
Thread: More Remember Me trouble

  1. #1

    Default More Remember Me trouble

    Spring version: 1.2.8
    Acegi-security version: 1.0.3

    Hi All,

    I am trying to get my Remember Me service to work, but unfortunately without luck. I have a fully functional app, and updating Spring/Acegi is unfortunately out of scope for this release.
    I am using a JDBC datasource and a userDetailsService through a Hibernate DAO. User login/logout and role security work like a charm. But for some reason I can't get Remember Me to work... My setup is as follows:

    applicationContext-acegi-security.xml
    Code:
    <beans>
    
    	<!-- Single entry point for the security filters: every request path (/**) runs
    	     the filters named below, in the order listed. rememberMeProcessingFilter sits
    	     after the form-login filter and before anonymousProcessingFilter. Acegi's
    	     remember-me filter only attempts a cookie login while the SecurityContext
    	     holds no Authentication, so it has to run before the anonymous filter
    	     puts one there. -->
    	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    		<property name="filterInvocationDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,rememberMeProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    			</value>
    		</property>
    	</bean>
    
    	<!-- Restores the SecurityContext from the HttpSession at the start of a request
    	     and stores it back at the end. This is what keeps a user logged in for the
    	     life of the HTTP session, independently of any remember-me cookie. -->
    	<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
    
    	<!-- Handles logout requests. The second constructor argument is the list of
    	     logout handlers: rememberMeServices is listed so that logging out also
    	     cancels the remember-me cookie in the browser, followed by the handler that
    	     clears the security context.
    	     NOTE(review): the token-based cookie is stateless, so a copy captured before
    	     logout would presumably still validate until its expiry time; cancelling the
    	     cookie only removes it from this browser. -->
    	<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
    		<constructor-arg value="/acegilogin.jsp"/> <!-- URL redirected to after logout -->
    		<constructor-arg>
    			<list>
    				<ref bean="rememberMeServices"/>
    				<bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
    			</list>
    		</constructor-arg>
    	</bean>
    
        <!-- Form-login filter: authenticates the username/password posted to
             /j_acegi_security_check through authenticationManager. A failed attempt is
             sent back to the login page with login_error=1. Because
             alwaysUseDefaultTargetUrl is true, a successful login always goes to
             /HandleSuccessfullLogin.htm rather than to the page originally requested.
             rememberMeServices is injected so that a successful login can issue the
             remember-me cookie when the form asked for it. -->
        <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    		<property name="authenticationManager" ref="authenticationManager"/>
    		<property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/>
    		<property name="defaultTargetUrl" value="/HandleSuccessfullLogin.htm"/>
    		<property name="alwaysUseDefaultTargetUrl" value="true"/>
    		<property name="filterProcessesUrl" value="/j_acegi_security_check"/>
    		<property name="rememberMeServices" ref="rememberMeServices"/>
    	</bean>
       
    	<!-- Wraps the request so that the Servlet API security methods (getRemoteUser,
    	     isUserInRole and similar) answer from Acegi's current Authentication. -->
    	<bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
    
    	<!-- Cookie login: when a request arrives with no Authentication in the
    	     SecurityContext, this filter asks rememberMeServices to turn the remember-me
    	     cookie into an Authentication and passes it to authenticationManager, where
    	     rememberMeAuthenticationProvider has to accept it. A token that fails
    	     validation leaves the request unauthenticated, so the anonymous filter
    	     takes over and the user sees the login page. -->
    	<bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">		
    		<property name="rememberMeServices" ref="rememberMeServices"/>
    		<property name="authenticationManager" ref="authenticationManager"/>
    	</bean>
    
    	<!-- Gives unauthenticated requests an anonymous Authentication carrying
    	     ROLE_ANONYMOUS. The key marks tokens created by this filter and has to equal
    	     the key of the AnonymousAuthenticationProvider inside authenticationManager.
    	     NOTE(review): "changeThis" looks like a sample placeholder; use a
    	     deployment-specific value in a real installation. -->
    	<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    		<property name="key" value="changeThis"/>
    		<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
    	</bean>
    
    	<!-- Translates security exceptions raised further down the chain: requests that
    	     need authentication are sent to the login form, and authenticated users
    	     without the required authority get /accessDenied.jsp.
    	     NOTE(review): forceHttps is false, so this entry point does not move the
    	     login form to HTTPS. Unless TLS is enforced elsewhere (container or
    	     front-end proxy), the posted password and the remember-me cookie travel in
    	     clear text; confirm how transport security is handled. -->
    	<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    		<property name="authenticationEntryPoint">
    			<bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    				<property name="loginFormUrl" value="/acegilogin.jsp"/>
    				<property name="forceHttps" value="false"/>
    			</bean>
    		</property>
    		<property name="accessDeniedHandler">
    			<bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
    				<property name="errorPage" value="/accessDenied.jsp"/>
    			</bean>
    		</property>
    	</bean>
    
    	<!-- URL authorization. Each line of objectDefinitionSource maps an Ant-style
    	     path (compared in lower case) to the attributes required for it; RoleVoter
    	     evaluates the ROLE_ attributes and AuthenticatedVoter the IS_AUTHENTICATED_
    	     ones. AffirmativeBased grants access as soon as one voter grants it, and
    	     allowIfAllAbstainDecisions=false denies when no voter has an opinion.
    	     NOTE(review): pages are listed one by one and the posted list is partly
    	     elided, so no catch-all pattern is visible. In Acegi a URL that matches no
    	     pattern is not checked by this interceptor at all; confirm the full list
    	     covers every page or ends with a catch-all entry.
    	     NOTE(review): the ROLE_ attributes are satisfied by a remember-me login as
    	     well as by a password login. If some pages should require a fresh password,
    	     that needs IS_AUTHENTICATED_FULLY together with a decision manager that
    	     requires all voters to agree; with AffirmativeBased the role vote alone
    	     would still grant access. -->
    	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager" ref="authenticationManager"/>
    		<property name="accessDecisionManager">
    			<bean class="org.acegisecurity.vote.AffirmativeBased">
    				<property name="allowIfAllAbstainDecisions" value="false"/>
    				<property name="decisionVoters">
    					<list>
    						<bean class="org.acegisecurity.vote.RoleVoter"/>
    						<bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
    					</list>
    				</property>
    			</bean>
    		</property>
    
            <property name="objectDefinitionSource">
              <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /acegilogin.jsp=IS_AUTHENTICATED_ANONYMOUSLY
                /adminannounce.htm=ROLE_PAGE_ADMIN_ADMINANNOUNCE
    ......
    			/reports.htm=ROLE_PAGE_REPORTS
    			/testcopyofferversion.htm=ROLE_PAGE_TESTCOPYOFFERVERSION
    			/viewattachedcustomers.htm=ROLE_PAGE_VIEWATTACHEDCUSTOMERS
    			/vip.htm=ROLE_PAGE_VIP
    			/workdetails.htm=ROLE_PAGE_WORKDETAILS
    			/zonecalculation.htm=ROLE_PAGE_ZONECALCULATION                        
              </value>
            </property>
    	</bean>
    
    	<!-- Issues and validates the remember-me cookie. Acegi's token-based scheme puts
    	     base64(username:expiryTime:md5Hex(username:expiryTime:password:key)) in the
    	     cookie, so "key" is the server-side secret that stops a client from forging
    	     a token. It should be a long, unpredictable, deployment-specific value, and
    	     it has to equal the key on rememberMeAuthenticationProvider.
    	     NOTE(review): "someTokenName" reads like a label rather than a secret;
    	     presumably a stand-in for the real value.
    	     The hash is recomputed from the password that userDetailsService returns,
    	     so that service has to return the stored password unchanged or every cookie
    	     fails validation. The cookie works as a bearer credential until it expires
    	     or the user's password changes, so it should only ever travel over HTTPS. -->
    	<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
      		<property name="userDetailsService" ref="userDetailsService"/>
    		<property name="key" value="someTokenName"/>
    	</bean>
    
    	<!-- Delegates each authentication request to the providers below, in order:
    	     username/password logins (daoAuthenticationProvider), anonymous tokens, and
    	     remember-me tokens. The anonymous provider's key has to equal the key set on
    	     anonymousProcessingFilter; "changeThis" looks like a sample placeholder and
    	     should be replaced with a deployment-specific value. -->
    	<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    		<property name="providers">
    			<list>
    				<ref local="daoAuthenticationProvider"/>
    				<bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    					<property name="key" value="changeThis"/>
    				</bean>
    				<ref local="rememberMeAuthenticationProvider"/>
    			</list>
    		</property>
    	</bean>
    
    	<!-- Accepts the Authentication built from a valid remember-me cookie. It only
    	     accepts tokens created with the same key, so this value has to stay
    	     identical to the key on rememberMeServices; treat it as a secret. -->
    	<bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
    		<property name="key" value="someTokenName"/>
    	</bean>
    
    	<!-- Username/password authentication against userDetailsService, with loaded
    	     users cached in the Ehcache region "userCache".
    	     NOTE(review): no passwordEncoder (or saltSource) is set on this bean. As far
    	     as I know Acegi then compares the presented password with the stored one as
    	     plain text, which would mean passwords are stored unhashed unless
    	     UserService hashes them itself; confirm. -->
    	<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    		<property name="userDetailsService" ref="userDetailsService"/>
    		<property name="userCache">
    			<bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
    				<property name="cache">
    					<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    						<property name="cacheManager">
    							<bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
    						</property>
    						<property name="cacheName" value="userCache"/>
    					</bean>
    				</property>
    			</bean>
    		</property>
    	</bean>
    
    	<!-- UserDetailsService is the Acegi Security interface most commonly implemented
    	     by end users. Here it is the project's own UserService, backed by simISSDao.
    	     Both daoAuthenticationProvider and rememberMeServices load users through it.
    	     NOTE(review): the UserDetails it returns must carry the stored password,
    	     because the remember-me hash is recomputed from it; verify against the
    	     UserService implementation, which is not shown. -->
    	<bean id="userDetailsService" class="com.issworld.simiss.service.UserService">
            <property name="simISSDao">
                <ref bean="simISSDao"/>
            </property>
    	</bean>
    
    
    	<!-- This bean is optional; it isn't used by any other bean as it only listens and logs.
    	     It writes the authentication events Acegi publishes to the application log,
    	     which gives a record of login successes and failures to review. -->
    	<bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>
    
    </beans>
    acegilogin.jsp
    Code:
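    <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
    <%@ include file="/WEB-INF/jsp/include/top.jsp" %>
    <%@ page import="org.acegisecurity.ui.AbstractProcessingFilter" %>
    <%@ page import="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter" %>
    <%@ page import="org.acegisecurity.AuthenticationException" %>
    <%--
    Login form for Acegi's AuthenticationProcessingFilter. It posts j_username,
    j_password and the optional _acegi_security_remember_me flag to
    j_acegi_security_check, and is shown again with login_error set after a failed
    attempt.

    The last attempted username and the failure message both originate from the
    login request, so they are written with c:out (HTML-escaped) instead of raw
    scriptlet expressions. The c: and spring: tag prefixes are not declared in this
    file; presumably top.jsp declares them.
    --%>
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <%@ include file="/WEB-INF/jsp/include/head.jsp" %>
        <title>SimISS login</title>
    </head>
    
    <body onload="document.getElementById('j_username').focus();" class="layoutBody" id="layoutBody">
    
    <%--
    this form-login-page form is also used as the
    form-error-page to ask for a login again.
    --%>
    
    <%
        // Expose the session values to the JSTL tags below. Nothing is set when a
        // value is missing (for example when the page is requested with
        // login_error but no failed login in this session), so the page renders
        // an empty field or reason instead of "null" or a NullPointerException.
        Object lastLoginUsername = session.getAttribute(AuthenticationProcessingFilter.ACEGI_SECURITY_LAST_USERNAME_KEY);
        if (lastLoginUsername != null) {
            pageContext.setAttribute("lastLoginUsername", lastLoginUsername);
        }
        Object lastLoginFailure = session.getAttribute(AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY);
        if (lastLoginFailure instanceof AuthenticationException) {
            pageContext.setAttribute("lastLoginFailure", lastLoginFailure);
        }
    %>
    
    <img align="top" src="image/SimISS.jpg"/>
    
    <form action="<c:url value='j_acegi_security_check'/>" method="POST">
        <table cellpadding="6" cellspacing="0" class="innerLoginTable">
            <tr><td colspan="2"><h3>Login</h3></td></tr>
            <%-- c:out escapes quotes and angle brackets, so the echoed username cannot break out of the value attribute --%>
            <tr align="left" valign="middle"><td><spring:message code="login.user" text="USER"/></td><td><input class="loginput" type='text' name='j_username' <c:if test="${not empty param.login_error}"> value='<c:out value="${lastLoginUsername}"/>' </c:if>></td></tr>
            <tr align="left" valign="middle"><td><spring:message code="login.password" text="PASSWORD"/></td><td><input class="loginput" name='j_password' type='password'></td></tr>
            <tr align="left" valign="middle"><td><input type="checkbox" name="_acegi_security_remember_me"></td><td>Remember me</td></tr>
    
    
            <tr align="center" valign="middle"><td colspan='2'><input name="submit" type="submit" value="Logon"></td></tr>
    
            <c:if test="${not empty param.login_error}">
                <tr align="left" valign="middle"><td colspan='2'>
                <font color="red">
                    Your login attempt was not successful, try again.<BR><BR>
                    Reason: <c:out value="${lastLoginFailure.message}"/>
                </font>
                </td></tr>
            </c:if>
        </table>
    
    </form>
    
    <%--
    <%@ include file="/WEB-INF/jsp/include/endlayouttable.html" %>
    --%>
    
    </body>
    </html>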
    And index.jsp which redirects to acegilogin.jsp
    Code:
    <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
    <%@ include file="/WEB-INF/jsp/include.jsp" %>
    <%--
    Redirected because we can't set the welcome page to a virtual URL.
    NOTE(review): the redirect goes to the login form unconditionally, and
    applicationContext-acegi-security.xml maps /acegilogin.jsp to
    IS_AUTHENTICATED_ANONYMOUSLY, which an already-authenticated user also
    satisfies. A visitor whose remember-me cookie was accepted would therefore
    still be shown the login form when entering through this page; to check
    whether cookie login works, request a protected page directly.
    --%>
    <c:redirect url="acegilogin.jsp"/>
    I can see that the cookie is being set, and it looks quite right to me. Opening a new tab and accessing my app results in the login page. When a user has ticked "remember me", the user should be redirected to the page that a successful login redirects to.
    I can access this page directly by entering the specific URL when I have already logged in - so in some sense it is working - but I can't do this after I close and reopen the browser. This indicates that it is simply the session being held that allows access....
    My browser settings accept all cookies... It seems the app isn't checking to find the cookie? Or how come this doesn't work? Do I need to add something to the JSP, or what am I missing?

    Any answers appreciated! Thanks!

    Kind Regards
    Hovendal

  2. #2

    Default Re:More Remember Me trouble

    Hello Hovendal,

    Refer to this post:
    http://forum.springframework.org/showthread.php?t=62369

    Here you can find the config file which is working fine for me. When a user logs in using remember-me, the cookie gets created, and if he revisits he does not need to log in again as long as the cookie has not expired.

    Difference between your approach and mine is database.

    Thanks
