Spring Security remember-me authentication from ht

Posted 2019-08-20 03:55

I'm using Spring Security 3.0.5 for authentication and I'm using remember-me as well. Currently, the login page is an https page and the page that I redirect to after successful authentication is an http page. I used to have everything under https, but we have a few things on our site which won't operate under https in IE8, so I thought I would try this route. The debug log below seems to indicate that the cookie can't be written from https to http; is there a way to accomplish this?

Debug Trace:

15:13:53,373 DEBUG UsernamePasswordAuthenticationFilter:289 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b7fef7f9: Principal: com.dc.api.model.Users@470ad8; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 204.17.229.254; SessionId: 1C083D7977FDD3C8D1FA94BEA6665C54; Granted Authorities: com.dc.api.model.Authority@bd4e16
15:13:53,373 DEBUG TokenBasedRememberMeServices:271 - Did not send remember-me cookie (principal did not set parameter '_spring_security_remember_me')
15:13:53,374 DEBUG TokenBasedRememberMeServices:229 - Remember-me login not requested.
15:13:53,374 DEBUG DefaultListableBeanFactory:242 - Returning cached instance of singleton bean 'eventDispatcher'
15:13:53,375 DEBUG SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url: /registered/home.html
15:13:53,375 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/dreamcatcher/registered/home.html'

Spring Security Config:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
    xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/util
    http://www.springframework.org/schema/util/spring-util-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-3.0.xsd">
    <context:annotation-config />
    <context:component-scan base-package="dc" />
    <global-method-security />
    <http access-denied-page="/auth/denied.html">
        <intercept-url filters="none" pattern="/javax.faces.resource/**" />
        <intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
        <intercept-url filters="none" pattern="/preregistered/*" />
        <intercept-url pattern="/**/*.xhtml" access="ROLE_NONE_GETS_ACCESS" />
        <intercept-url pattern="/auth/**" access="ROLE_ANONYMOUS,ROLE_USER" />
        <intercept-url pattern="/auth/*" access="ROLE_ANONYMOUS" />
        <intercept-url pattern="/registered/*" access="ROLE_USER" />
        <intercept-url pattern="/*" access="ROLE_ANONYMOUS" />
        <form-login
            login-processing-url="/j_spring_security_check.html"
            login-page="/auth/login.html"
            default-target-url="/registered/home.html"
            authentication-failure-url="/auth/login.html" />
        <logout invalidate-session="true"
            logout-url="/auth/logout.html"
            success-handler-ref="DCLogoutSuccessHandler" />
        <anonymous username="guest" granted-authority="ROLE_ANONYMOUS" />
        <remember-me user-service-ref="userManager" key="keyvaluehere" />
        <custom-filter after="FORM_LOGIN_FILTER" ref="xmlAuthenticationFilter" />
    </http>
    <!-- Configure the authentication provider -->
    <authentication-manager alias="am">
        <authentication-provider user-service-ref="userManager">
            <password-encoder ref="passwordEncoder" />
        </authentication-provider>
        <authentication-provider ref="xmlAuthenticationProvider" />
    </authentication-manager>
</beans:beans>

2 answers
迷人小祖宗
#2 · 2019-08-20 04:20

From a security point of view, it is the correct behavior, because an attacker could steal the session id/cookie used in https if the same session id/cookie is used in http too.

So there is one of the fundamental rules: create a new session if the user switches from http to https. So if you have an https session, using it in http and then in https again would break this rule. -- So it is a feature of Spring Security, not a bug.

Anyway, the simplest solution would be making the http resources available under https too. So you do not need to switch back to http after the user is logged in (https).

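To make the first answer's suggestion concrete, the following Spring Security 3.0 namespace configuration is an added example, not the asker's configuration or the answerer's. It keeps the login pages and the logged-in area on https with `requires-channel="https"`, so a remember-me cookie issued during the https login is only ever presented on https and the question of carrying it back to http does not arise. The path patterns, role names, the `userManager` bean and the form-login URLs are taken from the question's config; the port mapping and the token validity are assumptions, and the question's custom XML authentication filter and provider are left out. The comment on the `remember-me` element picks up what the debug trace in the question actually reports: the cookie was not sent because the login form did not post the `_spring_security_remember_me` parameter.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the asker's or answerer's config). Everything that
     needs the session or the remember-me cookie is forced onto https. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http access-denied-page="/auth/denied.html">
        <!-- Static resources stay outside the filter chain, as in the question. -->
        <intercept-url filters="none" pattern="/javax.faces.resource/**" />

        <!-- Login pages and the logged-in area are https only: a plain-http
             request for these paths is redirected to the https equivalent
             by the channel-processing filter before any cookie is read. -->
        <intercept-url pattern="/auth/**" access="ROLE_ANONYMOUS,ROLE_USER"
                       requires-channel="https" />
        <intercept-url pattern="/registered/**" access="ROLE_USER"
                       requires-channel="https" />
        <intercept-url pattern="/*" access="ROLE_ANONYMOUS" />

        <!-- Assumed ports; only needed when the container does not listen
             on 80/443, otherwise the default mapping applies. -->
        <port-mappings>
            <port-mapping http="8080" https="8443" />
        </port-mappings>

        <form-login login-processing-url="/j_spring_security_check.html"
                    login-page="/auth/login.html"
                    default-target-url="/registered/home.html"
                    authentication-failure-url="/auth/login.html" />

        <!-- The debug trace shows "principal did not set parameter
             '_spring_security_remember_me'": no remember-me cookie is issued
             unless the login form posts that parameter, e.g.
               <input type="checkbox" name="_spring_security_remember_me" />
             next to the j_username and j_password fields.
             The key is mixed into the token hash, so "keyvaluehere" from the
             question should be replaced by a long random secret; validity
             (14 days here) is an assumed value. -->
        <remember-me user-service-ref="userManager"
                     key="keyvaluehere"
                     token-validity-seconds="1209600" />

        <logout invalidate-session="true" logout-url="/auth/logout.html" />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="userManager" />
    </authentication-manager>
</beans:beans>
```

With this in place the http-only pages mentioned in the question would have to be served from paths that are not under `/auth/**` or `/registered/**`, since anything behind those patterns is redirected to https.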
做自己的国王
#3 · 2019-08-20 04:22

It is possible by changing the cookie with a filter; I have answered this question here.
