Spring Security Remember Me
This tutorial shows how to let Spring Security remember a user's login for a configurable period, so that on later visits the user is logged in automatically without having to enter credentials in the login form again.
Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place. Spring Security provides the necessary hooks for these operations to take place, and has two concrete remember-me implementations. One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens.
Please read any one of the tutorials Spring Security Form based Authentication – XML Configuration, Spring Security Form based Authentication – Annotations, Spring Security – JDBC Authentication, or Spring Security – JDBC Authentication using UserDetailsService before adding the Remember Me functionality to the Spring Security form-based login.
Now make changes in two places: the filterChain() method of WebSecurityConfig.java and the login.jsp page.
Changes in the method filterChain() of WebSecurityConfig.java
Add the following remember-me configuration to the Spring Security part:

```java
http.rememberMe()                    // configure remember me
    .key("rememberKey")              // key mixed into the token hash (use a long random secret in practice)
    .rememberMeParameter("remember") // name of the remember-me field in the login form
    .tokenValiditySeconds(86400);    // keep the token valid for one day
```
The filterChain() method then looks like the following image:
Alternatively, you can add the same calls to the existing chain of method calls, as given below:
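For readers who cannot see the images, here is a complete filterChain() bean with the remember-me calls wired into the same chain. This is an added example, not the tutorial's own WebSecurityConfig.java: the package name, the /admin/** and ADMIN role mapping, the /login page and the presence of a UserDetailsService bean are assumptions, and the lambda DSL assumes Spring Security 6.x (it also compiles on 5.8 if antMatchers is used instead of requestMatchers).

```java
// Added example, not the tutorial's own file. Assumes Spring Security 6.x and a
// UserDetailsService bean defined elsewhere in the application.
package com.example.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    // The key is part of every token's hash. It must be identical on every instance and
    // across restarts, otherwise issued cookies stop validating; changing it deliberately
    // is the way to revoke all outstanding remember-me cookies at once.
    private static final String REMEMBER_ME_KEY = "rememberKey"; // tutorial's value; use a random secret

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, UserDetailsService userDetailsService)
            throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")   // assumed URL/role mapping
                .requestMatchers("/", "/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")                              // assumed login page
                .permitAll())
            .rememberMe(remember -> remember
                .key(REMEMBER_ME_KEY)
                .rememberMeParameter("remember")                  // matches the checkbox name in login.jsp
                .tokenValiditySeconds(86400)                      // one day
                .userDetailsService(userDetailsService))          // needed to re-load the user from the cookie
            .logout(logout -> logout.permitAll());
        return http.build();
    }
}
```

Without a .tokenRepository(...) call this is the hash-based (TokenBasedRememberMeServices) variant. Supplying a PersistentTokenRepository, for example JdbcTokenRepositoryImpl backed by the application's DataSource, switches the same configuration to the persistent-token variant described at the start of this page, where each cookie holds a random series and token value stored server-side and can be revoked individually.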
The configuration above uses the simple hash-based token approach: the token is a hash computed over the username, the expiry time, the user's password and the configured key. After a successful authentication Spring Security sends a cookie carrying this token to the browser. The approach has a known weakness: nothing in the cookie binds it to the browser that received it, so a captured remember-me token is usable from any user agent until the token expires, and the only ways to revoke it earlier are changing that user's password or changing the server key, which invalidates every user's tokens. For the same reason the key should be a long random secret kept out of source control rather than a literal such as "rememberKey", because anyone who knows the key and a user's stored password can forge that user's cookie. The hash-based approach is therefore usually not recommended when the persistent-token approach can be used.
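The following stand-alone program illustrates the mechanism just described: issuing a hash-based token, validating it, and showing why a captured token replays from anywhere while a tampered or expired one does not. It is an added example and not Spring Security's own code; the token layout (username:expiry:hash, Base64-encoded) and the use of SHA-256 are an illustration of the same idea, not a byte-exact reproduction of Spring's cookie format, and the in-memory user map is constructed sample data.

```java
// Added example: a minimal hash-based remember-me token, not Spring Security's implementation.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HexFormat;
import java.util.Map;

public class HashBasedRememberMeDemo {

    // Constructed sample user store (username -> stored password); a real app uses UserDetailsService.
    private static final Map<String, String> USERS = Map.of("roy", "s3cret");

    // hash(username : expiry : password : key); the key is the server-side secret.
    static String digest(String username, long expiry, String password, String key) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            String data = username + ":" + expiry + ":" + password + ":" + key;
            return HexFormat.of().formatHex(md.digest(data.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Cookie value issued after a successful login with the remember-me box ticked. */
    static String issue(String username, long nowMillis, int validitySeconds, String key) {
        long expiry = nowMillis + validitySeconds * 1000L;
        String sig = digest(username, expiry, USERS.get(username), key);
        String plain = username + ":" + expiry + ":" + sig;
        return Base64.getEncoder().encodeToString(plain.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns the username if the cookie is valid at nowMillis, otherwise null. */
    static String validate(String cookie, long nowMillis, String key) {
        String[] parts;
        try {
            parts = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8).split(":");
        } catch (IllegalArgumentException e) {
            return null;                                   // not Base64
        }
        if (parts.length != 3) return null;                // wrong layout
        long expiry;
        try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        if (expiry < nowMillis) return null;               // expired
        String password = USERS.get(parts[0]);
        if (password == null) return null;                 // unknown user
        byte[] expected = digest(parts[0], expiry, password, key).getBytes(StandardCharsets.UTF_8);
        byte[] presented = parts[2].getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, presented)) return null; // constant-time compare
        return parts[0];
        // Note what is NOT checked: user agent, IP, or any server-side record of the token.
    }

    public static void main(String[] args) {
        String key = "rememberKey";
        long now = 1_700_000_000_000L;
        String cookie = issue("roy", now, 86400, key);

        System.out.println("valid now:          " + validate(cookie, now, key));
        // A stolen copy validates from any client until expiry; the server cannot tell the difference.
        System.out.println("replayed elsewhere: " + validate(cookie, now + 3_600_000L, key));
        System.out.println("after one day:      " + validate(cookie, now + 86_400_000L + 1, key));

        // Extending the expiry field without knowing the key breaks the digest.
        String[] p = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8).split(":");
        String tampered = Base64.getEncoder().encodeToString(
                (p[0] + ":" + (now + 10 * 86_400_000L) + ":" + p[2]).getBytes(StandardCharsets.UTF_8));
        System.out.println("tampered expiry:    " + validate(tampered, now, key));

        // Rotating the server key (or changing the stored password) invalidates the cookie.
        System.out.println("after key rotation: " + validate(cookie, now, "newKey"));
    }
}
```

Running it prints "roy" for the first two checks and "null" for the last three. In Spring Security the password that goes into the hash is the stored (encoded) password from UserDetails, which is why a password change also invalidates a user's remember-me cookies.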
Changes in login.jsp page
Add the following row to the login form:

```html
<tr>
    <td>Remember Me:</td>
    <td><input type="checkbox" name="remember" /></td>
</tr>
```

The name attribute must match the value passed to rememberMeParameter() in the configuration.
So the login form looks like below image:
I provided the user with an option, a checkbox, to select Remember Me. If the user checks it, then after a successful login the Spring application sends a remember-me cookie to the browser in addition to the session cookie. Once the session cookie has expired, the next time the user accesses a secured page they are logged in automatically using the remember-me cookie.
Now when you try to access the admin page you are redirected to the login page, where you will see the Remember Me checkbox for auto-login next time. Once you have logged in with the checkbox checked, the next time you open the direct URL http://localhost:8080/spring-security-jdbc-authentication-form-based-remember-me/admin in the browser you are taken straight to the admin page and no longer need to log in with credentials. The same happens if you click the link Go to Administrator page from the home page.
Now the login form will look similar to the following image: