Post Remember Me - Is there a better way?

    Using Spring Security 3.0.2, Spring 3.0.3 and Java 1.6 with Jetty 7.1.

    I have remember-me set up like this:

        <sec:http use-expressions="true">
            <sec:intercept-url pattern="/foobar/login*" access="permitAll" />
            <sec:intercept-url pattern="/foobar/**" access="isAuthenticated()" />
            <sec:form-login login-page="/foobar/login" default-target-url="/foobar/search" always-use-default-target="true" login-processing-url="/cerberus" />
            <sec:session-management>
                <sec:concurrency-control max-sessions="1" />
            </sec:session-management>
            <sec:logout logout-url="/logout" logout-success-url="/foobar/login" />
            <sec:remember-me services-ref="rememberMeServices" key="FOOBAR" />
        </sec:http>

        <bean id="rememberMeServices" class="">
            <property name="parameter" value="rememberMe" />
            <property name="tokenValiditySeconds" value="604800" />
            <property name="cookieName" value="FOOBAR" />
            <property name="key" value="FOOBAR" />
            <property name="userDetailsService" ref="userService" />
        </bean>
    (You like my cerberus, neato ;-))

    Anyway, watching the logs, I see that Spring Security is correctly finding my cookie and processing it and passing me along the chain. Eventually it arrives to my LoginController (backing the URL /foobar/login). It appears that I now have to take control and determine what to do next, i.e.,:

        import javax.servlet.http.HttpServletRequest;
        import org.springframework.security.authentication.AnonymousAuthenticationToken;
        import org.springframework.security.core.Authentication;
        import org.springframework.security.core.context.SecurityContext;
        import org.springframework.security.core.context.SecurityContextHolder;

        public String index(final HttpServletRequest request) {
            if (!isAnonymousLogin()) {
                return "redirect:/foobar/search";
            }
            return "login/index";
        }

        protected boolean isAnonymousLogin() {
            final SecurityContext securityContext = SecurityContextHolder.getContext();
            final Authentication authentication = securityContext.getAuthentication();
            final boolean isAnonymous = authentication instanceof AnonymousAuthenticationToken;
            LOGGER.debug("User is anonymous? {}", isAnonymous);
            return isAnonymous;
        }
    The logic being that if the user is Anonymous, then they have neither a UsernamePasswordAuthenticationToken nor a RememberMeAuthenticationToken (so they don't have the cookie, nor are they already logged in).

    Is this approach valid? It *smells* a bit that I'm doing something which Spring Security should do, i.e.,

        <remember-me .... target-url="/foobar/search" />
    This tells the remember-me service to take me to the URL if the remember-me process completes successfully. Of course, if I don't put this attribute on then I can take control manually (like I'm doing presently).

    Perhaps I'm missing something, perhaps I'm writing code in my LoginController that I don't need to write...
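The login-page check from the post, reworked as an added example (not the poster's code and not anything from the Spring Security project). It uses Spring Security's own AuthenticationTrustResolver instead of a bare instanceof test, so that a null Authentication (no anonymous filter ran, or the context was cleared) is not mistaken for a logged-in user, and it keeps remember-me sessions distinguishable from interactive logins. It assumes Spring Security 3.0.x on the classpath; the class name LoginState, the user name alice and the password are made-up sample values, while the key FOOBAR and the URLs come from the post.

```java
// Added example, not code from the original post. It reproduces the
// login-page decision with Spring Security's own AuthenticationTrustResolver
// and separates remember-me sessions from interactive logins, which the
// poster's instanceof check does not. Assumes Spring Security 3.0.x; the
// key "FOOBAR" and the URLs come from the post, the user name "alice" and
// the password are made-up sample values.
import java.util.List;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class LoginState {

    public enum Level { NOT_AUTHENTICATED, REMEMBER_ME, FULLY_AUTHENTICATED }

    private static final AuthenticationTrustResolver TRUST = new AuthenticationTrustResolverImpl();

    // A null Authentication means no anonymous filter ran (or the context was
    // cleared). A plain "instanceof AnonymousAuthenticationToken" test returns
    // false for null, so the caller would treat a missing context as logged in.
    public static Level classify(Authentication auth) {
        if (auth == null || !auth.isAuthenticated() || TRUST.isAnonymous(auth)) {
            return Level.NOT_AUTHENTICATED;
        }
        if (TRUST.isRememberMe(auth)) {
            return Level.REMEMBER_ME;
        }
        return Level.FULLY_AUTHENTICATED;
    }

    // Decision for the login page: show the form only to users who are not
    // authenticated at all; remember-me and interactive users go to the target.
    public static String loginView(Authentication auth) {
        return classify(auth) == Level.NOT_AUTHENTICATED
                ? "login/index"
                : "redirect:/foobar/search";
    }

    // Same rule the fullyAuthenticated() access expression applies: anything
    // sensitive (password change, payment) should demand a fresh login rather
    // than trust a week-old cookie.
    public static boolean needsReauthentication(Authentication auth) {
        return classify(auth) != Level.FULLY_AUTHENTICATED;
    }

    public static void main(String[] args) {
        List<GrantedAuthority> user = AuthorityUtils.createAuthorityList("ROLE_USER");
        Authentication anon = new AnonymousAuthenticationToken(
                "FOOBAR", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication remembered = new RememberMeAuthenticationToken("FOOBAR", "alice", user);
        Authentication interactive = new UsernamePasswordAuthenticationToken("alice", "s3cret", user);

        // Constructed sample tokens covering each state the controller can see.
        Authentication[] samples = { null, anon, remembered, interactive };
        for (Authentication a : samples) {
            System.out.printf("%-34s -> %-19s view=%-22s reauth=%b%n",
                    a == null ? "null" : a.getClass().getSimpleName(),
                    classify(a), loginView(a), needsReauthentication(a));
        }

        // The real controller reads the thread-bound context the filter chain filled in.
        SecurityContextHolder.getContext().setAuthentication(remembered);
        System.out.println("current thread: "
                + loginView(SecurityContextHolder.getContext().getAuthentication()));
        SecurityContextHolder.clearContext();
    }
}
```

The REMEMBER_ME case is the security-relevant one. The intercept-url for /foobar/** in the post uses isAuthenticated(), which a RememberMeAuthenticationToken satisfies, so anyone holding the FOOBAR cookie gets the full 604800 seconds of access without ever typing a password. For pages that must not be reachable on cookie-only authentication, the expression language has fullyAuthenticated(), e.g. `<sec:intercept-url pattern="/foobar/account/**" access="fullyAuthenticated()" />` (the path is made up here), and Spring Security will then route a remember-me user back through the login form for those URLs only.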