
I need to define a custom RememberMeAuthenticationFilter so that I can override onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) and add my own logic there.

I've configured the XML in order to use my custom filter:

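 <!-- The two <custom-filter> entries replace the <form-login> and <remember-me>
      namespace elements. Be aware that the <remember-me> element is also what
      wires the RememberMeServices into logout; with a <custom-filter> nothing in
      this block clears the remember-me cookie unless <logout> does it explicitly
      (see delete-cookies below). -->
 <security:http disable-url-rewriting="true" request-matcher-ref="excludeUrlRequestMatcher" entry-point-ref="authenticationEntryPoint">
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter"/>
    <security:custom-filter position="REMEMBER_ME_FILTER" ref="extRememberMeProcessingFilter"/>

    <security:anonymous username="anonymous" granted-authority="ROLE_ANONYMOUS"/>

    <!-- "fixation" is expected to be a SessionAuthenticationStrategy bean that
         protects against session fixation (e.g. migrates/renews the session on login). -->
    <security:session-management session-authentication-strategy-ref="fixation" />

    <!-- Intercepts url HERE: removed for brevity -->

    <!-- form-login: replaced by the usernamePasswordAuthenticationFilter bean registered
         at FORM_LOGIN_FILTER above. The previous namespace settings were:
           login-page="/login"
           authentication-failure-handler-ref="loginAuthenticationFailureHandler"
           authentication-success-handler-ref="loginGuidAuthenticationSuccessHandler" -->

    <!-- delete-cookies must name the remember-me cookie exactly as configured on
         rememberMeServices (cookieName="myRememberMe"). Without it the browser re-sends
         the cookie on the first request after logout and the REMEMBER_ME_FILTER
         authenticates the user again, which makes logout appear not to work.
         NOTE(review): if MyRememberMeServices keeps server-side state (persistent tokens),
         deleting the cookie alone does not invalidate that state — also invoke
         rememberMeServices.logout(...) from a logout handler. -->
    <security:logout logout-url="/logout" success-handler-ref="logoutSuccessHandler" delete-cookies="myRememberMe"/>

    <!-- Port mappings are used when redirecting between http and https (requires-channel).
         The first pair is resolved from the externalized configuration via SpEL. -->
    <security:port-mappings>
        <security:port-mapping http="#{configurationService.configuration.getProperty('tomcat.http.port')}"
                               https="#{configurationService.configuration.getProperty('tomcat.ssl.port')}"/>
        <security:port-mapping http="80" https="443"/>
        <!--security:port-mapping http="#{configurationService.configuration.getProperty('proxy.http.port')}"
            https="#{configurationService.configuration.getProperty('proxy.ssl.port')}" /-->
    </security:port-mappings>

    <security:request-cache ref="httpSessionRequestCache"/>

    <security:access-denied-handler ref="b2bAccessDeniedHandler"/>

    <!-- remember-me: replaced by the extRememberMeProcessingFilter bean registered at
         REMEMBER_ME_FILTER above. The previous namespace setting was:
           <security:remember-me key="comtestrememberme" services-ref="rememberMeServices"/> -->

</security:http>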

<!-- Providers are consulted in declaration order. RememberMeAuthenticationProvider only
     handles RememberMeAuthenticationToken and accepts it when the token's key equals
     the provider's own key; form logins are handled by myAuthenticationProvider. -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="myAuthenticationProvider"/>
    <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
</security:authentication-manager>

<!-- Application-specific provider for the form login. It is handed a brute-force
     counter (presumably to throttle/lock after repeated failures) and the customer
     service it authenticates against. -->
<bean id="myAuthenticationProvider"
      class="com.test.security.MyAuthenticationProvider">
    <property name="bruteForceAttackCounter" ref="bruteForceAttackCounter"/>
    <property name="customerService" ref="customerService"/>
    <!-- NOTE(review): <aop:scoped-proxy/> is normally only needed for non-singleton
         scopes; confirm it is intentional on this (apparently singleton) bean. -->
    <aop:scoped-proxy/>
</bean>

<!-- Remember-me services shared by the form-login filter (which calls loginSuccess to
     issue the cookie) and the custom remember-me filter (which calls autoLogin to
     re-authenticate from it). -->
<bean id="rememberMeServices"
      class="com.test.security.MyRememberMeServices">
    <!-- Must be identical to the key on rememberMeAuthenticationProvider, otherwise the
         RememberMeAuthenticationToken produced here is rejected. If this class builds on
         TokenBasedRememberMeServices the key is also an input to the cookie signature, so
         treat it as a secret: use a long random value and keep it out of source control. -->
    <property name="key" value="comtestrememberme"/>
    <!-- Any cookie-clearing on logout (e.g. <logout delete-cookies="..."/>) must use this
         exact name, or the cookie survives logout and the user is logged back in. -->
    <property name="cookieName" value="myRememberMe"/>
    <!-- false: the cookie is only issued when the remember-me request parameter is sent. -->
    <property name="alwaysRemember" value="false"/>
    <property name="customerService" ref="customerService"/>
    <!-- SECURITY: the remember-me cookie is a long-lived credential. With useSecureCookie=false
         the browser will send it over plain HTTP as well, where it can be captured. Set this to
         true wherever the site is served over HTTPS (port-mappings above suggest it is). -->
    <property name="useSecureCookie" value="false"/>
    <!-- NOTE(review): <aop:scoped-proxy/> on a singleton bean — confirm it is intentional. -->
    <aop:scoped-proxy/>
</bean>

<!-- Validates RememberMeAuthenticationToken instances created by rememberMeServices.
     The key here must match the key configured on that bean. -->
<bean id="rememberMeAuthenticationProvider"
      class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    <property name="key" value="comtestrememberme"/>
    <!-- NOTE(review): <aop:scoped-proxy/> on a singleton bean — confirm it is intentional. -->
    <aop:scoped-proxy/>
</bean>

<!-- Form-login filter registered at FORM_LOGIN_FILTER. Because the <form-login> namespace
     element is not used, the success/failure handlers and the remember-me services must be
     wired here by hand; the filter calls rememberMeServices.loginSuccess(...) on a
     successful login so that the remember-me cookie is issued. -->
<bean id="usernamePasswordAuthenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <!-- Login form must POST to this URL. -->
    <property name="filterProcessesUrl" value="/j_spring_security_check"/>
    <property name="rememberMeServices" ref="rememberMeServices"/>
    <property name="authenticationSuccessHandler" ref="loginGuidAuthenticationSuccessHandler"/>
    <property name="authenticationFailureHandler" ref="loginAuthenticationFailureHandler"/>
</bean>

<!-- Redirects unauthenticated requests for protected resources to the login page;
     referenced from <security:http entry-point-ref="..."/>. -->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/login"/>
</bean>

<!-- Custom subclass of RememberMeAuthenticationFilter registered at REMEMBER_ME_FILTER.
     On every request without an authenticated SecurityContext it asks rememberMeServices
     to autoLogin from the remember-me cookie. Because this bypasses the <remember-me>
     namespace element, the services are NOT automatically added as a logout handler:
     make sure the <logout> configuration clears the "myRememberMe" cookie, or a
     logged-out user is re-authenticated by this filter on the very next request. -->
<bean id="extRememberMeProcessingFilter" class="com.test.security.filters.ExtRememberMeAuthenticationFilter">
    <property name="rememberMeServices" ref="rememberMeServices"/>
    <property name="authenticationManager" ref="authenticationManager"/>
</bean>

The remember-me cookie is created and my custom filter is invoked, but logout never takes effect.

When I click the logout button it looks as though I go through the authentication process again and the customer ends up logged in again.

If I revert back to the standard Spring Filters everything is working fine.

Have I missed something in the configuration?

filippo.derosa84

1 Answer


What is most likely happening is that your logout works fine, but nothing deletes the myRememberMe cookie. The session is invalidated, yet the browser still sends the remember-me cookie with the next request, and your custom REMEMBER_ME_FILTER uses it to authenticate the customer again. The `<security:remember-me>` namespace element normally registers the RememberMeServices as a logout handler for you; since you replaced it with a `<security:custom-filter>`, that wiring is gone.

Solution: add the `delete-cookies` attribute to your `<security:logout>` tag so the cookie is cleared on logout (the name must match the `cookieName` on your `rememberMeServices` bean). If your `MyRememberMeServices` also stores tokens server-side, clearing the cookie is not enough — call `rememberMeServices.logout(...)` from a logout handler as well so the server-side token is invalidated.

<security:logout logout-url="/logout" success-handler-ref="logoutSuccessHandler" delete-cookies="JSESSIONID,myRememberMe" />
being_ethereal