I have tokenValiditySeconds set in the Config.groovy as

```groovy
grails.plugins.springsecurity.rememberMe.tokenValiditySeconds=31*24*60*60
```

However, I want to set a different validity for all requests that come from, say, a sub-domain. I can identify domain info from the request object, but I am not able to override the tokenValiditySeconds from the CustomRememberMeService class.

By default the tokens will be valid for 14 days from the last successful authentication attempt. This can be changed using AbstractRememberMeServices.setTokenValiditySeconds(int). If this value is less than zero, the expiryTime will remain at 14 days, but the negative value will be used for the maxAge property of the cookie, meaning that it will not be stored when the browser is closed.

As per the documentation, I should be able to change the validity by using the `setTokenValiditySeconds(int)` method, but it does not have any effect.

So how to override the value set in the config file?

Thanks.

Edit:

```groovy
import javax.servlet.http.Cookie
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
// LoggedInUserDetails is the application's own UserDetails class (package not shown).

class CustomRememberMeService extends TokenBasedRememberMeServices {
    def springSecurityService;

    public final LoggedInUserDetails customAutoLogin(HttpServletRequest request, HttpServletResponse response) {
        def cookies = request.getCookies();
        if (!cookies) return null;
        // Look for the configured remember-me cookie first, then fall back to 'remember_me'.
        String rememberMeCookie = extractRememberMeCookie(request);
        for (int i = 0; i < cookies.length; i++) {
            Cookie c = cookies[i];
            if(c.getName().equals('remember_me') && rememberMeCookie == null) {
                rememberMeCookie = c.getValue();
            }
        }
        if (rememberMeCookie == null) return null
        // Note: this writes the remember-me token value to the debug log.
        logger.debug("rememberMeCookie is : ${rememberMeCookie}");

        if (rememberMeCookie.length() == 0) {
            cancelCookie(request, response);
            return null;
        }

        String[] cookieTokens = decodeCookie(rememberMeCookie);
        String username = cookieTokens[0];

        def loginContext = request.getParameter('loginContext')
        loginContext = (loginContext == null) ? "mainWeb" : loginContext

        setTokenValiditySeconds(60) // not working

        LoggedInUserDetails user = getUserDetailsService().loadUserByUsername("${username}#${request.getServerName().trim()}#${loginContext}")

        springSecurityService.reauthenticate("${username}#${request.getServerName().trim()}#${loginContext}")
    }
}
```

The resource.groovy file looks like:

```groovy
//..
customRememberMeService(com.rwi.springsecurity.services.CustomRememberMeService) {
    userDetailsService = ref('userDetailsService')
    springSecurityService = ref('springSecurityService')
    key = "${grailsApplication.config.grails.plugins.springsecurity.rememberMe.key}"
}
customRememberMeServicesFilter(CustomRememberMeServicesFilter){
    authenticationManager = ref('authenticationManager')
    rememberMeServices = ref('rememberMeServices')
    customRememberMeService = ref('customRememberMeService')
}
//..
```

CustomRemeberMEService.groovy

```groovy
// ..
class CustomRememberMeServicesFilter extends RememberMeAuthenticationFilter {
    def customRememberMeService;
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            LoggedInUserDetails rememberMeAuth = customRememberMeService.customAutoLogin(request, response);
        }
        chain.doFilter(request, response);
    }
}
```

  • Can you show your CustomRememberMyService and how you're registering it (e.g. your conf/spring/resources.groovy)? – ikumen Sep 09 '13 at 16:04
  • user2264997: ok. I will update it. Currently I am away from the code. –  Sep 09 '13 at 16:39
  • Update the question to include the current code. –  Sep 10 '13 at 04:30
  • The `setTokenValiditySeconds` is a configuration option, calling it in code after the cookie has been created is basically not going to do anything (at least not for the cookie that is already there). – M. Deinum Sep 10 '13 at 08:33
  • M. Deinum: So how can I customize the cookie setting part? I think the remember me cookie is set from the `AbstractRememberMeService.groovy` class (https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java#L342-L361). –  Sep 10 '13 at 09:44
  • I had overridden the `setCookie()` method in my `CustomRememberMeService` class, but it still sets the `maxAge` to the value specified in the `Config.groovy` even if I pass in `maxAge` as `60`. –  Sep 10 '13 at 09:47

1 Answer

Override the method `calculateLoginLifetime`; by default this will return the value as set in the configuration (it calls `getTokenValiditySeconds()`). By overriding this you can determine (based on the request) if the normal timeout should be passed or a custom one.

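```groovy
protected int calculateLoginLifetime(HttpServletRequest request, Authentication authentication) {
    // getRemoteAddr() returns the client's IP address; to match on the requested
    // host name instead, use request.getServerName().
    if (request.getRemoteAddr().startsWith("subdomain")) {
        return 15; // Or whatever you want, you could also make it configurable.
    }
    return getTokenValiditySeconds();
}
```
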
M. Deinum
  • Thanks for replying. I will look into it, but it will take quite a bit of time. Will respond after that. –  Sep 12 '13 at 12:45
  • This is not working. It still uses the value specified in the config file. –  Sep 17 '13 at 05:21
  • Make sure you are **only** overriding the `calculateLoginLifetime` and that your instance is also the actual instance getting used. – M. Deinum Sep 17 '13 at 05:23
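
The override from the answer together with the wiring point from the last comment, as an added example that is not code from the question, the answer or the plugin. It assumes the application defines its own bean under the name `rememberMeServices` (the name the question's filter already references); `HostAwareRememberMeServices`, the package, the `lifetimeByHost` property and the host name are hypothetical.

```groovy
// --- src/groovy/com/example/security/HostAwareRememberMeServices.groovy (hypothetical) ---
package com.example.security

import javax.servlet.http.HttpServletRequest
import org.springframework.security.core.Authentication
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices

class HostAwareRememberMeServices extends TokenBasedRememberMeServices {

    // Exact server name -> lifetime in seconds; populated from the bean definition below.
    Map<String, Integer> lifetimeByHost = [:]

    // Called from onLoginSuccess() when the cookie is issued: the value returned here
    // goes into both the signed expiry time inside the token and the cookie's maxAge.
    @Override
    protected int calculateLoginLifetime(HttpServletRequest request, Authentication authentication) {
        int configured = getTokenValiditySeconds()
        // getServerName() reflects the client-supplied Host header: match exact names only.
        String host = request.getServerName()?.trim()?.toLowerCase()
        Integer custom = lifetimeByHost[host]
        if (custom == null || custom <= 0) {
            return configured
        }
        // Design choice of this example: a host entry may shorten the lifetime, never extend it.
        return configured > 0 ? Math.min(custom, configured) : custom
    }
}

// --- grails-app/conf/spring/resources.groovy ---
import com.example.security.HostAwareRememberMeServices

beans = {
    // Same bean name as the one the filter references, so this instance is the one
    // that issues cookies. The definition replaces the default one wholesale, so any
    // other remember-me properties the application customises must be set here too.
    rememberMeServices(HostAwareRememberMeServices) {
        userDetailsService = ref('userDetailsService')
        key = "${grailsApplication.config.grails.plugins.springsecurity.rememberMe.key}"
        tokenValiditySeconds = 31 * 24 * 60 * 60
        lifetimeByHost = ['sub.example.com': 60]   // constructed host name
    }
}
```

A cookie issued before the change keeps its original expiry, because the expiry time is part of the signed token; the new lifetime applies from the next successful login.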