This topic is closed

  • Remember-me Service Auto-Login Handler


    In my app I read a custom cookie (containing user settings) after each successful login event. I'm currently using a custom AuthenticationSuccessHandler for this, which works fine. Unfortunately I cannot use this approach, though, when I want to use a RememberMeService.

    I had a look at the AbstractRememberMeServices implementation, but it unfortunately does not provide a clean hook I can use after the successful authentication object was created. AutoLogin is final and createSuccessfulAuthentication does not pass on the HttpServletResponse.

    I could misuse the createSuccessfulAuthentication method for my needs (although changing of cookies would not work), but I hope there's a cleaner way of doing this?

  • #2
    What about an after returning aspect for the remember me service? That way you have access to all you need...


    • #3
      Have you looked into overriding RememberMeAuthenticationFilter#onSuccessfulAuthentication with an implementation of that method that delegates to your AuthenticationSuccessHandler? Similar to Marten's suggestion, you could write a composite implementation of RememberMeServices that delegates to another implementation and, if it is successful, processes the cookie with the AuthenticationSuccessHandler.


      • #4
        How could I forget. Indeed, overriding/extending the RememberMeFilter and implementing onSuccessfulAuthentication would be even better/easier than writing an Aspect.


        • #5
          Thanks guys.

          I'll probably go for a custom RememberMeFilter implementation and will extend the UsernamePasswordAuthenticationFilter as well, so that both filters call the same "onSuccesfulWebAuthentication" hook.


          • #6
            Just as a follow up, if anybody has the same problem.

            I ended up writing a custom RememberMeFilter and, for the form-based login, used an AuthenticationSuccessHandler, which both delegate to a custom handler class in the case of a successful interactive login or successful auto login. Although this was all quite straightforward, it involved quite a bit of work, because with a custom RememberMeFilter you have to unroll the sec:form-login and sec:remember-me namespace.

            IMHO things would be rather easy if this were provided out of the box, because I could imagine that this use case (i.e., "reading HTTP request related info after a successful login and storing things in the HTTP session") is not that rare.

            After looking at the source a bit, I'm wondering whether it would be possible to extend Spring Security so that UsernamePasswordAuthenticationFilter and RememberMeAuthenticationFilter publish an AuthenticationEvent that includes the HTTP request and HTTP response as well as the authentication result? This would make things dead simple.
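
The approach the thread settles on (a RememberMeAuthenticationFilter subclass whose onSuccessfulAuthentication calls a shared post-login hook) could look like the sketch below. This is an added example, not code posted by any participant; `WebLoginHook`, `SettingsCookieHook`, `HookedRememberMeFilter` and the `userSettings` cookie name are hypothetical, and it assumes Spring Security 3.1 to 5.x with the `javax.servlet` API. The form-login AuthenticationSuccessHandler would call the same hook.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;

// Hypothetical shared hook, called after interactive login and after auto-login.
interface WebLoginHook {
    void onLogin(HttpServletRequest request, HttpServletResponse response, Authentication auth);
}

// Hypothetical hook implementation: copies a settings cookie into the HTTP session.
class SettingsCookieHook implements WebLoginHook {
    static final String COOKIE_NAME = "userSettings"; // constructed name, not from the thread

    public void onLogin(HttpServletRequest request, HttpServletResponse response, Authentication auth) {
        Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
        if (cookies == null) return;
        for (Cookie c : cookies) {
            // The cookie is client-controlled input: accept only a short, strictly formatted value.
            if (COOKIE_NAME.equals(c.getName()) && c.getValue() != null
                    && c.getValue().matches("[A-Za-z0-9_=-]{1,256}")) {
                request.getSession().setAttribute("userSettings", c.getValue());
            }
        }
    }
}

// Remember-me filter that runs the shared hook once auto-login has succeeded.
public class HookedRememberMeFilter extends RememberMeAuthenticationFilter {
    private final WebLoginHook hook;

    public HookedRememberMeFilter(AuthenticationManager am, RememberMeServices services, WebLoginHook hook) {
        super(am, services);
        this.hook = hook;
    }

    @Override
    protected void onSuccessfulAuthentication(HttpServletRequest request,
            HttpServletResponse response, Authentication authResult) {
        hook.onLogin(request, response, authResult);
    }
}
```

Because the hook also receives the Authentication, it can distinguish a RememberMeAuthenticationToken from an interactive login when the two should be treated differently.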