
  • Accessing single Remember-me cookie between different webapps inside tomcat

    Hi Spring Gurus,

    I had one problem while using <security:remember-me key="some" /> in my application. I have two Spring Security webapps running in Tomcat. Both have a login page. If the user enters one application, the login page should be shown. Once he has successfully logged in, the remember-me cookie is set, and from the next time onwards the user is able to enter that particular application without being asked for username and password. My problem is that if the same user enters the second application, it again prompts for username and password in the second application. But I don't want that process. I need the remember-me cookie set by one application to be available to the other applications which use the same remember-me.
    I am really stuck on this. Can anyone provide guidance on this? It is urgent, please.

    I am herewith pasting my applicationContext-security.xml file.

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns=""
        <global-method-security pre-post-annotations="enabled">
        <http use-expressions="true" auto-config='false'>
            <intercept-url pattern="/secure/extreme/**" access="hasRole('ROLE_SUPERVISOR')"/>
            <intercept-url pattern="/secure/**" access="isAuthenticated()" />
            <intercept-url pattern="/**" access="permitAll" />
            <form-login login-page='/login.jsp' default-target-url='/index.jsp' always-use-default-target='true' />
            <logout />
            <remember-me key="someKey" token-validity-seconds="864000" /> 
            <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
                <password-encoder hash="md5"/>
                    <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
                    <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
                    <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
                    <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />


  • #2
    Can anyone please suggest some way on this?



    • #3
      Take a look at the base class AbstractRememberMeServices

      Take a look at the base class for the remember me service: AbstractRememberMeServices in package

      Hint: You can reuse a cookie if the cookie's domain is set appropriately, and both sites are in the same domain. This will require creating a class that extends AbstractRememberMeServices and implements logic that sets the cookie's domain.

      If for example your cookie's domain was set to in a custom class. If one of your tomcat sites was and the other tomcat site was then your tomcat sites could share this cookie and the user would only be forced to login once if Remember Me security was implemented on both sites.


      • #4
        Hi djdrisco,

        Thanks for your reply. I had done exactly what you said. Instead of creating a new class, I had extracted the class file from the jar, modified the code to set the cookie path to root, and rebuilt the jar. Now it is working. If I instead extend that class in my Java file, what changes do I have to make in the applicationContext-security.xml file? The file will look like the one I posted in the first post.
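The subclass approach hinted at in post #3, as an added example that is not part of the original thread and not code from Spring Security itself. It assumes Spring Security 3.0.x (no-argument constructor, `setCookie` and `cancelCookie` overridable); the class and package names are hypothetical.

```java
// Added example, not from the thread. Assumes Spring Security 3.0.x.
// SharedPathRememberMeServices and example.security are hypothetical names.
package example.security;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

public class SharedPathRememberMeServices extends TokenBasedRememberMeServices {

    // Path "/" makes the browser send the cookie to every webapp on this host,
    // not only to the context path of the webapp that issued it.
    private static final String SHARED_PATH = "/";

    @Override
    protected void setCookie(String[] tokens, int maxAge,
                             HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = new Cookie(getCookieName(), encodeCookie(tokens));
        cookie.setMaxAge(maxAge);
        cookie.setPath(SHARED_PATH);
        // Mark the cookie Secure whenever the login itself arrived over HTTPS,
        // so the token is not replayed over plain HTTP afterwards.
        cookie.setSecure(request.isSecure());
        response.addCookie(cookie);
    }

    // Logout must expire the cookie with the same path it was issued with;
    // otherwise the browser treats it as a different cookie and the shared
    // remember-me token survives the logout.
    @Override
    protected void cancelCookie(HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = new Cookie(getCookieName(), null);
        cookie.setMaxAge(0);
        cookie.setPath(SHARED_PATH);
        response.addCookie(cookie);
    }
}
```

The token signature covers the remember-me key and the user's stored password, so the second webapp accepts the cookie only if it is configured with the same key and the same user data. A cookie scoped to `/` is sent to every webapp deployed on that host, including ones that do not use remember-me.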