
  • Remember Me option not working

    I am trying to set up the 'Remember Me' option in my web page. There are no issues while creating the cookie, but when I close and reopen the browser I see the error below: (Cookie token[2] contained signature 'xxx' but expected 'yyy')

    Code:
    DEBUG-org.springframework.security.ui.rememberme.AbstractRememberMeServices.autoLogin(79) | 
    Remember-me cookie detected
    INFO-com.test.MyAuthenticationService.loadUserByUsername(33) | In loadUserByUsername[[email protected]]
    .....//stuff related to loading user details from database
    
    03 14 14:29:08 DEBUG-org.springframework.security.ui.rememberme.AbstractRememberMeServices.cancelCookie(273) | 
    Cancelling cookie
    03 14 14:29:08 DEBUG-org.springframework.security.ui.rememberme.AbstractRememberMeServices.autoLogin(96) | 
    Invalid remember-me cookie: Cookie token[2] contained signature 'f51faa7b1fba4a78fdd75558d13e128e' but expected 'a231154d9e61d5d5695ff97e2a76d1d2'

    Here are the security-context.xml contents:
    Code:
    <bean id="rememberMeProscessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
        <security:custom-filter position="REMEMBER_ME_FILTER" />
        <property name="rememberMeServices" ref="rememberMeServices" />
        <property name="authenticationManager" ref="myAuthenticationManager" />
      </bean>
    
      <bean id="rememberMeServices" class="com.test.RememberMeService">
        <property name="key"><value>test</value></property>
        <property name="tokenValiditySeconds"><value>1209600</value></property>
        <property name="userDetailsService" ref="myAuthenticationManager" />
      </bean>

  • #2
    It's hard to say without seeing the implementation of RememberMeService. One thing to check is that myAuthenticationManager returns consistent values for the User's username and password. If they are not the same as when the remember me token was created, authentication will fail when using TokenBasedRememberMeServices.



    • #3
      Hi Rob, thanks for your reply. Here is the code for MyRememberMeService:
      Code:
      public class MyRememberMeService extends TokenBasedRememberMeServices {
      
      	public MyRememberMeService() throws Exception {
      		super();
      	}
      
      	@Override
      	protected void setCookie(String[] tokens, int maxAge,
      			HttpServletRequest request, HttpServletResponse response) {
      		String cookieValue = encodeCookie(tokens);
      		Cookie cookie = new Cookie(getCookieName(), cookieValue);
      		cookie.setMaxAge(1209600);
      		cookie.setPath("/");
      		cookie.setSecure(false);
      		response.addCookie(cookie);
      	}
      }
      And here is my auth manager code ("my_password" is a hard-coded string):
      Code:
      public class MyAuthManager implements UserDetailsService,AuthenticationManager  {
      
             public UserDetails loadUserByUsername(String userName)
      			throws UsernameNotFoundException, DataAccessException {
      		MyUserDetails myUserDetails = null;
      		try {
      			myUserDetails = myUserService.createAuthenticatedUser(userName, "my_password");
      
      			Authentication authorizedUser = new UsernamePasswordAuthenticationToken(myUserDetails ,
      					"my_password", myUserDetails.getAuthorities());
      
      			SecurityContextHolder.getContext().setAuthentication(authorizedUser);
      
      		} catch (ServicePortalException ex) {
      			throw new UsernameNotFoundException(ex.getMessage());
      
      		}
      		return myUserDetails; // was "return user;", but no variable named user is declared
      	}
      
      	.............//rest of the code
      
      }



      • #4
        I think I found the problem: it is the hard-coded password ("my_password"). At the time the remember-me cookie was created, the password was different from "my_password".

        The question is how to implement the loadByUserName() method without hard-coding a dummy password. Do we have to implement our own service which returns the password for a given user name and then create the Authentication object (using new UsernamePasswordAuthenticationToken()...)? (I don't feel safe having a service which returns the password for a given username.)

        Any suggestions?



        • #5
          I'm not sure I understand why you are hesitant to return a password in the service. The password is not included in the cookie, so no one will be able to access it. The username is included in the cookie; for this reason (among others), you might consider using the Persistent Token Approach.



          • #6
            Thanks Rob for the reply. Looks like "Persistent Token Approach" is better suited in our case, we will go with that.
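
As an added illustration of the cause identified in #2 and #4 (not code from the thread or from Spring Security): a stand-alone re-implementation of the simple hash-based token layout documented for TokenBasedRememberMeServices, where token[2] is an MD5 over username:expiry:password:key. The user name and login-time password are constructed sample values; the key, validity period and dummy password are the ones posted above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration: re-implements the documented token layout, not Spring's own classes.
public class RememberMeSignatureDemo {

    // token[2] = hex(MD5(username:expiry:password:key))
    static String signature(String username, long expiry, String password, String key) throws Exception {
        String data = username + ":" + expiry + ":" + password + ":" + key;
        byte[] digest = MessageDigest.getInstance("MD5").digest(data.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Cookie value = base64(username:expiry:signature); the password itself is never stored in it.
    static String issueCookie(String username, long expiry, String password, String key) throws Exception {
        String raw = username + ":" + expiry + ":" + signature(username, expiry, password, key);
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // Auto-login: recompute the signature from the password the UserDetailsService returns *now*.
    static boolean validate(String cookie, String passwordFromUserDetails, String key) throws Exception {
        String[] t = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8).split(":");
        if (t.length != 3) return false;                        // malformed token
        long expiry = Long.parseLong(t[1]);
        if (expiry < System.currentTimeMillis()) return false;  // expired token
        String expected = signature(t[0], expiry, passwordFromUserDetails, key);
        // Constant-time comparison of the expected and presented signatures.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     t[2].getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String key = "test";                                        // key from the posted security-context.xml
        long expiry = System.currentTimeMillis() + 1209600L * 1000; // tokenValiditySeconds from the thread
        // "alice" and "password-at-login" are constructed sample values.
        String cookie = issueCookie("alice", expiry, "password-at-login", key);
        System.out.println("same password at auto-login   -> " + validate(cookie, "password-at-login", key));
        System.out.println("dummy \"my_password\" returned -> " + validate(cookie, "my_password", key));
    }
}
```

Because the password is an input to the hash, any difference between the value used at login and the value loadUserByUsername returns later produces the "contained signature ... but expected ..." mismatch; the persistent token approach mentioned in #5 validates a random series/token pair stored server-side instead.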
