Reputation: 75
I'm currently trying to implement a login mechanism in my Spring web application and I'm a little bit confused about the security concepts which are used in Spring.
If I access a page requiring login, it correctly redirects to the login page. After login the actual page is visible (good so far).
Code for this:
<security:http use-expressions="true" auto-config="true">
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <security:form-login login-page="/login" default-target-url="/welcome"
                         authentication-failure-url="/loginfailed" />
    <security:logout logout-success-url="/logout" />
    <security:remember-me/>
</security:http>
However, if I access the same page again I need to log in AGAIN. So I need some kind of security session. I have already tried and read lots of things about remember-me and session management but couldn't find out how to do it.
Can somebody please give me some directions, the appropriate chapter in the Spring documentation or a keyword?
Login Form
<form name='f' action="<c:url value='j_spring_security_check' />"
method='POST'>
<table>
<tr>
<td>User:</td>
<td><input type='text' name='j_username' value=''>
</td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='j_password' />
</td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit"
value="submit" />
</td>
</tr>
<tr>
<td colspan='2'><input name="reset" type="reset" />
</td>
</tr>
</table>
</form>
LoginController.java
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginController {

    // Renders the login form; Spring Security's filter handles the POST to j_spring_security_check.
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login(ModelMap model) {
        return "login";
    }

    // Target of authentication-failure-url: re-render the form with an error flag.
    @RequestMapping(value = "/loginfailed", method = RequestMethod.GET)
    public String loginerror(ModelMap model) {
        model.addAttribute("error", "true");
        return "login";
    }

    // Target of logout-success-url.
    @RequestMapping(value = "/logout", method = RequestMethod.GET)
    public String logout(ModelMap model) {
        return "login";
    }
}
Upvotes: 1
Views: 4292
Reputation: 17528
It's quite mysterious why the security session is not maintained for the second request after the login, because your config looks fine. Some logs would be useful to troubleshoot this issue. Enable trace level logging on org.springframework.security and share the logs after reproducing the problem.
A comment would have been enough to say this so far, but I also wanted to clarify the configuration and usage of the remember-me feature, because you had some problem there too.
The remember-me service should work with the simple configuration that you have in your original question. As you didn't specify a data-source-ref on <remember-me>, a simpler and less secure implementation will be applied which doesn't persist the tokens that were issued to the client.
It's not mandatory, but by configuring the data-source-ref you could gain some additional security: you would be able to warn the user if his remember-me token (cookie) had been stolen and used by an attacker to log in to your site with the user's identity. This is worthwhile enough to consider investing the additional effort.
Now the important thing: an under-documented feature of the remember-me service is that the client has to explicitly ask the server to remember his login by sending a request parameter with the name _spring_security_remember_me. So you'll have to insert something like the following snippet into your login form.
<p>
<label for="_spring_security_remember_me">Remember-me</label>
<input id="_spring_security_remember_me"
name="_spring_security_remember_me" type="checkbox"/>
</p>
The remember-me service won't do anything without this. (For the sake of completeness: there is an alternative option to set the alwaysRemember flag on the remember-me service, but that's a bit inconvenient, because this configuration point isn't exposed by the security namespace.)
Upvotes: 1
Reputation: 47300
You'll need to add this to your security definition in the conf file:
<security:remember-me services-alias="rememberMeService" data-source-ref="dataSource" user-service-ref="userService"/>
</security:http>
and create a persistent logins table:
create table persistent_logins (username varchar(64) not null, series varchar(64) primary key, token varchar(64) not null, last_used timestamp not null)
But I am now repeating the official docs.
Upvotes: 1
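The two answers above point at the same mechanism from different ends: the first says a data-source-ref lets you warn the user when a remember-me cookie has been stolen, the second shows the persistent_logins table (username, series, token, last_used) that makes this possible. The added example below, which is not code from the question, the answers or Spring itself, simulates that series/token scheme in a few dozen lines so the detection logic is visible. Spring Security's persistent token implementation follows the same scheme; the class PersistentLoginDemo, its Cookie and Row types, the Outcome enum and the method names are all invented for this illustration, and an in-memory HashMap stands in for the database table. Without data-source-ref Spring falls back to a hash-based cookie that cannot distinguish a copy from the original, which is exactly what this scheme fixes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustration only (hypothetical, not Spring's code) of the series/token
 * remember-me scheme that the persistent_logins table supports.
 */
public class PersistentLoginDemo {

    /** What the browser stores: the series stays fixed, the token changes on every use. */
    static final class Cookie {
        final String series;
        String token;
        Cookie(String series, String token) { this.series = series; this.token = token; }
    }

    /** One row of persistent_logins; the map below is keyed by series. */
    static final class Row {
        final String username;
        String token;
        long lastUsed;
        Row(String username, String token, long lastUsed) {
            this.username = username; this.token = token; this.lastUsed = lastUsed;
        }
    }

    enum Outcome { LOGGED_IN, THEFT_DETECTED, UNKNOWN_COOKIE }

    private final Map<String, Row> table = new HashMap<>(); // stands in for persistent_logins
    private final SecureRandom random = new SecureRandom();

    private String randomValue() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /** Compare secrets without leaking their common prefix length through timing. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /** Called after a successful form login with the remember-me box ticked: start a new series. */
    Cookie issue(String username) {
        Cookie c = new Cookie(randomValue(), randomValue());
        table.put(c.series, new Row(username, c.token, System.currentTimeMillis()));
        return c;
    }

    /** Called for a request that arrives with no session, only the remember-me cookie. */
    Outcome present(Cookie c) {
        Row row = table.get(c.series);
        if (row == null) {
            return Outcome.UNKNOWN_COOKIE;
        }
        if (!constantTimeEquals(row.token, c.token)) {
            // Known series, stale token: this cookie was already used once and rotated,
            // so two parties hold copies of it. Revoke every series for the user so that
            // both are forced back to the password form, and let the caller warn the user.
            table.values().removeIf(r -> r.username.equals(row.username));
            return Outcome.THEFT_DETECTED;
        }
        // Valid use: rotate the token so the value just presented can never be replayed.
        row.token = randomValue();
        row.lastUsed = System.currentTimeMillis();
        c.token = row.token; // the rotated value is sent back to the client as the new cookie
        return Outcome.LOGGED_IN;
    }

    public static void main(String[] args) {
        PersistentLoginDemo service = new PersistentLoginDemo();

        Cookie user = service.issue("alice");
        // Constructed scenario: an attacker copies the cookie before the user's next visit.
        Cookie stolen = new Cookie(user.series, user.token);

        System.out.println("user returns:       " + service.present(user));
        System.out.println("attacker replays:   " + service.present(stolen));
        System.out.println("user returns again: " + service.present(user));
    }
}
```

Running the main method walks through the three cases: the user's own return is accepted and the token is rotated; the attacker's stale copy hits the known series with a wrong token and is reported as theft, which wipes every row for alice; the user's following request then finds no series and is sent to the password form, where the warning can be shown. The caveat is that the scheme only detects theft on the second use of a copy: if the attacker presents the cookie first, the attacker is logged in and it is the legitimate user who triggers the revocation. So it complements, rather than replaces, serving the cookie over HTTPS with the Secure and HttpOnly flags and keeping the token validity short.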