SpringSecurity – RememberMe Authentication & Basic Authentication

Preface

In Spring Security, you can enable RememberMe Authentication for persistent login. This is achieved via the exchange of a RememberMe cookie between server and client. The configuration presented here shows how this can be accomplished using the Spring Security “form-login” (or equivalent). Shortly, in order to ask for the RememberMe cookie/mechanism from the server, the client must post the parameter “_spring_security_remember_me” along with the login credentials; the RememberMe authentication mechanism is thus tightly related to that parameter and thus to a login form.

In a recent project (a webservices project), I had to establish a persistent login along with a Basic authentication across multiple platforms using the Remember Me cookie approach using Spring Security. The difficulty is to configure Spring Security to send back to client the Remember Me cookie on successful authentication with Basic Authentication credentials (no login form and thus no request parameter “_spring_security_remember_me”).

Here the configuration that allows you to achieved this.

The Basic Authentication entry point configuration

You have to (re-)declare the Basic Authentication entry point and filter:

<http auto-config="false" entry-point-ref="basicAuthenticationEntryPoint">
   <intercept-url pattern="/**" access="ROLE_USER" />
   <remember-me key="mykey" services-ref="rememberMeServices" />
   <custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthenticationFilter" />
</http>

<beans:bean id="basicAuthenticationFilter"
   class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
	<beans:property name="rememberMeServices" ref="rememberMeServices" />
	<beans:property name="authenticationManager" ref="authenticationManager" />
	<beans:property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint" />
</beans:bean>

<beans:bean id="basicAuthenticationEntryPoint"
   class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
	<beans:property name="realmName" value="Webservices" />
</beans:bean>

This XML configuration comes in replacement to the following classical configuration:

<http auto-config="true">
   <intercept-url pattern="/**" access="ROLE_USER" />
   <remember-me key="mykey" services-ref="rememberMeServices" />
   <basic-auth />
</http>

In the first configuration above, we disabled the form login (remember that it is a webservices project where authentication is done via Basic Authentication). In order to enable the Remember Me authentication along with that Basic authentication on successful login, we had to:

  1. Disable any default login form and http-basic configuration through the “http” attribute
    auto-config="false"
  2. Define an entry point (there must be at least one) through the “http” attribute
    entry-point-ref="basicAuthenticationEntryPoint"

    This is the entry point Spring loads when using “http-basic”

  3. Define the Basic Authentication filter
    <custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthenticationFilter" />

    This again is the default filter Spring loads when using “http-basic” with the difference here that we are referencing the Remember me service bean to support remember on successful authentication

The rest of the configuration file (download file here) is no more that classical Spring Security Remember Me authentication configuration.

This was tested with Spring Security 3.0.x and 4.x.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s