Spring Security Remember Me – Persistent Token Approach

This tutorial shows how to keep a user logged in for a configured period, so that the secured pages open automatically without the login form being filled in again.

Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place. Spring Security provides the necessary hooks for these operations to take place, and has two concrete remember-me implementations. One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens.

In my previous tutorial I have shown  but this example uses database storage to store generated tokens for Remember Me login implementation.

Before adding the Remember Me functionality to the Spring Security form-based login, please read any one of these tutorials: Spring Security Form based Authentication – XML Configuration, Spring Security Form based Authentication – Annotations, Spring Security – JDBC Authentication, or Spring Security – JDBC Authentication using UserDetailsService.

Now make changes in three places: in WebMvcConfig.java, in the configure() method of WebSecurityConfig.java, and in the login.jsp page.

Changes in WebMvcConfig.java

Add the bean below for the persistent token repository.

Changes in the method configure() of WebSecurityConfig.java

Add the code snippet below for the Remember Me configuration.

The configuration above uses the persistent token approach. It is more robust than the simple hash-based token approach, in which a captured remember-me token can be used from any user agent until the token expires; the hash-based approach is therefore usually not recommended.

Changes in login.jsp page

Add the code snippet below to the login form.

We give the user an option, usually a checkbox, to select Remember Me. If the user checks it, then after a successful login the Spring application sends a remember-me cookie to the browser in addition to the session cookie. Once the session cookie has expired, a request for a secured page is logged in automatically using the remember-me cookie.

Create the persistent_logins table in MySQL database
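The three changes above, as an added example of the persistent-token configuration written for this page (not the tutorial's own code). It assumes a DataSource bean from the JDBC authentication tutorial, an /admin URL pattern and an ADMIN role, and, for brevity, puts the repository bean in WebSecurityConfig.java rather than in WebMvcConfig.java as the tutorial does:

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource; // assumed: defined by the JDBC authentication setup

    // Repository backed by the persistent_logins table (username, series, token, last_used).
    // A login with Remember Me checked stores a (series, token) pair; every automatic login
    // keeps the series but issues a fresh token. If a known series arrives with an old token,
    // Spring treats the cookie as stolen, deletes all of that user's remember-me tokens and
    // forces a normal login, so a copied cookie is detected on its first reuse.
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(dataSource);
        return repo;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN") // assumed role name
                .anyRequest().permitAll()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            .rememberMe()
                .tokenRepository(persistentTokenRepository())
                // matches <input type="checkbox" name="remember-me"/> in login.jsp
                .rememberMeParameter("remember-me")
                .tokenValiditySeconds(7 * 24 * 60 * 60); // cookie and table row valid for one week
    }
}
```

The persistent_logins table that JdbcTokenRepositoryImpl reads and writes needs the columns username, series (the primary key), token and last_used.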

Now, when you try to access the admin page, you are redirected to the login page, where you will see the Remember Me checkbox for auto-login next time. Once you have logged in with the checkbox checked, the next time you enter the direct URL http://localhost:8080/spring-security-annotations/admin into the browser you are taken straight to the admin page without entering credentials. The same happens if you click the link Go to Administrator page on the home page.

When you log in with the Remember Me checkbox selected, you will see that a row has been inserted into the persistent_logins table, similar to the one shown below.

[Image: spring security remember me persistent token]

Thanks for reading.
