Jul 19th, 2010, 12:15 PM
Remember-me Service Auto-Login Handler
In my app I read a custom cookie (containing user settings) after each successful login event. I'm currently using a custom AuthenticationSuccessHandler for this, which works fine. Unfortunately I cannot use this approach, though, when I want to use a RememberMeService.
I had a look at the AbstractRememberMeServices implementation, but it unfortunately does not provide a clean hook I can use after the successful authentication object was created. AutoLogin is final and createSuccessfulAuthentication does not pass on the HttpServletResponse.
I could misuse the createSuccessfulAuthentication method for my needs (although changing of cookies would not work), but I hope there's a cleaner way of doing this?
Jul 19th, 2010, 01:49 PM
What about an after returning aspect for the remember me service? That way you have access to all you need...
Jul 19th, 2010, 02:34 PM
Have you looked into overriding RememberMeAuthenticationFilter#onSuccessfulAuthentication with an implementation of that method that delegates to your AuthenticationSuccessHandler? Similar to Marten's suggestion, you could write a composite implementation of RememberMeServices that delegates to another implementation and, if it is successful, processes the cookie with the AuthenticationSuccessHandler.
Jul 20th, 2010, 12:16 AM
How could I forget. Indeed, overriding/extending the RememberMeFilter and implementing onSuccessfulAuthentication would be even better/easier than writing an aspect.
Jul 20th, 2010, 03:20 AM
I'll probably go for a custom RememberMeFilter implementation and will extend the UsernamePasswordAuthenticationFilter as well, so that both filters call the same "onSuccesfulWebAuthentication" hook.
Jul 23rd, 2010, 05:23 AM
Just as a follow up, if anybody has the same problem.
I ended up writing a custom RememberMeFilter and, for the form-based login, used an AuthenticationSuccessHandler, which both delegate to a custom handler class in the case of a successful interactive login or successful auto login. Although this was all quite straightforward, it involved quite a bit of work, because with a custom RememberMeFilter you have to unroll the sec:form-login and sec:remember-me namespace.
IMHO things would be rather easy if this were provided out of the box, because I could imagine that this use case (i.e., "reading HTTP request related info after a successful login and storing things in the HTTP session") is not that rare.
After looking at the source a bit, I'm wondering whether it would be possible to extend Spring Security so that UsernamePasswordAuthenticationFilter and RememberMeAuthenticationFilter publish an AuthenticationEvent that includes the HTTP request and HTTP response as well as the authentication result? This would make things dead simple.
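The arrangement described in the follow-up post above, sketched as an added example that is not code from the thread or from Spring Security itself: a form-login success handler and a RememberMeAuthenticationFilter subclass both call one shared hook, which treats the settings cookie as untrusted input before copying it into the session. It assumes Spring Security 3.1 or later (two-argument filter constructor) and the javax.servlet API; the class names, the cookie name `userSettings` and the allowed value pattern are hypothetical.

```java
// Added example; PostLoginHook, HookSuccessHandler, HookRememberMeFilter and
// the "userSettings" cookie/session names are hypothetical.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;

/** Shared hook: runs after form login and after remember-me auto-login. */
class PostLoginHook {
    void onSuccessfulWebAuthentication(HttpServletRequest req, HttpServletResponse res, Authentication auth) {
        Cookie[] cookies = req.getCookies();            // null when the request carries no cookies
        if (cookies == null) return;
        for (Cookie c : cookies) {
            // The cookie is client-controlled: accept only a short, strictly formatted value.
            if ("userSettings".equals(c.getName()) && c.getValue() != null
                    && c.getValue().matches("[A-Za-z0-9_=.-]{1,256}")) {
                req.getSession().setAttribute("userSettings", c.getValue());
            }
        }
    }
}

/** Form-login path: configured as the AuthenticationSuccessHandler. */
class HookSuccessHandler implements AuthenticationSuccessHandler {
    private final PostLoginHook hook;
    HookSuccessHandler(PostLoginHook hook) { this.hook = hook; }
    public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth)
            throws IOException, ServletException {
        hook.onSuccessfulWebAuthentication(req, res, auth);
        res.sendRedirect(req.getContextPath() + "/");   // fixed target, not taken from the request
    }
}

/** Remember-me path: the filter's success callback calls the same hook. */
class HookRememberMeFilter extends RememberMeAuthenticationFilter {
    private final PostLoginHook hook;
    HookRememberMeFilter(AuthenticationManager am, RememberMeServices rms, PostLoginHook hook) {
        super(am, rms);
        this.hook = hook;
    }
    @Override
    protected void onSuccessfulAuthentication(HttpServletRequest req, HttpServletResponse res, Authentication auth) {
        hook.onSuccessfulWebAuthentication(req, res, auth);
    }
}
```

Unlike createSuccessfulAuthentication, the filter callback receives the HttpServletResponse, so the hook can also set or clear cookies on the auto-login path.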