When does spring security remember me process its cookie?

**william_** · Aug 22nd, 2012, 08:56 AM

Spring security 3.1.1

So I made a custom remember me service which extends the default token based remember me service just to check if it's called or not.

Code:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

public class CustomTokenBasedRememberMeService extends TokenBasedRememberMeServices {

    @Override
    protected int calculateLoginLifetime(HttpServletRequest request, Authentication authentication) {
        System.out.println("COOKIE: Process1!");
        return super.calculateLoginLifetime(request, authentication);
    }

    @Override
    protected boolean isTokenExpired(long tokenExpiryTime) {
        System.out.println("COOKIE: Process2!");
        return super.isTokenExpired(tokenExpiryTime);
    }

    @Override
    protected String makeTokenSignature(long tokenExpiryTime, String username, String password) {
        System.out.println("COOKIE: Process3!");
        return super.makeTokenSignature(tokenExpiryTime, username, password);
    }

    @Override
    protected String retrievePassword(Authentication authentication) {
        System.out.println("COOKIE: Process4!");
        return super.retrievePassword(authentication);
    }

    @Override
    protected String retrieveUserName(Authentication authentication) {
        System.out.println("COOKIE: Process5!");
        return super.retrieveUserName(authentication);
    }

    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request, HttpServletResponse response) {
        System.out.println("COOKIE: Process6!");
        return super.processAutoLoginCookie(cookieTokens, request, response);
    }    

    @Override
    public void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) {
        System.out.println("COOKIE: Process7!");
        super.onLoginSuccess(request, response, successfulAuthentication);
    }
}

when a user log in it prints out:

Code:

INFO: COOKIE: Process7!
INFO: COOKIE: Process5!
INFO: COOKIE: Process4!
INFO: COOKIE: Process1!
INFO: COOKIE: Process3!

which means that it calls the onLoginSuccess(), retrieveUserName(), retrievePassword(), calculateLoginLifetime(), and makeTokenSignature().

The browser has accepted the cookie, but it's never processed ever. Even after I deleted the session, restarted the browser, etc. It's never processed, I assume processAutoLoginCookie is responsible for this but it's never called either.

What's the condition for spring security to process the cookie?

**Rob Winch** · Aug 24th, 2012, 10:50 AM

Take a look at the RememberMeAuthenticationFilter

**william_** · Aug 26th, 2012, 10:27 PM

Originally Posted by Gustavoren

well i think that you should consult somebody experienced and professional in this field , i hope your problem will surely be solved and you will get an appropriate answer for this.

Uhh, ok.

Originally Posted by Rob Winch

Take a look at the RememberMeAuthenticationFilter

A little explanation related to my question please?

**Rob Winch** · Aug 27th, 2012, 10:16 AM

The title reads "When does spring security remember me process its cookie?". The RememberMeAuthenticationFilter is what utilizes the RememberMeServices to processes the remember me cookie. Add debug points to that filter and turn up debug logging to figure out what is happening.

**william_** · Aug 27th, 2012, 10:36 PM

Originally Posted by Rob Winch

The title reads "When does spring security remember me process its cookie?". The RememberMeAuthenticationFilter is what utilizes the RememberMeServices to processes the remember me cookie. Add debug points to that filter and turn up debug logging to figure out what is happening.

Ok thanks, do you know what's the condition for the RememberMeAuthenticationFilter to utilize the RememberMeService? Is it when the user try to access a secured page when the session hasn't been made? Or do I have to put some configuration to each page I secured?

**Rob Winch** · Aug 28th, 2012, 08:57 AM

I'm not sure if you noticed, but I provided a link to the source which should explain what it is doing. In summary, it will invoke RememberMeServices#autoLogin if the Authentication is null.

**william_** · Sep 3rd, 2012, 02:35 AM

Originally Posted by Rob Winch

I'm not sure if you noticed, but I provided a link to the source which should explain what it is doing. In summary, it will invoke RememberMeServices#autoLogin if the Authentication is null.

Thanks, now I could see that if SecurityContextHolder.getContext().getAuthenticati on()==null then it calls the autoLogin() method
I can't override autoLogin() since it's declared as final. So I trust that it works just fine and I noticed that it calls the processAutoLoginCookie() method afterward. But the method is never called. So I presume either the Authentication is never null or the doFilter() method is never called in the first place. What do you think about this?

Thread: When does spring security remember me process its cookie?

Thread Tools

Display

When does spring security remember me process the cookie?

Tags for this Thread

Posting Permissions