You should have a copy of the Auth filter now.  Also, I can confirm that there is an autoLogin field on the login form and the submit action is "cs_login".

-Kevin

Is a previous version of Tomcat 6 known to work, or are we talking a downgrade to 5.5?

Kevin,

The comment from the assigned developer is that the change took place in the 6.0.18 release of Tomcat, but he could be mistaken.  Can you please confirm that your users are not logging out ant the end of their session?  If you log out, the remember me cookie will be cleared.  Also, would it be possible to use Fire Cookie to get a dump of all of your cookies while you are logged in?

Thanks,

Austen

I can also confirm that I (and others) are not logging out first before eding the session.

I have attached a screencap of the Firecookie info coming back - see attached, and let me know what further information I can provide on that front.  Should another cookie be sent to the browser other than the ones shown?

-Kevin

Okay, so here is what I found:

1. The remember me bug with Tomcat only affects IE users and is definitely a problem only in Tomcat 6.0.18 and above.
   
2. Your authentication filter needs a small change in order for the remember me to work

There are two changes needed to make this work.  First thing that you'll need to do is inject the rememberMeServices into your Filter.  Second, after you have authenticated, you'll need to call the rememberMeServices.loginSuccess(HttpServletRequest, HttpServletResponse, Authentication).  When you do this, you must make sure that the password hash that you store in the cookie is the same as is stored in the DB, otherwise the rememberMeProcessingFilter will fail to authenticate you from the stored cookie.

Please let me know if you have any questions about this.

When you call the rememberMeServices loginSuccess method, this is saving the cookie for you.  To create the cookie, it extracts the username and password out of the Authentication object.  Here's a copy of that method:

    public void loginSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication successfulAuthentication) {
        // Exit if the principal hasn't asked to be remembered
        if (!rememberMeRequested(request, parameter)) {
            if (logger.isDebugEnabled()) {
                logger.debug("Did not send remember-me cookie (principal did not set parameter '" + this.parameter
                        + "')");
            }
 
            return;
        }
 
        // Determine username and password, ensuring empty strings
        Assert.notNull(successfulAuthentication.getPrincipal());
        Assert.notNull(successfulAuthentication.getCredentials());
 
        String username = retrieveUserName(successfulAuthentication);
        String password = retrievePassword(successfulAuthentication);
 
        // If unable to find a username and password, just abort as
        // TokenBasedRememberMeServices unable to construct a valid token in
        // this case
        if (!StringUtils.hasLength(username) || !StringUtils.hasLength(password)) {
            return;
        }
 
        long expiryTime = System.currentTimeMillis() + (tokenValiditySeconds * 1000);
 
        // construct token to put in cookie; format is:
        // username + ":" + expiryTime + ":" + Md5Hex(username + ":" +
        // expiryTime + ":" + password + ":" + key)
        String signatureValue = DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key);
        String tokenValue = username + ":" + expiryTime + ":" + signatureValue;
        String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes()));
        response.addCookie(makeValidCookie(tokenValueBase64, request, tokenValiditySeconds));
 
        if (logger.isDebugEnabled()) {
            logger
                    .debug("Added remember-me cookie for user '" + username + "', expiry: '" + new Date(expiryTime)
                            + "'");
        }
    }

Once this cookie is established, the rememberMeProcessingFilter will attempt to log you in using the rememberMeServices autoLogin method.  Under the covers, this method will load the password for the user and created a hashed cookie to compare to the hashed cookie that is passed along in the request.  If the two match, you are authenticated and auto logged in.

Martin,

Do you need to return null here?  This is required to be non-null for the remember me services, as you have pointed out.  In order to build the cookie, it is necessary to get the credentials.  If your Authentication's principal is an instance of UserDetails, it will retrieve the password from there.  However, credentials must still be a non-null Object for this to work.  Does it create a problem in your code if you do not return null?

Thanks,

Austen

Sorry, I must have read over that a little too fast.  I spoke with a colleague on my team who is a bit more experienced with CS 2.5 SSO integrations and he recommended that you implement this as a AuthenticationProvider rather than an authentication filter.  Most SSO integrations do not have the need for the TokenBasedRememberMeServices.

Since you are just going against an external DB for authentication and using the default login page, this would be more suited to a provider.  You would want to override this spring bean and replace the first three providers with a custom rolled one.  The daoAuthenticationProvider would be a good starting reference:

<!-- List of authentication providers used by the authentication manager beans.
            Customized authentication providers can override this bean and re-define
            this list as needed.-->
    <bean id="authenticationProviderList" class="org.springframework.beans.factory.config.ListFactoryBean">
        <property name="sourceList">
            <list>
                <ref bean="jiveLdapAuthenticationProvider"/>
                <ref bean="daoAuthenticationProvider" />
                <ref bean="jiveLegacyAuthenticationProvider"/>
                <ref bean="rememberMeAuthenticationProvider"/>
                <ref bean="openfireAuthenticationProvider"/>
            </list>
        </property>
    </bean>

If you do decide to stick with the filter, you'll probably have to extend the JiveUserAuthentication to override that method to return a UsernamePasswordCredentials object.

The solutions that you mention above seem non-trivial. Sometime in the future we will be moving to an SSO, It's likely that that will remove the problems we're having with the RememberMeServices. We might have to wait for persisted logins until we finish the new SSO login.