Results 1 to 2 of 2

Thread: Persistent Tokens and Domain question

  1. Sep 10th, 2012, 04:18 PM #1
    epaisley
    epaisley is offline Junior Member
    Join Date
    Jul 2011
    Posts
    12

    Default Persistent Tokens and Domain question

    I've implemented "Remember Me" with a Persistent Token store in a SQL SERVER database.

    I have 2 apps running on the same domain.

    www.mywebsite.com/app1
    www.mywebsite.com/app2

    I share the security-context.xml file between the 2 apps and they are running on the same JVM.

    I noticed with the remember me functionality that it is creating cookies for www.mywebsite.com with a Path value of app1. Because this happens I'm not logged into app2 automatically.

    When I log into app2, I notice in the db table that a second entry is entered and another spring security cookie is created for app2, only it has a Path value of app2.

    Is there a way for SpringSecurity to create the cookie at the www.mywebsite.com level with a Path of "/" so all the apps can see it?

    I would like the user to only have to login in Once to the "site" and have access to all the applications.

    Here is the security xml:
    Code:
    <?xml version="1.0" encoding="UTF-8" ?> 
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">
         
  <http auto-config="true" create-session="never">
    <intercept-url pattern="/**" access="ROLE_USER" />  
    <remember-me key="MySecurityKey" data-source-ref="mySecurityDS" /> 
  </http>        
           
<!-- authentication manager and password hashing -->
 <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
        <user name="bob" password="bobspassword" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>

	<beans:bean id="mySecurityDS"
		class="org.springframework.jndi.JndiObjectFactoryBean">
		<beans:property name="jndiName"
			value="java:comp/env/jdbc/SecurityDataTable" />
	</beans:bean>


</beans:beans>
    Last edited by epaisley; Sep 10th, 2012 at 04:31 PM. Reason: Added xml snippet
    Reply With Quote Reply With Quote
  2. Sep 11th, 2012, 06:38 PM #2
    epaisley
    epaisley is offline Junior Member
    Join Date
    Jul 2011
    Posts
    12

    Default Success

    I got this work, but needed to write my own RememberMe Service. I extended PersistentTokenBasedRememberMeServices and overrided the setCookie method to set the path as /


    Code:
    package com.company.spring.security.custom.rememberme;

import java.lang.reflect.Method;

import javax.servlet.http.Cookie;

import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.util.ReflectionUtils;

public class CustomDomainCookieRememberMe extends PersistentTokenBasedRememberMeServices  {

	   
																			   //This allows us to name or own cookie and "hide" the face we are using spring security
	    private Boolean useSecureCookie = null;
	    private Method setHttpOnlyMethod;
	    private String cookiePathForSecurity = "/";  //This is what allows "Single Sign On".  The path of the cookie is set to the 
	    											 //top domain (website.org) or just /.  If the app is in the path 
	                                                 //the cookie is only available to that app
	
	
    @Override
	protected void setCookie(java.lang.String[] tokens,
            int maxAge,
            javax.servlet.http.HttpServletRequest request,
            javax.servlet.http.HttpServletResponse response)
    {
    	/*
    	System.out.println("Dumping Cookies");
    	for (int i = 0; i < tokens.length; i++) {
			String theCookie = tokens[i];
			
			System.out.println("string: " + theCookie);
		}
    	*/
    	 String cookieValue = encodeCookie(tokens);
         Cookie cookie = new Cookie(getCookieName(), cookieValue);
         cookie.setMaxAge(maxAge);  //I think we can overwrite this with our own
         cookie.setPath(cookiePathForSecurity);

         if (useSecureCookie == null) {
             cookie.setSecure(request.isSecure());
         } else {
             cookie.setSecure(useSecureCookie);
         }

         if(setHttpOnlyMethod != null) {
             ReflectionUtils.invokeMethod(setHttpOnlyMethod, cookie, Boolean.TRUE);
         }

         response.addCookie(cookie);
    	
    }
	
}
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules