spring-attic / spring-security-saml

SAML extension for the Spring Security project

SAML authentication doesn't work cleanly with remember-me tokens. #496

Open LukeButters opened 4 years ago

LukeButters commented 4 years ago

The setup is that most of the webapp (served over multiple wars) makes use of stateless remember-me tokens.

When SAML gets involved it takes over the user logging in; this results in the remember-me token service being called, and the onLoginSuccess() method adds the remember-me token to the user's cookies as desired.

The problem now begins.

When the user makes their request the browser sends both cookies:

Spring seems to make use of the JSESSIONID and claims the request is authenticated for all requests. This means the RememberMeAuthenticationFilter doesn't forward the request on to the remember-me service.

This is a pain as the remember-me service is extended to provide additional business logic, and the remember-me service avoids caching the Principal (it was surprising to see that enabling sessions, which seemed required by SAML, resulted in a Principal that was cached between requests).

Ideally I would like to see that JSESSIONID is only used for authenticating with SAML and after that the remember me token is issued and takes over authenticating requests. It seems that such a setup isn't possible or isn't obvious.
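The behaviour described in this issue comes from Spring Security's SecurityContextPersistenceFilter: with an HttpSession present, HttpSessionSecurityContextRepository stores the Authentication created by the SAML login in the session, so on later requests the context is already populated and RememberMeAuthenticationFilter never calls autoLogin(). The configuration below is an added example (not code from spring-security-saml or from the issue author) showing one way to keep the session for the SAML exchange while forcing every request to be re-authenticated from the remember-me cookie. It assumes Spring Security Java config, a SAML entry point and SAML filter chain already wired as `samlEntryPoint()` and `samlFilterChain()` beans elsewhere, a `UserDetailsService` bean, and a `REMEMBER_ME_KEY` loaded from a secret store; the class names `SamlRememberMeConfig` and `BusinessRuleRememberMeServices` are placeholders.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
import org.springframework.security.web.context.NullSecurityContextRepository;

/**
 * Added example, not part of spring-security-saml.
 * Keeps the HttpSession (the SAML SP needs it for AuthnRequest/InResponseTo
 * bookkeeping) but stops the SecurityContext from being cached in it, so the
 * remember-me cookie is validated on every request.
 */
@Configuration
@EnableWebSecurity
public class SamlRememberMeConfig extends WebSecurityConfigurerAdapter {

    // Assumption: injected from a secret store, never hard-coded in source.
    @Autowired private String REMEMBER_ME_KEY;
    @Autowired private UserDetailsService userDetailsService;
    // Assumption: SAML beans are defined in a separate configuration class.
    @Autowired private org.springframework.security.web.AuthenticationEntryPoint samlEntryPoint;
    @Autowired private javax.servlet.Filter samlFilterChain;

    @Bean
    public BusinessRuleRememberMeServices rememberMeServices() {
        BusinessRuleRememberMeServices services =
                new BusinessRuleRememberMeServices(REMEMBER_ME_KEY, userDetailsService);
        services.setAlwaysRemember(true);    // SAML login has no "remember me" checkbox
        services.setTokenValiditySeconds(60 * 60 * 8);
        return services;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Weak setting (the default): HttpSessionSecurityContextRepository caches the
            // SAML Authentication in the session, and the remember-me filter is skipped.
            // Corrected setting: never persist the context; each request starts empty.
            .securityContext()
                .securityContextRepository(new NullSecurityContextRepository())
                .and()
            .rememberMe()
                .rememberMeServices(rememberMeServices())
                .key(REMEMBER_ME_KEY)
                .and()
            .exceptionHandling()
                .authenticationEntryPoint(samlEntryPoint)
                .and()
            // SAML processing filters run before the username/password filter slot.
            .addFilterBefore(samlFilterChain, AbstractAuthenticationProcessingFilter.class)
            .authorizeRequests()
                .antMatchers("/saml/**").permitAll()
                .anyRequest().authenticated();
    }

    /**
     * Remember-me service that re-validates the cookie on every request and
     * applies extra business rules; the disabled-account check is a placeholder
     * for whatever rule a deployment needs.
     */
    public static class BusinessRuleRememberMeServices extends TokenBasedRememberMeServices {

        public BusinessRuleRememberMeServices(String key, UserDetailsService userDetailsService) {
            super(key, userDetailsService);
        }

        @Override
        protected UserDetails processAutoLoginCookie(String[] cookieTokens,
                                                     HttpServletRequest request,
                                                     HttpServletResponse response) {
            // Signature and expiry are verified by the parent class first.
            UserDetails user = super.processAutoLoginCookie(cookieTokens, request, response);
            if (!user.isEnabled() || !user.isAccountNonLocked()) {
                // Rejecting here clears the cookie and leaves the request unauthenticated.
                throw new InvalidCookieException("Account no longer eligible for remember-me");
            }
            return user;
        }
    }
}
```

Two caveats a practitioner should check. First, the SAML processing filter must still have the same `RememberMeServices` set on it (via `setRememberMeServices`), otherwise no cookie is issued at SAML login; the issue says this part already works. Second, `TokenBasedRememberMeServices` derives its cookie signature from the user's stored password hash, which SAML-only accounts may not have; if that is the case, switch to `PersistentTokenBasedRememberMeServices` with a server-side token store so that a stolen cookie can be revoked.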