Question

How do I get the remember-me value when login fails and the login page is reopened? Can I get the value of _spring_security_remember_me in the controller?

I just need to keep the value of the checkbox when a login error occurs!

Solution

You can try the following solution:

1. Insert a custom filter into the Spring Security filter chain.
2. Inside this filter, obtain the HTTP session and store the value of the request parameter there.

As we change the login form (adding another parameter), we need to customize Spring's representation of the login form and Spring's login processing filter. Here is the configuration:

<authentication-manager alias="authenticationManager"/>

<beans:bean id="myFilter" class="test.MyAuthenticationProcessingFilter">
    <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
    <beans:property name="defaultTargetUrl" value="/initialize.action"/>
    <beans:property name="authenticationFailureUrl" value="/login_failed.action"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
    <beans:property name="filterProcessesUrl" value="/perform_login"/>
</beans:bean>

<beans:bean id="entryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <beans:property name="loginFormUrl" value="/login.action"/>
</beans:bean>

MyAuthenticationProcessingFilter extends Spring's org.springframework.security.ui.webapp.AuthenticationProcessingFilter and wraps the attemptAuthentication method, obtaining the request parameter and storing it inside the HTTP session. This class is written just to show the idea; for better practice, browse the AuthenticationProcessingFilter code for the username and password parameters.

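package test;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;

public class MyAuthenticationProcessingFilter extends AuthenticationProcessingFilter {

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request)
            throws AuthenticationException {
        // Untrusted request value: escape it wherever the login page renders it.
        String param = request.getParameter("_spring_security_remember_me");

        // getSession(false) never creates a session, so the null check is meaningful.
        HttpSession session = request.getSession(false);
        if (session == null && getAllowSessionCreation()) {
            session = request.getSession();
        }
        if (session != null) {
            session.setAttribute("_spring_security_remember_me", param);
        }

        return super.attemptAuthentication(request);
    }

}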

You may notice that the "myFilter" and "entryPoint" beans together define parameters that are otherwise defined by the <form-login> element inside <http>. You use <form-login> when you want the default behavior. But in our case we use custom beans, so you should remove the <form-login> element completely. Now we need to tell <http> to use our beans. The "myFilter" bean is passed to the Spring chain by using the <custom-filter> element inside the bean definition:

<beans:bean id="myFilter" class="test.MyAuthenticationProcessingFilter">
    <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
    ...
</beans:bean>

"entryPoint" is passed to <http> using an attribute:

<http entry-point-ref="entryPoint">
    ...
    <!-- no form-login here -->
</http>
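
An added example, not part of the original answer: one way to carry the checkbox state from the custom filter to the login-page controller as a boolean instead of the raw parameter, so that request-controlled text is never rendered back into the form. The class name, the session key and the set of accepted checkbox values are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (hypothetical helper, not from the original answer).
 * Keeps the remember-me checkbox state across a failed login as a Boolean,
 * so no request-controlled text is echoed back into the login page.
 */
public final class RememberMeFormState {

    // Parameter name used by the login form discussed on this page.
    static final String PARAM = "_spring_security_remember_me";
    // Hypothetical session key, kept separate from the raw parameter name.
    static final String SESSION_KEY = "login.rememberMeChecked";

    private RememberMeFormState() {
    }

    /** Reduce the untrusted parameter to true/false. Accepted values are an assumption. */
    static boolean isChecked(String raw) {
        if (raw == null) {
            return false;
        }
        String v = raw.trim();
        return v.equalsIgnoreCase("true") || v.equalsIgnoreCase("on")
                || v.equalsIgnoreCase("yes") || v.equals("1");
    }

    /** Call from the custom filter before delegating to super.attemptAuthentication(). */
    public static void store(HttpServletRequest request, boolean allowSessionCreation) {
        HttpSession session = request.getSession(allowSessionCreation);
        if (session != null) {
            boolean checked = isChecked(request.getParameter(PARAM));
            session.setAttribute(SESSION_KEY, Boolean.valueOf(checked));
        }
    }

    /** Call from the login-page controller: reads the flag once, then clears it. */
    public static boolean consume(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Object flag = session.getAttribute(SESSION_KEY);
        session.removeAttribute(SESSION_KEY);
        return Boolean.TRUE.equals(flag);
    }
}
```

The login view then only has to emit the checked attribute when consume() returns true, which leaves nothing to escape.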

OTHER TIPS

Your question is a bit unclear, or you have a wrong image of how remember-me with Spring Security works. Read the Spring Security Reference, Chapter 11, "Remember-Me Authentication".

Briefly it works this way:

  • If a user logs in successfully with his user name and password and has enabled the remember-me checkbox, Spring Security will create a cookie that verifies the user and "send" it to the user.

  • A user who is not logged in requests a secured page (authentication required); Spring will check if he has a valid cookie.

    • If he has such a cookie, Spring Security will "log in" him "automatically" and show him the page.
    • If he has no valid cookie, Spring will forward him to the login page (see above).

I hope this helps you.

Licensed under: CC-BY-SA with attribution