  • Problem with Remember Me Service in Spring Security

    Hi,

    I'm trying to implement a "remember me" functionality in my website using Spring. The cookie and entry in the persistent_logins table are getting created correctly. Additionally, I can see that the correct user is being restored as the username is displayed at the top of the page.

    However, once I try to access any information for this user when they return after they were "remembered", I get a NullPointerException. It looks as though the user isn't being set in the session again.

    My applicationContext-security.xml contains the following:

    Code:
    <remember-me data-source-ref="dataSource" user-service-ref="userService"/>
    
    ...
    
    <authentication-provider user-service-ref="userService" />
    
    <jdbc-user-service id="userService" data-source-ref="dataSource" 
    role-prefix="ROLE_"
    users-by-username-query="select email as username, password, 1 as ENABLED from user where email=?" 
    authorities-by-username-query="select user.id as id, upper(role.name) as authority from user, role, users_roles where users_roles.user_fk=id and users_roles.role_fk=role.name and user.email=?"/>

    I thought it may have had something to do with users-by-username query but surely login wouldn't work correctly if this query was incorrect?

    Any help on this would be greatly appreciated.

    Thanks,
    Ger.

  • #2
    If you paste the stack trace of the NPE, that would probably help us help you



    • #3
      Originally posted by pmularien:
      If you paste the stack trace of the NPE, that would probably help us help you
      Oops! My bad

      Code:
      145113440 [http-8080-3] ERROR com.ins.web.exceptions.ExceptionHandler  - Unexpected error occurred during Action, Form or JSP processing.
      java.lang.NullPointerException
      	at com.ins.web.actions.CustomerAction.getCustomerAccount(CustomerAction.java:436)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      	at java.lang.reflect.Method.invoke(Method.java:597)
      	at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:270)
      	at com.ins.web.actions.BaseAction.execute(BaseAction.java:43)
      	at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
      	at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
      	at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
      	at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
      	at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
      	at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
      	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
      	at org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:67)
      	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
      	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
      	at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
      	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
      	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
      	at org.springframework.security.ui.rememberme.RememberMeProcessingFilter.doFilterHttp(RememberMeProcessingFilter.java:116)
      	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
      	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
      	at org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
      	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
      	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
      	at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:277)
      	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
      	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
      	at org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
      	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
      	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
      	at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
      	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
      	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
      	at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
      	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
      	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
      	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
      	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
      	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
      	at java.lang.Thread.run(Thread.java:619)

      After debugging through the code I see that no user is pulled from the session in the method getCustomerAccount(). Looks as though the user object is never placed back into the session....



      • #4
        Well, we obviously don't have access to the relevant code, so I can't confirm or deny your analysis. I'd suggest turning on debug logging for Spring Sec and see if you can't figure out what the real error is.



        • #5
          Originally posted by pmularien:
          Well, we obviously don't have access to the relevant code, so I can't confirm or deny your analysis. I'd suggest turning on debug logging for Spring Sec and see if you can't figure out what the real error is.
          I've tried debugging the code but it doesn't seem to be throwing an exception until we try to pull the user from the session.

          Does the remember-me functionality add the user to the session by default?

          I've tried to extend the service by adding the following to applicationContext-services.xml
          Code:
          <beans:bean id="rememberMeProcessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
              <custom-filter position="REMEMBER_ME_FILTER" />
              <beans:property name="authenticationManager" ref="authenticationManager" />
              <beans:property name="rememberMeServices" ref="rememberMeServices"/>
          </beans:bean>

          <!-- Defines which remember me implementation to use - in this case using a database table to log 'remembered' tokens -->
          <beans:bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.PersistentTokenBasedRememberMeServices">
              <beans:property name="tokenRepository" ref="jdbcTokenRepository" />
              <beans:property name="userDetailsService" ref="userService" />
              <beans:property name="key" value="springRocks" />
              <beans:property name="alwaysRemember" value="false" />
          </beans:bean>

          <!-- Uses a database table to maintain a set of persistent login data -->
          <beans:bean id="jdbcTokenRepository" class="org.springframework.security.ui.rememberme.JdbcTokenRepositoryImpl">
              <beans:property name="createTableOnStartup" value="false" />
              <beans:property name="dataSource" ref="dataSource" />
          </beans:bean>

          I can extend the PersistentTokenBasedRememberMeServices class so that I could manually add the user to the session after successful login but this approach doesn't seem to create an entry in the database for the remember me to fetch.

          What I'd like to know is: should the user object be added to the session by default? And also, do I need to configure the other remember me services myself if I just want to add some custom code to onLoginSuccess()?

          Thanks.

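Added example, not part of the original thread and not Spring Security's own code: a remember-me auto-login places an `Authentication` in the `SecurityContextHolder` but runs none of the application's login code, so a session attribute written only by a login action is absent on that request. The helper below resolves the user from the security context and refreshes the session copy; the class name `SessionUser` and the attribute name `currentUsername` are hypothetical, and the package names assume the Spring Security 2.0.x line visible in the stack trace.

```java
import javax.servlet.http.HttpSession;

import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
import org.springframework.security.providers.rememberme.RememberMeAuthenticationToken;

/** Hypothetical helper: resolves the current user without assuming a login action filled the session. */
public final class SessionUser {

    // Hypothetical attribute name; use the key the application's own login code writes.
    static final String ATTR = "currentUsername";

    private SessionUser() {}

    /** Returns the authenticated username, or null when the request is unauthenticated or anonymous. */
    public static String resolveUsername(HttpSession session) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            session.removeAttribute(ATTR); // never leave a stale identity behind
            return null;                   // caller redirects to login instead of dereferencing
        }
        // The security context is the source of truth; the session value is only a cache of it.
        String username = auth.getName();
        if (!username.equals(session.getAttribute(ATTR))) {
            session.setAttribute(ATTR, username); // repopulated after a remember-me auto-login
        }
        return username;
    }

    /** True when the identity was restored from a remember-me cookie rather than a fresh password login. */
    public static boolean isRememberMeLogin() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth instanceof RememberMeAuthenticationToken;
    }
}
```

An action such as `getCustomerAccount()` would call `resolveUsername(request.getSession())` and handle a null result explicitly. Operations such as changing a password or e-mail address can check `isRememberMeLogin()` and require a full login first, since the cookie proves less than a freshly entered password.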