
Thread: Accessing single Remember-me cookie between different webapps inside tomcat

  1. #1
    Join Date
    Oct 2009
    Posts
    3

    Default Accessing single Remember-me cookie between different webapps inside tomcat

    Hi Spring Gurus,

    I have a problem while using <security:remember-me key="some" /> in my application. I have two Spring Security webapps running in Tomcat. Both have a login page. If the user enters one application, the login page should be shown. Once he has successfully logged in, the remember-me cookie is set, and from the next time onwards the user is able to enter that particular application without being asked for a username and password. My problem is that if the same user enters the second application, it again prompts for a username and password. But I don't want that. I need the remember-me cookie set by one application to be available to the other applications which use the same remember-me.
    I am really stuck on this. Can anyone provide guidance on this? It is urgent, please.

    I am pasting my applicationContext-security.xml file below.


    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
        <global-method-security pre-post-annotations="enabled">
        </global-method-security>
    
        <http use-expressions="true" auto-config='false'>
            <intercept-url pattern="/secure/extreme/**" access="hasRole('ROLE_SUPERVISOR')"/>
            <intercept-url pattern="/secure/**" access="isAuthenticated()" />
            <intercept-url pattern="/**" access="permitAll" />
            <form-login login-page='/login.jsp' default-target-url='/index.jsp' always-use-default-target='true' />
    
            <logout />
            <remember-me key="someKey" token-validity-seconds="864000" /> 
            <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
        </http>
        <authentication-manager>
            <authentication-provider>
                <password-encoder hash="md5"/>
                <user-service>
                    <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
                    <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
                    <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
                    <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    
    </beans:beans>

    Thanks
    Jai

  2. #2
    Join Date
    Oct 2009
    Posts
    3

    Default

    Hello,
    Can anyone please suggest some way to do this?

    thanks
    Jai

  3. #3
    Join Date
    Jul 2009
    Posts
    4

    Default Take a look at the base class AbstractRememberMeServices

    Take a look at the base class for the remember-me service: AbstractRememberMeServices in package org.springframework.security.ui.rememberme.

    Hint: You can reuse a cookie if the cookie's domain is set appropriately, and both sites are in the same domain. This will require creating a class that extends AbstractRememberMeServices and implements logic that sets the cookie's domain.

    For example, if your cookie's domain was set to springsource.org in a custom class, and one of your Tomcat sites was blogs.springsource.org and the other Tomcat site was forum.springsource.org, then your Tomcat sites could share this cookie and the user would only be forced to log in once if Remember Me security was implemented on both sites.

  4. #4
    Join Date
    Oct 2009
    Posts
    3

    Thumbs up

    Hi djdrisco,

    Thanks for your reply. I have done exactly what you said. Instead of creating a new class, I extracted the class file from the jar, modified the code to set the cookie path to root, and rebuilt the jar. Now it is working. If I instead extend that class in my own Java file, what changes do I have to make in the applicationContext-security.xml file? The file will look like the one I posted in the first post.

    Thanks
    Jai
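
The subclass approach discussed in this thread, as an added example that is not part of the original posts or of Spring Security itself. It assumes the Spring Security 3.0 API (`TokenBasedRememberMeServices` in `org.springframework.security.web.authentication.rememberme`, with protected `setCookie`, `cancelCookie`, `encodeCookie` and `getCookieName`); the class name, package and bean ids are hypothetical.

```java
package example; // hypothetical package name
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

/**
 * Issues the remember-me cookie with path "/" rather than the webapp's context
 * path, so every webapp on the same Tomcat host receives it. Both webapps must
 * use the same key, cookie name and user data, because the token signature is
 * computed from username, expiry, password and key.
 *
 * Wiring in each applicationContext-security.xml (bean ids are hypothetical):
 *   <remember-me key="someKey" services-ref="rememberMeServices"/>
 *   <user-service id="userService"> ... </user-service>
 *   <beans:bean id="rememberMeServices" class="example.SharedPathRememberMeServices">
 *     <beans:property name="key" value="someKey"/>
 *     <beans:property name="userDetailsService" ref="userService"/>
 *     <beans:property name="tokenValiditySeconds" value="864000"/>
 *   </beans:bean>
 * token-validity-seconds moves to the bean; it cannot be combined with services-ref.
 */
public class SharedPathRememberMeServices extends TokenBasedRememberMeServices {

    // null keeps the cookie host-only; a parent domain widens who receives the token
    private String cookieDomain;
    public void setCookieDomain(String cookieDomain) { this.cookieDomain = cookieDomain; }

    @Override
    protected void setCookie(String[] tokens, int maxAge,
                             HttpServletRequest request, HttpServletResponse response) {
        response.addCookie(build(encodeCookie(tokens), maxAge, request));
    }

    @Override
    protected void cancelCookie(HttpServletRequest request, HttpServletResponse response) {
        // Logout must clear the cookie with the same path/domain it was set with.
        response.addCookie(build(null, 0, request));
    }

    private Cookie build(String value, int maxAge, HttpServletRequest request) {
        Cookie cookie = new Cookie(getCookieName(), value);
        cookie.setMaxAge(maxAge);
        cookie.setPath("/");                  // shared by all webapps on this host
        if (cookieDomain != null) cookie.setDomain(cookieDomain);
        cookie.setSecure(request.isSecure()); // HTTPS-issued cookies stay HTTPS-only
        return cookie;
    }
}
```

With path `/`, any other webapp deployed on the same host also receives the remember-me token, so co-host only applications that should be trusted with it.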
