Question

Is there some way that I can set the domain of the Spring Security RememberMe cookie after the user has authenticated? The change in API in version 3.1.4 makes subclassing and overriding the setCookie() method impractical. Also, at that point, I don't have the authentication information I need to determine which domain I want to set the cookie to.

Basically the system has two types of users and I want to set the cookie domain based on which type of user has logged in so that they can only use the remember-me authentication to get access to their user specific areas.

I'm trying to get the cookie out of the HttpServletRequest once the user has authenticated, then modify the domain and add the cookie back into the HttpServletResponse, but it's not working. The cookie that appears in the browser still has the root domain attached to it.

Is there an easier way of doing what I'm trying to do? It all feels like there should already be functionality somewhere to do this. Would it be possible to instead redirect in my CustomPersistentTokenBasedRememberMeService class? I know which area the user needs to be redirected to based on whether an exception is thrown or not.

Solution

I ended up following the suggestion of this post: Spring Security RememberMe success handler or url filtering and implemented an AuthenticationSuccessHandler that I passed to both my form login config and my remember me config.

<http>
    <form-login ... authentication-success-handler-ref="customAuthenticationSuccessHandler"/>
    <remember-me authentication-success-handler-ref="customAuthenticationSuccessHandler"/>
</http>

<beans:bean id="customAuthenticationSuccessHandler"
class="foo.bar.CustomAuthenticationSuccessHandler" />

and then at the end of my overridden onAuthenticationSuccess in my CustomAuthenticationSuccessHandler I just put:

response.sendRedirect(response.encodeRedirectURL(redirectAddress));

and it works like a charm.
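
A sketch of the handler class the answer describes, added here as an example and not the answerer's own code. The role name `ROLE_STAFF` and the two area paths are assumptions; the target is chosen from the authenticated user's authorities and a fixed server-side list, never from a request parameter.

```java
package foo.bar;

import java.io.IOException;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    // Assumed role name and area paths (not from the original post).
    // They are constants so the redirect target cannot be influenced
    // by anything the client sends.
    private static final String STAFF_ROLE = "ROLE_STAFF";
    private static final String STAFF_AREA = "/staff/home";
    private static final String CUSTOMER_AREA = "/customer/home";

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        // Called for both form login and remember-me login, because the
        // same bean is referenced from <form-login> and <remember-me>.
        Set<String> roles =
                AuthorityUtils.authorityListToSet(authentication.getAuthorities());

        // Pick the user-type specific area from the granted authorities.
        String area = roles.contains(STAFF_ROLE) ? STAFF_AREA : CUSTOMER_AREA;

        // Context-relative path only, so the redirect stays on this application.
        String redirectAddress = request.getContextPath() + area;
        response.sendRedirect(response.encodeRedirectURL(redirectAddress));
    }
}
```

The redirect only decides where the user lands after login; keeping each user type out of the other's area still depends on the `<intercept-url>` access rules for those paths.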

Licensed under: CC-BY-SA with attribution