Wednesday, 8 January 2014

Spring Security: Remember me Example

Remember me authentication is a mechanism that allows a user to maintain his identity across multiple browser sessions. Typically, a browser session ends when we close the browser. This means that with Remember-me, a user will be able to automatically login even after he restarts the browser. It remembers the identity of the user between two different sessions.

This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place. Spring Security provides the necessary hooks for these operations to take place, and has two concrete remember-me implementations.  One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens. Note that both the implementations require a UserDetailsService. 

1. Simple Hash-Based Token Approach

This approach uses hashing to achieve a useful remember-me strategy. In essence a cookie is sent to the browser upon successful interactive authentication, with the cookie being composed as follows:

base64(username + ":" + expirationTime + ":" + 
md5Hex(username + ":" + expirationTime + ":" password + ":" + key)) 

username: As identifiable to the `UserDetailsService`. 

password: That matches the one in the retrieve UserDetails. 

expirationTime: The date and time when the remember-me token expires, expressed in milliseconds .

key: A private key to prevent modification of the remember-me token.

The remember-me token is valid only for the period specified, and provided that the username, password and key does not change. To enable remember-me authentication just add the <remember-me> element into <http element>

<http> ... <remember-me key="myAppKey"/> </http>


2. Persistent Token Approach

This approach uses the database to store the generated tokens. The database that will be used should contain a persistent_logins table, created using the following SQL (or equivalent):

create table persistent_logins (username varchar(64) not null, series varchar(64) primary key, token varchar(64) not null, last_used timestamp not null)

To use this approach with the namespace configuration, you need to supply a datasource reference

<http> ... <remember-me data-source-ref="someDataSource"/> </http>

Example

The setup is the same as the one used for my previous post demonstrating the use of a custom UserDetailsService.

Only changes required are in spring-security.xml configuration. We will be using the Hash-Based token approach. 



 
  

  
  

  

  
 

 
  
 

Demo

If we try to access the URL- '/SpringSecurity/user/welcome'
Spring Security intercepts this URL and presents a login form.

Note that there exists a check-box for remember me.If we tick this check-box and login with valid credentials, a cookie named 'SPRING_SECURITY_REMEMBER_ME' is created along with the cookie storing JSessionId. 




If we delete this cookie for JSessionId, we are still able to login automatically and access the intercepted URL.

This is all because of the simple Hash-Based generated token stored inside the browser's cookie.

You can view/download the complete source code from here.

No comments:

Post a Comment