Tuesday, October 3, 2023

How to enable RememberMe Functionality in Spring Security

Hello guys, most web applications have a login or authentication step where users need to enter their username and password to access the functionality the application provides. This is great from the application's perspective, because the functionality is protected from anonymous users, but from the user's perspective they would appreciate something that does not ask them to enter their username and password every now and then. This is what the remember-me functionality of Spring Security does. It allows you to build a web application which can remember its users and log them in automatically when they restart their browser or come back another day.

This is very convenient for users, but you also need to take some precautions, particularly if you are working with a web application which holds sensitive data.

In general, the remember-me functionality only allows partial access to the application, and if you have to perform any sensitive operation you have to log in again.

A good example of this is Amazon.com, which remembers your name, your selections and what you liked before, and shows that when you log in again, but asks you to re-login when you try to buy anything. I think that is the right mix of security and convenience, and a model to follow.

In the past, I have shared 25 Spring Security interview questions as well as how to enable Spring Security, and in this article we'll learn how to enable this remember-me functionality in a Java application using Spring Security.

Most of the steps are similar to the way we enabled HTTP Basic authentication, but this time we'll use form login instead of HTTP Basic authentication.

Spring Security provides out-of-the-box remember-me functionality, which can be enabled by adding just one tag in your security configuration file or, when you configure Spring Security using Java configuration, by calling a method on the HttpSecurity object passed to the configure() method.

In this article, I'll show you both ways to activate remember-me functionality in a Spring Security based Java application.


How Remember Me Functionality works in Spring Security?

Before going into the technical details of how to enable remember-me functionality in your Java web application, let's first understand how exactly it works. The server provides this functionality using a cookie, which it sends to the browser when a user successfully logs into the application.

This cookie contains the username, password, expiration date and a hash value, which is generated using the MD5 algorithm by combining the username, password and expiration date/time. This whole String is then Base64 encoded and written into the cookie.

Every time you access the application, the cookie is sent to the server for validation. The server then looks at the values, extracts the credentials and matches them against what it has stored. If everything matches, an Authentication object is created for the user and passed back to the caller.

At this point, the login is considered successful.
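To make the cookie mechanism concrete, here is an added illustration (not code from the article) of how the hash-based token of Spring Security's TokenBasedRememberMeServices is built and checked: the cookie is the Base64 of username:expiry:signature, where the signature is the MD5 hex of username:expiry:password:key, so only a hash derived from the password reaches the browser and the key set with rememberMe().key() must stay secret on the server. The class name and sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration of the hash-based remember-me token, following the layout used by
// Spring Security's TokenBasedRememberMeServices (all names and sample values are ours):
//   cookie    = base64( username:expiryMillis:signature )
//   signature = md5Hex( username:expiryMillis:password:key )
public class RememberMeTokenDemo {
    static String md5Hex(String input) throws Exception {
        byte[] digest = MessageDigest.getInstance("MD5").digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Build the cookie value the server sends after a successful form login with the box ticked
    static String makeToken(String username, String password, String key, long expiryMillis) throws Exception {
        String signature = md5Hex(username + ":" + expiryMillis + ":" + password + ":" + key);
        String plain = username + ":" + expiryMillis + ":" + signature;
        return Base64.getEncoder().encodeToString(plain.getBytes(StandardCharsets.UTF_8));
    }

    // Validate a presented cookie: decode, check expiry, recompute the signature with the stored
    // password and the server key, and compare. Returns the username on success, null otherwise.
    static String validateToken(String cookie, String storedPassword, String key, long nowMillis) throws Exception {
        String[] parts;
        try {
            parts = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8).split(":");
            if (parts.length != 3 || Long.parseLong(parts[1]) < nowMillis) return null; // malformed or expired
        } catch (IllegalArgumentException e) {   // bad Base64 or non-numeric expiry
            return null;
        }
        String expected = md5Hex(parts[0] + ":" + parts[1] + ":" + storedPassword + ":" + key);
        // constant-time comparison so response timing does not reveal how many bytes matched
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   parts[2].getBytes(StandardCharsets.UTF_8))) return null;
        return parts[0];
    }

    public static void main(String[] args) throws Exception {
        long twoWeeks = 14L * 24 * 60 * 60 * 1000, now = System.currentTimeMillis();
        String cookie = makeToken("alice", "s3cret", "myApp", now + twoWeeks);   // constructed sample values
        System.out.println("valid cookie, right key: " + validateToken(cookie, "s3cret", "myApp", now));
        System.out.println("valid cookie, wrong key: " + validateToken(cookie, "s3cret", "otherKey", now));
        System.out.println("expired cookie:          " + validateToken(cookie, "s3cret", "myApp", now + twoWeeks + 1));
    }
}
```

Because the stored password is part of the signature, changing the password invalidates every outstanding remember-me cookie for that user; and because anyone holding the key could mint a valid token for any username, the key is as sensitive as a credential.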

This was the general overview of how remember-me works. I'll go into more detail about how exactly Spring Security handles remember-me requests, e.g. which filters are invoked and which classes are involved, in my coming post, but for now you can check Eugen Paraschiv's Learn with Spring Security course to learn more about the remember-me functionality.

Also, here is a nice diagram which explains how RememberMe functionality works in Spring Security:

[Diagram: How Remember Me Functionality works in Spring Security]




How to enable Remember Me functionality in Spring Security 

As I said, you should prefer Java configuration over XML configuration if you are working with a Spring Security version which allows that, i.e. anything after Spring 3.2. It's both easier and more readable.

In order to enable remember-me functionality, you first need to enable form login, which you can do by calling the formLogin() method on the HttpSecurity object passed to one of the configure() methods of the WebSecurity class.

Once that is done, you can further call the rememberMe() method and join the two calls using the and() method, as shown below:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .formLogin()
            .loginPage("/login")
            .and()
        .rememberMe()
        ...
}


This is enough to enable remember-me functionality with the default settings, e.g. a validity of two weeks, but if you want you can further customize it by calling the tokenValiditySeconds() method to increase the validity of the remember-me cookie and by changing the default key from "SpringSecured" to something specific to your application.

For example, the snippet below increases the validity of the cookie to 4 weeks and changes the key property to "myApp".

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .formLogin()
            .loginPage("/login")
            .and()
        .rememberMe()
            .tokenValiditySeconds(2419200)
            .key("myApp")
        ...
}

By the way, there is one more important task left, and it is what actually triggers the remember-me functionality. We need to add a checkbox to login.jsp to let the user opt into remember-me, and we also need to add code to send this selection to the server.

For that, the login request needs to include a remember-me parameter. Here is what you can add to your JSP:

<input id="remember-me" name="remember-me" type="checkbox" />
<label for="remember-me" class="inline">Remember me </label>

When the user checks this checkbox, the browser adds the "remember-me" parameter to the login request, which Spring Security reads to trigger the remember-me functionality; it will then send the cookie needed for future logins.

That's all you need to enable this useful remember-me functionality in a Spring Security based Java web application.
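Putting the pieces together, here is an added complete configuration (not the article's own code, written for Spring Security 5.x with WebSecurityConfigurerAdapter, the style the snippets above use) that also applies the partial-access idea from the introduction: paths such as /checkout/** are marked fullyAuthenticated(), so a user who arrived via the remember-me cookie is sent back to the login form before reaching them. The paths, user and key are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Added example (not the article's own code); paths, key and user below are hypothetical
@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // sensitive area: a remember-me cookie alone is not enough, the user must log in again
                .antMatchers("/checkout/**", "/account/**").fullyAuthenticated()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            .rememberMe()
                .key("myApp")                        // server-side secret mixed into the token hash; keep it private
                .tokenValiditySeconds(2419200)       // 4 weeks, in seconds
                .rememberMeParameter("remember-me")  // must match the checkbox name in login.jsp
                .userDetailsService(users())
                .and()
            .logout()
                .logoutUrl("/logout").permitAll();   // logout also clears the remember-me cookie
    }

    @Bean
    public UserDetailsService users() {
        // constructed sample user; use a real user store and a proper PasswordEncoder in production
        return new InMemoryUserDetailsManager(
            User.withDefaultPasswordEncoder().username("alice").password("s3cret").roles("USER").build());
    }
}
```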

By the way, if you are not using Java configuration and are still using XML files to configure Spring Security, then you can use the <form-login> tag to enable form login and the <remember-me> tag to enable the remember-me functionality.

These tags become available once you include the security namespace in your XML configuration. You can also provide the key parameter to further customize the remember-me functionality, as we did above. You can learn more about that in the Spring Security MasterClass by Baeldung.




That's all about how to enable remember-me functionality in a Spring Security based Java web application. I have shown you both the Java and the XML configuration to enable this feature. It's pretty useful, but as I have said, you need to be a little bit cautious while using it, particularly for sensitive applications.

I'll talk more about how to protect the sensitive parts of your application and not allow access to them via a remember-me login in the next couple of tutorials, but if you can't wait, I suggest you go through these best Spring Security certification classes to learn more about it.

This course provides the most comprehensive overview of Spring Security for protecting real-world Java applications.


Thanks for reading this article. If you like my explanation of how to enable RememberMe functionality in Spring Security, then please share this article with your friends and colleagues. If you have any questions or feedback, then please drop a note.

P.S. - If you like to learn from free resources, then you can also check out my list of free courses to learn Spring MVC and Spring Boot online. The list contains some free courses from Udemy, Pluralsight, Coursera, and other resources to learn the Spring framework.

1 comment:

Anonymous said...

Thank you, super useful tutorial
