserBeanLocal"/>

 <!-- We just actually need to set the default failure url here -->
 <bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
 p:defaultFailureUrl="/login?error=true" />

 <!-- We just actually need to set the default target url here -->
 <bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
 p:defaultTargetUrl="/products" />

 <!-- The AuthenticationEntryPoint is responsible for redirecting the user to a particular page, like a login page,
 whenever the server sends back a response requiring authentication -->
 <!-- See Spring-Security Reference 5.4.1 for more info -->
 <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
 p:loginFormUrl="/login"/>

 <!-- The tag below has no use but Spring Security needs it to autowire the parent property of 
 org.springframework.security.authentication.ProviderManager. Otherwise we get an error 
 A probable bug. This is still under investigation-->
 <security:authentication-manager/>
</beans> 

Best Answer

Answer by
Check:

  • http://stackoverflow.com/questions/8815277/spring-security-tokenbasedremembermeservices-cookiename-ignored
  • http://forum.springsource.org/showthread.php?130600-Spring-security-remember-me-cookie-configuration-example


Try this:

<security:http>
 ...
 <security:remember-me services-ref="rememberMeServices" />
</security:http>

<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
 <property name="userDetailsService" ref="customUserDetailService"/>
 <property name="tokenValiditySeconds" value="864000"/>
 <property name="cookieName" value="SPRING_RM"/>
 <property name="key" value="myAppKey"/>
</bean>

Your Answer

Name:
Answer: