#1
Hello,

We're using Spring Security 2.0.1 on our webapp to manage user authentication. Our customer wishes to remain connected for several days, so we decided to use the 'remember me' service provided by the framework.
So far, it's working great with the default configuration, including the storage of user tokens in the database. Here's our config file:

Code:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans>

    <!-- Configuration Spring Security 2 -->
    <http session-fixation-protection="none">
        <intercept-url pattern="/login" filters="none" />
        <!-- all other resources require login -->
        <intercept-url pattern="/**" access="ROLE_PATIENT" />
        <form-login login-page="/login"
                    always-use-default-target="true"
                    default-target-url="/navigation"
                    login-processing-url="/login.form"
                    authentication-failure-url="/login?error=true" />
        <logout invalidate-session="true" logout-url="/logout" logout-success-url="/login" />
        <remember-me token-repository-ref="tokenRepository" user-service-ref="userService" key="springRocks" />
    </http>

    <authentication-manager alias="authenticationManager" />

    <authentication-provider user-service-ref="userService">
        <password-encoder hash="md5">
            <salt-source user-property="username" />
        </password-encoder>
    </authentication-provider>

    <beans:bean id="authenticationProcessingFilter"
                class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
        <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationFailureUrl" value="/widget/error" />
        <beans:property name="defaultTargetUrl" value="/widget/result" />
        <beans:property name="filterProcessesUrl" value="/widget" />
        <beans:property name="rememberMeServices" ref="_rememberMeServices" />
    </beans:bean>

    <beans:bean id="tokenRepository"
                class="org.springframework.security.ui.rememberme.JdbcTokenRepositoryImpl">
        <beans:property name="dataSource" ref="dataSource" />
    </beans:bean>

</beans:beans>
```

But the token that was stored in the jdbc repository is not cleared :-( What should we add to the configuration to add this behaviour? We fear that in production environment, the table used by the token repo might just grow and grow... with tokens that would eventually expire...

Also, we understood that the

Code:
```xml
<remember-me token-repository-ref="tokenRepository" user-service-ref="userService" key="springRocks" />
```

Is there any example available?

Thank you in advance and congrats for this great framework!

Xavier
#2
Can't you just add a batch process to your database that clears out stale rows after a certain period?
There is support for setting the validity period and a custom services object in the 2.0.2 roadmap.
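
The batch cleanup suggested in #2, as an added example that is not part of the thread or of Spring Security itself. It assumes the default `persistent_logins` table used by `JdbcTokenRepositoryImpl` and a two-week token validity, uses an in-memory SQLite database as a stand-in for the production database, and the names `purge_stale_tokens` and `demo` are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta

# Table layout JdbcTokenRepositoryImpl expects (its default schema).
SCHEMA = """CREATE TABLE persistent_logins (
    username VARCHAR(64) NOT NULL, series VARCHAR(64) PRIMARY KEY,
    token VARCHAR(64) NOT NULL, last_used TIMESTAMP NOT NULL)"""
# Assumption: tokens use a two-week validity period.
TOKEN_VALIDITY = timedelta(seconds=1209600)
FMT = "%Y-%m-%d %H:%M:%S"


def purge_stale_tokens(conn, now, validity=TOKEN_VALIDITY, batch_size=1000):
    """Delete rows last used before now - validity; return rows removed.

    Works in batches so a large backlog never sits in one long transaction.
    """
    cutoff = (now - validity).strftime(FMT)
    removed = 0
    while True:
        cur = conn.execute(
            "DELETE FROM persistent_logins WHERE series IN ("
            "SELECT series FROM persistent_logins WHERE last_used < ? LIMIT ?)",
            (cutoff, batch_size))
        conn.commit()
        removed += cur.rowcount
        if cur.rowcount < batch_size:
            return removed


def demo():
    """Purge constructed sample rows; return (removed, usernames still stored)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    now = datetime(2008, 6, 30, 12, 0, 0)
    rows = [  # constructed data: (username, series, token, age of last use)
        ("alice", "s1", "t1", timedelta(days=1)),
        ("bob", "s2", "t2", timedelta(days=13, hours=23)),
        ("carol", "s3", "t3", timedelta(days=15)),
        ("carol", "s4", "t4", timedelta(days=40)),
    ]
    conn.executemany(
        "INSERT INTO persistent_logins VALUES (?, ?, ?, ?)",
        [(u, s, t, (now - age).strftime(FMT)) for u, s, t, age in rows])
    removed = purge_stale_tokens(conn, now, batch_size=1)
    left = [r[0] for r in conn.execute(
        "SELECT username FROM persistent_logins ORDER BY series")]
    return removed, left


if __name__ == "__main__":
    print(demo())
```

Keep the purge cutoff at least as long as the configured remember-me validity, otherwise the job deletes tokens that are still usable and logs those users out early.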
#3
Hello,

OK, that's a solution we can use until the 2.0.2 version is released.

Thanks,
Xavier