Hiya,

Using Spring Security 3.0.2, Spring 3.0.3 and Java 1.6 with Jetty 7.1.

I have remember-me set up like this:

Code:
    <sec:http use-expressions="true">
        <sec:intercept-url pattern="/foobar/login*" access="permitAll" />
        <sec:intercept-url pattern="/foobar/**" access="isAuthenticated()" />
        <sec:form-login login-page="/foobar/login" default-target-url="/foobar/search" always-use-default-target="true" login-processing-url="/cerberus" />
        <sec:session-management>
            <sec:concurrency-control max-sessions="1" />
        </sec:session-management>
        <sec:logout logout-url="/logout" logout-success-url="/foobar/login" />
        <sec:remember-me services-ref="rememberMeServices" key="FOOBAR" />
    </sec:http>

    <bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="parameter" value="rememberMe" />
        <property name="tokenValiditySeconds" value="604800" />
        <property name="cookieName" value="FOOBAR" />
        <property name="key" value="FOOBAR" />
        <property name="userDetailsService" ref="userService" />
    </bean>
(You like my cerberus, neato ;-))

Anyway, watching the logs, I see that Spring Security is correctly finding my cookie and processing it and passing me along the chain. Eventually it arrives at my LoginController (backing the URL /foobar/login). It appears that I now have to take control and determine what to do next, i.e.,:

Code:
    import javax.servlet.http.HttpServletRequest;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.security.authentication.AnonymousAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContext;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    public class LoginController {
        private static final Logger LOGGER = LoggerFactory.getLogger(LoginController.class);

        @RequestMapping("/login")
        public String index(final HttpServletRequest request) {
            // Already authenticated (form login or remember-me cookie): skip the login page.
            if (!isAnonymousLogin()) {
                return "redirect:/foobar/search";
            }
            return "login/index";
        }

        protected boolean isAnonymousLogin() {
            final SecurityContext securityContext = SecurityContextHolder.getContext();
            final Authentication authentication = securityContext.getAuthentication();
            // The anonymous filter stores an AnonymousAuthenticationToken for unauthenticated requests.
            final boolean isAnonymous = authentication instanceof AnonymousAuthenticationToken;
            LOGGER.debug("User is anonymous? {}", isAnonymous);
            return isAnonymous;
        }
    }
The logic being if the user is Anonymous, then they don't have a UsernamePasswordAuthenticationToken nor a RememberMeAuthenticationToken (so they don't have the cookie, nor are they already logged in).

Is this approach valid? It *smells* a bit that I'm doing something which Spring Security should do, i.e.,

Code:
<remember-me .... target-url="/foobar/search" />
This tells the remember-me service to take me to the URL if the remember-me process completes successfully. Of course, if I don't put on this attribute then I can take control manually (like I'm doing presently).

Perhaps I'm missing something, perhaps I'm writing code in my LoginController that I don't need to write...

-=bootlaces=-
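As an added example (not the poster's code), the same login-page decision written against Spring Security's own AuthenticationTrustResolver instead of an instanceof check, so that anonymous and remember-me tokens are classified the way the framework classifies them; the package, view names and the /foobar/search target are taken from the post, everything else is assumed.

```java
package example.web; // assumed package

import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LoginController {
    private static final Logger LOGGER = LoggerFactory.getLogger(LoginController.class);

    // Spring Security's resolver knows which token classes count as anonymous
    // and which as remember-me, so the controller does not hard-code instanceof checks.
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    @RequestMapping("/login")
    public String index(final HttpServletRequest request) {
        final Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // No authentication at all, or only the anonymous filter's placeholder token:
        // the user still has to log in, so render the form.
        if (auth == null || trustResolver.isAnonymous(auth)) {
            return "login/index";
        }

        if (trustResolver.isRememberMe(auth)) {
            // Authenticated by the remember-me cookie only: enough to skip the form,
            // but not a fresh password check. URLs that need one should be guarded
            // with access="fullyAuthenticated()" in <sec:http> rather than here.
            LOGGER.debug("User {} authenticated via remember-me cookie", auth.getName());
        }
        return "redirect:/foobar/search";
    }
}
```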