Question

I want to store other user information in cookies like userId with username and password. I can get username from cookies when I use spring security remember me feature.

In spring-security.xml I am using custom userDetailService and I have implemented it like

    <http>
        ......
        <logout invalidate-session="true"
                logout-success-url="/"
                logout-url="/logout.htm"/>
        <remember-me user-service-ref="myUserDetailsService" key="89dqj219dn910lsAc12" token-validity-seconds="864000"/>
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="myUserDetailsService">
            <password-encoder ref="myEnocdePassword">
                <salt-source user-property="username"/>
            </password-encoder>
        </authentication-provider>
    </authentication-manager>
    <beans:bean id="myEnocdePassword" class="com.mycom.myproject.utility.MyEnocdePassword" />

In MyUserDetailService.java I have code like

    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {

        try {
            boolean enabled = true;
            boolean accountNonExpired = true;
            boolean credentialsNonExpired = true;
            boolean accountNonLocked = true;

            // Load the application's own user record by login name
            com.mycom.myproject.db.mybatis.model.User domainUser = userService.getUserByName(username);

            // Map it onto Spring Security's User (a UserDetails implementation)
            return new User(
                    domainUser.getUsername(),
                    domainUser.getPassword(),
                    enabled,
                    accountNonExpired,
                    credentialsNonExpired,
                    accountNonLocked,
                    getAuthorities(domainUser.getRoleId()));

        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

In my controller class I can get the username by using

    String name = SecurityContextHolder.getContext().getAuthentication()
            .getName();

but I want to store other user details in cookies like userId. How can I do that? Do I need to get the user info by userDao(name) and then manually store the userinfo in cookies?


Solution

You don't need to do anything with cookies in this case.

As long as the user is logged in (no matter how he logged in - using the login form or "remember me"), you can access the UserDetails of that user from SecurityContext; Spring Security takes care of it.

So, all you need is to put the required information into UserDetails in UserDetailsService.loadUserByUsername() (use your own subclass of UserDetails, if necessary), and access it via SecurityContext:

    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        Object principal = auth.getPrincipal();
        if (principal instanceof UserDetails) {
            UserDetails user = (UserDetails) principal;
            // User is logged in, now you can access its details
        }
    }

In other words, when Spring Security receives a request without an active session but with a remember-me cookie, it uses the user identity from the cookie to load UserDetails and put them into SecurityContext (and into the newly created session). Later you can access these details from SecurityContext.
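
The approach described in the answer above, as an added example that is not part of the original post: a UserDetails subclass that carries the user id on the server side, so neither the id nor the password ever needs to go into a cookie. The class name `AppUser` and the `getId()` getter mentioned in the comment are assumptions, not names from the question.

```java
import java.util.Collection;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;

// Hypothetical subclass (the name is an assumption): adds the database id to
// the standard UserDetails fields. loadUserByUsername() would return
//   new AppUser(domainUser.getId(), domainUser.getUsername(), ...)
// where getId() is an assumed getter on the question's domain User.
public class AppUser extends User {

    private static final long serialVersionUID = 1L;

    private final long userId;

    public AppUser(long userId, String username, String password,
                   Collection<? extends GrantedAuthority> authorities) {
        // Flags: enabled, accountNonExpired, credentialsNonExpired, accountNonLocked
        super(username, password, true, true, true, true, authorities);
        this.userId = userId;
    }

    public long getUserId() {
        return userId;
    }

    // Returns the id of the authenticated user, or null when the request is
    // anonymous or the principal was not created by our UserDetailsService.
    // Works the same for form login and remember-me, because in both cases
    // Spring Security calls loadUserByUsername() and stores the result.
    public static Long currentUserId() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.getPrincipal() instanceof AppUser) {
            return ((AppUser) auth.getPrincipal()).getUserId();
        }
        return null;
    }
}
```

A controller can then call `AppUser.currentUserId()` instead of reading anything from the request's cookies.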

OTHER TIPS

Usually there already is a cookie! You can store the values in the session.

If you'd like to store the values for a long time, you can use session passivation.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow