I'm trying to implement the Remember Me functionality that is part of Spring 3.1 to allow customers to automatically log in when they have previously selected that option in the login form. Here is my actual implementation:

In spring-security-config.xml:

<security:http auto-config="false" entry-point-ref="myEntryPoint" request-matcher="regex" disable-url-rewriting="true">
    ...
    <security:remember-me key="mykey" authentication-success-handler-ref="rememberMeAuthenticationSuccessHandler"/>
</security:http>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="acceleratorAuthenticationProvider" />
    <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
</security:authentication-manager>

<bean id="rememberMeAuthenticationSuccessHandler" class="uk.co.portaltech.qlaccelerator.storefront.security.RememberMeAuthenticationSuccessHandler" scope="tenant">
    <property name="myCookieStrategy" ref="myCookieStrategy" />
    <property name="customerFacade" ref="customerFacade" />
</bean>

<!-- The key must equal key="mykey" on <security:remember-me> above; this provider
     rejects remember-me tokens whose key hash does not match (e.g. a value of "myKey"). -->
<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    <property name="key" value="mykey" />
</bean>

My login.jsp contains the Spring remember me checkbox:

<form:checkbox id="_spring_security_remember_me" class="rememberMe" path="_spring_security_remember_me" />

When I access the site the first time (over HTTP session), it doesn't log me in automatically, but as soon as I click on the login button (over HTTPS session) it automatically logs me in.

Is this the way it is supposed to work or am I missing something in the configuration to let Spring log me in when I access the site?

Shaun the Sheep
filippo.derosa84
  • Just to be clearer, what I need to do is to force the customer's login even when accessing a non-secured page, because when accessing secure pages the Remember Me functionality works fine (login form skipped and user automatically logged in). – filippo.derosa84 Mar 18 '14 at 12:31

2 Answers


Remember me lets the app remember the user across sessions, meaning if the server bounces or if the user closed his browser and reopened it. In these cases, the user will not be asked again for his credentials.

In the case you describe, the user (you) enters his credentials, and only then logs in? What does "automatically" mean?

Helpful links:

remember me result is ignored by spring security, and i am still redirected to the login page

Configuring remember-me in spring security

OhadR
  • "Automatically" means exactly what you said "if the user closed his browser and reopened it". The problem is that because the cookie is marked as "secure" when I reopen the browser on the site homepage (over HTTP) the user is not automatically logged in, while if I click on the /login url (over HTTPS) on at this point the user is logged in without asking credentials. – filippo.derosa84 Mar 18 '14 at 11:27

Check if the remember-me cookie is flagged as "secure" (look in your browser's cookie list). If so, it won't be sent over HTTP connections, which would explain what you see.

The default is to create a secure cookie if the request is over HTTPS. You can change this using the useSecureCookie property of the RememberMeServices implementation you are using.

Shaun the Sheep
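An added example of the change this answer describes, not taken from the question or the answer: the RememberMeServices bean is declared explicitly and wired in through services-ref so that useSecureCookie can be set. The bean id userDetailsService is an assumed name for the store's UserDetailsService; the key repeats the "mykey" value from the question.

```xml
<!-- Added example: explicit TokenBasedRememberMeServices with useSecureCookie switched off.
     "userDetailsService" is an assumed bean id for the application's UserDetailsService. -->
<security:http auto-config="false" entry-point-ref="myEntryPoint" request-matcher="regex" disable-url-rewriting="true">
    <!-- intercept-url and form-login elements unchanged from the question's configuration -->
    <!-- key must equal the key passed to the rememberMeServices bean below,
         and the key used by rememberMeAuthenticationProvider -->
    <security:remember-me key="mykey" services-ref="rememberMeServices"
        authentication-success-handler-ref="rememberMeAuthenticationSuccessHandler"/>
</security:http>

<bean id="rememberMeServices"
      class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
    <constructor-arg value="mykey"/>
    <constructor-arg ref="userDetailsService"/>
    <!-- Default behaviour: the cookie gets the Secure flag when the login request was over HTTPS,
         so it is never sent on plain HTTP. false drops the flag and the cookie travels on HTTP too. -->
    <property name="useSecureCookie" value="false"/>
    <!-- A cookie that can be observed on HTTP should not live for the two-week default; 1 day here -->
    <property name="tokenValiditySeconds" value="86400"/>
</bean>
```

Without the Secure flag the remember-me token is attached to every plain-HTTP request, so anyone able to observe that traffic holds a replayable login for the cookie's lifetime; on a site that mixes HTTP and HTTPS the lower-risk alternative is to keep the flag and serve the pages that need the logged-in state over HTTPS.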