
  • When does spring security remember me process its cookie?

    Spring security 3.1.1

    So I made a custom remember me service which extends the default token based remember me service just to check if it's called or not.

    Code:
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
    
    public class CustomTokenBasedRememberMeService extends TokenBasedRememberMeServices {
    
        @Override
        protected int calculateLoginLifetime(HttpServletRequest request, Authentication authentication) {
            System.out.println("COOKIE: Process1!");
            return super.calculateLoginLifetime(request, authentication);
        }
    
        @Override
        protected boolean isTokenExpired(long tokenExpiryTime) {
            System.out.println("COOKIE: Process2!");
            return super.isTokenExpired(tokenExpiryTime);
        }
    
        @Override
        protected String makeTokenSignature(long tokenExpiryTime, String username, String password) {
            System.out.println("COOKIE: Process3!");
            return super.makeTokenSignature(tokenExpiryTime, username, password);
        }
    
        @Override
        protected String retrievePassword(Authentication authentication) {
            System.out.println("COOKIE: Process4!");
            return super.retrievePassword(authentication);
        }
    
        @Override
        protected String retrieveUserName(Authentication authentication) {
            System.out.println("COOKIE: Process5!");
            return super.retrieveUserName(authentication);
        }
    
        @Override
        protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request, HttpServletResponse response) {
            System.out.println("COOKIE: Process6!");
            return super.processAutoLoginCookie(cookieTokens, request, response);
        }    
    
        @Override
        public void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) {
            System.out.println("COOKIE: Process7!");
            super.onLoginSuccess(request, response, successfulAuthentication);
        }
    }
    When a user logs in, it prints out:

    Code:
    INFO: COOKIE: Process7!
    INFO: COOKIE: Process5!
    INFO: COOKIE: Process4!
    INFO: COOKIE: Process1!
    INFO: COOKIE: Process3!
    which means that it calls the onLoginSuccess(), retrieveUserName(), retrievePassword(), calculateLoginLifetime(), and makeTokenSignature().

    The browser has accepted the cookie, but it's never processed ever. Even after I deleted the session, restarted the browser, etc. It's never processed, I assume processAutoLoginCookie is responsible for this but it's never called either.

    What's the condition for spring security to process the cookie?
    Last edited by william_; Aug 22nd, 2012, 10:02 AM.

  • #2
    Take a look at the RememberMeAuthenticationFilter



    • #3
      Originally posted by Gustavoren
      Well, I think that you should consult somebody experienced and professional in this field. I hope your problem will surely be solved and you will get an appropriate answer for this.
      Uhh, ok.

      Originally posted by Rob Winch
      A little explanation related to my question please?



      • #4
        The title reads "When does spring security remember me process its cookie?". The RememberMeAuthenticationFilter is what utilizes the RememberMeServices to process the remember me cookie. Add debug points to that filter and turn up debug logging to figure out what is happening.



        • #5
          Originally posted by Rob Winch
          The title reads "When does spring security remember me process its cookie?". The RememberMeAuthenticationFilter is what utilizes the RememberMeServices to process the remember me cookie. Add debug points to that filter and turn up debug logging to figure out what is happening.
          Ok thanks, do you know what's the condition for the RememberMeAuthenticationFilter to utilize the RememberMeService? Is it when the user tries to access a secured page when the session hasn't been made? Or do I have to put some configuration to each page I secured?



          • #6
            I'm not sure if you noticed, but I provided a link to the source which should explain what it is doing. In summary, it will invoke RememberMeServices#autoLogin if the Authentication is null.



            • #7
              Originally posted by Rob Winch
              I'm not sure if you noticed, but I provided a link to the source which should explain what it is doing. In summary, it will invoke RememberMeServices#autoLogin if the Authentication is null.
              Thanks, now I could see that if SecurityContextHolder.getContext().getAuthentication()==null then it calls the autoLogin() method.
              I can't override autoLogin() since it's declared as final. So I trust that it works just fine and I noticed that it calls the processAutoLoginCookie() method afterward. But the method is never called. So I presume either the Authentication is never null or the doFilter() method is never called in the first place. What do you think about this?
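
One way to tell apart the possibilities raised in the last post (the Authentication is never null, or the filter is never reached), given here as an added example that is not part of the thread or of Spring Security itself. The class name `RememberMePreconditionLogger`, its bean id and the `custom-filter` registration are assumptions, as is the use of the 3.1 default cookie name.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.web.filter.GenericFilterBean;

// Added diagnostic example; class and bean names are hypothetical. Register with
// <custom-filter before="REMEMBER_ME_FILTER" ref="rememberMePreconditionLogger"/>.
public class RememberMePreconditionLogger extends GenericFilterBean {
    // Default cookie name in Spring Security 3.1; change if you configured another.
    private String cookieName = AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY;

    public void setCookieName(String cookieName) { this.cookieName = cookieName; }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Log only the state; the cookie value is a credential and must not be logged.
        logger.info(request.getRequestURI() + ": " + describe(auth, findCookie(request)));
        chain.doFilter(req, res);
    }

    private Cookie findCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when the browser sent none
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (cookieName.equals(c.getName())) return c;
        }
        return null;
    }

    // Mirrors the checks made before processAutoLoginCookie() can be reached.
    static String describe(Authentication auth, Cookie cookie) {
        if (auth != null) return "Authentication already present ("
                + auth.getClass().getSimpleName() + "); autoLogin() is skipped";
        if (cookie == null) return "Authentication null, cookie not sent; autoLogin() returns null";
        String v = cookie.getValue();
        if (v == null || v.length() == 0) return "Authentication null, cookie empty; autoLogin() returns null";
        return "Authentication null, cookie present; decoding and processAutoLoginCookie() follow";
    }
}
```

If nothing is logged for a request, the security filter chain is not being applied to that URL at all.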
