Spring security remember me issue

Question

I'm using spring security in my app. Now I'm trying to make remember me functionality work correctly. Here is my spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:context="http://www.springframework.org/schema/context"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
             http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
             http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.1.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <context:component-scan base-package="core"/>

    <http auto-config="false" use-expressions="true">
        <intercept-url pattern="/views/**" access="permitAll"/>
        <form-login authentication-failure-handler-ref="loginFailure"
                    authentication-success-handler-ref="loginSuccess"/>
        <remember-me key="key"/>
        <logout
                invalidate-session="true"
                delete-cookies="true"/>

    </http>


    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="md5"/>
            <jdbc-user-service data-source-ref="ds"
                               users-by-username-query="SELECT email, password, enabled FROM tuser WHERE email=?"
                               authorities-by-username-query="SELECT tuser, role_id FROM user_role WHERE tuser=?"/>
        </authentication-provider>
    </authentication-manager>

    <global-method-security pre-post-annotations="enabled" secured-annotations="enabled" />

</beans:beans>

and here is my app code. jsp:

<form:form method="POST">

        <table>
            <tr>
                <td>User:</td>
                <td>
                    <input type="text" id="j_username"/>
                </td>
            </tr>
            <tr>
                <td>Password:</td>
                <td>
                    <input type="password" id="j_password"/>
                </td>
            </tr>
            <tr>
                <td>
                    <input type="checkbox" id="_spring_security_remember_me"/>
                </td>
                <td>
                    <s:message code="RememberMe"/>
                </td>
            </tr>
            <tr>
                <td colspan='2'>
                    <input id="loginBtn" name="submit" type="button" onclick="ajaxLogin()" value="Войти"/>
                </td>
            </tr>
        </table>

    </form:form>

and javascript that makes ajax login:

function ajaxLogin() {
    $("#errorText").css('display', 'none');
    $('#loginBtn').attr('disabled', 'true');

    var user_name = $("#j_username").val();
    var user_pass = $("#j_password").val();
    var rememberMe = $("#_spring_security_remember_me").prop("checked");

    $.ajax({
        url:"../../j_spring_security_check",
        data:{ j_username:user_name, j_password:user_pass, _spring_security_remember_me:rememberMe},
        type:"POST",
        beforeSend:function (xhr) {

            xhr.setRequestHeader("login-ajax", "true");
        },
        success:function (result) {

            if (result == "ok") {
                window.location.reload()
            } else {
                $("#errorText").css('display', 'block');
            }

        },
        error:function (XMLHttpRequest, textStatus, errorThrown) {
            return false;
        }
    })
    ;
}

The problem is that spring remembers user even if I do not check the remeber me option in the login form. If I remove from config file, it doesn't remember. Does the presence of this parameter makes spring behave like this? How can I control the remember me function? Thanks in advance!

Answer 1

property delete-cookies="true" in tag logout

<logout delete-cookies="true"/>

is not a boolean type it is comma separated list of cookies file name

in tag remember me

<remember-me/>

exist property token-validity-seconds which determines how many second your token is valid

e.g.

<remember-me key="key" token-validity-seconds="2419200" />   

means one month

perhaps when you login first time and after this logout your token is not deleted and still exist, but when you remove tag

<remember-me/>

it not work and everything is correct