RememberMeConfigurer does not use the key from RememberMeServices #4140


Closed
rcomblen opened this issue Nov 25, 2016 · 1 comment
Labels
in: config An issue in spring-security-config type: enhancement A general enhancement

@rcomblen

Summary

Using Spring Boot 1.4.2 and Spring Security 4.1.3

I want to use a custom RememberMeServices.

I need to specify the secret key in both the RememberMeServices instantiation and in the RememberMeConfigurer usage.

Actual Behavior

Usage that works:

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Value("${rememberMe.key}")
    private String rememberMeKey;

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
            ...
            .rememberMe().key(rememberMeKey).rememberMeServices(rememberMeServices())
            ...
    }

    @Autowired
    DataSource dataSource;

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
        db.setDataSource(dataSource);
        return db;
    }

    @Bean
    public AbstractRememberMeServices rememberMeServices() {
        PersistentTokenBasedRememberMeServices rememberMeServices =
                new PersistentTokenBasedRememberMeServices(rememberMeKey, userDetailsService, persistentTokenRepository());
        rememberMeServices.setAlwaysRemember(true);
        rememberMeServices.setCookieName("remember-me");
        rememberMeServices.setTokenValiditySeconds(1209600);
        return rememberMeServices;
    }

}

I need to specify the remember-me key twice:

.rememberMe().key(rememberMeKey).rememberMeServices(rememberMeServices())

and

        PersistentTokenBasedRememberMeServices rememberMeServices =
                new PersistentTokenBasedRememberMeServices(rememberMeKey, userDetailsService, persistentTokenRepository());

This is because of the following snippet in RememberMeConfigurer:

@SuppressWarnings("unchecked")
@Override
public void init(H http) throws Exception {
	validateInput();
	String key = getKey();
	RememberMeServices rememberMeServices = getRememberMeServices(http, key);
	http.setSharedObject(RememberMeServices.class, rememberMeServices);
	LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
	if (logoutConfigurer != null && this.logoutHandler != null) {
		logoutConfigurer.addLogoutHandler(this.logoutHandler);
	}

	RememberMeAuthenticationProvider authenticationProvider = new RememberMeAuthenticationProvider(
			key);
	authenticationProvider = postProcess(authenticationProvider);
	http.authenticationProvider(authenticationProvider);

	initDefaultLoginFilter(http);
}

Notice that the RememberMeAuthenticationProvider is instantiated with the key field of the RememberMeConfigurer and not with the key provided to the RememberMeServices.

Expected Behavior

I would expect to need to specify the key only once, so

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
            ...
            .rememberMe().rememberMeServices(rememberMeServices())
            ...
    }

should work.

Version

Spring Boot 1.4.2 and Spring Security 4.1.3
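The practical effect of the mismatch described above is that the RememberMeAuthenticationProvider rejects every token the custom RememberMeServices produces, because the provider compares the hash of its own key with the key hash stored in the RememberMeAuthenticationToken. The following self-contained Java class is an added example, not code from the issue or from Spring Security itself; the two key strings and the principal name "alice" are constructed values for illustration.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.RememberMeAuthenticationProvider;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Shows why the key given to RememberMeServices and the key given to
 * RememberMeAuthenticationProvider must be the same value.
 * Added example; the keys below are constructed placeholders.
 */
public class RememberMeKeyMismatchDemo {

    // Key passed to PersistentTokenBasedRememberMeServices (constructed value).
    static final String SERVICES_KEY = "services-key-from-configuration";

    // Key the RememberMeConfigurer ends up using when it is set separately
    // or generated by getKey() (constructed value).
    static final String CONFIGURER_KEY = "different-key-held-by-configurer";

    /**
     * Builds a provider with providerKey and asks it to authenticate a
     * RememberMeAuthenticationToken minted with tokenKey, which is what a
     * RememberMeServices hands to the AuthenticationManager after validating
     * the remember-me cookie. Returns true only if the provider accepts it.
     */
    static boolean providerAccepts(String providerKey, String tokenKey) {
        RememberMeAuthenticationProvider provider = new RememberMeAuthenticationProvider(providerKey);
        Authentication token = new RememberMeAuthenticationToken(tokenKey, "alice",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        try {
            // The provider compares providerKey.hashCode() with token.getKeyHash()
            // and throws BadCredentialsException when they differ.
            return provider.authenticate(token).isAuthenticated();
        } catch (BadCredentialsException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("same key accepted:      " + providerAccepts(SERVICES_KEY, SERVICES_KEY));
        System.out.println("different key accepted: " + providerAccepts(CONFIGURER_KEY, SERVICES_KEY));
    }
}
```

With the same key on both sides the provider returns the authenticated token; with the configurer's key differing from the services' key it throws BadCredentialsException, so the remember-me cookie is valid as far as the services are concerned yet never yields an authenticated session. That is the failure a single source of truth for the key, as requested in this issue, prevents.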

@rcomblen
Author

This patch should do the fix

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java
index b6fe07a..adddb8c 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java
@@ -267,6 +267,11 @@ public final class RememberMeConfigurer<H extends HttpSecurityBuilder<H>>
 		validateInput();
 		String key = getKey();
 		RememberMeServices rememberMeServices = getRememberMeServices(http, key);
+        if(rememberMeServices instanceof AbstractRememberMeServices) {
+            AbstractRememberMeServices abstractRememberMeServices = (AbstractRememberMeServices) rememberMeServices;
+			key = abstractRememberMeServices.getKey();
+			this.key = key;
+        }
 		http.setSharedObject(RememberMeServices.class, rememberMeServices);
 		LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
 		if (logoutConfigurer != null && this.logoutHandler != null) {
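Review bot: the new block only takes over the key when getRememberMeServices returns an AbstractRememberMeServices; a RememberMeServices that implements the interface directly still gets a RememberMeAuthenticationProvider built from the configurer's own key, so the mismatch this issue describes is left in place for that case and deserves at least a comment or a note in the javadoc. Also, when `.key(...)` was set explicitly and differs from what the services were built with, `this.key = key;` silently replaces the configured value; consider logging or rejecting the conflict so a misconfiguration is visible instead of quietly resolved in favour of the services. Minor style point: the added lines mix four-space indentation with the surrounding tabs (`if(rememberMeServices instanceof ...` versus `key = abstractRememberMeServices.getKey();`), and `if(` lacks the space used elsewhere in the file.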

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019
@eleftherias eleftherias self-assigned this Oct 25, 2019
@eleftherias eleftherias added in: config An issue in spring-security-config type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 25, 2019
eleftherias added a commit that referenced this issue Nov 7, 2019
@eleftherias eleftherias added this to the 5.3.0.M1 milestone Dec 12, 2019