
Thread: Problem with Remember Me Service in Spring Security

  1. #1
    Join Date
    Aug 2009
    Posts
    9

    Default Problem with Remember Me Service in Spring Security

    Hi,

    I'm trying to implement a "remember me" functionality in my website using Spring. The cookie and entry in the persistent_logins table are getting created correctly. Additionally, I can see that the correct user is being restored as the username is displayed at the top of the page.

    However, once I try to access any information for this user when they return after they were "remembered", I get a NullPointerException. It looks as though the user isn't being set in the session again.

    My applicationContext-security.xml contains the following:

    Code:
    <remember-me data-source-ref="dataSource" user-service-ref="userService"/>
    
    ...
    
    <authentication-provider user-service-ref="userService" />
    
    <jdbc-user-service id="userService" data-source-ref="dataSource" 
    role-prefix="ROLE_"
    users-by-username-query="select email as username, password, 1 as ENABLED from user where email=?" 
    authorities-by-username-query="select user.id as id, upper(role.name) as authority from user, role, users_roles where users_roles.user_fk=id and users_roles.role_fk=role.name and user.email=?"/>

    I thought it may have had something to do with the users-by-username query, but surely login wouldn't work correctly if this query was incorrect?

    Any help on this would be greatly appreciated.

    Thanks,
    Ger.

  2. #2
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Default

    If you paste the stack trace of the NPE, that would probably help us help you
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  3. #3
    Join Date
    Aug 2009
    Posts
    9

    Default

    Quote: Originally posted by pmularien
    If you paste the stack trace of the NPE, that would probably help us help you
    Oops! My bad

    Code:
    145113440 [http-8080-3] ERROR com.ins.web.exceptions.ExceptionHandler  - Unexpected error occurred during Action, Form or JSP processing.
    java.lang.NullPointerException
    	at com.ins.web.actions.CustomerAction.getCustomerAccount(CustomerAction.java:436)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    	at java.lang.reflect.Method.invoke(Method.java:597)
    	at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:270)
    	at com.ins.web.actions.BaseAction.execute(BaseAction.java:43)
    	at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
    	at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
    	at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
    	at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    	at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
    	at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    	at org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:67)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    	at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    	at org.springframework.security.ui.rememberme.RememberMeProcessingFilter.doFilterHttp(RememberMeProcessingFilter.java:116)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    	at org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    	at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:277)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    	at org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    	at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
    	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    	at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    	at java.lang.Thread.run(Thread.java:619)

    After debugging through the code I see that no user is pulled from the session in the method getCustomerAccount(). It looks as though the user object is never placed back into the session.

  4. #4
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Default

    Well, we obviously don't have access to the relevant code, so I can't confirm or deny your analysis. I'd suggest turning on debug logging for Spring Sec and see if you can't figure out what the real error is.


  5. #5
    Join Date
    Aug 2009
    Posts
    9

    Default

    Quote: Originally posted by pmularien
    Well, we obviously don't have access to the relevant code, so I can't confirm or deny your analysis. I'd suggest turning on debug logging for Spring Sec and see if you can't figure out what the real error is.
    I've tried debugging the code but it doesn't seem to be throwing an exception until we try to pull the user from the session.

    Does the remember-me functionality add the user to the session by default?

    I've tried to extend the service by adding the following to applicationContext-services.xml
    Code:
    <beans:bean id="rememberMeProcessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
    	  <custom-filter position="REMEMBER_ME_FILTER" />
    	  <beans:property name="authenticationManager" ref="authenticationManager" />
    	  <beans:property name="rememberMeServices" ref="rememberMeServices"/>
    	</beans:bean>
    	
    	<!-- Defines which remember me implementation to use - in this case using a database table to log 'remembered' tokens -->
    	<beans:bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.PersistentTokenBasedRememberMeServices">
    		<beans:property name="tokenRepository" ref="jdbcTokenRepository" />
    		<beans:property name="userDetailsService" ref="userService" />
    		<beans:property name="key" value="springRocks" />
    		<beans:property name="alwaysRemember" value="false" />
    	</beans:bean>
    	
    	<!-- Uses a database table to maintain a set of persistent login data -->
    	<beans:bean id="jdbcTokenRepository" class="org.springframework.security.ui.rememberme.JdbcTokenRepositoryImpl">
    		<beans:property name="createTableOnStartup" value="false" />
    		<beans:property name="dataSource" ref="dataSource" />
    	</beans:bean>
    I can extend the PersistentTokenBasedRememberMeServices class so that I could manually add the user to the session after successful login but this approach doesn't seem to create an entry in the database for the remember me to fetch.

    What I'd like to know is: should the user object be added to the session by default? And also, do I need to configure the other remember me services myself if I just want to add some custom code to onLoginSuccess()?

    Thanks.
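
Added example, not part of the thread and not the poster's code: a successful remember-me auto-login restores an Authentication in the SecurityContextHolder, but it does not set any application-specific session attribute, so code that reads its own user object from the HttpSession needs a fallback. The class name, the `CustomerLookup` interface and the `customer` attribute name are assumptions; the package names are those of Spring Security 2.0.x, matching the stack trace above.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
import org.springframework.security.providers.rememberme.RememberMeAuthenticationToken;

/** Hypothetical helper: resolves the application's user object for the current request. */
public class CurrentUserResolver {

    /** Hypothetical application DAO; stands in for however the site loads its own user record. */
    public interface CustomerLookup {
        Object findByEmail(String email);
    }

    // Assumed session attribute name; use whatever the normal login path stores.
    private static final String SESSION_KEY = "customer";

    private final CustomerLookup lookup;

    public CurrentUserResolver(CustomerLookup lookup) {
        this.lookup = lookup;
    }

    /** Returns the cached user, or rebuilds it from the security context; null if not logged in. */
    public Object resolve(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        Object cached = (session == null) ? null : session.getAttribute(SESSION_KEY);
        if (cached != null) {
            return cached;
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return null; // caller should send the user to login instead of dereferencing
        }
        // With the jdbc-user-service shown in post #1, the username is the e-mail address.
        Object customer = lookup.findByEmail(auth.getName());
        if (customer != null) {
            request.getSession(true).setAttribute(SESSION_KEY, customer);
        }
        return customer;
    }

    /** True when the login came from the remember-me cookie rather than a password. */
    public static boolean isRememberMeLogin(Authentication auth) {
        return auth instanceof RememberMeAuthenticationToken;
    }
}
```

Because a remember-me cookie is weaker evidence of identity than a fresh password login, `isRememberMeLogin` can be used to require full re-authentication before sensitive actions such as changing account details.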
