RememberMeConfigurer does not use the key from RememberMeServices #4140

Closed
@rcomblen

Description

Summary

Using Spring Boot 1.4.2 and Spring Security 4.1.3

I want to use a custom RememberMeServices.

I need to specify the secret key in both the RememberMeServices instantiation and in the RememberMeConfigurer usage.

Actual Behavior

Usage that works:

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    // The remember-me secret, injected from configuration
    @Value("${rememberMe.key}")
    private String rememberMeKey;

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
            ...
            // The key has to be passed here as well as to the services bean below
            .rememberMe().key(rememberMeKey).rememberMeServices(rememberMeServices())
            ...
    }

    @Autowired
    DataSource dataSource;

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
        db.setDataSource(dataSource);
        return db;
    }

    @Bean
    public AbstractRememberMeServices rememberMeServices() {
        PersistentTokenBasedRememberMeServices rememberMeServices =
                new PersistentTokenBasedRememberMeServices(rememberMeKey, userDetailsService, persistentTokenRepository());
        rememberMeServices.setAlwaysRemember(true);
        rememberMeServices.setCookieName("remember-me");
        rememberMeServices.setTokenValiditySeconds(1209600);
        return rememberMeServices;
    }

}
```

I need to specify the remember-me key twice:

```java
.rememberMe().key(rememberMeKey).rememberMeServices(rememberMeServices())
```

and

```java
        PersistentTokenBasedRememberMeServices rememberMeServices =
                new PersistentTokenBasedRememberMeServices(rememberMeKey, userDetailsService, persistentTokenRepository());
```

This is because of the following snippet in RememberMeConfigurer:

```java
@SuppressWarnings("unchecked")
@Override
public void init(H http) throws Exception {
	validateInput();
	String key = getKey();
	RememberMeServices rememberMeServices = getRememberMeServices(http, key);
	http.setSharedObject(RememberMeServices.class, rememberMeServices);
	LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
	if (logoutConfigurer != null && this.logoutHandler != null) {
		logoutConfigurer.addLogoutHandler(this.logoutHandler);
	}

	RememberMeAuthenticationProvider authenticationProvider = new RememberMeAuthenticationProvider(
			key);
	authenticationProvider = postProcess(authenticationProvider);
	http.authenticationProvider(authenticationProvider);

	initDefaultLoginFilter(http);
}
```

Notice that the RememberMeAuthenticationProvider is instantiated with the key field of the RememberMeConfigurer and not with the key provided to the RememberMeServices.

Expected Behavior

I would expect to need to specify the key only once, so

```java
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
            ...
            .rememberMe().rememberMeServices(rememberMeServices())
            ...
    }
```

should work.

Version

Spring Boot 1.4.2 and Spring Security 4.1.3
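The reason the two keys have to agree is that `AbstractRememberMeServices` stamps each auto-login `RememberMeAuthenticationToken` with the hash of its key, and the `RememberMeAuthenticationProvider` that `RememberMeConfigurer.init` builds from the configurer's key compares that hash with its own key before accepting the token. The following is an added example, not code from the issue or from Spring Security, that exercises that comparison directly with two constructed keys; it assumes Spring Security 4.1.x on the classpath and uses only the public constructors of the two classes involved.

```java
import java.util.Collection;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.RememberMeAuthenticationProvider;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Shows what happens when the key given to RememberMeServices and the key
 * given to RememberMeConfigurer (and so to RememberMeAuthenticationProvider)
 * differ. Added example; not part of the issue or of Spring Security.
 */
public class RememberMeKeyMismatchDemo {

    // Constructed sample keys for the demo, not real secrets.
    static final String SERVICES_KEY = "key-configured-on-services";
    static final String CONFIGURER_KEY = "key-configured-on-configurer";

    /**
     * Builds the token that AbstractRememberMeServices produces after it has
     * validated a remember-me cookie. The token records the hash of the
     * services' key, which the provider later checks.
     */
    static RememberMeAuthenticationToken tokenFromServices(String servicesKey, String username) {
        Collection<? extends GrantedAuthority> authorities =
                AuthorityUtils.createAuthorityList("ROLE_USER");
        return new RememberMeAuthenticationToken(servicesKey, username, authorities);
    }

    /**
     * Runs the provider that the configurer would create with its own key
     * against the token. Returns true when the provider accepts the token
     * and false when it rejects it.
     */
    static boolean providerAccepts(String configurerKey, RememberMeAuthenticationToken token) {
        RememberMeAuthenticationProvider provider = new RememberMeAuthenticationProvider(configurerKey);
        try {
            Authentication result = provider.authenticate(token);
            return result != null && result.isAuthenticated();
        } catch (BadCredentialsException e) {
            // Raised when the key hashes differ: the auto-login fails closed.
            return false;
        }
    }

    public static void main(String[] args) {
        RememberMeAuthenticationToken token = tokenFromServices(SERVICES_KEY, "alice");

        // Same key on both sides: the remembered login is accepted.
        System.out.println("matching keys accepted:   " + providerAccepts(SERVICES_KEY, token));

        // Different keys: the remembered login is rejected.
        System.out.println("mismatched keys accepted: " + providerAccepts(CONFIGURER_KEY, token));
    }
}
```

The second call is the situation that arises if only `rememberMeServices(...)` is set and the configurer falls back to its own key: the services issue tokens the provider never accepts, so remembered logins silently stop working rather than opening anything up. The duplication the issue asks to remove is therefore about configuration ergonomics; a mismatch fails closed.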

Labels

in: config (An issue in spring-security-config), type: enhancement (A general enhancement)
