Discussion :

[Lady]

Bonjour,

J'essaye d'activer la fonctionnalité "remember me" sur un de nos projets utilisant Spring mais cela ne semble pas fonctionner.

Le cookie est bien crée au login quand la case est coché mais cela ne permet pas de se relogger automatiquement la fois suivante (je test en fermant l'onglet de mon projet et en supprimant le cookie JSESSIONID).

Si quelqu'un à une piste. Voici ma configuration de security (version 3.2.5)

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.2.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    <security:http pattern="/javax.faces.resource/**" security="none" />
 
    <security:http pattern="/pages/**" auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/pages/login.xhtml" access="permitAll()" />
        <security:intercept-url pattern="/pages/**" access="isAuthenticated()"/>
        <security:intercept-url pattern="/ws/**" access="hasIpAddress('127.0.0.1')" />
    </security:http>
 
    <security:http pattern="/**" auto-config="false" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/**" access="permitAll()" />
        <security:form-login login-page="/login"
                             login-processing-url="/j_spring_security_check"
                             authentication-failure-url="/login?error=login"
                             always-use-default-target="true"
                             default-target-url="/"
                             authentication-success-handler-ref="authenticationSuccessHandler" />
 
        <security:logout logout-url="/j_spring_security_logout"
                         invalidate-session="true"
                         logout-success-url="/login"  />
        <security:remember-me services-ref="rememberMeServices"/>
    </security:http>
 
    <security:authentication-manager  alias="authenticationManager">
        <security:authentication-provider ref="userDetailsAuthenticationProvider" />
    </security:authentication-manager>
 
    <bean id="userDetailsAuthenticationProvider" class="fr.xxxx.projet.authentication.UserDetailsAuthenticationProvider" />
 
    <bean id="rememberMeFilter" class=
        "org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <property name="rememberMeServices" ref="rememberMeServices"/>
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
 
    <bean id="rememberMeServices" class=
        "org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="pmsiAnalysorUserDetailsService"/>
        <property name="key" value="aKey"/>
    </bean>
 
    <bean id="rememberMeAuthenticationProvider" class=
        "org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <property name="key" value="aKey"/>
    </bean>       
 
</beans>

En vous remerciant

[tchize_]

Je suis pas expert là dedans mais

Don't forget to add your RememberMeServices implementation to your UsernamePasswordAuthenticationFilter.setRememberMeServices() property, include the RememberMeAuthenticationProvider in your AuthenticationManager.setProviders() list, and add RememberMeAuthenticationFilter into your FilterChainProxy (typically immediately after your UsernamePasswordAuthenticationFilter).

Visiblement il manque le RememberMeAuthenticationProvider dans ton security:authentication-manager

[Lady]

Bon du coup j'ai ajouté le RememberMeAuthenticationProvider dans security:authentication-manager

J'ai aussi ajouté le service dans l'authentificationFilter par contre je ne vois pas comment faire le dernier point "add RememberMeAuthenticationFilter into your FilterChainProxy (typically immediately after your UsernamePasswordAuthenticationFilter)."
Car ma filter chain n'est pas défini en XML vu que j'utilise un DelegatingFilterProxy

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
    <!-- Spring security filter -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
 
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

Ma conf actuelle a du coup cette tête :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
 
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.2.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    <security:http pattern="/javax.faces.resource/**" security="none" />
 
    <security:http pattern="/pages/**" auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/pages/login.xhtml" access="permitAll()" />
        <!--<security:intercept-url pattern="/pages/redirector.xhtml" access="isAuthenticated()" />
        <security:intercept-url pattern="/pages/assembled-index.xhtml" access="isAuthenticated()" />
        <security:intercept-url pattern="/pages/metrics.xhtml" access="isAuthenticated()" />
        <security:intercept-url pattern="/pages/profile.xhtml" access="isAuthenticated()" />-->
        <security:intercept-url pattern="/pages/**" access="isAuthenticated()"/>
        <security:intercept-url pattern="/ws/**" access="hasIpAddress('127.0.0.1')" />
        <!--<security:intercept-url pattern="/pages/**" access="permitAll()" />-->
    </security:http>
 
    <security:http pattern="/**" auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/**" access="permitAll()" />
        <security:form-login login-page="/login"
                             login-processing-url="/j_spring_security_check"
                             authentication-failure-url="/login?error=login"
                             always-use-default-target="true"
                             default-target-url="/"
                             authentication-success-handler-ref="authenticationSuccessHandler" />
 
        <security:logout logout-url="/j_spring_security_logout"
                         invalidate-session="true"
                         logout-success-url="/login" 
                         delete-cookies="SPRING_SECURITY_REMEMBER_ME_COOKIE"   />
        <security:remember-me services-ref="rememberMeServices"/>
    </security:http>
 
    <security:authentication-manager  alias="authenticationManager">
        <security:authentication-provider ref="userDetailsAuthenticationProvider" />
        <security:authentication-provider ref="rememberMeAuthenticationProvider" />
    </security:authentication-manager>
 
    <bean id="userDetailsAuthenticationProvider" class="fr.xxxxx.myProject.authentication.UserDetailsAuthenticationProvider" />
 
    <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" >
        <property name="rememberMeServices"  ref="rememberMeServices"/>
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
 
    <bean id="rememberMeFilter" class=
        "org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <property name="rememberMeServices" ref="rememberMeServices"/>
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
 
    <bean id="rememberMeServices" class=
        "org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="pmsiAnalysorUserDetailsService"/>
        <property name="key" value="aKey"/>
    </bean>
 
    <bean id="rememberMeAuthenticationProvider" class=
        "org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <property name="key" value="aKey"/>
    </bean>       
 
</beans>