I'm using the PersistentTokenBasedRememberMeServices (Spring Security 2.04) in a Grails app in conjunction with the OpenIDAuthenticationProcessingFilter. The configuration is as follows (this is Grails's DSL equivalent of Spring's resource.xml, but it should be quite easy to adapt):

// Token repository backed by the persistent_logins table (series, token, username, last_used)
customTokenRepository(JdbcTokenRepositoryImpl) {
    dataSource = ref('dataSource')
}

// Persistent (series/token) remember-me services; the token is rotated on every use of the cookie
rememberMeServices(PersistentTokenBasedRememberMeServices) {
    userDetailsService = ref('userDetailsService')
    key = securityConf.rememberMeKey
    cookieName = securityConf.cookieName
    alwaysRemember = securityConf.alwaysRemember
    tokenValiditySeconds = securityConf.tokenValiditySeconds
    parameter = securityConf.parameter
    tokenRepository = customTokenRepository
}

// OpenID authentication provider resolving the authenticated identity to local user details
openIDAuthProvider(org.codehaus.groovy.grails.plugins.springsecurity.openid.GrailsOpenIdAuthenticationProvider) {
    userDetailsService = ref('userDetailsService')
}

// openid4java consumer plumbing: association store, nonce verifier and consumer manager
openIDStore(org.openid4java.consumer.InMemoryConsumerAssociationStore)

openIDNonceVerifier(org.openid4java.consumer.InMemoryNonceVerifier, securityConf.openIdNonceMaxSeconds) // 300 seconds

openIDConsumerManager(org.openid4java.consumer.ConsumerManager) {
    nonceVerifier = openIDNonceVerifier
}

openIDConsumer(org.springframework.security.ui.openid.consumers.OpenID4JavaConsumer, openIDConsumerManager)

// The processing filter is wired to the remember-me services above, so a successful OpenID login issues the cookie
openIDAuthenticationProcessingFilter(org.springframework.security.ui.openid.OpenIDAuthenticationProcessingFilter) {
    authenticationManager = ref('authenticationManager')
    authenticationFailureUrl = securityConf.authenticationFailureUrl // '/login/authfail?login_error=1' or '/spring_security_login?login_error'
    defaultTargetUrl = securityConf.defaultTargetUrl // '/'
    filterProcessesUrl = '/j_spring_openid_security_check' // not configurable
    rememberMeServices = ref('rememberMeServices')
    consumer = openIDConsumer
    targetUrlResolver = customTargetUrlResolver // bean defined elsewhere in the configuration
}

After a user has authenticated, everything is fine until the cookie issued to him is used for the first time, for example after a container restart (see here).

The very first request using the cookie always seems to be fine, but after the cookie has been updated with a new date and, most importantly, a new token, subsequent requests crash in here. It is as if the browser were still requesting resources using the old version of the cookie containing the old token. I'm totally baffled as to why this happens. Any suggestions?
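Added example, not code from the question or from Spring Security itself: a Python model of the series/token scheme that PersistentTokenBasedRememberMeServices implements. An in-memory store stands in for JdbcTokenRepositoryImpl, and the names `InMemoryTokenRepository`, `PersistentRememberMe` and `replay_stale_cookie` are this example's own. Every use of the cookie rotates the token inside its series; a request that presents a known series with a token that is no longer current cannot be distinguished from a stolen cookie, so the service revokes every series of that user. `replay_stale_cookie` walks through the sequence described above: the first use succeeds and rotates the token, a second request still carrying the old cookie trips the theft check, and the freshly issued cookie is dead afterwards.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


class InvalidCookieError(Exception):
    """Unknown or expired series: the cookie is ignored and the request proceeds anonymously."""


class CookieTheftError(Exception):
    """A known series was presented with a token that is not its current one."""


@dataclass
class PersistentToken:
    username: str
    series: str
    token: str
    last_used: datetime


class InMemoryTokenRepository:
    """Constructed stand-in for JdbcTokenRepositoryImpl.
    Like the persistent_logins table it is keyed by series, not by token."""

    def __init__(self):
        self._by_series = {}

    def create_new_token(self, token):
        self._by_series[token.series] = token

    def update_token(self, series, new_token, last_used):
        stored = self._by_series[series]
        self._by_series[series] = PersistentToken(stored.username, series, new_token, last_used)

    def get_token_for_series(self, series):
        return self._by_series.get(series)

    def remove_user_tokens(self, username):
        for series in [s for s, t in self._by_series.items() if t.username == username]:
            del self._by_series[series]


class PersistentRememberMe:
    """Simplified series/token rotation in the order the real service performs its checks."""

    def __init__(self, repo, token_validity=timedelta(days=14)):
        self.repo = repo
        self.token_validity = token_validity

    def login_success(self, username, now):
        """Interactive login: start a new series and hand out the first cookie."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.repo.create_new_token(PersistentToken(username, series, token, now))
        return (series, token)  # the real cookie value encodes "series:token"

    def auto_login(self, cookie, now):
        """Request carrying the cookie: validate, rotate the token, return user and new cookie."""
        series, presented = cookie
        stored = self.repo.get_token_for_series(series)
        if stored is None:
            raise InvalidCookieError("unknown series")
        if not secrets.compare_digest(stored.token, presented):
            # Same series, different token: a stolen cookie or a stale copy being replayed.
            # The scheme cannot tell the two apart, so every series of this user is revoked.
            self.repo.remove_user_tokens(stored.username)
            raise CookieTheftError(stored.username)
        if stored.last_used + self.token_validity < now:
            raise InvalidCookieError("expired")
        new_token = secrets.token_urlsafe(16)
        self.repo.update_token(series, new_token, now)
        return stored.username, (series, new_token)


def replay_stale_cookie():
    """Reproduce the symptom: request 1 rotates the token, request 2 with the old cookie
    is treated as theft, and the rotated cookie no longer works either."""
    repo = InMemoryTokenRepository()
    svc = PersistentRememberMe(repo)
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp
    original = svc.login_success("alice", t0)

    # First request after the restart: accepted, and a new token is issued for the series.
    user, fresh = svc.auto_login(original, t0 + timedelta(minutes=1))
    outcome = {"first_request_user": user, "token_rotated": fresh[1] != original[1]}

    # Second request still carrying the old cookie (for example a parallel resource fetch).
    try:
        svc.auto_login(original, t0 + timedelta(minutes=1, seconds=1))
        outcome["stale_replay"] = "accepted"
    except CookieTheftError:
        outcome["stale_replay"] = "cookie theft detected"

    # Collateral damage: the whole series was removed, so the fresh cookie is unknown now.
    try:
        svc.auto_login(fresh, t0 + timedelta(minutes=2))
        outcome["fresh_cookie_after"] = "accepted"
    except InvalidCookieError:
        outcome["fresh_cookie_after"] = "series revoked"
    return outcome
```

The order of checks (token match before expiry, revocation of all the user's series on mismatch) is what makes a replayed stale cookie look exactly like theft to the service; the model is there to make that failure mode visible, not to change it.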