Announcement Announcement Module
Collapse
No announcement yet.
CasAuthFilter.successfulAuthentication not calling RememberMeServices.loginSuccess Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • CasAuthFilter.successfulAuthentication not calling RememberMeServices.loginSuccess

    Hi Spring Security Guys,

    I am using Spring Security 3.1.0.RC3. We are making use of RememberMeServices mechanism in order not to create proxy tickets over and over again after first proxy authentication. However, currently injected RememberMeServices bean's loginSuccess method is not called inside CasAuthenticationFilter.successfulAuthentication, which is obviously called after successful interactive authentication in overriden successfulAuthentication method of its superclass AbstractAuthenticationProcessingFilter.

    I want to ask if it is deliberate action not to call loginSuccess of RememberMeServices or is it forgotten action that needs to be performed like in super class? Should I need to open an issue in Spring Security?

    Best Regards

  • #2
    When I today downloaded 3.1.0.RELEASE, I realized that CasAuthenticationProvider makes use of statelessTicketCache. We had missed that point before. Therefore, our remember me token based solution became unnecessary. However, I still don't see any problem if you Spring Security guys, change CasAuthenticationFilter.successfulAuthentication method like below, calling rememberMeServices.loginSuccess method just before doFilter call.

    Regards

    Code:
        @Override
        protected final void successfulAuthentication(HttpServletRequest request,
                HttpServletResponse response, FilterChain chain, Authentication authResult)
                throws IOException, ServletException {
            boolean continueFilterChain = proxyTicketRequest(serviceTicketRequest(request, response),request);
            if(!continueFilterChain) {
                super.successfulAuthentication(request, response, chain, authResult);
                return;
            }
            
    
            if (logger.isDebugEnabled()) {
                logger.debug("Authentication success. Updating SecurityContextHolder to contain: " + authResult);
            }
    
            SecurityContextHolder.getContext().setAuthentication(authResult);
    
            // Fire event
            if (this.eventPublisher != null) {
                eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
            }
    
            getRememberMeServices().loginSuccess(request, response, authResult);
    
            chain.doFilter(request, response);
        }

    Comment


    • #3
      This leads to complications for CAS Single Logout support which cannot cleanup the remember me resources (i.e. a remember me cookie). For most usecases rememberme should be done at the CAS Server side rather than the CAS Service. This is more secure and it centralizes the remember me. For edge cases where someone wants rememberme support on the CAS Service side the users can override the method.

      Comment

      Working...
      X