Question

I have the following config:

<security:http auto-config="false" entry-point-ref="restAuthenticationEntryPoint" use-expressions="true">
        <security:remember-me services-alias="rememberMyCompany" key="MY-KEY" user-service-ref="myUserDetailsService"/>
        <security:custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER"/>
        <!-- Adds a logout filter to Spring Security filter chain -->
        <security:logout logout-url="/logout" delete-cookies="true" invalidate-session="true" success-handler-ref="restLogoutSuccessHandler"/>
    </security:http>
    <!-- Configures the authentication entry point that returns HTTP status code 401 -->
    <bean id="restAuthenticationEntryPoint" class="uk.co.axiomtechsolutions.ipf.security.authentication.RestAuthenticationEntryPoint"/>

    <!-- Configures a custom login filter bean -->
    <bean id="loginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureHandler" ref="restAuthenticationFailureHandler"/>
        <property name="authenticationSuccessHandler" ref="restAuthenticationSuccessHandler"/>
        <property name="rememberMeServices" ref="rememberMyCompany"/> <!--doesn't do anything?-->
        <property name="filterProcessesUrl" value="/login"/>
        <property name="usernameParameter" value="username"/>
        <property name="passwordParameter" value="password"/>
        <property name="allowSessionCreation" value="true"/>
        <property name="postOnly" value="true"/>
    </bean>

With this code in my AuthenticationSuccessHandler, which works. I tried a few combinations and this was the only way to get the cookie created, taken from the excellent tutorials here. However, programmatically calling the RememberMeServices doesn't feel right.

@Resource(name = "rememberMyCompany")
private RememberMeServices rememberMyCompany;
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                    Authentication authentication) throws ServletException, IOException {

    response.setStatus(HttpServletResponse.SC_NO_CONTENT);
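    // Wrap the request so every parameter lookup returns "true"; this makes the
    // remember-me parameter appear to be set when loginSuccess() checks for it.
    HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper(request) {
        @Override public String getParameter(String name) {
            return "true";
        }
    };
    rememberMyCompany.loginSuccess(wrapper, response, authentication);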
    clearAuthenticationAttributes(request);
}

A token-based RememberMeServices is created, along with a service-alias, but I cannot set up the login filter to use it unless I do the above, which doesn't feel very springy.

Solution

The UsernamePasswordAuthenticationFilter will call the RememberMeServices for you, before your authentication success handler executes. Whether it does anything or not depends on whether the request contains the "remember me" parameter.

So I'm guessing you don't have that parameter in the request. It's not clear from your question exactly what you're trying to achieve - whether you realise this and want to enable remember-me for all requests or not. To always set the cookie for authenticated requests, you can set the alwaysRemember flag on the RememberMeServices. However, this isn't exposed through the namespace, so you'd have to obtain a reference to the bean and do it that way (e.g. through a post-processor), or declare the bean manually.
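
The post-processor route mentioned in the answer could look like the following. This is an added example, not part of the original answer and not Spring Security's own code; the class name AlwaysRememberPostProcessor is hypothetical, and the secure-cookie line assumes the site is served over HTTPS only.

```java
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;

/**
 * Hypothetical class (not from the original page): switches on alwaysRemember
 * for the RememberMeServices bean that <security:remember-me> creates.
 */
public class AlwaysRememberPostProcessor implements BeanPostProcessor {

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName)
            throws BeansException {
        // Match on type so nothing depends on the name the bean is registered under.
        if (bean instanceof AbstractRememberMeServices) {
            AbstractRememberMeServices services = (AbstractRememberMeServices) bean;
            // Issue the remember-me cookie on every successful login,
            // whether or not the request carries the remember-me parameter.
            services.setAlwaysRemember(true);
            // Assumption: HTTPS-only deployment. Every user now receives a
            // persistent login cookie, so keep it off plain HTTP. Remove this
            // line if the application is also reachable over HTTP.
            services.setUseSecureCookie(true);
        }
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName)
            throws BeansException {
        // Nothing to do after initialization; return the bean unchanged.
        return bean;
    }
}

// Registration, in the same application context as the <security:http> element
// (prefix the class name with your own package):
//   <bean class="AlwaysRememberPostProcessor"/>
```

With the flag set, the rememberMeServices reference already configured on the loginFilter bean issues the cookie on each successful login, so the request wrapper and the manual loginSuccess() call in the success handler are no longer needed.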

Licensed under: CC-BY-SA with attribution