Remember-me authentication is not used with basic
authentication, given it is often not used with
HttpSession
s. Remember-me is used with
AuthenticationProcessingFilter
, and is implemented
via hooks in the AbstractProcessingFilter
superclass. The hooks will invoke a concrete
RememberMeServices
at the appropriate times. The
interface looks like this:
Authentication autoLogin(HttpServletRequest request, HttpServletResponse response); void loginFail(HttpServletRequest request, HttpServletResponse response); void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication);
Please refer to the JavaDocs for a fuller discussion on what the
methods do, although note at this stage that
AbstractProcessingFilter
only calls the
loginFail()
and loginSuccess()
methods. The autoLogin()
method is called by
RememberMeProcessingFilter
whenever the
SecurityContextHolder
does not contain an
Authentication
. This interface therefore provides
the underlying remember-me implementation with sufficient
notification of authentication-related events, and delegates to the
implementation whenever a candidate web request might contain a cookie
and wish to be remembered. This design allows any number of remember-me implementation
strategies. We've seen above that Spring Security provides
two implementations. We'll look at thes in turn.
This implementation supports the simpler approach described in the section called “Simple Hash-Based Token Approach”.
TokenBasedRememberMeServices
generates a
RememberMeAuthenticationToken
, which is processed
by RememberMeAuthenticationProvider
. A
key
is shared between this authentication provider
and the TokenBasedRememberMeServices
. In addition,
TokenBasedRememberMeServices
requires A
UserDetailsService from which it can retrieve the username and
password for signature comparison purposes, and generate the
RememberMeAuthenticationToken
to contain the
correct GrantedAuthority
[]s. Some sort of logout
command should be provided by the application that invalidates the cookie if
the user requests this. TokenBasedRememberMeServices
also implements Spring Security's
LogoutHandler
interface so can be used with LogoutFilter
to have the cookie cleared automatically.
The beans required in an application context to enable remember-me services are as follows:
<bean id="rememberMeProcessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter"> <property name="rememberMeServices" ref="rememberMeServices"/> <property name="authenticationManager" ref="theAuthenticationManager" /> </bean> <bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices"> <property name="userDetailsService" ref="myUserDetailsService"/> <property name="key" value="springRocks"/> </bean> <bean id="rememberMeAuthenticationProvider" class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider"> <property name="key" value="springRocks"/> </bean>
Don't forget to add your
RememberMeServices
implementation to your
AuthenticationProcessingFilter.setRememberMeServices()
property, include the
RememberMeAuthenticationProvider
in your
AuthenticationManager.setProviders()
list, and add
RememberMeProcessingFilter
into your
FilterChainProxy
(typically immediately after your
AuthenticationProcessingFilter
).
This class can be used in the same way as TokenBasedRememberMeServices
, but it additionally
needs to be configured with a PersistentTokenRepository
to store the tokens.
There are two standard implementations.
InMemoryTokenRepositoryImpl
which is intended for testing only.
JdbcTokenRepositoryImpl
which stores the tokens in a database.
The database schema is described above in the section called “Persistent Token Approach”.