I am trying to make use of Spring Security's <remember-me/> authentication. The line in my security context looks like this:

 <security:remember-me key="89dqj219dn910lsAc12" user-service-ref="jpaUserDetailsService"/>

Although I use my own implementation of UserDetailsService (tested & working), I have also tried with the default one running into the same issue, which is this:

  1. Logging in with the "remember-me" checkbox checked, a cookie is generated as expected:

    Name: SPRING_SECURITY_REMEMBER_ME_COOKIE; Value: c2FzczoxMjg1NTIxOTI1NzY4OmIxODQ5YTE2ZDY1MDVmZDFhNWRlN2Y2NzFlMzc1MmI0; Host: localhost; Path: /webapp; Secure: No; Valid until: Sun, 26 Sep 2010 17:25:25 GMT

  2. The browser is restarted

  3. The cookie is still there

  4. Trying to access any secured page ends in "Access denied" error:

    org.springframework.security.access.AccessDeniedException: Access is denied

    Authentication object as a String: org.springframework.security.authentication.RememberMeAuthenticationToken@ffcaab94: Principal: de.myapp.businessobjects.AppUser@35c12e: Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; PersonalInformation: 32768; ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities

I am confused and do not know what goes wrong or where to start debugging. Help, please?

+1  A: 

It looks like the user is successfully authenticated, but for some reason he has no authorities (i.e. roles). So, make sure that the user details returned by your UserDetailsService return proper authorities from UserDetails.getAuthorities().

axtavt
Ahh ... great hint! You are right, I forgot to test my UserDetailsService.getAuthorities() implementation - voila, it actually *is* buggy. Thanks!
Oh dear, I am sorry. I mocked roles but am still getting a similar error: "... SessionId: null; Granted Authorities: ROLE_USER" Pity. BTW, why is SessionId `null` anyway?
@erlord: I don't think sessionid is an issue. This looks like a regular `AccessDeniedException`, perhaps `ROLE_USER` is not enough to perform the requested action.
axtavt
If so, why does it work in the first place, i.e. when logging in? The same URL works *before* restart and fails *after* ... do I have to assign roles to <remember-me/> something?
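As an added illustration of axtavt's advice (example code, not from the question or the answer): a UserDetailsService whose loadUserByUsername maps stored role names to GrantedAuthority objects and refuses to hand back a principal with none, which is what produces the "Not granted any authorities" remember-me token above. The AppUser entity from the question is assumed to expose getUsername(), getPassword(), isEnabled() and getRoles(); AppUserRepository is a hypothetical stand-in for the JPA lookup.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical JPA lookup; the question's AppUser entity is assumed to
// provide getUsername(), getPassword(), isEnabled() and getRoles().
interface AppUserRepository {
    AppUser findByUsername(String username);
}

public class JpaUserDetailsService implements UserDetailsService {

    private final AppUserRepository repository;

    public JpaUserDetailsService(AppUserRepository repository) {
        this.repository = repository;
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        AppUser appUser = repository.findByUsername(username);
        if (appUser == null) {
            throw new UsernameNotFoundException("No user named " + username);
        }

        // Each stored role becomes one GrantedAuthority. RoleVoter only counts
        // authorities carrying the ROLE_ prefix, so normalise names that lack it.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : appUser.getRoles()) {
            String name = role.startsWith("ROLE_") ? role : "ROLE_" + role;
            authorities.addAll(AuthorityUtils.createAuthorityList(name));
        }

        // The remember-me token is built from exactly what getAuthorities() returns,
        // so an empty list here yields a roleless principal and AccessDeniedException
        // on every secured URL. Surface the misconfiguration instead of hiding it.
        if (authorities.isEmpty()) {
            throw new IllegalStateException("User " + username + " has no roles assigned");
        }

        return new User(appUser.getUsername(), appUser.getPassword(),
                appUser.isEnabled(), true, true, true, authorities);
    }
}
```

Register it under the bean id used in the question (`jpaUserDetailsService`) so both the form login and the `<remember-me/>` cookie path load users through the same mapping.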