
I have my REST web services secured with Spring Security. I'm returning the appropriate responses (401 for failure, 200 for success, etc.) via the various handlers. The client does not want to store the credentials on the device, so I cannot do true RESTful per-request authentication by passing the creds in the header of each request. So, I'm trying to set up the Persistent Token Approach with Remember-me.

I have the db table all set up and am able to log in. The login creates a row in the persistent_logins table of my database containing the series & token values.

My issue is twofold:

  1. What do I need to add in my successHandler class that returns the 200 response to the user to also return the token (do I need the series value as well?)?
  2. When testing via curl, how do I set this token in the header?

Here's my successHandler class:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

public class RestAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws ServletException, IOException {
        // REST client: answer 200 instead of redirecting to a target URL
        response.setStatus(HttpServletResponse.SC_OK);
        // drops the SPRING_SECURITY_LAST_EXCEPTION session attribute left by a failed login
        clearAuthenticationAttributes(request);
    }
}

Thanks in advance for any and all help!

SBerg413

1 Answer


The PersistentTokenBasedRememberMeServices will make sure to set a cookie on the response (SPRING_SECURITY_REMEMBER_ME_COOKIE by default) that contains the series and token value encoded, so you don't need any extra code in the auth success handler for that. When testing with curl, you only need to send this cookie back.

If you don't see this cookie in the response, check if the login request contains the _spring_security_remember_me=true parameter which indicates that the client actually requested the remember-me feature, or configure the alwaysRemember property of the PersistentTokenBasedRememberMeServices which is false by default.

zagyi
  • Thanks for the response! I was setting the _spring_security_remember_me value to true. However, I did not know about the alwaysRemember value, so thanks for that. Figured it out though: the clearAuthenticationAttributes call was stopping the cookie from coming back. So I removed that. – SBerg413 Feb 22 '13 at 15:31
    How come `clearAuthenticationAttributes()` removed the cookie? Did you override it? By default it only removes the session attribute `SPRING_SECURITY_LAST_EXCEPTION`. – zagyi Feb 22 '13 at 15:35
  • I did not override clearAuthenticationAttributes. Hmmmm... not sure why it's removing it. I'll have to play around with it and see. – SBerg413 Feb 22 '13 at 15:41
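To make concrete what the answer says is in that cookie, and why testing it with a hard-coded curl header can misbehave, here is a small model of the series/token remember-me scheme as Spring's PersistentTokenBasedRememberMeServices applies it. This is added example code, not Spring's implementation and not from the original post: the cookie value is base64("series:token") with the "=" padding stripped, which matches Spring's encoding, but the TokenStore and PersistentLogin classes, the users and the timestamps are constructed for the example. It answers both questions above: the login response already carries series and token together, so the success handler needs no extra code, and a later request presents that one cookie value back.

```python
from __future__ import annotations

import base64
import secrets
import time
from dataclasses import dataclass

# Spring's defaults (cookie name and two-week validity). Everything else in this
# file (TokenStore, PersistentLogin, the sample users) is constructed for the
# example and is not a Spring class.
COOKIE_NAME = "SPRING_SECURITY_REMEMBER_ME_COOKIE"
TOKEN_VALIDITY_SECONDS = 14 * 24 * 3600


class CookieTheftError(Exception):
    """Series found but token is stale: the cookie was replayed after a rotation."""


@dataclass
class PersistentLogin:
    """One row of the persistent_logins table."""
    username: str
    series: str
    token: str
    last_used: float


def random_value() -> str:
    # 16 random bytes, base64 (no ':' in the alphabet, so the join below is unambiguous)
    return base64.b64encode(secrets.token_bytes(16)).decode()


def encode_cookie(series: str, token: str) -> str:
    """Cookie value = base64('series:token') with the '=' padding stripped, as Spring does."""
    return base64.b64encode(f"{series}:{token}".encode()).decode().rstrip("=")


def decode_cookie(value: str) -> tuple[str, str]:
    """Inverse of encode_cookie: re-pad, decode, split on the first ':'."""
    padded = value + "=" * (-len(value) % 4)
    series, token = base64.b64decode(padded).decode().split(":", 1)
    return series, token


class TokenStore:
    """In-memory stand-in for the persistent_logins table behind JdbcTokenRepositoryImpl."""

    def __init__(self) -> None:
        self.rows: dict[str, PersistentLogin] = {}  # keyed by series

    def on_login_success(self, username: str, now: float | None = None) -> str:
        """Form login succeeded: create a fresh series and return the Set-Cookie value."""
        now = time.time() if now is None else now
        row = PersistentLogin(username, random_value(), random_value(), now)
        self.rows[row.series] = row
        return encode_cookie(row.series, row.token)

    def auto_login(self, cookie_value: str, now: float | None = None) -> tuple[str, str] | None:
        """A request arrived with only the cookie. Returns (username, rotated cookie),
        None if the cookie is unknown or expired, and raises on a series/token mismatch."""
        now = time.time() if now is None else now
        series, token = decode_cookie(cookie_value)
        row = self.rows.get(series)
        if row is None:
            return None  # never issued (or already purged): treat as not authenticated
        if row.token != token:
            # Right series, wrong token: this cookie value was already spent. Spring
            # deletes every series for the user and throws CookieTheftException, so a
            # stale value replayed from a curl command line logs the real client out too.
            for stale in [s for s, r in self.rows.items() if r.username == row.username]:
                del self.rows[stale]
            raise CookieTheftError(row.username)
        if now - row.last_used > TOKEN_VALIDITY_SECONDS:
            del self.rows[series]
            return None  # expired: the client has to log in with credentials again
        # Valid: rotate the token, keep the series, and hand back a new cookie value.
        row.token = random_value()
        row.last_used = now
        return row.username, encode_cookie(row.series, row.token)


if __name__ == "__main__":
    store = TokenStore()
    first = store.on_login_success("alice")      # what the login response sets
    user, second = store.auto_login(first)       # a later request sends it back
    print(f"{COOKIE_NAME}={second} rotated for {user}")
    try:
        store.auto_login(first)                  # replaying the spent value
    except CookieTheftError:
        print("stale cookie replayed: all of alice's series were removed")
```

For curl this means the cookie must be captured on login and re-saved on every call, because each successful remember-me request rotates the token half and sets a new cookie: log in with `curl -c jar.txt -d '<your login form fields>' -d '_spring_security_remember_me=true' https://host/login` (the form field names are whatever your login filter is configured with), then call the API with `curl -b jar.txt -c jar.txt https://host/api/...`. Pasting a fixed `-H 'Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=...'` works exactly once; the second use trips the mismatch branch above and removes every remembered login for that user. Because the cookie is a bearer credential that stands in for the password for the whole validity window, it should only travel over HTTPS (the services have a useSecureCookie property for the Secure flag).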