
Thread: TokenBasedRememberMeServices cookiename ignored

  1. #1

    Default TokenBasedRememberMeServices cookiename ignored

    I have recently upgraded my Spring Security libraries to 3.1GA (from RC3) and have noticed that the cookieName parameter on the TokenBasedRememberMeServices bean seems to be ignored. The cookie that gets created is SPRING_SECURITY_REMEMBER_ME_COOKIE regardless of what name I inject into the cookieName parameter. This used to work in previous versions. Has anybody else experienced this, and have I missed something?

    Code:
        <!--
          Remember-me services bean. cookieName is resolved from the
          remember.me.cookie.name property and is meant to replace the default
          SPRING_SECURITY_REMEMBER_ME_COOKIE name.
          NOTE(review): this bean only affects the issued cookie when the
          remember-me filter actually uses it (services-ref on the remember-me
          element); a bare remember-me element builds separate services that
          use the default name.
          NOTE(review): "key" is a secret mixed into the remember-me token
          signature. Keep the real value out of version control and out of
          posted configuration, as the masked value here does.
        -->
        <bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
            <property name="userDetailsService" ref="userDetailsService"/>
            <property name="tokenValiditySeconds" value="${login.cookie.duration.seconds}"/>
            <property name="cookieName" value="${remember.me.cookie.name}"/>
            <property name="key" value="xxxxxxx"/>
        </bean>

  2. #2

    Can you post the rest of your Spring Security configuration?
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3


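    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Spring Security 3.1 context: authentication manager, a hand-wired
      remember-me stack, a custom authentication provider and the HTTP filter
      chain. Beans referenced here but not defined in this file (emfBean,
      logoutMonitor) are presumably declared in another context file.
    -->
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:util="http://www.springframework.org/schema/util"
           xmlns:security="http://www.springframework.org/schema/security"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                               http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
                               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

      <!-- Providers are consulted in order: remember-me tokens first, then the custom provider. -->
      <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="rememberMeProvider"/>
        <security:authentication-provider ref="authenticationProvider"/>
      </security:authentication-manager>

      <bean name="userDetailsService" class="za.co.bsg.ems.server.security.SidUserDetailsService" depends-on="emfBean"/>

      <!--
        Token-based remember-me services with a custom cookie name.
        As wired below, the HTTP block uses a bare remember-me element, which
        builds its own services bean; this one is then only reached as a logout
        handler, and its cookieName is never applied to the cookie that is issued.
        NOTE(review): "key" is mixed into the remember-me token signature and
        must equal the key of the RememberMeAuthenticationProvider. Treat it as
        a secret: load it from the same property source as the other ${...}
        values rather than committing a literal, and replace this value since
        it has been posted publicly.
        NOTE(review): the cookie is a long-lived credential. When the site runs
        over HTTPS, consider the useSecureCookie property so it is never sent
        over plain HTTP.
      -->
      <bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="userDetailsService"/>
        <property name="tokenValiditySeconds" value="${login.cookie.duration.seconds}"/>
        <property name="cookieName" value="${remember.me.cookie.name}"/>
        <property name="key" value="springRules"/>
      </bean>

      <!-- Accepts remember-me tokens; its key has to match the key of the services that created them. -->
      <bean id="rememberMeProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <property name="key" value="springRules"/>
      </bean>

      <!--
        Defined but not placed in the filter chain: no custom-filter element in
        the HTTP block references it, so it never processes a request.
      -->
      <bean name="rememberMeAuthenticationFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="rememberMeServices" ref="rememberMeServices"/>
      </bean>

      <!--
        NOTE(review): MD5, even with a per-user salt, is far too fast for
        password storage. Spring Security 3.1 ships
        org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder, but it
        implements the newer crypto PasswordEncoder interface, so the custom
        provider below would have to accept it and existing hashes would need
        to be re-hashed at next login. Confirm against SidAuthenticationProvider.
      -->
      <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>

      <!-- Reads the salt from the "salt" property of the user details object. -->
      <bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
        <property name="userPropertyToUse" value="salt"/>
      </bean>

      <!-- Project-specific LDAP authenticator; switched off in this configuration. -->
      <bean id="externalAuthenticator" class="za.co.bsg.ems.server.security.LdapAuthenticator">
        <property name="enabled" value="false"/>
        <property name="serverUrl" value="${support.ldap.url}"/>
        <property name="principalPrefix" value="${support.ldap.principal.prefix}"/>
      </bean>

      <bean id="supportUserAuthenticator" class="za.co.bsg.ems.server.security.SupportUserAuthenticator">
        <property name="enabled" value="true"/>
      </bean>

      <!-- Project-specific provider combining the user store, the password encoder and both authenticators. -->
      <bean id="authenticationProvider" class="za.co.bsg.ems.server.security.SidAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService"/>
        <property name="passwordEncoder" ref="passwordEncoder"/>
        <property name="saltSource" ref="saltSource"/>
        <property name="externalAuthenticator" ref="externalAuthenticator"/>
        <property name="supportUserAuthenticator" ref="supportUserAuthenticator"/>
      </bean>

      <!--
        Custom logout filter: redirects to "/" after logout and runs the listed
        handlers in order.
        NOTE(review): the rememberMeServices handler clears the cookie named by
        its own cookieName. While the filter chain issues the cookie under the
        default name, logout most likely leaves that cookie in the browser, so
        the user stays remembered after logging out. Verify once the
        remember-me wiring is corrected.
      -->
      <bean name="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg value="/"/>
        <constructor-arg>
          <list>
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
            <ref bean="rememberMeServices"/>
            <ref bean="logoutMonitor"/>
          </list>
        </constructor-arg>
        <property name="filterProcessesUrl" value="/logout"/>
      </bean>

      <bean name="supportUserRollbackSecurityFilter" class="za.co.bsg.ems.server.security.SupportUserRollbackSecurityFilter"/>

      <!-- Sends unauthenticated users to the login page; forceHttps is driven by the use.https property. -->
      <bean name="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="forceHttps" value="${use.https}"/>
        <property name="loginFormUrl" value="/${login.jsp}"/>
      </bean>

      <!--
        HTTP filter chain.
        NOTE(review): the bare remember-me element below creates its own
        remember-me services, filter and provider, which is why the custom
        cookieName above is ignored. To use the custom bean, reference it with
        the services-ref attribute and set the element's key attribute to the
        same key as the services bean; the hand-declared remember-me filter and
        provider then become redundant.
        NOTE(review): there is no catch-all intercept-url rule, so any URL not
        listed here is unrestricted at the web layer; authorization appears to
        rely on the JSR-250 method security enabled at the bottom of the file.
        NOTE(review): the password pages accept IS_AUTHENTICATED_REMEMBERED, so
        a session restored from a remember-me cookie can reach them.
        IS_AUTHENTICATED_FULLY would require a fresh login for these
        credential-changing operations.
      -->
      <security:http auto-config="false" entry-point-ref="authenticationEntryPoint">
        <security:form-login login-page="/${login.jsp}"
                             always-use-default-target="true"
                             default-target-url="${login.ok}"/>
        <security:remember-me/>
        <security:anonymous/>
        <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/j_spring_security_check*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/change_password*" access="IS_AUTHENTICATED_REMEMBERED"/>
        <security:intercept-url pattern="/prompt_password*" access="IS_AUTHENTICATED_REMEMBERED"/>
        <security:custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
        <security:custom-filter position="LAST" ref="supportUserRollbackSecurityFilter" />
      </security:http>

      <security:global-method-security jsr250-annotations="enabled"/>

    </beans>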

  4. #4

    The problem appears to be that you have specified the <security:remember-me/> tag and then redefined and customised the beans that the remember-me tag creates without attaching them to the FilterChain (i.e. linking them in the http block). Try removing anything you specified simply to inject your custom remember-me services (i.e. RememberMeAuthenticationFilter, RememberMeAuthenticationProvider, LogoutFilter, etc.) and instead use remember-me@services-ref.

    PS In the future please ensure to use the code tags when posting configuration as this makes it much easier to read.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5


    Duh, thanks a lot
