Spring-security : Remember me problème

Version imprimable

Bonjour,

J'essaye d'activer la fonctionnalité "remember me" sur un de nos projets utilisant Spring mais cela ne semble pas fonctionner.

Le cookie est bien crée au login quand la case est coché mais cela ne permet pas de se relogger automatiquement la fois suivante (je test en fermant l'onglet de mon projet et en supprimant le cookie JSESSIONID).

Si quelqu'un à une piste. Voici ma configuration de security (version 3.2.5)

Code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.2.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    <security:http pattern="/javax.faces.resource/**" security="none" />
 
    <security:http pattern="/pages/**" auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/pages/login.xhtml" access="permitAll()" />
        <security:intercept-url pattern="/pages/**" access="isAuthenticated()"/>
        <security:intercept-url pattern="/ws/**" access="hasIpAddress('127.0.0.1')" />
    </security:http>
 
    <security:http pattern="/**" auto-config="false" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/**" access="permitAll()" />
        <security:form-login login-page="/login"
                             login-processing-url="/j_spring_security_check"
                             authentication-failure-url="/login?error=login"
                             always-use-default-target="true"
                             default-target-url="/"
                             authentication-success-handler-ref="authenticationSuccessHandler" />
 
        <security:logout logout-url="/j_spring_security_logout"
                         invalidate-session="true"
                         logout-success-url="/login"  />
        <security:remember-me services-ref="rememberMeServices"/>
    </security:http>
 
    <security:authentication-manager  alias="authenticationManager">
        <security:authentication-provider ref="userDetailsAuthenticationProvider" />
    </security:authentication-manager>
 
    <bean id="userDetailsAuthenticationProvider" class="fr.xxxx.projet.authentication.UserDetailsAuthenticationProvider" />
 
    <bean id="rememberMeFilter" class=
        "org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <property name="rememberMeServices" ref="rememberMeServices"/>
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
 
    <bean id="rememberMeServices" class=
        "org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="pmsiAnalysorUserDetailsService"/>
        <property name="key" value="aKey"/>
    </bean>
 
    <bean id="rememberMeAuthenticationProvider" class=
        "org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <property name="key" value="aKey"/>
    </bean>       
 
</beans>

En vous remerciant :)

10/09/2015, 09h49
tchize_

Je suis pas expert là dedans mais

Citation:

Don't forget to add your RememberMeServices implementation to your UsernamePasswordAuthenticationFilter.setRememberMeServices() property, include the RememberMeAuthenticationProvider in your AuthenticationManager.setProviders() list, and add RememberMeAuthenticationFilter into your FilterChainProxy (typically immediately after your UsernamePasswordAuthenticationFilter).

Visiblement il manque le RememberMeAuthenticationProvider dans ton security:authentication-manager

Bon du coup j'ai ajouté le RememberMeAuthenticationProvider dans security:authentication-manager

J'ai aussi ajouté le service dans l'authentificationFilter par contre je ne vois pas comment faire le dernier point "add RememberMeAuthenticationFilter into your FilterChainProxy (typically immediately after your UsernamePasswordAuthenticationFilter)."
Car ma filter chain n'est pas défini en XML vu que j'utilise un DelegatingFilterProxy

Code:

1
2
3
4
5
6
7
8
9
10
11
12
    <!-- Spring security filter -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
 
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

Ma conf actuelle a du coup cette tête :

Code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
 
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.2.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    <security:http pattern="/javax.faces.resource/**" security="none" />
 
    <security:http pattern="/pages/**" auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/pages/login.xhtml" access="permitAll()" />
        <!--<security:intercept-url pattern="/pages/redirector.xhtml" access="isAuthenticated()" />
        <security:intercept-url pattern="/pages/assembled-index.xhtml" access="isAuthenticated()" />
        <security:intercept-url pattern="/pages/metrics.xhtml" access="isAuthenticated()" />
        <security:intercept-url pattern="/pages/profile.xhtml" access="isAuthenticated()" />-->
        <security:intercept-url pattern="/pages/**" access="isAuthenticated()"/>
        <security:intercept-url pattern="/ws/**" access="hasIpAddress('127.0.0.1')" />
        <!--<security:intercept-url pattern="/pages/**" access="permitAll()" />-->
    </security:http>
 
    <security:http pattern="/**" auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/**" access="permitAll()" />
        <security:form-login login-page="/login"
                             login-processing-url="/j_spring_security_check"
                             authentication-failure-url="/login?error=login"
                             always-use-default-target="true"
                             default-target-url="/"
                             authentication-success-handler-ref="authenticationSuccessHandler" />
 
        <security:logout logout-url="/j_spring_security_logout"
                         invalidate-session="true"
                         logout-success-url="/login" 
                         delete-cookies="SPRING_SECURITY_REMEMBER_ME_COOKIE"   />
        <security:remember-me services-ref="rememberMeServices"/>
    </security:http>
 
    <security:authentication-manager  alias="authenticationManager">
        <security:authentication-provider ref="userDetailsAuthenticationProvider" />
        <security:authentication-provider ref="rememberMeAuthenticationProvider" />
    </security:authentication-manager>
 
    <bean id="userDetailsAuthenticationProvider" class="fr.xxxxx.myProject.authentication.UserDetailsAuthenticationProvider" />
 
    <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" >
        <property name="rememberMeServices"  ref="rememberMeServices"/>
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
 
    <bean id="rememberMeFilter" class=
        "org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <property name="rememberMeServices" ref="rememberMeServices"/>
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
 
    <bean id="rememberMeServices" class=
        "org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="pmsiAnalysorUserDetailsService"/>
        <property name="key" value="aKey"/>
    </bean>
 
    <bean id="rememberMeAuthenticationProvider" class=
        "org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <property name="key" value="aKey"/>
    </bean>       
 
</beans>