  • Persistent Tokens and Domain question

    I've implemented "Remember Me" with a Persistent Token store in a SQL SERVER database.

    I have 2 apps running on the same domain.

    www.mywebsite.com/app1
    www.mywebsite.com/app2

    I share the security-context.xml file between the 2 apps and they are running on the same JVM.

    I noticed with the remember me functionality that it is creating cookies for www.mywebsite.com with a Path value of app1. Because this happens I'm not logged into app2 automatically.

    When I log into app2, I notice in the db table that a second entry is entered and another spring security cookie is created for app2, only it has a Path value of app2.

    Is there a way for SpringSecurity to create the cookie at the www.mywebsite.com level with a Path of "/" so all the apps can see it?

    I would like the user to only have to log in once to the "site" and have access to all the applications.

    Here is the security xml:
    Code:
    <?xml version="1.0" encoding="UTF-8" ?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
      xmlns:beans="http://www.springframework.org/schema/beans"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.1.xsd">

      <http auto-config="true" create-session="never">
        <intercept-url pattern="/**" access="ROLE_USER" />
        <remember-me key="MySecurityKey" data-source-ref="mySecurityDS" />
      </http>

      <!-- authentication manager and password hashing -->
      <authentication-manager>
        <authentication-provider>
          <user-service>
            <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="bob" password="bobspassword" authorities="ROLE_USER" />
          </user-service>
        </authentication-provider>
      </authentication-manager>

      <beans:bean id="mySecurityDS"
          class="org.springframework.jndi.JndiObjectFactoryBean">
        <beans:property name="jndiName" value="java:comp/env/jdbc/SecurityDataTable" />
      </beans:bean>

    </beans:beans>
    Last edited by epaisley; Sep 10th, 2012, 04:31 PM. Reason: Added xml snippet

  • #2
    Success

    I got this to work, but needed to write my own RememberMe service. I extended PersistentTokenBasedRememberMeServices and overrode the setCookie method to set the path as /.


    Code:
    package com.company.spring.security.custom.rememberme;

    import java.lang.reflect.Method;

    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
    import org.springframework.util.ReflectionUtils;

    /**
     * Remember-me services that write the persistent-token cookie with Path "/"
     * instead of the context path of the application that issued it. With Path "/"
     * the browser sends the same cookie to every application on the host
     * (www.mywebsite.com/app1 and www.mywebsite.com/app2), so one login covers both
     * and only one series row is created in the token table.
     */
    public class CustomDomainCookieRememberMe extends PersistentTokenBasedRememberMeServices {

        // null means "secure whenever the request was secure"; set it to force the flag either way
        private Boolean useSecureCookie = null;

        // Cookie.setHttpOnly only exists from Servlet 3.0, so it is looked up reflectively,
        // exactly as the parent class does. The parent's own field is private, so the
        // subclass must do this itself or the cookie silently loses HttpOnly.
        private final Method setHttpOnlyMethod =
                ReflectionUtils.findMethod(Cookie.class, "setHttpOnly", boolean.class);

        // "/" is what gives "single sign on" across the apps on this host. Leaving the
        // default (the request's context path) scopes the cookie to the issuing app only.
        private String cookiePathForSecurity = "/";

        public void setUseSecureCookie(boolean useSecureCookie) {
            this.useSecureCookie = useSecureCookie;
        }

        public void setCookiePathForSecurity(String cookiePathForSecurity) {
            this.cookiePathForSecurity = cookiePathForSecurity;
        }

        @Override
        protected void setCookie(String[] tokens, int maxAge,
                                 HttpServletRequest request, HttpServletResponse response) {
            // Same encoding as the parent: series and token joined and Base64-encoded
            String cookieValue = encodeCookie(tokens);
            Cookie cookie = new Cookie(getCookieName(), cookieValue);
            cookie.setMaxAge(maxAge);
            cookie.setPath(cookiePathForSecurity);

            if (useSecureCookie == null) {
                cookie.setSecure(request.isSecure());
            } else {
                cookie.setSecure(useSecureCookie);
            }

            // Keep the token out of reach of script where the container supports it
            if (setHttpOnlyMethod != null) {
                ReflectionUtils.invokeMethod(setHttpOnlyMethod, cookie, Boolean.TRUE);
            }

            response.addCookie(cookie);
        }

        @Override
        protected void cancelCookie(HttpServletRequest request, HttpServletResponse response) {
            // Browsers identify a cookie by name, domain and path. The parent cancels with the
            // context path, which would leave the Path "/" cookie in place after logout or an
            // invalid token, so the expiring cookie must use the same path we set above.
            Cookie cookie = new Cookie(getCookieName(), null);
            cookie.setMaxAge(0);
            cookie.setPath(cookiePathForSecurity);
            response.addCookie(cookie);
        }
    }
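    To use the class above, the filter has to be told about it in security-context.xml. This is an added example, not part of the original thread, assuming Spring Security 3.1's services-ref attribute on remember-me, the setter-based configuration of PersistentTokenBasedRememberMeServices (key, userDetailsService, tokenRepository) and JdbcTokenRepositoryImpl over the question's mySecurityDS data source; the bean ids userService, tokenRepository and rememberMeServices are assumptions.

```xml
<!-- Replaces the <http> and <authentication-manager> elements of the posted file;
     mySecurityDS stays as posted. Bean ids here are assumed names. -->
<http auto-config="true" create-session="never">
  <intercept-url pattern="/**" access="ROLE_USER" />
  <!-- services-ref replaces data-source-ref: the filter now uses the subclass -->
  <remember-me key="MySecurityKey" services-ref="rememberMeServices" />
</http>

<authentication-manager>
  <authentication-provider user-service-ref="userService" />
</authentication-manager>

<!-- The same in-memory users as the question, given an id so the remember-me
     services can resolve the account named in a presented token -->
<user-service id="userService">
  <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
  <user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>

<!-- persistent_logins table in the shared SQL Server database -->
<beans:bean id="tokenRepository"
    class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
  <beans:property name="dataSource" ref="mySecurityDS" />
</beans:bean>

<!-- The key must equal the one on <remember-me>, or the
     RememberMeAuthenticationProvider rejects the authentication -->
<beans:bean id="rememberMeServices"
    class="com.company.spring.security.custom.rememberme.CustomDomainCookieRememberMe">
  <beans:property name="key" value="MySecurityKey" />
  <beans:property name="userDetailsService" ref="userService" />
  <beans:property name="tokenRepository" ref="tokenRepository" />
</beans:bean>
```

    Because app1 and app2 load this same file, both end up with the same cookie name, key and token table, which is what lets a token issued by one app validate in the other.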
