William Wino

Reputation: 3819

When does spring security remember me process the cookie?

Spring security 3.1.1

So I made a custom remember me service which extends the default token based remember me service just to check if it's called or not.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

public class CustomTokenBasedRememberMeService extends TokenBasedRememberMeServices {

    @Override
    protected int calculateLoginLifetime(HttpServletRequest request, Authentication authentication) {
        System.out.println("COOKIE: Process1!");
        return super.calculateLoginLifetime(request, authentication);
    }

    @Override
    protected boolean isTokenExpired(long tokenExpiryTime) {
        System.out.println("COOKIE: Process2!");
        return super.isTokenExpired(tokenExpiryTime);
    }

    @Override
    protected String makeTokenSignature(long tokenExpiryTime, String username, String password) {
        System.out.println("COOKIE: Process3!");
        return super.makeTokenSignature(tokenExpiryTime, username, password);
    }

    @Override
    protected String retrievePassword(Authentication authentication) {
        System.out.println("COOKIE: Process4!");
        return super.retrievePassword(authentication);
    }

    @Override
    protected String retrieveUserName(Authentication authentication) {
        System.out.println("COOKIE: Process5!");
        return super.retrieveUserName(authentication);
    }

    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request, HttpServletResponse response) {
        System.out.println("COOKIE: Process6!");
        return super.processAutoLoginCookie(cookieTokens, request, response);
    }    

    @Override
    public void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) {
        System.out.println("COOKIE: Process7!");
        super.onLoginSuccess(request, response, successfulAuthentication);
    }
}

When I log in, it prints out:

INFO: COOKIE: Process7!
INFO: COOKIE: Process5!
INFO: COOKIE: Process4!
INFO: COOKIE: Process1!
INFO: COOKIE: Process3!

which means that it calls the onLoginSuccess(), retrieveUserName(), retrievePassword(), calculateLoginLifetime(), and makeTokenSignature().

The browser has accepted the cookie, but it's never processed, even after I deleted the session, restarted the browser, etc. I assume processAutoLoginCookie is responsible for this, but it's never called either.

What's the condition for spring security to process the cookie?

Upvotes: 1

Views: 2059

Answers (1)

OhadR

Reputation: 8839

In your case, you work with TokenBasedRememberMeServices. The processing happens in the parent, in AbstractRememberMeServices. It happens on its autoLogin() method.

This method is called by RememberMeAuthenticationFilter.doFilter(). The filter keeps as a member the rememberServices and calls its autoLogin(). So it does not really matter whether you work with PersistentTokenBasedRememberMeServices or with TokenBasedRememberMeServices; the cookie processing is the same and is handled by the parent.

Upvotes: 1
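
To trace the path described in the answer above, a diagnostic subclass can log at each overridable step that autoLogin() runs through; this is an added example, not code from the original posts or from Spring Security. RememberMeAuthenticationFilter only calls autoLogin() when the SecurityContext holds no Authentication, so silence from the first hook means the filter never reached this bean for that request. Assumptions: the class name is hypothetical, the class relies on the no-arg constructor as the question's class does, and it is the instance wired into the remember-me filter.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

// Added diagnostic example; TracingRememberMeServices is a hypothetical name.
public class TracingRememberMeServices extends TokenBasedRememberMeServices {

    private static final Logger LOG =
            Logger.getLogger(TracingRememberMeServices.class.getName());

    // First overridable step inside autoLogin(). If this never logs, the
    // filter is not calling autoLogin() on this bean for the request.
    @Override
    protected String extractRememberMeCookie(HttpServletRequest request) {
        String value = super.extractRememberMeCookie(request);
        // Log presence only: the value carries the username and a signature.
        LOG.info("remember-me: autoLogin reached, cookie present="
                + (value != null && value.length() > 0));
        return value;
    }

    // Runs only when a non-empty cookie was found.
    @Override
    protected String[] decodeCookie(String cookieValue) throws InvalidCookieException {
        String[] tokens = super.decodeCookie(cookieValue);
        LOG.info("remember-me: cookie decoded into " + tokens.length + " tokens");
        return tokens;
    }

    // Validates expiry and signature; an exception here rejects the token.
    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens,
            HttpServletRequest request, HttpServletResponse response) {
        UserDetails user = super.processAutoLoginCookie(cookieTokens, request, response);
        LOG.info("remember-me: token accepted");
        return user;
    }

    // Called when autoLogin() rejects a cookie, and also on failed login and logout.
    @Override
    protected void cancelCookie(HttpServletRequest request, HttpServletResponse response) {
        LOG.warning("remember-me: cookie cancelled");
        super.cancelCookie(request, response);
    }
}
```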
