Spring Security Remember Me – Persistent Token Approach

Spring Security Remember Me with Persistent Token

This tutorial shows how to keep a user logged in for a specified period so that they are authenticated automatically, without entering any credentials into the login form again.

Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place.

Spring Security provides the necessary hooks for these operations to take place, and has two concrete remember-me implementations. One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens.

Prerequisites

Please read the tutorial Spring Security Remember Me – Form Based Login before proceeding, because the persistent token approach described here builds on that Remember Me configuration.

Changes required for Persistent Token approach

Now make the following changes in three places: in WebMvcConfig.java, in the filterChain() method of WebSecurityConfig.java, and in the login.jsp page.

Changes in WebMvcConfig.java

Add the bean below, which provides the persistent token repository used by the persistent-token-based remember-me functionality.

// Stores remember-me series/token pairs in the persistent_logins table
@Bean(name = "persistentTokenRepository")
public PersistentTokenRepository persistentTokenRepository() {
	JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
	tokenRepository.setDataSource(dataSource()); // the application's DataSource bean
	return tokenRepository;
}

Changes in the method filterChain() of WebSecurityConfig.java

Add the below code snippets for Remember Me configuration:

http
	.rememberMe() // configure remember me
		.tokenRepository(persistentTokenRepository) // persistent token repository bean defined in WebMvcConfig
		.key("rememberKey") // key for remember me
		.rememberMeParameter("remember") // remember me field name in login form
		.tokenValiditySeconds(86400); // keep valid for one day

The configuration above uses the persistent token approach. It is more robust than the simple hash-based token approach, which is exposed to a security threat: a captured remember-me token is usable from any user agent until the token expires. For that reason the hash-based approach is usually not recommended.
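For readers who want to see the remember-me settings above wired into a complete security configuration class, here is an added example. It is not code from the original tutorial; it assumes Spring Security 6.x (lambda-style DSL, requestMatchers()), a package name and URL paths chosen here for illustration, and a DataSource bean supplied by the application. It also shows two settings the snippet above does not: useSecureCookie, so the remember-me cookie is only sent over HTTPS, and a logout configuration that deletes the cookie. With the persistent token repository in place, logging out also removes the user's rows from persistent_logins, because PersistentTokenBasedRememberMeServices acts as a logout handler.

```java
package com.example.security; // hypothetical package, not from the page

import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	// Token store backed by the persistent_logins table (schema shown in the MySQL section).
	@Bean
	public PersistentTokenRepository persistentTokenRepository(DataSource dataSource) {
		JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
		tokenRepository.setDataSource(dataSource);
		// Keep false when the table is created by your own DDL; true issues an
		// unconditional CREATE TABLE at startup and is only useful for throwaway setups.
		tokenRepository.setCreateTableOnStartup(false);
		return tokenRepository;
	}

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http,
			PersistentTokenRepository persistentTokenRepository) throws Exception {
		http
			// "/admin/**" and the ADMIN role are illustrative; adapt to your application
			.authorizeHttpRequests(auth -> auth
				.requestMatchers("/admin/**").hasRole("ADMIN")
				.anyRequest().permitAll())
			.formLogin(form -> form
				.loginPage("/login")
				.permitAll())
			.rememberMe(remember -> remember
				.tokenRepository(persistentTokenRepository) // series/token pairs live in the database
				.key("rememberKey")                          // key used by the remember-me services
				.rememberMeParameter("remember")             // checkbox name in the login form
				.tokenValiditySeconds(86400)                 // cookie and stored token valid for one day
				.useSecureCookie(true))                      // never send the cookie over plain HTTP
			.logout(logout -> logout
				.logoutUrl("/logout")
				// remove the session and remember-me cookies; the persistent tokens for the
				// user are deleted by the remember-me services during logout
				.deleteCookies("JSESSIONID", "remember-me")
				.permitAll());
		return http.build();
	}
}
```

The default remember-me cookie name in Spring Security is "remember-me", which is why it is listed in deleteCookies(). If you rename the cookie with rememberMeCookieName(), update that list to match.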

Changes in login.jsp page

Add the below code snippets into the login form:

<tr>
	<td>Remember Me:</td>
	<td><input type='checkbox' name="remember" /></td>
</tr>

The login form now offers the user an option, usually a checkbox, to select Remember Me. If the user checks it, then after a successful login the Spring application sends a remember-me cookie to the browser in addition to the session cookie. Once the session cookie has expired, a request for a secured page is automatically logged in using the remember-me cookie.

MySQL Table

The persistent token approach requires an additional database table to store the persistent tokens used by Spring Security's remember-me functionality.

/*Table structure for table `persistent_logins` */
DROP TABLE IF EXISTS `persistent_logins`;
CREATE TABLE `persistent_logins` (
  `username` varchar(64) COLLATE utf8mb4_unicode_ci NOT NULL,
  `series` varchar(64) COLLATE utf8mb4_unicode_ci NOT NULL,
  `token` varchar(64) COLLATE utf8mb4_unicode_ci NOT NULL,
  `last_used` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (`series`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

How App Works

Now, when you try to access the admin page, you are redirected to the login page, where you will see the Remember Me checkbox for auto-login next time. Once you log in with the checkbox checked, the next time you enter the direct URL http://localhost:8080/spring-security-annotations/admin into the browser you are taken straight to the admin page and no longer need to log in with credentials. The same applies if you click the Go to Administrator page link from the home page.

When you log in with the Remember Me checkbox selected, a row is inserted into the persistent_logins table, similar to the image below:

(Image: spring security remember me persistent token – a row in the persistent_logins table)
