Josep Llort Tella
2018-09-13 18:02:08 UTC
Hi
I have an application based on Spring Boot and the latest GWT 2.8.2. In the
application I have some protected resources, one with GWT and others with
standard Servlets and JSP pages.
Now I have included the remember-me feature. The remember-me feature is working
with all the protected resources except the GWT section, which fails.
My GWT Servlets extend RemoteServiceServlet.
It is raising this error:
org.springframework.security.web.authentication.rememberme.CookieTheftException:
Invalid remember-me token (Series/token) mismatch. Implies previous cookie
theft attack.
    at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:120)
I have debugged the internal Spring Security class
PersistentTokenBasedRememberMeServices, and the error is raised because
the initial tokenValue is, for some reason, changed in the middle:
    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens,
            HttpServletRequest request, HttpServletResponse response) {
        if (cookieTokens.length != 2) {
            throw new InvalidCookieException("Cookie token did not contain " + 2
                    + " tokens, but contained '" + Arrays.asList(cookieTokens) + "'");
        }
        final String presentedSeries = cookieTokens[0];
        final String presentedToken = cookieTokens[1];
        PersistentRememberMeToken token = tokenRepository
                .getTokenForSeries(presentedSeries);
        if (token == null) {
            // No series match, so we can't authenticate using this cookie
            throw new RememberMeAuthenticationException(
                    "No persistent token found for series id: " + presentedSeries);
        }
        // We have a match for this user/series combination
        if (!presentedToken.equals(token.getTokenValue())) {
            // Token doesn't match series value. Delete all logins for this user
            // and throw an exception to warn them.
            tokenRepository.removeUserTokens(token.getUsername());
            throw new CookieTheftException(messages.getMessage(
                    "PersistentTokenBasedRememberMeServices.cookieStolen",
                    "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack."));
        }
        // ... (remainder of the method not included in the message)
--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+***@googlegroups.com.
To post to this group, send email to google-web-***@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
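The series/token check quoted in the post, modelled as an added Python example (not Spring Security's code and not from the original message) over a constructed in-memory token store: each successful auto-login rotates the token value, so any later request that still presents the previous token value fails the comparison, all of the user's remember-me tokens are deleted, and the theft exception is raised. The names PersistentTokenStore, auto_login and replay_same_cookie are hypothetical; replay_same_cookie models several requests that all carry the same cookie before any rotated cookie has been received, which is how one stale token produces exactly the "Series/token mismatch" seen above.

```python
import secrets

class InvalidCookie(Exception): pass  # malformed cookie or unknown series
class CookieTheft(Exception): pass    # series matched but the token did not

class PersistentTokenStore:
    """Constructed in-memory stand-in for Spring's PersistentTokenRepository."""
    def __init__(self):
        self.by_series = {}  # series id -> (username, current token value)

    def create_cookie(self, username):
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.by_series[series] = (username, token)
        return f"{series}:{token}"

    def remove_user_tokens(self, username):
        for s in [s for s, (u, _) in self.by_series.items() if u == username]:
            del self.by_series[s]

def auto_login(store, cookie):
    """Model of processAutoLoginCookie: validate, rotate, return (user, new cookie)."""
    parts = cookie.split(":")
    if len(parts) != 2:
        raise InvalidCookie(f"expected 2 tokens, got {len(parts)}")
    series, presented = parts
    entry = store.by_series.get(series)
    if entry is None:
        raise InvalidCookie(f"no persistent token for series {series}")
    username, current = entry
    if not secrets.compare_digest(presented, current):  # Spring uses equals()
        # All remember-me logins for the user are deleted, so even the fresh
        # cookie issued by an earlier successful rotation is rejected afterwards.
        store.remove_user_tokens(username)
        raise CookieTheft("series/token mismatch")
    new_token = secrets.token_urlsafe(16)
    store.by_series[series] = (username, new_token)
    return username, f"{series}:{new_token}"

def replay_same_cookie(store, cookie, times):
    """Replay one cookie `times` times (parallel requests that all read it first)."""
    outcomes = []
    for _ in range(times):
        try:
            auto_login(store, cookie)
            outcomes.append("ok")
        except CookieTheft:
            outcomes.append("theft")
        except InvalidCookie:
            outcomes.append("invalid")
    return outcomes
```

Only the first request carrying a given token value can succeed; every further request with that value is classified as theft, and after that even the rotated cookie is useless because the user's tokens are gone.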