Description
Summary
I'm using LDAP auth and the Remember Me functionality. When an LDAP connection error occurs, a CookieTheftException is thrown.
Actual Behavior
- I log in correctly with "remember me" checked, so a token is stored in the database.
- I restart the server (or wait until the session expires), changing the LDAP URL to a non-existent one (to simulate a connection failure).
- I launch the application.
- I get two exceptions: first a CommunicationException and then a CookieTheftException.
Expected Behavior
I expect the CommunicationException to be handled correctly by ErrorPageFilter.
Version
Spring Boot: 1.3.1
Spring Security: 4.0.3
Spring: 4.2.4
Sample
Security configuration:
```java
.and()
.rememberMe()
.tokenRepository(jpaPersistentTokenRepository)
.userDetailsService(ldapUserDetailsService) // org.springframework.security.ldap.userdetails.LdapUserDetailsService
.rememberMeParameter("_spring_security_remember_me")
.key("irrelevant")
.tokenValiditySeconds(123456)
```
Error pages conf:
```java
@Override
public void customize(final ConfigurableEmbeddedServletContainer container) {
    container.addErrorPages(new ErrorPage(CookieTheftException.class, "/login"), new ErrorPage("/errors/other"));
}
```
So I debugged and came to this conclusion:
A failure in the LDAP connection causes an org.springframework.ldap.CommunicationException (1) (which is a runtime exception) from the last line of the PersistentTokenBasedRememberMeServices#processAutoLoginCookie method. This means that the persistent token (2) was updated in the database and a new cookie was set in the response, but it was not sent to the client. The exception is handled by ErrorPageFilter, which forwards the request to the error page.
RememberMeAuthenticationFilter is launched and PersistentTokenBasedRememberMeServices compares the token from the request cookie (which is the same as before (1)) with the token from the database (2); they differ, which causes a CookieTheftException.
Any RuntimeException thrown from the last line of processAutoLoginCookie will cause this behavior. Maybe it should be moved into the try-catch block above?
This may be connected slightly to #2970.
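To make the sequence concrete, here is a constructed stand-alone Java simulation of the order of operations described above. It is an added example, not Spring Security's code and not the reporter's: class and method names mirror the real ones (processAutoLoginCookie, autoLogin, CommunicationException, CookieTheftException), but every body is a stub, the token repository is an in-memory map, and the `loadUserInsideTry` flag is an assumption used only to contrast the reported order with the proposal of moving the last line into the existing try-catch block.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Constructed simulation of the remember-me token rotation described in the report.
 * Nothing here is Spring Security code; the names are kept only so the steps are recognisable.
 */
public class RememberMeRotationDemo {

    // Stand-ins for org.springframework.ldap.CommunicationException and the two Spring Security exceptions
    static class CommunicationException extends RuntimeException {
        CommunicationException(String m) { super(m); }
    }
    static class CookieTheftException extends RuntimeException {
        CookieTheftException(String m) { super(m); }
    }
    static class RememberMeAuthenticationException extends RuntimeException {
        RememberMeAuthenticationException(String m) { super(m); }
    }

    /** Stand-in for LdapUserDetailsService: returns a username, or throws when the directory is down. */
    interface UserDetailsService { String loadUserByUsername(String username); }

    /** The browser side: the remember-me cookie it last actually received (series == null means no cookie). */
    static class Client { String series; String token; }

    /** Stand-in for the persistent token table: series -> current token value. */
    private final Map<String, String> tokenRepository = new HashMap<>();
    /** Assumption for this demo: false = order described in the report, true = load user inside the try block. */
    private final boolean loadUserInsideTry;
    private int counter = 0;

    RememberMeRotationDemo(boolean loadUserInsideTry) { this.loadUserInsideTry = loadUserInsideTry; }

    private String generateTokenData() { return "token-" + (++counter); }

    /** Interactive login with "remember me" checked: store a token and hand the cookie to the client. */
    void login(Client client) {
        client.series = "series-1";
        client.token = generateTokenData();
        tokenRepository.put(client.series, client.token);
    }

    /**
     * Mirrors the order of operations in the report: verify the presented token, rotate it in the
     * repository, put the new cookie on the (not yet committed) response, then load the user on the last line.
     * response[0] models the cookie value written to the response.
     */
    String processAutoLoginCookie(Client client, UserDetailsService uds, String[] response) {
        String stored = tokenRepository.get(client.series);
        if (stored == null) throw new RememberMeAuthenticationException("unknown series");
        if (!stored.equals(client.token)) {
            throw new CookieTheftException("presented token does not match stored token");
        }
        String newToken = generateTokenData();
        try {
            tokenRepository.put(client.series, newToken);   // (2) token updated in the database
            response[0] = newToken;                          // new cookie set on the response
            if (loadUserInsideTry) return uds.loadUserByUsername("alice");
        } catch (RuntimeException e) {
            throw new RememberMeAuthenticationException("autologin failed: " + e.getMessage());
        }
        return uds.loadUserByUsername("alice");              // (1) CommunicationException escapes from here
    }

    /**
     * Mirrors AbstractRememberMeServices.autoLogin: a RememberMeAuthenticationException cancels the cookie
     * and yields no authentication; a CookieTheftException cancels the cookie and propagates; any other
     * RuntimeException propagates untouched, and because the response is never delivered the client
     * keeps the cookie it had before the request.
     */
    String request(Client client, UserDetailsService uds) {
        if (client.series == null) return null;              // no cookie presented, nothing to do
        String[] response = new String[1];
        try {
            String user = processAutoLoginCookie(client, uds, response);
            client.token = response[0];                      // response delivered: client now holds the rotated token
            return user;
        } catch (CookieTheftException e) {
            client.series = null; client.token = null;       // cancelCookie, then rethrow
            throw e;
        } catch (RememberMeAuthenticationException e) {
            client.series = null; client.token = null;       // cancelCookie, treat as "not remembered"
            return null;
        }
    }

    /** Runs the reported sequence with LDAP unreachable; returns the exception class seen on the second request, or "none". */
    static String secondRequestOutcome(boolean loadUserInsideTry) {
        RememberMeRotationDemo services = new RememberMeRotationDemo(loadUserInsideTry);
        Client client = new Client();
        services.login(client);
        UserDetailsService ldapDown = u -> { throw new CommunicationException("LDAP unreachable"); };
        try {
            services.request(client, ldapDown);
        } catch (RuntimeException first) {
            // In the real application this is where ErrorPageFilter forwards to the error page.
        }
        try {
            services.request(client, ldapDown);
            return "none";
        } catch (RuntimeException second) {
            return second.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        System.out.println("order from the report: " + secondRequestOutcome(false));
        System.out.println("load user inside try:  " + secondRequestOutcome(true));
    }
}
```

With the reported order, the first request rotates the stored token and then throws, the client still presents the old token on the second request, and the series mismatch is reported as cookie theft. With the lookup inside the try block, the failure becomes a RememberMeAuthenticationException, the cookie is cancelled on the first request, and the second request simply arrives without a remember-me cookie and falls back to the normal login flow.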