
Thread: Hacks using Programmatic Security for a SpringMVC application

  1. #11
    Join Date
    Jan 2013
    Posts
    13


    Glad to give it a read. Which resource should I be reading? I need to understand the configuration as well as the implementation classes.

    This document http://static.springsource.org/sprin...member-me.html does not really help me. Is there another resource you are referring to?

  2. #12
    Join Date
    Nov 2006
    Location
    London, UK and Tallinn, Estonia
    Posts
    55


    Check out the source code for AbstractAuthenticationProcessingFilter, especially the methods successfulAuthentication and unsuccessfulAuthentication, and you will see how they call rememberMeServices.
    Toby Hobson
    toby.hobson@cloudseal.com
    Single Sign on for Java - www.cloudseal.com
    Follow me on Twitter: tobyhobson

  3. #13
    Join Date
    Jan 2013
    Posts
    13


    I did check out the source code. Let me see if I understand the workflow.

    Let's assume I want to use the default TokenBasedRememberMe service. In my controller, I need to first initialize the TokenBasedRememberMe object. After I authenticate the user programmatically, I call rememberMeServices.loginSuccess(request, response, authResult) so it can drop the cookie in the response object. Simple enough so far.

    Now on subsequent requests the TokenBasedRememberMeServices intercepts the call to check for the cookie and look for the identifiable user. If the user session is not located on the server, the TokenBasedRememberMeService needs to create a new session that represents the user. To do this, it needs to check whether the password for the user may have changed since the last visit. To do this it needs a UserDetailsService to compare the password with the password it had stored in the cookie.
    If there is a match, it creates a session object and everything proceeds as normal.
    If there is no match, it sends the user to the Login form so the process can start again.

    From a container's perspective, all I need to do is tell it that I need to use a RememberMe service, define which one (in this case TokenBasedRememberMeServices) and the UserDetailsService that goes along with this.

    Is this the general flow, or am I missing anything?

  4. #14
    Join Date
    Nov 2006
    Location
    London, UK and Tallinn, Estonia
    Posts
    55


    That's broadly correct, at least in the context of the TokenBasedRememberMeServices. Personally I would recommend using the PersistentTokenBasedRememberMeServices as it's more secure but the choice is yours.
    Toby Hobson
    toby.hobson@cloudseal.com
    Single Sign on for Java - www.cloudseal.com
    Follow me on Twitter: tobyhobson
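    As an added illustration of the flow described in the last two posts (this is not code from the thread or from Spring Security itself), here is a Spring MVC controller that authenticates programmatically and then hands the result to TokenBasedRememberMeServices, the same calls AbstractAuthenticationProcessingFilter makes. It assumes Spring Security 3.1 with an AuthenticationManager and UserDetailsService already wired as beans; the key string, URLs and class name are placeholders.

    ```java
    // Added example, not from the thread. Assumes Spring Security 3.1 and that
    // AuthenticationManager and UserDetailsService are application beans.
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.web.authentication.RememberMeServices;
    import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RequestParam;

    @Controller
    public class ProgrammaticLoginController {   // hypothetical class name

        private final AuthenticationManager authenticationManager;
        private final RememberMeServices rememberMeServices;

        @Autowired
        public ProgrammaticLoginController(AuthenticationManager authenticationManager,
                                           UserDetailsService userDetailsService) {
            this.authenticationManager = authenticationManager;
            // The key must be the same one given to the RememberMeAuthenticationProvider
            // that validates the cookie on later requests, or the token is rejected.
            TokenBasedRememberMeServices services =
                    new TokenBasedRememberMeServices("REPLACE-WITH-SECRET-KEY", userDetailsService);
            services.setTokenValiditySeconds(14 * 24 * 60 * 60);   // two weeks
            this.rememberMeServices = services;
        }

        @RequestMapping(value = "/login", method = RequestMethod.POST)
        public String login(@RequestParam String username, @RequestParam String password,
                            HttpServletRequest request, HttpServletResponse response) {
            try {
                Authentication authResult = authenticationManager.authenticate(
                        new UsernamePasswordAuthenticationToken(username, password));
                SecurityContextHolder.getContext().setAuthentication(authResult);
                // Same call successfulAuthentication() makes. The cookie is only written
                // when the request carries remember-me=true (or alwaysRemember is set); it
                // holds username:expiry:MD5(username:expiry:password:key), which is why a
                // password change invalidates it on the next visit.
                rememberMeServices.loginSuccess(request, response, authResult);
                return "redirect:/home";
            } catch (AuthenticationException e) {
                rememberMeServices.loginFail(request, response);  // clears a stale cookie
                return "redirect:/login?error";
            }
        }
    }
    ```

    Because the token is a hash over the stored password, switching to PersistentTokenBasedRememberMeServices (random series and token values kept in a PersistentTokenRepository) keeps password material out of the cookie entirely, which is the reason behind the recommendation above.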

  5. #15
    Join Date
    Jan 2013
    Posts
    13


    Thanks a lot. Will try and implement this and see how it goes.

  6. #16
    Join Date
    Jan 2013
    Posts
    13


    In a stateless cloud environment such as Heroku, how would authentication work? Heroku does not support session affinity, and as a result, with a RememberMe impl, that user's auth status will eventually end up on many dynos.
