Configuring remember-me in spring security - spring-security

How can i configure remember-me service in spring security.Am using spring3.0 +hibernate3+ struts2.I have tried as below.
login.jsp
<input type="checkbox" name="_spring_security_remember_me"/>remember-me
applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:s="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<description>SpringSecurity安全配置</description>
<!-- http安全配置 -->
<s:http auto-config="true" use-expressions="true" >
<s:intercept-url pattern="/css/**" filters="none" />
<s:intercept-url pattern="/img/**" filters="none" />
<s:intercept-url pattern="/js/**" filters="none" />
<s:intercept-url pattern="/account/user!save*" access="hasAnyRole('ROLE_修改用户')" />
<s:intercept-url pattern="/account/user!delete*" access="hasAnyRole('ROLE_修改用户')" />
<s:intercept-url pattern="/account/user*" access="hasAnyRole('ROLE_浏览用户')" />
<s:intercept-url pattern="/account/role!save*" access="hasAnyRole('ROLE_修改角色')" />
<s:intercept-url pattern="/account/role!delete*" access="hasAnyRole('ROLE_修改角色')" />
<s:intercept-url pattern="/account/role*" access="hasAnyRole('ROLE_浏览角色')" />
<s:form-login login-page="/login.action" default-target-url="/" authentication-failure-url="/login.action?error=true" />
<s:logout logout-success-url="/" />
<s:remember-me/>
</s:http>
<!-- 认证配置, 使用userDetailsService提供的用户信息 -->
<s:authentication-manager erase-credentials="false">
<s:authentication-provider user-service-ref="userDetailsService">
<s:password-encoder hash="plaintext" />
</s:authentication-provider>
</s:authentication-manager>
<!-- 项目实现的用户查询服务 -->
<bean id="userDetailsService" class="net.top.system.service.account.UserDetailsServiceImpl" />
</beans>
But no use at all.What else i need to configure in my application.

In order to make an application that is already secured with Spring, needed to add the following to the XML:
<sec:http authentication-manager-ref="authenticationManager">
<sec:intercept-url pattern="/secure/**" access="ROLE_USER" />
<sec:form-login/>
<sec:custom-filter … />
<sec:remember-me
data-source-ref="dataSource"
user-service-ref="userDetailsService"/>
</sec:http>
Note that using “data-source” is not a "must", but it actually declares that you want to use a JDBC persistent token. (In this case, Spring works with PersistentTokenBasedRememberMeServices.) Of course the data source bean has to be declared in the XML.
As documented by Spring , a table names persistent_logins has to exist in the DB.
The “userDetailsService” is a ref to the UserService bean, where the users and passwords are declared. It can be in the XML or point to the DB as well.
In run time, Spring creates a Cookie called SPRING_SECURITY_REMEMBER_ME_COOKIE( ) . It is seen with the “JSESSION” Cookie. It we delete the JSESSION (meaning we open a brand new session, just like reopen the browser) the “remember me” cookie remembers the last login, and creates a new JSESSION.
HTH :-)

Related

How InMemoryTokenStore works with Spring Security OAuth2 and Is this the safest way from hacking perspective?

I am new to Spring Security OAuth2 using version 2.0.10.RELEASE implementation. I developed code using 'InMemoryTokenStore' and I'm impressed with the way it works (it creates access_token, 'refresh_token' etc..), but I don't have enough understanding on how it works yet. Can anyone please help to know / provide understanding on how it works?
Is 'InMemoryTokenStore' the safest implementation from hacking perspective? I also see there are many implementation provided by OAuth2 like JdbcTokenStore, JwtTokenStore,KeyStoreKeyFactory. I don't think storing access_token into the database in the great idea like JdbcTokenStore does.
Which Implementation we should follow and why ?
spring-security-oauth2.xml file
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd ">
<http pattern="/oauth/token" auto-config="true" use-expressions="true" create-session="stateless" authentication-manager-ref="authenticationManager"
xmlns="http://www.springframework.org/schema/security" >
<!-- <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" /> -->
<intercept-url pattern="/oauth/token" access="permitAll" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<!-- Added this to fix error -->
<sec:csrf disabled="true" />
</http>
<http pattern="/resources/**" auto-config="true" use-expressions="true" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/resources/**" method="GET" />
<!-- <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_FULLY" /> -->
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<!-- Added this to fix error -->
<sec:csrf disabled="true" />
</http>
<http pattern="/logout" create-session="never" auto-config="true" use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/logout" method="GET" />
<sec:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<!-- Added this to fix error -->
<sec:csrf disabled="true" />
</http>
<bean id="logoutSuccessHandler" class="demo.oauth2.authentication.security.LogoutImpl" >
<property name="tokenstore" ref="tokenStore"></property>
</bean>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="springsec/client" />
<property name="typeName" value="Basic" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler">
</bean>
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="clientDetails" class="demo.oauth2.authentication.security.ClientDetailsServiceImpl"/>
<authentication-manager id="userAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customUserAuthenticationProvider">
</authentication-provider>
</authentication-manager>
<bean id="customUserAuthenticationProvider"
class="demo.oauth2.authentication.security.CustomUserAuthenticationProvider">
</bean>
<oauth:authorization-server
client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:authorization-code />
<oauth:implicit/>
<oauth:refresh-token/>
<oauth:client-credentials />
<oauth:password authentication-manager-ref="userAuthenticationManager"/>
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
resource-id="springsec" token-services-ref="tokenServices" />
<!-- <bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" /> -->
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="accessTokenValiditySeconds" value="300000"></property>
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<mvc:annotation-driven /> <!-- Declares explicit support for annotation-driven MVC controllers #RequestMapping, #Controller -->
<mvc:default-servlet-handler />
<bean id="MyResource" class="demo.oauth2.authentication.resources.MyResource"></bean>
</beans>
You're mixing in several things together. InMemoryTokenStore, JwtTokenStore and JdbcTokenStore are only supposed to be used for different cases. There is no such a thing which of them is safer and which is not.
JwtTokenStore
JwtTokenStore encodes token-related data into the token itself. It does not make tokens persistent and requires JwtAccessTokenConverter as a translator between a JWT-encoded token
and OAuth authentication information. ("Spring Essentials" by Shameer Kunjumohamed, Hamidreza Sattari).
The important thing is that tokens are not persisted at all and validated "on the fly" based on signature.
One disadvantage is that you can't easily revoke an access token, so they normally are granted with short expiry and the revocation is handled at the refresh token. Another disadvantage is that the tokens can get quite large if you are storing a lot of user credential information in them. The JwtTokenStore is not really a "store" in the sense that it doesn't persist any data. read more
InMemoryTokenStore
InMemoryTokenStore stores tokens in server memory so it's hardly possible to share them among different servers. You'll lose all access tokens in InMemoryTokenStore when you restart your authorisation server. I'd prefer to use InMemoryTokenStore only during development and not in a production environment.
The default InMemoryTokenStore is perfectly fine for a single server (i.e. low traffic and no hot swap to a backup server in the case of failure). Most projects can start here, and maybe operate this way in development mode, to make it easy to start a server with no dependencies. read more
JdbcTokenStore
The JdbcTokenStore is the JDBC version of the same thing, which stores token data in a relational database. Use the JDBC version if you can share a database between servers, either scaled up instances of the same server if there is only one, or the Authorization and Resources Servers if there are multiple components. To use the JdbcTokenStore you need "spring-jdbc" on the classpath. read more
In case of JdbcTokenStore you're saving the tokens in real database. So you're safe in case of Authorization service restart. The tokens can be also easily shared among the servers and revoked. But you have more dependancies for database.

How to override BasicAuthenticationFilter using the schema configuration?

We use Spring Security 4.x and I want to override BasicAuthenticationFilter.
Unfortunately I was not able to find how to configure the class name for the BasicAuthenticationFilter nor in the http element neither in the http-basic element the schema configuration.
How to override BasicAuthenticationFilter using the schema configuration?
I have tried to override BasicAuthenticationFilter using the custom filter without success – the schema continue to create the default BasicAuthenticationFilter.
Added
Very strange. I configured auto-config="false but I still can see the creation of the default BasicAuthenticationFilter.
It should not be created according to the documentation http://docs.spring.io/spring-security/site/docs/4.0.x/reference/htmlsingle/#nsa-http
Added
The configuration w/o beans definitions
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:oxm="http://www.springframework.org/schema/oxm"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<sec:global-method-security pre-post-annotations="enabled">
<!-- AspectJ pointcut expression that locates our "post" method and applies security that way
<protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
-->
</sec:global-method-security>
<sec:http use-expressions="true" auto-config="true" pattern="/api/**" disable-url-rewriting="false" entry-point-ref="authenticationEntryPoint">
<sec:custom-filter ref="rememberUrlFilter" before="BASIC_AUTH_FILTER"/>
<sec:custom-filter position="PRE_AUTH_FILTER" ref="ssoFilter" />
<sec:intercept-url pattern="/api/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/**" access="isAuthenticated()"/>
<sec:logout logout-url="/logout.faces" success-handler-ref="logoutSuccessHandlerImpl" />
<sec:http-basic entry-point-ref="authenticationEntryPoint"/>
<sec:csrf disabled="true"/>
<sec:headers disabled="true"/>
<!--<sec:custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER"/>-->
<sec:custom-filter ref="localhostIntegrationFilter" after="ANONYMOUS_FILTER"/>
<sec:access-denied-handler ref="accessDeniedHandler"/>
</sec:http>
<bean class="org.primefaces.webapp.filter.FileUploadFilter" name="fileUploadFilter"/>
<sec:http use-expressions="true" auto-config="true" disable-url-rewriting="false">
<sec:custom-filter ref="fileUploadFilter" before="FIRST"/>
<sec:custom-filter ref="rememberUrlFilter" before="BASIC_AUTH_FILTER"/>
<sec:custom-filter position="PRE_AUTH_FILTER" ref="ssoFilter" />
<sec:intercept-url pattern="/pages/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/login.faces" access="isAnonymous()"/>
<sec:intercept-url pattern="/js/**" access="permitAll"/>
<sec:intercept-url pattern="/css/**" access="permitAll"/>
<sec:intercept-url pattern="/images/**" access="permitAll"/>
<sec:intercept-url pattern="/img/**" access="permitAll" />
<sec:intercept-url pattern="/**" access="isAuthenticated()"/>
<sec:csrf disabled="true"/>
<sec:headers disabled="true"/>
<sec:form-login login-page="/login.faces"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login.faces"
default-target-url="/pages/defaultPage.faces"
username-parameter="j_username"
password-parameter="j_password"
authentication-failure-handler-ref="authenticationFailureHandler"
/>
<sec:logout logout-url="/logout.faces"
success-handler-ref="logoutSuccessHandlerImpl"
/>
<sec:custom-filter ref="localhostIntegrationFilter" after="ANONYMOUS_FILTER"/>
<sec:access-denied-handler ref="accessDeniedHandler"/>
</sec:http>
...
</beans>
As per the schema documentation in the xsd if you want to replace a filter you need to use the position tag:
<sec:custom-filter ref="customBasicAuth" position="BASIC_AUTH_FILTER"/>
Also if you include the <sec:http-basic element, then the default basic auth filter will be added to the filter chain.
The auto-config is a legacy attribute and can be removed (no need to set it to false)

403 errors after upgrading to Spring Security 4.0.0

I've been trying to update my project to Spring Security 4.0.0. I think I've read the migration guide quite extensively but even if I can successfully login and navigate through the pages, I get 403 errors on every Ajax requests. Everything is working fine with 3.2.7.
This is my "manual login" configuration file:
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- HTTP security configurations -->
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<intercept-url access="permitAll" pattern="/" /><!-- To permit "/" allows the use of web.xml's <welcome-file> -->
<intercept-url access="permitAll" pattern="/home" />
<intercept-url access="permitAll" pattern="/login" />
<intercept-url access="permitAll" pattern="/pages/exceptions/**" />
<intercept-url access="permitAll" pattern="/javax.faces.resource/**" />
<intercept-url access="permitAll" pattern="/resources/**" />
<intercept-url access="permitAll" pattern="/j_spring_security_check"/>
<intercept-url access="hasRole('ROLE_ADMIN')" pattern="/administration/**" />
<intercept-url access="isAuthenticated()" pattern="/**" />
<logout logout-url="/logout" logout-success-url='/home' />
<form-login login-page='/login'
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login?auth=fail"
default-target-url="/home" />
</http>
<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="${authentication.provider}" />
</authentication-manager>
<b:bean name="bcryptEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<b:bean id="daoAuthProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<b:property name="userDetailsService">
<b:bean class="eu.ueb.acem.services.auth.DaoUserDetailsService">
<b:property name="domainService" ref="domainService" />
</b:bean>
</b:property>
<b:property name="passwordEncoder" ref="bcryptEncoder" />
</b:bean>
</b:beans>
I try to use:
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<headers disabled="true" />
<csrf disabled="true"/>
...
</http>
but I get :
cvc-complex-type.3.2.2: Attribute 'disabled' is not allowed to appear in element 'headers'
cvc-complex-type.3.2.2: Attribute 'disabled' is not allowed to appear in element 'csrf'
which is normal because 4.0.0 has no dedicated XML Schema at:
http://www.springframework.org/schema/security/
So what could possibly cause these "403 forbidden" errors?
Ok, I found the solution. It is indeed to use:
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<csrf disabled="true"/>
...
</http>
but for the time being, we have to ignore the XML Schema error in Eclipse. Hopefully Spring will put their new Schema online soon.

Parsing error for spring-security.xml file

I know very little or nothing about xml and I have to write a spring-security.xml file . The problem i guess has something to do with my xml not following xsd. Here is the xml.
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:s="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<s:http auto-config="true">
<s:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<s:intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<s:intercept-url pattern="/**" access="ROLE_USER" />
<s:intercept-url pattern="/" access="ROLE_USER" />
<s:form-login login-page="/login" default-target-url="/getemp"/>
<s:logout logout-success-url="/logout" />
</s:http>
<s:authentication-manager>
<s:authentication-provider>
<s:ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
</s:authentication-provider>
</s:authentication-manager>
<s:ldap-server id="ldapServer" url="ldap://test.com:389" />
</beans>
When I try to run the web application I am getting an error.
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 's:ldap-authentication-provider'. One of '{"http://www.springframework.org/schema/security":any-user-service, "http://www.springframework.org/schema/security":password-encoder}' is expected.
Here is the xsd
spring security xsd
The xsd says that <s:authentication-manager> accepts as children an authentication-provider OR an ldap-authentication-provider. So, remove the <s:authentication-provider> that is wrapping your <s:ldap-authentication-provider> and that should get you past this problem. Your final code should look like:
<s:authentication-manager>
<s:ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
</s:authentication-manager>

Spring Security Config Error while server startup

If I keep remember-me element in security.xml file and startup a server then I got following error.
No UserDetailsService registered.......
If I remove this remember-me element then it works fine.
How to get rid of this error...
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http auto-config="false" use-expressions="true"
access-denied-page="/login.jsp?error=true" entry-point-ref="authenticationEntryPoint">
<remember-me key="abcdefgh" />
<logout invalidate-session="true" />
<intercept-url pattern="/login.jsp" access="permitAll" />
<intercept-url pattern="/index.jsp" access="permitAll" />
<intercept-url pattern="/pub" access="isAuthenticated()" />
<intercept-url pattern="/*" access="permitAll" />
<custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
</http>
<beans:bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />
<!-- Custom authentication manager. In order to authenticate, username and
password must not be the same -->
<beans:bean id="customAuthenticationManager" class="com.cv.pub.cmgt.framework.security.CustomAuthenticationManager" />
<!-- We just actually need to set the default failure url here -->
<beans:bean id="customAuthenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/login.jsp?error=true" />
<!-- We just actually need to set the default target url here -->
<beans:bean id="customAuthenticationSuccessHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
p:defaultTargetUrl="/pub" />
<!-- The AuthenticationEntryPoint is responsible for redirecting the user
to a particular page, like a login page, whenever the server sends back a
response requiring authentication -->
<!-- See Spring-Security Reference 5.4.1 for more info -->
<beans:bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login.jsp" />
<!-- The tag below has no use but Spring Security needs it to autowire the
parent property of org.springframework.security.authentication.ProviderManager.
Otherwise we get an error A probable bug. This is still under investigation -->
<authentication-manager />
</beans:beans>
Spring Security's provided RememberMeServices requires a UserDetailsService in order to work. This means you have two options:
1) If possible, I recommend this as your best option. Instead of writing a custom AuthenticationProvider, write a custom UserDetailsService. You can find an example UserDetailsService looking at InMemoryDaoImpl You can then wire it similar to the configuration below. Note you would remove your custom AuthenticationManager too.
<http ..>
...
<remember-me key="abcdefgh" />
</http>
<authentication-manager>
<authentication-provider user-service-ref="myUserService"/>
</authentication-manager>
<beans:bean id="myUserService" class="MyUserService"/>
2) Write your own RememberMeServices implementation that does not require a UserDetailsService. You can take a look at TokenBasedRememberMeServices for an example (but it requires UserDetailsService). If you want to use the namespace configuration your RememberMeServices implementation will need to implement LogoutHandler. You can then use the namespace to wire it.
<http ..>
...
<remember-me ref="myRememberMeServices"/>
</http>
<beans:bean id="myRememberMeServices" class="sample.MyRememberMeServices"/>

Resources