
Spring-security remember me functionality not working

I wrote the code given below in config.groovy

grails.plugins.springsecurity.providerNames = [
    'rememberMeAuthenticationProvider'
]

grails.plugin.springsecurity.rememberMe.cookieName='grails_remember_me'
grails.plugin.springsecurity.rememberMe.alwaysRemember=false
grails.plugin.springsecurity.rememberMe.tokenValiditySeconds=31*24*60*60
grails.plugin.springsecurity.rememberMe.parameter='_spring_security_remember_me'
grails.plugin.springsecurity.rememberMe.key='monitoringApp' 
grails.plugin.springsecurity.rememberMe.useSecureCookie=false
grails.plugin.springsecurity.rememberMe.persistent=false
grails.plugin.databasemigration.updateOnStart = true

I wrote the code given below on my GSP page

<div class="col-xs-7">
<div class="checkbox">
<label>
<input type='checkbox' name='_spring_security_remember_me' id='remember_me'
<g:if test='${hasCookie}'>checked='checked'</g:if>/>
<g:message code="springSecurity.login.remember.me.label"/>
</label>
</div>
</div>

All of my controller actions are fully authenticated using Spring Security @Secured(['IS_AUTHENTICATED_FULLY']), but I am not able to use the benefit of the Spring Security remember-me functionality. Please help me.

I am using Grails version 2.3.0 and Spring Security ":spring-security-core:2.0-RC2"

Tinku Saini asked Dec 19 '22 14:12

1 Answer

The reason why your users who have used the remember-me feature of Spring Security are still being prompted to log in is that IS_AUTHENTICATED_REMEMBERED is not the same as IS_AUTHENTICATED_FULLY.

IS_AUTHENTICATED_REMEMBERED requires the user to be authenticated through a remember-me cookie or an explicit login.

IS_AUTHENTICATED_FULLY requires the user to be fully authenticated with an explicit login.

All of this is outlined in the very well written documentation.

Since you want to allow users to access things either by being remembered or by logging in, you should strongly consider using IS_AUTHENTICATED_REMEMBERED instead of IS_AUTHENTICATED_FULLY, since it supports both cases.

Joshua Moore answered Jan 14 '23 19:01
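
The distinction the answer describes, as an added example that is not part of the original question or answer: a plain Groovy script that models, in simplified form, how Spring Security decides the three IS_AUTHENTICATED_* attributes for an anonymous visitor, a remember-me cookie session and an explicit login. The `Session` enum, the `granted` helper and the action names are constructed for illustration; only the attribute strings come from Spring Security. Keeping IS_AUTHENTICATED_FULLY on a sensitive action is an assumption about how the application would be laid out.

```groovy
// Added example: simplified model of how Spring Security evaluates the
// IS_AUTHENTICATED_* attributes. Session kinds and action names are constructed.
enum Session { ANONYMOUS, REMEMBER_ME_COOKIE, EXPLICIT_LOGIN }

boolean granted(String attribute, Session s) {
    boolean full = (s == Session.EXPLICIT_LOGIN)
    boolean remembered = (s == Session.REMEMBER_ME_COOKIE)
    switch (attribute) {
        case 'IS_AUTHENTICATED_FULLY':       return full                // explicit login only
        case 'IS_AUTHENTICATED_REMEMBERED':  return full || remembered  // cookie or explicit login
        case 'IS_AUTHENTICATED_ANONYMOUSLY': return true                // any of the three
        default: throw new IllegalArgumentException("unknown attribute: ${attribute}")
    }
}

// Hypothetical actions and the attribute each would carry in @Secured([...]).
def actions = [
    'monitor/index'          : 'IS_AUTHENTICATED_REMEMBERED',
    'account/changePassword' : 'IS_AUTHENTICATED_FULLY',
]

// Print the decision for every action and session kind.
actions.each { action, attribute ->
    Session.values().each { s ->
        println "${action.padRight(24)} ${attribute.padRight(28)} ${s.name().padRight(19)} " +
                (granted(attribute, s) ? 'allowed' : 'redirect to login')
    }
}

// The question's situation: a returning user holding only the remember-me
// cookie is rejected by IS_AUTHENTICATED_FULLY and sent back to the login page.
assert !granted('IS_AUTHENTICATED_FULLY', Session.REMEMBER_ME_COOKIE)
// With IS_AUTHENTICATED_REMEMBERED both the cookie and an explicit login pass,
// while an anonymous visitor is still rejected.
assert granted('IS_AUTHENTICATED_REMEMBERED', Session.REMEMBER_ME_COOKIE)
assert granted('IS_AUTHENTICATED_REMEMBERED', Session.EXPLICIT_LOGIN)
assert !granted('IS_AUTHENTICATED_REMEMBERED', Session.ANONYMOUS)
```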