spring-mvcspring-securityremember-mepre-authentication

Spring MVC 2.5 - remember me with custom pre authentication filter


I am working on a legacy app that uses Spring Security 2.0.4. I have created a custom AbstractPreAuthenticatedProcessingFilter and PreAuthenticatedAuthenticationProvider. They create and authenticate the user based on an email address sent as a parameter in the request that comes from the customer's login server. (Not very secure I know but that's the requirements)

This all works fine but my problem is that I need to create a custom cookie once the user is authenticated so they can access the app outside the current session without having to be redirected by the login server.

I have no access to the HttpServletRepsonse object in AbstractPreAuthenticatedProcessingFilter or PreAuthenticatedAuthenticationProvider so I can't just set a cookie in the response. I can implement RememberMeServices into the AbstractPreAuthenticatedProcessingFilter class but I'm not sure if this is the right way to go about it.

Can anyone point me into the right direction? Do I need to create custom remember me functionality? All I want to do is set a cookie (if one doesn't already exist) once the user is authenticated. Then for future requests, I can verify the cookie in the AbstractPreAuthenticatedProcessingFilter and return an authenticated principal.


Solution

  • Fixed without creating any new filters or messing with remember-me (which really doesn't have much to do with pre authentication)

    I simply overrode: AbstractPreAuthenticatedProcessingFilter#successfulAuthentication This gives me access to the HttpServletRepsonse and it only fires on successful authentication.