I had been working with a small test project using spring-sec 2 and spring 2.5.6 to learn spring security. I had a basic setup working, including working 'remember-me' configured with defaults. I have just moved to spring-sec-3.0.1.RELEASE and spring-3.0.RELEASE and everything works EXCEPT remember-me. I used the docs and the contacts sample app to convert the config to 3.0 - now I can see that a cookie IS being set in the server logs:
1699060847@qtp-327325694-0 2010-01-21 13:16:37,810 DEBUG [TokenBasedRememberMeServices:onLoginSuccess] Added remember-me cookie for user 'user', expiry: 'Thu Feb 04 13:16:37 PST 2010'
I can also see the cookie when I 'show cookies' from the browser.
However, when I close the browser, reopen it, and attempt to navigate to a secure page, I am always prompted to log in. There is no entry in the log indicating that the remember-me cookie is ever processed.
My security config looks like this:
Code:
<security:http auto-config="true" access-denied-page="/login.html?login_error=1">
    <security:intercept-url pattern="/methods/*" access="ROLE_USER"/>
    <security:intercept-url pattern="/main.html" access="ROLE_USER"/>
    <security:intercept-url pattern="/login.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/home.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:form-login login-page="/login.html"
                         authentication-failure-url="/login.html?login_error=1"
                         default-target-url="/main.html"/>
    <security:logout logout-success-url="/home.html"/>
    <security:remember-me />
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <security:password-encoder hash="md5"/>
        <security:user-service>
            <security:user name="admin" password="70448f05afcfa5006cd384c52c3317b2" authorities="ROLE_ADMIN, ROLE_USER" />
            <security:user name="user" password="d5598909146844d313a806e2cec6b38d" authorities="ROLE_USER" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

The filters in web.xml are configured as such:
Code:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

I am using a custom login form like this:
Code:
<form name="f" action="<c:url value='j_spring_security_check'/>" method="POST">
    <h2>Please log in:</h2>
    <table cellpadding="3">
        <tr><td>User:</td><td><input id="j_username" type="text" name="j_username" value="<c:if test='${not empty param.login_error}'><c:out value='${SPRING_SECURITY_LAST_USERNAME}'/></c:if>"/></td></tr>
        <tr><td>Password:</td><td><input type="password" name="j_password"></td></tr>
        <tr><td align="right"><input type="checkbox" name="_spring_security_remember_me"> </td><td>Don't ask for my password for two weeks</td></tr>
        <tr><td colspan="2" align="center"> </td></tr>
    </table>
    <div style="text-align: center; width:100%; margin: auto"><input name="submit" type="submit"> <input name="reset" type="reset"></div>
</form>

I must be missing some configuration of 3.0.1, but I simply can't figure out what. It seems like I've got 'remember-me' only half configured. How do you make spring-sec-3 pay attention to the cookie once it is set?
Thanks in advance for any help.
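
One way to rule out a malformed, expired or wrongly signed cookie before looking at the filter chain, as an added example that is not part of the original post. It assumes the documented TokenBasedRememberMeServices layout, base64(username:expiryMillis:md5Hex(username:expiryMillis:password:key)); the key `example-key`, the expiry value and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample values; the stored password is the hash configured for 'user' in the post.
SAMPLE_USER = "user"
SAMPLE_STORED_PASSWORD = "d5598909146844d313a806e2cec6b38d"
SAMPLE_KEY = "example-key"          # placeholder, not a real deployment key
SAMPLE_EXPIRY_MS = 1265318197000    # constructed expiry, milliseconds since epoch

def expected_signature(username, expiry_ms, stored_password, key):
    """MD5 hex digest over username:expiry:password:key (assumed token layout)."""
    data = f"{username}:{expiry_ms}:{stored_password}:{key}"
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def make_cookie(username, expiry_ms, stored_password, key):
    """Build a constructed cookie value for testing, with base64 padding stripped."""
    sig = expected_signature(username, expiry_ms, stored_password, key)
    raw = f"{username}:{expiry_ms}:{sig}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii").rstrip("=")

def decode_remember_me(cookie_value):
    """Split a cookie value into (username, expiry_ms, signature)."""
    padded = cookie_value + "=" * (-len(cookie_value) % 4)  # restore stripped padding
    decoded = base64.b64decode(padded).decode("utf-8")
    # Choice made here: split from the right so a ':' in the username does not shift fields.
    username, expiry_ms, signature = decoded.rsplit(":", 2)
    return username, int(expiry_ms), signature

def check_cookie(cookie_value, stored_password, key, now_ms=None):
    """Return 'malformed', 'expired', 'bad-signature' or 'valid'."""
    try:
        username, expiry_ms, signature = decode_remember_me(cookie_value)
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if expiry_ms < now_ms:
        return "expired"
    want = expected_signature(username, expiry_ms, stored_password, key)
    ok = hmac.compare_digest(signature.encode("utf-8"), want.encode("utf-8"))
    return "valid" if ok else "bad-signature"

if __name__ == "__main__":
    cookie = make_cookie(SAMPLE_USER, SAMPLE_EXPIRY_MS, SAMPLE_STORED_PASSWORD, SAMPLE_KEY)
    print(decode_remember_me(cookie))
    print(check_cookie(cookie, SAMPLE_STORED_PASSWORD, SAMPLE_KEY, now_ms=SAMPLE_EXPIRY_MS - 1))
```

A result of `valid` for the value the browser actually holds means the token itself is fine, so the remaining question is whether the request carrying it ever reaches the remember-me processing.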


