Yang

Reputation: 1

Spring Security 3 custom remember me

I want to change the remember-me request parameter to override the default parameter '_spring_security_remember_me', and customize my remember-me service to replace the <remember-me /> namespace config.

So I configured my remember-me service:

<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
    <property name="key" value="MY_REMEMBER_ME_KEY" />
    <property name="cookieName" value="MY_REMEMBER_ME_COOKIE" />
    <property name="parameter" value="remember" />
    <property name="tokenValiditySeconds" value="1209600" />
    <property name="useSecureCookie" value="true" />
    <property name="userDetailsService" ref="userDetailsService" />
    <property name="alwaysRemember" value="false" />
</bean>

Namespace config:

<intercept-url pattern="/secure/index" access="ROLE_ADMIN" />
<remember-me services-ref="rememberMeServices"/>

When I run the application and log in, I find the cookie is created. Then I close IE, reopen it, and enter the path '/secure/index'; Tomcat shows me that access is denied. But when I revert to the Spring Security default config, all is OK.

Debugging the code, I find:

RememberMeAuthenticationFilter#doFilter
...
Authentication rememberMeAuth = rememberMeServices.autoLogin(request, response);
...
//autoLogin(request, response) method code.
String rememberMeCookie = extractRememberMeCookie(request);
...
protected String extractRememberMeCookie(HttpServletRequest request) {
    Cookie[] cookies = request.getCookies();

    if ((cookies == null) || (cookies.length == 0)) {
        return null;
    }

    for (int i = 0; i < cookies.length; i++) {
        if (cookieName.equals(cookies[i].getName())) {
            return cookies[i].getValue();
        }
    }

    return null;
}

In the method extractRememberMeCookie(request), request.getCookies() always returns null when I use my custom remember-me service. But when I revert to the Spring Security default namespace <remember-me/> and do the same (clear cookies - log in - close IE - reopen - enter the path '/secure/index'), I also find the cookie is created, and debugging the code I find that request.getCookies() returns the cookie named 'SPRING_SECURITY_REMEMBER_ME_COOKIE' and authentication succeeds.

Is other config needed for remember-me authentication? I don't know; would someone help me?

Upvotes: 0

Views: 5210

Answers (3)

Ludovic Guillaume

Reputation: 3287

This is actually an old post. But I just had the issue of request.getCookies() being null with Spring 4.

I've removed useSecureCookie = true to fix it.

Upvotes: 0

Noushad

Reputation: 3030

Your <remember-me /> still needs a key.

This should be:

<remember-me key="MY_REMEMBER_ME_KEY" services-ref="rememberMeServices"/>

Upvotes: 2

Raghuram

Reputation: 52635

As per the documentation of TokenBasedRememberMeServices,

An org.springframework.security.core.userdetails.UserDetailsService is required by this implementation, so that it can construct a valid Authentication from the returned org.springframework.security.core.userdetails.UserDetails. This is also necessary so that the user's password is available and can be checked as part of the encoded cookie.

Perhaps your configuration is incorrect/incomplete.

Upvotes: 0
