Spring Security
  1. Spring Security
  2. SEC-1281

RememberMeAuthenticationProvider is created with default "key" parameter instead of my own specified

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0 RC1
    • Fix Version/s: 3.0.0.RC2
    • Component/s: None
    • Labels:
      None

      Description

      I tried to define my own RememberMeService as shown

      <security:remember-me
      services-ref="rememberMeServices"
      key="$

      {app.security.key.rememberMe}"/>

      <bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
      <property name="key" value="${app.security.key.rememberMe}

      "/>
      <property name="cookieName" value="rememberme-ref"/>
      <property name="parameter" value="j_rememberme"/>
      <property name="tokenValiditySeconds" value="1209600"/>
      <property name="tokenRepository" ref="rememberMeDao"/>
      <property name="userDetailsService" ref="userDetailsDao" />
      </bean>

      But RememberMeAuthenticationProvider instance is created with default "SpringSecured" key instead of my own so RememberMeAuthenticationProvider.authenticate never succeeds.

        Activity

        Hide
        Nickolay Mazurkin added a comment -

        I've registered my own RememberMe provider

        <security:authentication-provider ref="rememberMeAuthenticationProvider"/>

        <bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <property name="key" value="$

        {app.security.key.rememberMe}

        "/>
        </bean>

        Everything works fine but as I can see there are two RememberMeAuthentication providers now - one is default in child authentication manager (with the wrong default key) and one is mine in parent authentication manager (with the right mine key).

        Show
        Nickolay Mazurkin added a comment - I've registered my own RememberMe provider <security:authentication-provider ref="rememberMeAuthenticationProvider"/> <bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider"> <property name="key" value="$ {app.security.key.rememberMe} "/> </bean> Everything works fine but as I can see there are two RememberMeAuthentication providers now - one is default in child authentication manager (with the wrong default key) and one is mine in parent authentication manager (with the right mine key).
        Hide
        Luke Taylor added a comment -

        Thanks for the report. I've updated the namespace parsing code to make sure that the selected key is used even if an external RememberMeServices is in use, which should fix the issue. If you are using the <remember-me /> element then the internally defined provider will always be created.

        Show
        Luke Taylor added a comment - Thanks for the report. I've updated the namespace parsing code to make sure that the selected key is used even if an external RememberMeServices is in use, which should fix the issue. If you are using the <remember-me /> element then the internally defined provider will always be created.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Nickolay Mazurkin
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: