Spring Security Remember Me

Remember me is a feature that allows a user to access into application without re-login. User's login session terminates after closing the browser and if user again access the application by opening browser, it prompts for login.

But we can avoid this re-login by using remember me feature. It stores user's identity into the Cookie or database and use to identity the user.

We are implementing this into the following example. Lets see an example.

Create a Maven Project

First create a maven project and provide the project details.

Initially, project looks like this:

Spring Security Configuration

Configure the project to implement spring security. It requires following four Java files. First create a package com.javatpoint and put all the files into this.

// AppConfig.java

package com.javatpoint;
import org.springframework.context.annotation.Bean;  
import org.springframework.context.annotation.ComponentScan;  
import org.springframework.context.annotation.Configuration;  
import org.springframework.web.servlet.config.annotation.EnableWebMvc;  
import org.springframework.web.servlet.view.InternalResourceViewResolver;  
import org.springframework.web.servlet.view.JstlView;  
@EnableWebMvc  
@Configuration  
@ComponentScan({ "com.javatpoint.controller.*" })  
public class AppConfig {  
    @Bean  
    public InternalResourceViewResolver viewResolver() {  
        InternalResourceViewResolver viewResolver  
                          = new InternalResourceViewResolver();  
        viewResolver.setViewClass(JstlView.class);  
        viewResolver.setPrefix("/WEB-INF/views/");  
        viewResolver.setSuffix(".jsp");  
        return viewResolver;  
    }  
} 

// MvcWebApplicationInitializer.java

package com.javatpoint;  
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;  
public class MvcWebApplicationInitializer extends  
        AbstractAnnotationConfigDispatcherServletInitializer {  
    @Override  
    protected Class<?>[] getRootConfigClasses() {  
        return new Class[] { WebSecurityConfig.class };  
    }  
    @Override  
    protected Class<?>[] getServletConfigClasses() {  
        // TODO Auto-generated method stub  
        return null;  
    }  
    @Override  
    protected String[] getServletMappings() {  
        return new String[] { "/" };  
    }  
}

// SecurityWebApplicationInitializer.java

package com.javatpoint;  
import org.springframework.security.web.context.*;        
	public class SecurityWebApplicationInitializer  
        extends AbstractSecurityWebApplicationInitializer {  
    }

// WebSecurityConfig.java

In this class, we are creating user and authenticating as well. The rememberMe() method inside the configure() method is responsible to remember and store user identity.

package com.javatpoint;
import org.springframework.context.annotation.*;    
import org.springframework.security.config.annotation.web.builders.HttpSecurity;  
import org.springframework.security.config.annotation.web.configuration.*;  
import org.springframework.security.core.userdetails.*;  
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;  
@EnableWebSecurity  
@ComponentScan("com.javatpoint")  
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {  
@Bean  
public UserDetailsService userDetailsService() {  
    InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();  
    manager.createUser(User.withDefaultPasswordEncoder()
    .username("admin").password("admin123").roles("ADMIN").build());  
    return manager;  
}  
  
@Override  
protected void configure(HttpSecurity http) throws Exception {  
	
	  http.authorizeRequests().
	  antMatchers("/index", "/user","/").permitAll()
	  .antMatchers("/admin").authenticated()
	  .and()
	  .formLogin()
	  .loginPage("/login")
	  .and()
	  .rememberMe()
	  .key("rem-me-key")
	  .rememberMeParameter("remember") // it is name of checkbox at login page
	  .rememberMeCookieName("rememberlogin") // it is name of the cookie
	  .tokenValiditySeconds(100) // remember for number of seconds
	  .and()
	  .logout()
	  .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));  
}  
}

Controller

Create a controller HomeController inside the com.javatpoint.controller package. See the controller code.

// HomeController.java

package com.javatpoint.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class HomeController {
	@RequestMapping(value = "/", method = RequestMethod.GET)
	public String index() {
		return "index";
	}
	@RequestMapping(value = "/login", method = RequestMethod.GET)
	public String login() {
		return "login";
	}
	@RequestMapping(value = "/admin", method = RequestMethod.GET)
	public String admin() {
		return "admin";
	}
}

View

Create view (JSP pages) to produce output to the browser.

// index.jsp

<html>  
<head>    
<title>Home Page</title>  
</head>  
<body>  
Welcome to Javatpoint! <br> <br>
<a href="admin">Admin login</a>  
</body>  
</html>

// admin.jsp

<html>  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">  
<title>Home Page</title>  
</head>  
<body>  
Welcome Admin! ?
<a href="logout">logout</a>  
</body>  
</html>  

// login.jsp

This is our custom login page in which we added remember me check box. See the code.

<%@ taglib
    prefix="c"
    uri="http://java.sun.com/jsp/jstl/core" 
%>
<c:url value="/login" var="loginUrl"/>
<form action="${loginUrl}" method="post">       
	<c:if test="${param.error != null}">        
		<p>
			Invalid username and password.
		</p>
	</c:if>
	<c:if test="${param.logout != null}">       
		<p>
			You have been logged out.
		</p>
	</c:if>
	<p>
		<label for="username">Username</label>
		<input type="text" id="username" name="username"/>	
	</p>
	<p>
		<label for="password">Password</label>
		<input type="password" id="password" name="password"/>	
	</p>
	<p>
		<label for="remember"> Remember me</label>
		<input type="checkbox" name="remember" />
	</p>
	<input type="hidden"                        
		name="${_csrf.parameterName}"
		value="${_csrf.token}"/>
	<button type="submit" class="btn">Log in</button>
</form>

Project Dependencies

Following is our pom.xml file that contains all required dependencies.

// pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.javatpoint</groupId>
  <artifactId>springrememberme</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>
  <properties>  
    <maven.compiler.target>1.8</maven.compiler.target>  
    <maven.compiler.source>1.8</maven.compiler.source>  
</properties>  
<dependencies>  
  <dependency>  
            <groupId>org.springframework</groupId>  
            <artifactId>spring-webmvc</artifactId>  
            <version>5.0.2.RELEASE</version>  
        </dependency>  
        <dependency>  
        <groupId>org.springframework.security</groupId>  
        <artifactId>spring-security-web</artifactId>  
        <version>5.0.0.RELEASE</version>  
    </dependency>  
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>5.0.4.RELEASE</version>
</dependency>
    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>5.0.4.RELEASE</version>
</dependency>
    
      
        <!-- https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api -->  
<dependency>  
    <groupId>javax.servlet</groupId>  
    <artifactId>javax.servlet-api</artifactId>  
    <version>3.1.0</version>  
    <scope>provided</scope>  
</dependency>  
<dependency>  
    <groupId>javax.servlet</groupId>  
    <artifactId>jstl</artifactId>  
    <version>1.2</version>  
</dependency>  
</dependencies>  
  <build>  
    <plugins>  
        <plugin>  
            <groupId>org.apache.maven.plugins</groupId>  
            <artifactId>maven-war-plugin</artifactId>  
            <version>2.6</version>  
            <configuration>  
                <failOnMissingWebXml>false</failOnMissingWebXml>  
            </configuration>  
        </plugin>  
    </plugins>  
</build>  
</project>

Project Structure

After adding all the files the project structure looks like this:

Run Server

Output:

Click on Admin login link and login.

See, we have clicked on remember me check box.

Copy the URL: http://localhost:8080/springrememberme/admin and close the browser completely. After a second open browser and paste the copied URL.

See, it does not ask for login and land us on the same page. Because we did check remember me button during login.

Next TopicSpring Security at Method Level

← prev next →