
  • TokenBasedRememberMeServices cookiename ignored

    I have recently upgraded my Spring Security libraries to 3.1 GA (from RC3) and have noticed that the cookieName property on the TokenBasedRememberMeServices bean seems to be ignored. The cookie that gets created is SPRING_SECURITY_REMEMBER_ME_COOKIE regardless of what name I inject into the cookieName property. This used to work in previous versions. Has anybody else experienced this, or have I missed something?

    Code:
        <!--
          Remember-me services bean as posted in the question. cookieName only
          affects the cookie if this instance is the one the remember-me filter
          in the security filter chain actually uses.
          "key" is the secret mixed into the remember-me token signature; the
          value shown is redacted by the poster. Supply the real one from a
          property placeholder, like the other values, not as a literal.
        -->
        <bean id="rememberMeServices"
              class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
            <property name="key" value="xxxxxxx"/>
            <property name="cookieName" value="${remember.me.cookie.name}"/>
            <property name="tokenValiditySeconds" value="${login.cookie.duration.seconds}"/>
            <property name="userDetailsService" ref="userDetailsService"/>
        </bean>

  • #2
    Can you post the rest of your Spring Security configuration?



    • #3
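      <?xml version="1.0" encoding="UTF-8"?>
      <beans xmlns="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:util="http://www.springframework.org/schema/util"
             xmlns:security="http://www.springframework.org/schema/security"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

        <!--
          Configuration as posted in the thread, with the class names and schema
          URLs that the forum software had broken up (inserted spaces, "...")
          restored. The wiring itself is unchanged, including the remember-me
          problem the thread is about.
        -->

        <!-- Providers are consulted in the order listed: remember-me tokens first,
             then the project's own provider. -->
        <security:authentication-manager alias="authenticationManager">
          <security:authentication-provider ref="rememberMeProvider"/>
          <security:authentication-provider ref="authenticationProvider"/>
        </security:authentication-manager>

        <bean name="userDetailsService"
              class="za.co.bsg.ems.server.security.SidUserDetailsService"
              depends-on="emfBean"/>

        <!--
          Custom remember-me services. Nothing in the security:http element below
          refers to this bean, so the filter chain does not use it for issuing
          cookies; the bare security:remember-me element builds its own services
          with the default cookie name. That is why cookieName appears ignored.

          NOTE(review): "key" signs the remember-me token. A short literal checked
          in with the configuration is guessable and shared by every environment;
          supply it from a property placeholder and keep it identical on the
          services bean and the RememberMeAuthenticationProvider.
        -->
        <bean id="rememberMeServices"
              class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
          <property name="userDetailsService" ref="userDetailsService"/>
          <property name="tokenValiditySeconds" value="${login.cookie.duration.seconds}"/>
          <property name="cookieName" value="${remember.me.cookie.name}"/>
          <property name="key" value="springRules"/>
        </bean>

        <bean id="rememberMeProvider"
              class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
          <property name="key" value="springRules"/>
        </bean>

        <!-- Defined here but not placed in the chain: no security:custom-filter
             below references it. -->
        <bean name="rememberMeAuthenticationFilter"
              class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
          <property name="authenticationManager" ref="authenticationManager"/>
          <property name="rememberMeServices" ref="rememberMeServices"/>
        </bean>

        <!--
          NOTE(review): MD5 is a fast general-purpose hash and is not suitable for
          storing passwords, even with the per-user salt configured below. Plan a
          migration to an adaptive password hash (bcrypt or similar) and re-hash
          on next successful login.
        -->
        <bean id="passwordEncoder"
              class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>

        <!-- Reads the salt from the "salt" property of the user details object. -->
        <bean id="saltSource"
              class="org.springframework.security.authentication.dao.ReflectionSaltSource">
          <property name="userPropertyToUse" value="salt"/>
        </bean>

        <!-- Project class; disabled in this configuration. -->
        <bean id="externalAuthenticator"
              class="za.co.bsg.ems.server.security.LdapAuthenticator">
          <property name="enabled" value="false"/>
          <property name="serverUrl" value="${support.ldap.url}"/>
          <property name="principalPrefix" value="${support.ldap.principal.prefix}"/>
        </bean>

        <!-- Project class, enabled. NOTE(review): what a "support user" login is
             allowed to do is not visible in this file; confirm it is intended
             to be on in production. -->
        <bean id="supportUserAuthenticator"
              class="za.co.bsg.ems.server.security.SupportUserAuthenticator">
          <property name="enabled" value="true"/>
        </bean>

        <bean id="authenticationProvider"
              class="za.co.bsg.ems.server.security.SidAuthenticationProvider">
          <property name="userDetailsService" ref="userDetailsService"/>
          <property name="passwordEncoder" ref="passwordEncoder"/>
          <property name="saltSource" ref="saltSource"/>
          <property name="externalAuthenticator" ref="externalAuthenticator"/>
          <property name="supportUserAuthenticator" ref="supportUserAuthenticator"/>
        </bean>

        <!--
          Logout redirects to "/" and runs three handlers. "logoutMonitor" is not
          defined in this file.
          NOTE(review): the rememberMeServices handler presumably clears the cookie
          under the custom name, while the cookie actually issued carries the
          default name, so a remember-me cookie may survive logout until the
          wiring is fixed. Verify after the change.
        -->
        <bean name="logoutFilter"
              class="org.springframework.security.web.authentication.logout.LogoutFilter">
          <constructor-arg value="/"/>
          <constructor-arg>
            <list>
              <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
              <ref bean="rememberMeServices"/>
              <ref bean="logoutMonitor"/>
            </list>
          </constructor-arg>
          <property name="filterProcessesUrl" value="/logout"/>
        </bean>

        <bean name="supportUserRollbackSecurityFilter"
              class="za.co.bsg.ems.server.security.SupportUserRollbackSecurityFilter"/>

        <!-- NOTE(review): the remember-me cookie is a bearer credential; if
             ${use.https} resolves to false it is sent over plain HTTP. -->
        <bean name="authenticationEntryPoint"
              class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
          <property name="forceHttps" value="${use.https}"/>
          <property name="loginFormUrl" value="/${login.jsp}"/>
        </bean>

        <!--
          The bare security:remember-me element is where the default services
          (and default cookie name) come from. To use the custom bean above, point
          the element at it with its services-ref attribute instead of declaring
          a separate filter and provider.

          Only the four URL patterns listed are constrained here; there is no
          catch-all pattern, so any other URL is not restricted at the web layer
          by this block.
        -->
        <security:http auto-config="false" entry-point-ref="authenticationEntryPoint">
          <security:form-login login-page="/${login.jsp}"
                               always-use-default-target="true"
                               default-target-url="${login.ok}"/>
          <security:remember-me/>
          <security:anonymous/>
          <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
          <security:intercept-url pattern="/j_spring_security_check*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
          <security:intercept-url pattern="/change_password*" access="IS_AUTHENTICATED_REMEMBERED"/>
          <security:intercept-url pattern="/prompt_password*" access="IS_AUTHENTICATED_REMEMBERED"/>
          <security:custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
          <security:custom-filter position="LAST" ref="supportUserRollbackSecurityFilter"/>
        </security:http>

        <security:global-method-security jsr250-annotations="enabled"/>

      </beans>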



      • #4
        The problem appears to be that you have specified the <security:remember-me/> tag and then redefined and customised the beans that the remember-me tag creates, without attaching them to the filter chain (i.e. linking them in the http block). Try removing anything you specified simply to inject your custom remember-me services (i.e. RememberMeAuthenticationFilter, RememberMeAuthenticationProvider, LogoutFilter, etc.) and instead use remember-me@services-ref.

        PS In the future please ensure to use the code tags when posting configuration as this makes it much easier to read.



        • #5
          Duh, thanks a lot
