SEC-786: Added information on the need for a UserDetailsService if using auto-config/remember-me

Luke Taylor 2008-05-09 15:01:39 +00:00
parent b99f9d343d
commit 1030dca353
2 changed files with 28 additions and 7 deletions

View File

@ -115,7 +115,7 @@
</section>
</section>
<section xml:id="ns-getting-started">
<title>Getting Started with Security Namespace Cofiguration</title>
<title>Getting Started with Security Namespace Configuration</title>
<para>
In this section, we'll look at how you can build up a namespace configuration to use some of the main
features of the framework. Let's assume you initially want to get up and running as quickly as possible
@ -229,7 +229,18 @@
These other elements are responsible for setting up form-login,
<link xlink:href="#anonymous">anonymous authentication</link>, basic authentication, logout handling and remember-me services
respectively. They each have attributes which can be used to alter their behaviour.
</para>
<tip>
<title><literal>auto-config</literal> Requires a UserDetailsService</title>
<para>An error can occur when using auto-config without a <interfacename>UserDetailsService</interfacename> in
your application context (for example, if you are using LDAP authentication).
This is because remember-me is automatically enabled when <literal>auto-config="true"</literal> and it requires
an authentication mechanism which uses a <interfacename>UserDetailsService</interfacename> to function (see
the <link xlink:href="#remember-me">Remember-me chapter</link> for more details). If you have an error caused
by a missing <interfacename>UserDetailsService</interfacename> then try removing the <literal>auto-config</literal>
setting (and any <literal>remember-me</literal> setting you might have).
</para>
</tip>
</section>
<section xml:id="ns-form-and-basic">
<title>Form and Basic Login Options</title>
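Review bot: The remedy in the new tip ("try removing the auto-config setting") does not say what else is lost with it. The paragraph directly above states that auto-config also sets up form-login, anonymous authentication, basic authentication and logout handling, so a reader who follows the tip drops those as well unless the elements are declared explicitly. Suggest stating that, and also offering the alternative that the remember-me chapter change in this same commit describes: adding a UserDetailsService bean to the application context.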
@ -324,6 +335,11 @@
</section>
<section xml:id="ns-web-advanced">
<title>Advanced Web Features</title>
<section xml:id="ns-remember-me">
<title>Remember-Me Authentication</title>
<para>See the separate <link xlink:href="#remember-me">Remember-Me chapter</link> for information on remember-me namespace configuration.</para>
</section>
<section xml:id="ns-requires-channel">
<title>Adding HTTP/HTTPS Channel Security</title>
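Review bot: Style point on the link text in the new ns-remember-me section: it reads "Remember-Me chapter", while the tip added earlier in this file links to the same #remember-me target as "Remember-me chapter". Pick one capitalisation for both cross-references.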

View File

@ -14,7 +14,13 @@
these operations to take place, and has two concrete
remember-me implementations. One uses hashing to preserve the security of
cookie-based tokens and the other uses a database or other persistent storage
mechanism to store the generated tokens.</para>
mechanism to store the generated tokens. </para>
<para>
Note that both implemementations require a <interfacename>UserDetailsService</interfacename>.
If you are using an authentication provider which doesn't use a <interfacename>UserDetailsService</interfacename>
(for example, the LDAP provider) then it won't work unless you also have a <interfacename>UserDetailsService</interfacename>
bean in your application context.
</para>
</section>
<section xml:id="remember-me-hash-token">
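Review bot: Typo in the added paragraph: "implemementations" should be "implementations". The rewritten line above it also gains a stray space before the closing tag ("tokens. </para>"), which turns that line into a whitespace-only change that could be dropped. In "then it won't work", "it" has no clear antecedent now that the sentence opens with "both implementations"; "remember-me won't work" would be unambiguous.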
@ -52,10 +58,9 @@
]]>
</programlisting>
It is automatically enabled for you if you are using the <link xlink:href="ns-auto-config">auto-config</link> setting.
Note that remember-me requires a <interfacename>UserDetailsService</interfacename>. If you are using an authentication
provider which doesn't use a <interfacename>UserDetailsService</interfacename> (for example, the LDAP provider) then it won't work
unless you also have a <interfacename>UserDetailsService</interfacename> bean in your application context. If you have more than one,
you need to specify which one should be used with the <literal>user-service-ref</literal> attribute.
The <interfacename>UserDetailsService</interfacename> will normally be selected automatically. If you have more than one in
your application context, you need to specify which one should be used with the <literal>user-service-ref</literal> attribute,
where the value is the name of your <interfacename>UserDetailsService</interfacename> bean.
</para>
</section>
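Review bot: The unchanged line in this paragraph links with xlink:href="ns-auto-config", without the leading "#" that every other internal link in this commit uses ("#remember-me", "#anonymous"). Since the paragraph is being rewritten anyway, fix the href here. In the new text, "will normally be selected automatically" is vague next to the following sentence; saying it is selected automatically when there is only one in the application context would match the condition given for user-service-ref.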
@ -78,7 +83,7 @@
create table persistent_logins (username varchar(64) not null, series varchar(64) primary key, token varchar(64) not null, last_used timestamp not null)
</programlisting>
</para>
<!-- TODO: Add more info on the implementation and behaviour when tokens are stolen etc -->
<!-- TODO: Add more info on the implementation and behaviour when tokens are stolen etc. Also some info for admins on invalidating tokens using key, or deleting info from db -->
</section>
<section xml:id="remember-me-impls">
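Review bot: The extended TODO stays inside an XML comment, so the rendered manual still says nothing about stolen tokens or how an administrator invalidates them, which is the information someone responding to a compromised cookie will look for. Either turn the two routes named here (the key, deleting rows from the database) into a short reader-visible paragraph next to the persistent_logins schema, or track them in an issue and reference it. "invalidating tokens using key" is also unclear as written; say which key is meant.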