How to implement “Stay Logged In” when user login in to the web application

by

Java EE 8 and up

If you’re on Java EE 8 or newer, put @RememberMe on a custom HttpAuthenticationMechanism along with a RememberMeIdentityStore.

@ApplicationScoped
@AutoApplySession
@RememberMe
public class CustomAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    private IdentityStore identityStore;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext context) {
        Credential credential = context.getAuthParameters().getCredential();

        if (credential != null) {
            return context.notifyContainerAboutLogin(identityStore.validate(credential));
        }
        else {
            return context.doNothing();
        }
    }
}

public class CustomIdentityStore implements RememberMeIdentityStore {

    @Inject
    private UserService userService; // This is your own EJB.
    
    @Inject
    private LoginTokenService loginTokenService; // This is your own EJB.
    
    @Override
    public CredentialValidationResult validate(RememberMeCredential credential) {
        Optional<User> user = userService.findByLoginToken(credential.getToken());
        if (user.isPresent()) {
            return new CredentialValidationResult(new CallerPrincipal(user.getEmail()));
        }
        else {
            return CredentialValidationResult.INVALID_RESULT;
        }
    }

    @Override
    public String generateLoginToken(CallerPrincipal callerPrincipal, Set<String> groups) {
        return loginTokenService.generateLoginToken(callerPrincipal.getName());
    }

    @Override
    public void removeLoginToken(String token) {
        loginTokenService.removeLoginToken(token);
    }

}

You can find a real world example in the Java EE Kickoff Application.

Java EE 6/7

If you’re on Java EE 6 or 7, homegrow a long-living cookie to track the unique client and use the Servlet 3.0 API provided programmatic login HttpServletRequest#login() when the user is not logged-in but the cookie is present.

This is the easiest to achieve if you create another DB table with a java.util.UUID value as PK and the ID of the user in question as FK.

Assume the following login form:

<form action="login" method="post">
    <input type="text" name="username" />
    <input type="password" name="password" />
    <input type="checkbox" name="remember" value="true" />
    <input type="submit" />
</form>

And the following in doPost() method of a Servlet which is mapped on /login:

String username = request.getParameter("username");
String password = hash(request.getParameter("password"));
boolean remember = "true".equals(request.getParameter("remember"));
User user = userService.find(username, password);

if (user != null) {
    request.login(user.getUsername(), user.getPassword()); // Password should already be the hashed variant.
    request.getSession().setAttribute("user", user);

    if (remember) {
        String uuid = UUID.randomUUID().toString();
        rememberMeService.save(uuid, user);
        addCookie(response, COOKIE_NAME, uuid, COOKIE_AGE);
    } else {
        rememberMeService.delete(user);
        removeCookie(response, COOKIE_NAME);
    }
}

(the COOKIE_NAME should be the unique cookie name, e.g. "remember" and the COOKIE_AGE should be the age in seconds, e.g. 2592000 for 30 days)

Here’s how the doFilter() method of a Filter which is mapped on restricted pages could look like:

HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
User user = request.getSession().getAttribute("user");

if (user == null) {
    String uuid = getCookieValue(request, COOKIE_NAME);

    if (uuid != null) {
        user = rememberMeService.find(uuid);

        if (user != null) {
            request.login(user.getUsername(), user.getPassword());
            request.getSession().setAttribute("user", user); // Login.
            addCookie(response, COOKIE_NAME, uuid, COOKIE_AGE); // Extends age.
        } else {
            removeCookie(response, COOKIE_NAME);
        }
    }
}

if (user == null) {
    response.sendRedirect("login");
} else {
    chain.doFilter(req, res);
}

In combination with those cookie helper methods (too bad they are missing in Servlet API):

public static String getCookieValue(HttpServletRequest request, String name) {
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            if (name.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
    }
    return null;
}

public static void addCookie(HttpServletResponse response, String name, String value, int maxAge) {
    Cookie cookie = new Cookie(name, value);
    cookie.setPath("/");
    cookie.setMaxAge(maxAge);
    response.addCookie(cookie);
}

public static void removeCookie(HttpServletResponse response, String name) {
    addCookie(response, name, null, 0);
}

Although the UUID is extremely hard to brute-force, you could provide the user an option to lock the “remember” option to user’s IP address (request.getRemoteAddr()) and store/compare it in the database as well. This makes it a tad more robust. Also, having an “expiration date” stored in the database would be useful.

It’s also a good practice to replace the UUID value whenever the user has changed its password.

Java EE 5 or below

Please, upgrade.

More Related Contents:

  1. java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException
  2. JSF request scoped bean keeps recreating new Stateful session beans on every request?
  3. Servlet vs RESTful
  4. What does the servlet value signify
  5. Maven2: Best practice for Enterprise Project (EAR file)
  6. Java EE Web Profile vs Java EE Full Platform
  7. EJB Transactions in local method-calls
  8. Name [jdbc/mydb] is not bound in this Context
  9. Correlation between Java EE / J2EE to J2SE / JDK versions
  10. Where to use EJB 3.1 and CDI?
  11. Packaging EJB in JavaEE 6 WAR vs EAR
  12. javax.mail.MessagingException: Could not connect to SMTP host: smtp.gmail.com, port: 25;
  13. Notify only specific user(s) through WebSockets, when something is modified in the database
  14. What is Java EE? [duplicate]
  15. What is a host only cookie?
  16. How to include values from .properties file into web.xml?
  17. EJB 3.0 – Nested Transaction != Requires New?
  18. Is it possible to @Inject a @RequestScoped bean into a @Stateless EJB?
  19. Is it possible to inject a CDI Bean into a static variable in Java EE 6?
  20. Get JSF managed bean by name in any Servlet related class
  21. How to add JAR libraries to WAR project without facing java.lang.ClassNotFoundException? Classpath vs Build Path vs /WEB-INF/lib
  22. What’s the difference between JPA and Hibernate? [closed]
  23. The absolute uri: http://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the jar files deployed with this application
  24. Handling service layer exception in Java EE frontend method
  25. Store/assign roles of authenticated users
  26. Stop scheduled timer when shutdown tomcat [duplicate]
  27. Call a servlet on click of hyperlink
  28. How to check whether a port is open at client’s network/firewall?
  29. calling java method in javascript [closed]
  30. Why do we use web.xml? [closed]

Leave a Comment