Spring-security: remember me token working only one time
Asked Answered
C

1

10

I'm experiencing a really weird issue with spring security.

The remember-me token seems to last for only one automatic login, after that, it stops working.

1. After login:

enter image description here

2. Then, I manually delete the JSESSIONID cookie and reload the page

enter image description here

3. I delete the JSESSIONID cookie again and reload the page again.

Now, I'm logged out!

In the console I get this:

SEVERE [http-nio-8080-exec-10] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [dispatcher] in context with path [] threw exception
 org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.

I read that this might be the result of the browser issuing multiple requests at the same time, I checked (disabled all the resources, leaving only plain HTML, but to no avail)

enter image description here

Here's my configuration

@EnableWebSecurity
public class Security extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    @Autowired
    DataSource dataSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests().antMatchers("/assets/**").permitAll();
        http.authorizeRequests().anyRequest().authenticated();

        http.formLogin().permitAll();    
        http.rememberMe().tokenRepository(persistentTokenRepository()).userDetailsService(customUserDetailsService);

        http.logout().permitAll();
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
        tokenRepository.setDataSource(dataSource);
        return tokenRepository;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(customUserDetailsService);
        authProvider.setPasswordEncoder(passwordEncoder());
        return authProvider;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(11);
    }
}
Coom answered 12/4, 2018 at 19:19 Comment(0)
E
1

Pulling dataSource from config worked for me, try it

@Autowired
JpaConfiguration jpaConfig;

@Bean(name = "persistentTokenRepository")
public PersistentTokenRepository persistentTokenRepository() {
    JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
    tokenRepository.setDataSource(jpaConfig.dataSource());
    return tokenRepository;
}

or you can also try to increase token validity

 @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests().antMatchers("/assets/**").permitAll();
        http.authorizeRequests().anyRequest().authenticated();

        http.formLogin().permitAll();    
        http.rememberMe().tokenRepository(persistentTokenRepository()).userDetailsService(customUserDetailsService)
            .tokenValiditySeconds(1209600);

        http.logout().permitAll();
    }
Ethban answered 21/4, 2018 at 0:23 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.