alwaysRememberMe ignored on custom rememberme Spring Security 3

**mschipperheyn** · Jan 14th, 2010, 05:12 AM

Hi,

I have a custom remembermanager that is configured like so:

PHP Code:


    <http>

[...]

        <intercept-url pattern="/**" access="ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN,ROLE_VENDOR" />

        <form-login always-use-default-target="false"

            default-target-url="/index.html" authentication-failure-url="/login.html"

            login-page="/login.html" login-processing-url="/login_security_check" />

    

        <logout logout-url="/logout.html" logout-success-url="/index.html"

            invalidate-session="true" />

        <anonymous granted-authority="ROLE_ANONYMOUS" />

        <remember-me services-ref="rememberMeServices" key="${msa.security.key}" />

    </http>



     <beans:bean id="rememberMeServices"

        class="nl.project.service.impl.RememberMeManagerImpl">

        <beans:property name="userDetailsService" ref="usorManager" />

        <beans:property name="key"

            value="${msa.security.key}" />

        <beans:property name="parameter" value="rememberMe" />

        <beans:property name="userDao" ref="usorDao" />

        <beans:property name="alwaysRemember" value="true" />

    </beans:bean>

The custom remember me is to ensure that some session variables are being set onLoginSuccess and processAutoLoginCookie. Set up like so:

PHP Code:


    public void onLoginSuccess(

            HttpServletRequest request,

            HttpServletResponse response,

            Authentication authentication) {

        super.onLoginSuccess(request, response, authentication);

        Usor user = userDao.getUserByEmail(authentication.getPrincipal()

                .toString());

        if (user != null) {

            request.getSession(true).setAttribute(MSA.USER_KEY, user);

            request.getSession().setAttribute(MSA.COUNTRY_KEY,

                    user.getAddress().getCountry());

        }

    }



    public UserDetails processAutoLoginCookie(

            String[] cookieTokens,

            HttpServletRequest request,

            HttpServletResponse response

            

            ) {

        UserDetails det = super

                .processAutoLoginCookie(cookieTokens, request, response);

        if (det != null) {

            Usor user = userDao.getUserByEmail(det.getUsername());

            if (user != null) {

                request.getSession(true).setAttribute(MSA.USER_KEY, user);

                request.getSession().setAttribute(MSA.COUNTRY_KEY,

                        user.getAddress().getCountry());

            }

        }

        return det;

    }

When I examine the remember me cookie that is being set by Spring, I see thay it uses the default 14 days expiry delay. When alwaysRemember is set to true, I would expect something in the distant future.

Any ideas?

Kind regards,

Marc

**Luke Taylor** · Jan 14th, 2010, 11:34 AM

You're misunderstanding the function of "alwaysRemember". It affects whether the cookie is set, not how long for. Check the Javadoc or the code for more info.

**mschipperheyn** · Jan 15th, 2010, 02:31 AM

Javadoc description of the function is empty :-)

Thanks for clearing this up for me.

Marc

Thread: alwaysRememberMe ignored on custom rememberme Spring Security 3

Thread Tools

Display

alwaysRememberMe ignored on custom rememberme Spring Security 3

:-)

Tags for this Thread

Posting Permissions