6

When I develop a non-reactive application and use the rememberMe feature in authentication, I just extend the WebSecurityConfigurerAdapter class and override the configure(HttpSecurity httpSecurity) method. In that case, I have a rememberMe() method in the httpSecurity object.

But there is a difference when I use Spring WebFlux. As far as I know, all I have to do is define a SecurityWebFilterChain bean using the instance of the ServerHttpSecurity class, by invoking a chain like:

```java
serverHttpSecurity.authorizeExchange()
        .anyExchange().authenticated()
        .and()
        .httpBasic()
        .build();
```

But there is no method to handle the rememberMe cookie here like in the HttpSecurity object, where I could handle it this way:

```java
httpSecurity.authorizeRequests()
        .anyRequest().authenticated()
        .and()
        .httpBasic()
        .and()
        .rememberMe();
```

Do you know any solution?

MichalG

2 Answers

2

Unfortunately, it seems impossible to do this.

There is an old issue on GitHub and unfortunately, it is not known when it is going to be solved.

The comments recommend using a longer session expiration and offloading the sessions into an external data store (i.e. Redis). This way, you can store information in a database instead of in cookies.

They recommend using the Spring Session project.

V. Mokrecov
  • I am using JWT and don't want to use external session storage like Redis or any other storage. So Spring Session is not an option for me. – user1578872 Apr 12 '20 at 18:26
  • Maybe here - https://stackoverflow.com/questions/23603801/handling-expiry-remember-me-functionality-with-jwt there is an answer to your question, i.e. perhaps you should make infinite sessions together with JWT and implement the algorithm described by the link. – V. Mokrecov Apr 12 '20 at 20:25
0

The comments say to use a longer session expiration and to offload the sessions into an external data store (i.e. Redis). This way, you can store information in a database instead of in cookies.

They say to use the Spring Session project.
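
The workaround both answers describe (a long session lifetime with sessions kept in Redis through Spring Session), sketched as an added example that is not code from the thread or from the Spring project. It assumes spring-session-data-redis with the Lettuce client on the classpath and the Spring Security 5.x-style DSL used in the question; the class name, the Redis host and port, and the 14-day lifetime are assumed values.

```java
// Added example: emulates remember-me in WebFlux with a long-lived, Redis-backed session.
// Class name, Redis address and the 14-day lifetime are assumptions, not from the thread.
import java.time.Duration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
import org.springframework.session.data.redis.config.annotation.web.server.EnableRedisWebSession;
import org.springframework.web.server.session.CookieWebSessionIdResolver;
import org.springframework.web.server.session.WebSessionIdResolver;

@Configuration
@EnableWebFluxSecurity
// Server side: the session record in Redis expires after this much inactivity.
@EnableRedisWebSession(maxInactiveIntervalInSeconds = LongLivedSessionConfig.SESSION_SECONDS)
public class LongLivedSessionConfig {

    static final int SESSION_SECONDS = 14 * 24 * 60 * 60;

    @Bean
    public LettuceConnectionFactory redisConnectionFactory() {
        return new LettuceConnectionFactory("localhost", 6379); // assumed Redis address
    }

    @Bean
    public WebSessionIdResolver webSessionIdResolver() {
        CookieWebSessionIdResolver resolver = new CookieWebSessionIdResolver();
        // Client side: a Max-Age makes the cookie survive a browser restart,
        // which is the part of remember-me a default session cookie lacks.
        resolver.setCookieMaxAge(Duration.ofSeconds(SESSION_SECONDS));
        // The cookie is now a long-lived credential, so restrict where it can travel.
        resolver.addCookieInitializer(c -> c.httpOnly(true).secure(true).sameSite("Lax"));
        return resolver;
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http.authorizeExchange()
                .anyExchange().authenticated()
                .and()
                .httpBasic()
                // Store the authenticated context in the WebSession so the cookie alone suffices.
                .securityContextRepository(new WebSessionServerSecurityContextRepository())
                .and()
                .build();
    }
}
```

Because the session id now acts as a two-week bearer credential, logout and password changes should delete the session record in Redis rather than wait for it to expire.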