带有用户名和 ID 的 Spring Security RememberMe 功能

Question

I have a Spring Boot application and the login handled by Spring security. I have added the remeberme() funtion to the HttpSecurity

http.<...>.rememberMe().rememberMeParameter(REMEMBER_ME_PARAM).rememberMeCookieName(REMEMBER_ME_NAME).key(KEY_NAME).userDetailsService(userDetailsService);

and added the checkbox to login form. My users login by their email as username and belong to a special group. That works fine for normal users who just belong to one group.

But I have users which belong to several groups with the same email as username (they get a select of group when they login).

This users have several database entries, each user with single ID but same email. So I do not have a "unique" username which can be used in RemeberMe Cookie and so it throws a 500 exception when I use remember me funtion with this users.

Is there any possibility to expand the remeberme cookie to also use the users ID for example? So that I can get the email and ID of the cookie and search for it in database?

Answer 1

I think you should change approach. Use another approach PersistentTokenBasedRememberMeServices Here

Answer 2

The problem is we have one person with actually two users with the same username. Eg two users in database , both with username/email test@test.de

First user has ID 1 and belongs to group Foo, second has ID 2 and belongs to group Bar. Though same username all users can have different names, passwords, ....

The person then logs in with test@test.de and gets a select option to choose wether he wants to login for group Foo or Bar.

The remember me function now just remembers the username in cookie, so I can not assign an explicit user. As the users can also have different passwords I also cannot use the group select of the login.

As far as I see does the PersistentTokenBasedRememberMeServices also just uses the username to identify the user?! So I need a possibility to add a second unique field (user or group id) to the saved/remembered users.