
Thread: CasAuthFilter.successfulAuthentication not calling RememberMeServices.loginSuccess

  1. #1

    CasAuthFilter.successfulAuthentication not calling RememberMeServices.loginSuccess

    Hi Spring Security Guys,

    I am using Spring Security 3.1.0.RC3. We are making use of the RememberMeServices mechanism in order not to create proxy tickets over and over again after the first proxy authentication. However, currently the injected RememberMeServices bean's loginSuccess method is not called inside CasAuthenticationFilter.successfulAuthentication, which is obviously called after successful interactive authentication in the overridden successfulAuthentication method of its superclass AbstractAuthenticationProcessingFilter.

    I want to ask if it is a deliberate action not to call loginSuccess of RememberMeServices, or a forgotten action that needs to be performed like in the super class? Should I open an issue in Spring Security?

    Best Regards

  2. #2


    When I downloaded 3.1.0.RELEASE today, I realized that CasAuthenticationProvider makes use of statelessTicketCache. We had missed that point before. Therefore, our remember-me-token-based solution became unnecessary. However, I still don't see any problem if you Spring Security guys change the CasAuthenticationFilter.successfulAuthentication method like below, calling the rememberMeServices.loginSuccess method just before the doFilter call.

    Regards

    Code:
        @Override
        protected final void successfulAuthentication(HttpServletRequest request,
                HttpServletResponse response, FilterChain chain, Authentication authResult)
                throws IOException, ServletException {
            // Only a proxy-ticket request continues down the filter chain; a normal
            // service-ticket login is delegated to the superclass, which already
            // calls rememberMeServices.loginSuccess and redirects.
            boolean continueFilterChain = proxyTicketRequest(serviceTicketRequest(request, response), request);
            if (!continueFilterChain) {
                super.successfulAuthentication(request, response, chain, authResult);
                return;
            }

            if (logger.isDebugEnabled()) {
                logger.debug("Authentication success. Updating SecurityContextHolder to contain: " + authResult);
            }

            SecurityContextHolder.getContext().setAuthentication(authResult);

            // Fire event
            if (this.eventPublisher != null) {
                eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
            }

            // Proposed addition: mirror the superclass behaviour for proxy-ticket logins
            getRememberMeServices().loginSuccess(request, response, authResult);

            chain.doFilter(request, response);
        }

  3. #3

    This leads to complications for CAS Single Logout support, which cannot clean up the remember-me resources (i.e. a remember-me cookie). For most use cases remember-me should be done at the CAS Server side rather than the CAS Service. This is more secure and it centralizes the remember-me. For edge cases where someone wants remember-me support on the CAS Service side, the users can override the method.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
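
The single-logout complication described in the reply above, as an added, constructed illustration that is not Spring Security or CAS code: a CAS back-channel logout request carries only the service ticket id, not the browser's cookies, so a service that issued its own remember-me token can end the ticket-bound session but cannot delete the cookie. The class names, ticket and token values below are made up for the simulation; the mitigation shown (revoking every stored token of the session's principal when the logout arrives) is one option a service-side implementation could take, not the library's behaviour.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Constructed simulation (not Spring Security or CAS code) of a CAS-protected
 * service that keeps its own remember-me tokens, and of what a back-channel
 * CAS single-logout (SLO) request can and cannot clean up.
 */
public class ServiceSideRememberMeSlo {

    /** Session created from a validated service ticket; remembers its principal. */
    static final class Session {
        final String user;
        Session(String user) { this.user = user; }
    }

    /** Sessions keyed by the CAS service ticket that created them (SLO only identifies the ticket). */
    private final Map<String, Session> sessionsByTicket = new HashMap<>();

    /** Service-side remember-me tokens: token value -> user. The token itself lives in the browser. */
    private final Map<String, String> rememberMeTokens = new HashMap<>();

    /** Interactive login: ticket validated, session created, service-side remember-me token issued. */
    public String loginSuccess(String serviceTicket, String user) {
        sessionsByTicket.put(serviceTicket, new Session(user));
        // Constructed token value; a real implementation would use a random, stored token.
        String token = "rm-" + user + "-" + serviceTicket;
        rememberMeTokens.put(token, user);
        return token;
    }

    /** The user a presented remember-me cookie would auto-login, or null if the token is unknown. */
    public String autoLogin(String token) {
        return rememberMeTokens.get(token);
    }

    public boolean hasSession(String serviceTicket) {
        return sessionsByTicket.containsKey(serviceTicket);
    }

    /**
     * Back-channel SLO as the CAS server sends it: only the ticket id arrives, no browser cookies,
     * so the service cannot expire the remember-me cookie in the user's browser.
     */
    public void singleLogout(String serviceTicket, boolean revokeRememberMe) {
        Session s = sessionsByTicket.remove(serviceTicket);
        if (s == null) {
            return;
        }
        if (revokeRememberMe) {
            // Mitigation: the cookie cannot be deleted from here, but every stored token
            // for the session's principal can be revoked so the cookie stops working.
            rememberMeTokens.values().removeIf(u -> u.equals(s.user));
        }
    }

    public static void main(String[] args) {
        // Without revocation: the session is gone, but the remember-me token still logs in.
        ServiceSideRememberMeSlo service = new ServiceSideRememberMeSlo();
        String token = service.loginSuccess("ST-1-constructed", "alice");
        service.singleLogout("ST-1-constructed", false);
        System.out.println("session after SLO: " + service.hasSession("ST-1-constructed"));
        System.out.println("remember-me auto-login after SLO: " + service.autoLogin(token));

        // With revocation: the stale token is refused after the logout.
        ServiceSideRememberMeSlo hardened = new ServiceSideRememberMeSlo();
        String token2 = hardened.loginSuccess("ST-2-constructed", "alice");
        hardened.singleLogout("ST-2-constructed", true);
        System.out.println("remember-me auto-login after SLO with revocation: " + hardened.autoLogin(token2));
    }
}
```

Run with `javac ServiceSideRememberMeSlo.java && java ServiceSideRememberMeSlo`. In the first run the session is removed but the token still resolves to the user, which is the gap the reply warns about; in the second the token is refused because the principal's tokens were revoked when the back-channel logout arrived. Keeping remember-me on the CAS server side avoids the problem entirely, since the server handles both the long-lived credential and the logout.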
