Hi

I have an application based on Spring Boot and the latest GWT 2.8.2. In the 
application I have some protected resources, one with GWT and others with 
standard Servlets and JSP pages. 
Now I have included the remember-me feature. The remember-me feature is working 
with all the protected resources except the GWT section, which fails.

My GWT Servlets extend RemoteServiceServlet.

It is raising this error:
org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
    at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:120)

I have debugged the internal Spring Security class 
PersistentTokenBasedRememberMeServices, and the error is raised because 
the initial tokenValue is for some reason changed in the middle:

@Override
protected UserDetails processAutoLoginCookie(String[] cookieTokens,
        HttpServletRequest request, HttpServletResponse response) {

    if (cookieTokens.length != 2) {
        throw new InvalidCookieException("Cookie token did not contain " + 2
                + " tokens, but contained '" + Arrays.asList(cookieTokens) + "'");
    }

    final String presentedSeries = cookieTokens[0];
    final String presentedToken = cookieTokens[1];

    PersistentRememberMeToken token = tokenRepository
            .getTokenForSeries(presentedSeries);

    if (token == null) {
        // No series match, so we can't authenticate using this cookie
        throw new RememberMeAuthenticationException(
                "No persistent token found for series id: " + presentedSeries);
    }

    // We have a match for this user/series combination
    if (!presentedToken.equals(token.getTokenValue())) {
        // Token doesn't match series value. Delete all logins for this user and throw
        // an exception to warn them.
        tokenRepository.removeUserTokens(token.getUsername());

        throw new CookieTheftException(
                messages.getMessage(
                        "PersistentTokenBasedRememberMeServices.cookieStolen",
                        "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack."));
    }

    // ... remainder of the method (rotates the token value within the same
    // series, stores it, re-issues the cookie and loads the UserDetails) not
    // included here
}




-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
Visit this group at https://groups.google.com/group/google-web-toolkit.
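A stand-alone model of the series/token check shown above, added here as an example; it is not code from the post or from Spring Security. It applies the same decision tree as processAutoLoginCookie (unknown series: plain authentication failure; known series with a stale token: wipe every token of the user and raise the theft exception; valid pair: rotate the token value inside the same series) and then replays one way the stored token value can change "in the middle": two requests carrying the same remember-me cookie, where the first autologin rotates the token before the second is checked. That scenario is an assumption used for illustration, not a diagnosis of the poster's setup. InMemoryTokenRepository, replay_scenario and the user names are this example's own.

```python
"""Stand-alone model of the series/token remember-me scheme that Spring
Security's PersistentTokenBasedRememberMeServices implements (constructed
example, not Spring code)."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


class RememberMeAuthenticationException(Exception):
    """Cookie cannot be used to authenticate (e.g. unknown series)."""


class CookieTheftException(RememberMeAuthenticationException):
    """Known series, wrong token value: treated as a replayed/stolen cookie."""


@dataclass
class PersistentToken:
    username: str
    series: str
    token_value: str
    date: datetime


class InMemoryTokenRepository:
    """Hypothetical in-memory stand-in for Spring's PersistentTokenRepository."""

    def __init__(self):
        self._by_series = {}

    def create_new_token(self, token):
        self._by_series[token.series] = token

    def get_token_for_series(self, series):
        return self._by_series.get(series)

    def update_token(self, series, token_value, last_used):
        stored = self._by_series[series]
        stored.token_value = token_value
        stored.date = last_used

    def remove_user_tokens(self, username):
        # A theft verdict revokes every remembered login of the user, not one series.
        for series in [s for s, t in self._by_series.items() if t.username == username]:
            del self._by_series[series]

    def series_for_user(self, username):
        return sorted(s for s, t in self._by_series.items() if t.username == username)


def _random_data():
    return secrets.token_urlsafe(12)


def login_success(repo, username):
    """Interactive login: mint a fresh series and token; the cookie carries both."""
    token = PersistentToken(username, _random_data(), _random_data(),
                            datetime.now(timezone.utc))
    repo.create_new_token(token)
    return (token.series, token.token_value)


def process_auto_login_cookie(repo, cookie):
    """Same decision tree as processAutoLoginCookie in the post: validate the
    (series, token) pair, then rotate the token value inside the same series.
    Returns (username, new_cookie)."""
    series, presented = cookie
    stored = repo.get_token_for_series(series)
    if stored is None:
        raise RememberMeAuthenticationException(
            f"No persistent token found for series id: {series}")
    if presented != stored.token_value:
        # Series known but token stale: the cookie was already consumed by an
        # earlier autologin (or stolen). All of the user's tokens are wiped.
        repo.remove_user_tokens(stored.username)
        raise CookieTheftException("Invalid remember-me token (Series/token) "
                                   "mismatch. Implies previous cookie theft attack.")
    new_value = _random_data()
    repo.update_token(series, new_value, datetime.now(timezone.utc))
    return stored.username, (series, new_value)


def replay_scenario():
    """Two requests present the same cookie (assumed: parallel requests sent
    before the rotated cookie from the first response is stored). Returns what
    happened so the collateral damage is visible."""
    repo = InMemoryTokenRepository()
    cookie = login_success(repo, "alice")          # browser A
    other_device = login_success(repo, "alice")    # browser B, separate series
    user, fresh = process_auto_login_cookie(repo, cookie)   # request 1: rotates token
    theft = False
    try:
        process_auto_login_cookie(repo, cookie)             # request 2: stale token
    except CookieTheftException:
        theft = True
    return {
        "first_user": user,
        "series_unchanged": fresh[0] == cookie[0],
        "token_rotated": fresh[1] != cookie[1],
        "second_raises_theft": theft,
        "remaining_series": repo.series_for_user("alice"),
        "fresh_cookie_still_valid": repo.get_token_for_series(fresh[0]) is not None,
        "other_device_still_valid": repo.get_token_for_series(other_device[0]) is not None,
    }


if __name__ == "__main__":
    for key, value in replay_scenario().items():
        print(f"{key}: {value}")
```

The point the replay makes is that a single stale presentation is enough: the theft verdict removes every series of the user, so the freshly rotated cookie and any other remembered device are logged out as well, which matches the exception in the post. When checking this against a real deployment, compare the token value stored for the series (Spring's default JDBC table is persistent_logins) before and after the first request that hits the GWT servlet, and confirm whether a second request is still carrying the pre-rotation value.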