remember me result is ignored by spring security, and i am still redirected to the login page

Question

My Spring Security XML is as following:

    <http use-expressions="true">
        <intercept-url pattern="/login" access="isAnonymous()" requires-channel="https"/>
        <intercept-url pattern="/login/" access="isAnonymous()" requires-channel="https" />
        <intercept-url pattern="/logout-success" access="isAnonymous()" />
        <intercept-url pattern="/logout-success/" access="isAnonymous()" />     
        <intercept-url pattern="/logout" access="isAuthenticated()" />

        <intercept-url pattern="/**" access="hasRole('ROLE_SUPER_ADMIN')" />
        <form-login login-page="/login/" default-target-url="/example/Login_execute"/>
        <logout logout-url="/logout" logout-success-url="/logout-success" />
        <remember-me services-ref="rememberMeServices"/>

        <port-mappings>
            <port-mapping http="8080" https="8443"/>
        </port-mappings>        
    </http>

...

    <beans:bean id="userDetailsService" class="com.myownpackage.UserAccountServiceImpl"/>

    <beans:bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <beans:property name="tokenRepository" ref="persistentTokenRepository" />
        <beans:property name="key" value="myownkey" />
    </beans:bean>

<beans:bean id="persistentTokenRepository" class="com.myownpackage.PersistentTokenRepositoryImpl" />  

Whenever I login and I tick the remember me, my program will save something to remember me database table (that's correct).

If I close my browser, re-open the browser, and open a page which requires authentication, my program will execute processAutoLoginCookie at PersistentTokenBasedRememberMeServices and returning correct UserDetails (that's also correct)

BUT, even so, I am still redirected to the login page.

By the way, the login page is customized, and what I do is just displaying JSP file with a form for login.

Is there any step I missed when writing the spring security XML?

Answer 1

Spring Security's "Remember Me" uses a Cookie in the client side, which is your browser.

From Spring's DOCS:

Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place. Spring Security provides the necessary hooks for these operations to take place, and has two concrete remember-me implementations. One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens.

Spring's idea is that you will be able to login automatically between different Sessions:

Server's Sessions, meaning when the Server "bounces" (goes down and then up), are handled, for example, by Persistency.

Clients' Session are handled by the browser (Cookies). The browser uses a Cookie that Spring sends, the Server verifies this Cookie and lets the user login automatically , without the need to enter credentials again.

Check the Cookies within your browser.

HTH.

Ohad.