From aa401dce8ba1ba5fecd386d857937354682537fa Mon Sep 17 00:00:00 2001
From: Mathieu Baudier <mbaudier@argeo.org>
Date: Sun, 25 Apr 2010 20:10:01 +0000
Subject: [PATCH] Improve Security

git-svn-id: https://svn.argeo.org/commons/trunk@3496 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---
 .../META-INF/MANIFEST.MF                      |   2 +
 .../META-INF/spring/ldap-osgi.xml             |   3 +
 .../META-INF/spring/ldap.xml                  |  12 +-
 .../ldap.properties                           |   2 +
 .../META-INF/MANIFEST.MF                      |   4 +-
 .../META-INF/spring/osgi.xml                  |   4 +-
 .../META-INF/spring/services.xml              |  11 ++
 .../security.properties                       |   1 +
 .../META-INF/MANIFEST.MF                      |   2 +
 .../WEB-INF/applicationContext.xml            |   1 -
 .../WEB-INF/osgi.xml                          |  10 +-
 .../WEB-INF/security.xml                      |   8 ++
 .../org.argeo.security.webapp/WEB-INF/web.xml |   4 +
 .../argeo/security/ArgeoSecurityService.java  |   4 +-
 .../security/core/DefaultSecurityService.java |  51 +++++++++
 .../security/core/InternalAuthentication.java |  21 ++++
 .../core/SystemAuthenticatedTaskExecutor.java |  21 ++++
 .../security/ldap/ArgeoSecurityDaoLdap.java   |   5 +
 .../org.argeo.security.mvc/build.properties   |   2 +
 .../security/mvc/ArgeoRememberMeServices.java |  53 +++++++++
 .../META-INF/MANIFEST.MF                      |   1 +
 .../org.argeo.server.jackrabbit/pom.xml       |   7 ++
 .../jcr/ThreadBoundJcrSessionFactory.java     | 105 ++++++++++++++++++
 .../mvc/OpenSessionInViewJcrInterceptor.java  |  50 +++++++++
 24 files changed, 375 insertions(+), 9 deletions(-)
 create mode 100644 security/modules/org.argeo.security.services/security.properties
 create mode 100644 security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/InternalAuthentication.java
 create mode 100644 security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/SystemAuthenticatedTaskExecutor.java
 create mode 100644 security/runtime/org.argeo.security.mvc/build.properties
 create mode 100644 security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/ArgeoRememberMeServices.java
 create mode 100644 server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/jcr/ThreadBoundJcrSessionFactory.java
 create mode 100644 server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/server/jcr/mvc/OpenSessionInViewJcrInterceptor.java

diff --git a/security/modules/org.argeo.security.manager.ldap/META-INF/MANIFEST.MF b/security/modules/org.argeo.security.manager.ldap/META-INF/MANIFEST.MF
index 6c29e7347..3671ef8c9 100644
--- a/security/modules/org.argeo.security.manager.ldap/META-INF/MANIFEST.MF
+++ b/security/modules/org.argeo.security.manager.ldap/META-INF/MANIFEST.MF
@@ -9,11 +9,13 @@ Import-Package: com.sun.jndi.ldap;resolution:=optional,
  org.springframework.beans.factory.config,
  org.springframework.ldap.core.support,
  org.springframework.security,
+ org.springframework.security.adapters;specification-version="2.0.4.A",
  org.springframework.security.ldap,
  org.springframework.security.ldap.populator,
  org.springframework.security.providers,
  org.springframework.security.providers.ldap,
  org.springframework.security.providers.ldap.authenticator,
+ org.springframework.security.providers.rememberme;specification-version="2.0.4.A",
  org.springframework.security.userdetails,
  org.springframework.security.userdetails.ldap
 Bundle-Name: Security Manager LDAP
diff --git a/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap-osgi.xml b/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap-osgi.xml
index 8c4cfb43f..d3623c3c4 100644
--- a/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap-osgi.xml
+++ b/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap-osgi.xml
@@ -12,6 +12,9 @@
 
 	<service ref="securityDao" interface="org.argeo.security.ArgeoSecurityDao"
 		context-class-loader="service-provider" />
+	<service ref="userDetailsManager"
+		interface="org.springframework.security.userdetails.UserDetailsService"
+		context-class-loader="service-provider" />
 
 	<list id="userNatureMappers" interface="org.argeo.security.ldap.UserNatureMapper"
 		cardinality="0..N" />
diff --git a/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap.xml b/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap.xml
index bd0c9969e..3f6f3db58 100644
--- a/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap.xml
+++ b/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap.xml
@@ -8,7 +8,6 @@
 	<bean
 		class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
 		<property name="systemPropertiesModeName" value="SYSTEM_PROPERTIES_MODE_OVERRIDE" />
-		<property name="ignoreUnresolvablePlaceholders" value="true" />
 		<property name="locations">
 			<value>osgibundle:ldap.properties
 			</value>
@@ -18,6 +17,13 @@
 	<bean id="_authenticationManager" class="org.springframework.security.providers.ProviderManager">
 		<property name="providers">
 			<list>
+				<bean class="org.springframework.security.adapters.AuthByAdapterProvider">
+					<property name="key" value="${argeo.security.systemKey}" />
+				</bean>
+				<bean
+					class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
+					<property name="key" value="${argeo.security.systemKey}" />
+				</bean>
 				<ref bean="authenticationProvider" />
 			</list>
 		</property>
@@ -47,6 +53,10 @@
 		<property name="userNatureMappers" ref="userNatureMappers" />
 	</bean>
 
+	<bean id="userDetailsManager" factory-bean="securityDao"
+		factory-method="getUserDetailsManager">
+	</bean>
+
 	<bean id="ldapAuthenticator"
 		class="org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator">
 		<constructor-arg ref="contextSource" />
diff --git a/security/modules/org.argeo.security.manager.ldap/ldap.properties b/security/modules/org.argeo.security.manager.ldap/ldap.properties
index 1b24ee3d1..bb4298292 100644
--- a/security/modules/org.argeo.security.manager.ldap/ldap.properties
+++ b/security/modules/org.argeo.security.manager.ldap/ldap.properties
@@ -4,3 +4,5 @@ argeo.ldap.host=localhost
 argeo.ldap.port=10389
 argeo.ldap.manager.userdn=uid=admin,ou=system
 argeo.ldap.manager.password=secret
+
+argeo.security.systemKey=argeo
diff --git a/security/modules/org.argeo.security.services/META-INF/MANIFEST.MF b/security/modules/org.argeo.security.services/META-INF/MANIFEST.MF
index 4135ebdc1..249147d4f 100644
--- a/security/modules/org.argeo.security.services/META-INF/MANIFEST.MF
+++ b/security/modules/org.argeo.security.services/META-INF/MANIFEST.MF
@@ -1,5 +1,7 @@
 Bundle-SymbolicName: org.argeo.security.services
 Bundle-Version: 0.1.3.SNAPSHOT
 Import-Package: org.argeo.security,
- org.argeo.security.core
+ org.argeo.security.core,
+ org.springframework.beans.factory.config;specification-version="2.5.6.SEC01",
+ org.springframework.security;specification-version="2.0.4.A"
 Bundle-Name: Security Services
diff --git a/security/modules/org.argeo.security.services/META-INF/spring/osgi.xml b/security/modules/org.argeo.security.services/META-INF/spring/osgi.xml
index e7e64a9fb..8913486fc 100644
--- a/security/modules/org.argeo.security.services/META-INF/spring/osgi.xml
+++ b/security/modules/org.argeo.security.services/META-INF/spring/osgi.xml
@@ -8,6 +8,6 @@
 
 	<service ref="securityService" interface="org.argeo.security.ArgeoSecurityService" />
 
-	<reference id="securityDao" interface="org.argeo.security.ArgeoSecurityDao"
-		 />
+	<reference id="securityDao" interface="org.argeo.security.ArgeoSecurityDao" />
+	<reference id="authenticationManager" interface="org.springframework.security.AuthenticationManager" />
 </beans:beans>
\ No newline at end of file
diff --git a/security/modules/org.argeo.security.services/META-INF/spring/services.xml b/security/modules/org.argeo.security.services/META-INF/spring/services.xml
index dbf648926..97fe92eda 100644
--- a/security/modules/org.argeo.security.services/META-INF/spring/services.xml
+++ b/security/modules/org.argeo.security.services/META-INF/spring/services.xml
@@ -4,7 +4,18 @@
 	xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
 
+	<bean
+		class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+		<property name="systemPropertiesModeName" value="SYSTEM_PROPERTIES_MODE_OVERRIDE" />
+		<property name="locations">
+			<value>osgibundle:security.properties
+			</value>
+		</property>
+	</bean>
+
 	<bean id="securityService" class="org.argeo.security.core.DefaultSecurityService">
 		<property name="securityDao" ref="securityDao" />
+		<property name="authenticationManager" ref="authenticationManager" />
+		<property name="systemAuthenticationKey" value="${argeo.security.systemKey}" />
 	</bean>
 </beans>
\ No newline at end of file
diff --git a/security/modules/org.argeo.security.services/security.properties b/security/modules/org.argeo.security.services/security.properties
new file mode 100644
index 000000000..ae7aa8725
--- /dev/null
+++ b/security/modules/org.argeo.security.services/security.properties
@@ -0,0 +1 @@
+argeo.security.systemKey=argeo
diff --git a/security/modules/org.argeo.security.webapp/META-INF/MANIFEST.MF b/security/modules/org.argeo.security.webapp/META-INF/MANIFEST.MF
index 52d2cd873..0b06dfbe3 100644
--- a/security/modules/org.argeo.security.webapp/META-INF/MANIFEST.MF
+++ b/security/modules/org.argeo.security.webapp/META-INF/MANIFEST.MF
@@ -13,7 +13,9 @@ Import-Package: javax.servlet,
  org.springframework.security,
  org.springframework.security.config,
  org.springframework.security.ui,
+ org.springframework.security.ui.rememberme;specification-version="2.0.4.A",
  org.springframework.security.ui.webapp,
+ org.springframework.security.userdetails;specification-version="2.0.4.A",
  org.springframework.web.context,
  org.springframework.web.context.support,
  org.springframework.web.filter,
diff --git a/security/modules/org.argeo.security.webapp/WEB-INF/applicationContext.xml b/security/modules/org.argeo.security.webapp/WEB-INF/applicationContext.xml
index ee1621d61..899afa312 100644
--- a/security/modules/org.argeo.security.webapp/WEB-INF/applicationContext.xml
+++ b/security/modules/org.argeo.security.webapp/WEB-INF/applicationContext.xml
@@ -15,6 +15,5 @@
 		class="org.springframework.web.context.support.ServletContextPropertyPlaceholderConfigurer"
 		lazy-init="false">
 		<property name="contextOverride" value="true" />
-		<property name="ignoreUnresolvablePlaceholders" value="true" />
 	</bean>
 </beans>
\ No newline at end of file
diff --git a/security/modules/org.argeo.security.webapp/WEB-INF/osgi.xml b/security/modules/org.argeo.security.webapp/WEB-INF/osgi.xml
index 197bd8fdc..39c74c8f0 100644
--- a/security/modules/org.argeo.security.webapp/WEB-INF/osgi.xml
+++ b/security/modules/org.argeo.security.webapp/WEB-INF/osgi.xml
@@ -8,13 +8,17 @@
 
 	<reference id="_authenticationManager"
 		interface="org.springframework.security.AuthenticationManager" />
+	<reference id="userDetailsService"
+		interface="org.springframework.security.userdetails.UserDetailsService" />
 
 	<reference id="securityService" interface="org.argeo.security.ArgeoSecurityService" />
 
 	<list id="objectFactories" interface="org.argeo.server.json.JsonObjectFactory"
 		cardinality="0..N" />
 
-<!-- 
-	<service ref="authenticationProcessingFilterEntryPoint"
-		interface="org.springframework.security.ui.AuthenticationEntryPoint" /> -->
+	<!--
+		<service ref="authenticationProcessingFilterEntryPoint"
+		interface="org.springframework.security.ui.AuthenticationEntryPoint"
+		/>
+	-->
 </beans:beans>
\ No newline at end of file
diff --git a/security/modules/org.argeo.security.webapp/WEB-INF/security.xml b/security/modules/org.argeo.security.webapp/WEB-INF/security.xml
index b423327ff..66e62cfad 100644
--- a/security/modules/org.argeo.security.webapp/WEB-INF/security.xml
+++ b/security/modules/org.argeo.security.webapp/WEB-INF/security.xml
@@ -21,8 +21,16 @@
 			logout-success-url="/getCredentials.ria" />
 		<security:anonymous username="anonymous"
 			granted-authority="ROLE_ANONYMOUS" />
+		<security:remember-me key="argeo" services-ref="rememberMeServices" />
 	</security:http>
 
+	<bean id="rememberMeServices" class="org.argeo.security.mvc.ArgeoRememberMeServices">
+		<property name="alwaysRemember" value="true" />
+		<property name="userDetailsService" ref="userDetailsService" />
+		<property name="key" value="${argeo.security.systemKey}" />
+	</bean>
+
+
 	<bean id="authenticationProcessingFilter"
 		class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
 		<security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
diff --git a/security/modules/org.argeo.security.webapp/WEB-INF/web.xml b/security/modules/org.argeo.security.webapp/WEB-INF/web.xml
index 668da7899..233128718 100644
--- a/security/modules/org.argeo.security.webapp/WEB-INF/web.xml
+++ b/security/modules/org.argeo.security.webapp/WEB-INF/web.xml
@@ -50,4 +50,8 @@
 		<url-pattern>/*</url-pattern>
 	</filter-mapping>
 
+	<context-param>
+		<param-name>argeo.security.systemKey</param-name>
+		<param-value>argeo</param-value>
+	</context-param>
 </web-app>
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityService.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityService.java
index 73f2908bd..71d6b2f41 100644
--- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityService.java
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityService.java
@@ -2,7 +2,7 @@ package org.argeo.security;
 
 public interface ArgeoSecurityService {
 	public void newUser(ArgeoUser argeoUser);
-	
+
 	public void updateUser(ArgeoUser user);
 
 	public void updateUserPassword(String username, String password);
@@ -12,4 +12,6 @@ public interface ArgeoSecurityService {
 	public void newRole(String role);
 
 	public ArgeoSecurityDao getSecurityDao();
+
+	public Runnable wrapWithSystemAuthentication(final Runnable runnable);
 }
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java
index ef64337eb..a4dd7a202 100644
--- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java
@@ -6,10 +6,19 @@ import org.argeo.security.ArgeoSecurityDao;
 import org.argeo.security.ArgeoSecurityService;
 import org.argeo.security.ArgeoUser;
 import org.argeo.security.SimpleArgeoUser;
+import org.springframework.core.task.SimpleAsyncTaskExecutor;
+import org.springframework.core.task.TaskExecutor;
+import org.springframework.security.Authentication;
+import org.springframework.security.AuthenticationManager;
+import org.springframework.security.context.SecurityContext;
+import org.springframework.security.context.SecurityContextHolder;
 
 public class DefaultSecurityService implements ArgeoSecurityService {
 	private ArgeoSecurity argeoSecurity = new DefaultArgeoSecurity();
 	private ArgeoSecurityDao securityDao;
+	private AuthenticationManager authenticationManager;
+
+	private String systemAuthenticationKey;
 
 	public ArgeoSecurityDao getSecurityDao() {
 		return securityDao;
@@ -48,6 +57,39 @@ public class DefaultSecurityService implements ArgeoSecurityService {
 		securityDao.update(simpleArgeoUser);
 	}
 
+	public TaskExecutor createSystemAuthenticatedTaskExecutor() {
+		return new SimpleAsyncTaskExecutor() {
+			private static final long serialVersionUID = -8126773862193265020L;
+
+			@Override
+			public Thread createThread(Runnable runnable) {
+				return super
+						.createThread(wrapWithSystemAuthentication(runnable));
+			}
+
+		};
+	}
+
+	/**
+	 * Wraps another runnable, adding security context <br/>
+	 * TODO: secure the call to this method with Java Security
+	 */
+	public Runnable wrapWithSystemAuthentication(final Runnable runnable) {
+		return new Runnable() {
+
+			public void run() {
+				SecurityContext securityContext = SecurityContextHolder
+						.getContext();
+				Authentication auth = authenticationManager
+						.authenticate(new InternalAuthentication(
+								systemAuthenticationKey));
+				securityContext.setAuthentication(auth);
+
+				runnable.run();
+			}
+		};
+	}
+
 	public void setArgeoSecurity(ArgeoSecurity argeoSecurity) {
 		this.argeoSecurity = argeoSecurity;
 	}
@@ -56,4 +98,13 @@ public class DefaultSecurityService implements ArgeoSecurityService {
 		this.securityDao = dao;
 	}
 
+	public void setAuthenticationManager(
+			AuthenticationManager authenticationManager) {
+		this.authenticationManager = authenticationManager;
+	}
+
+	public void setSystemAuthenticationKey(String systemAuthenticationKey) {
+		this.systemAuthenticationKey = systemAuthenticationKey;
+	}
+
 }
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/InternalAuthentication.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/InternalAuthentication.java
new file mode 100644
index 000000000..99ac3ad4e
--- /dev/null
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/InternalAuthentication.java
@@ -0,0 +1,21 @@
+package org.argeo.security.core;
+
+import org.springframework.security.GrantedAuthority;
+import org.springframework.security.GrantedAuthorityImpl;
+import org.springframework.security.adapters.PrincipalSpringSecurityUserToken;
+
+public class InternalAuthentication extends PrincipalSpringSecurityUserToken {
+	private static final long serialVersionUID = -6783376375615949315L;
+	private final static String SYSTEM_USERNAME = "system";
+	private final static String SYSTEM_ROLE = "ROLE_SYSTEM";
+
+	public InternalAuthentication(String key) {
+		super(
+				key,
+				SYSTEM_USERNAME,
+				key,
+				new GrantedAuthority[] { new GrantedAuthorityImpl(SYSTEM_ROLE) },
+				SYSTEM_USERNAME);
+	}
+
+}
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/SystemAuthenticatedTaskExecutor.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/SystemAuthenticatedTaskExecutor.java
new file mode 100644
index 000000000..421a7dcde
--- /dev/null
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/SystemAuthenticatedTaskExecutor.java
@@ -0,0 +1,21 @@
+package org.argeo.security.core;
+
+import org.argeo.security.ArgeoSecurityService;
+import org.springframework.core.task.SimpleAsyncTaskExecutor;
+
+public class SystemAuthenticatedTaskExecutor extends SimpleAsyncTaskExecutor {
+	private static final long serialVersionUID = 453384889461147359L;
+
+	private ArgeoSecurityService securityService;
+
+	@Override
+	public Thread createThread(Runnable runnable) {
+		return super.createThread(securityService
+				.wrapWithSystemAuthentication(runnable));
+	}
+
+	public void setSecurityService(ArgeoSecurityService securityService) {
+		this.securityService = securityService;
+	}
+
+}
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
index c9ba367c6..15cd1360b 100644
--- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
@@ -272,4 +272,9 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean
 	public void setGroupClasses(String[] groupClasses) {
 		this.groupClasses = groupClasses;
 	}
+
+	public UserDetailsManager getUserDetailsManager() {
+		return userDetailsManager;
+	}
+
 }
diff --git a/security/runtime/org.argeo.security.mvc/build.properties b/security/runtime/org.argeo.security.mvc/build.properties
new file mode 100644
index 000000000..a740a346d
--- /dev/null
+++ b/security/runtime/org.argeo.security.mvc/build.properties
@@ -0,0 +1,2 @@
+additional.bundles = org.springframework.beans
+source.. = src/main/java/
diff --git a/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/ArgeoRememberMeServices.java b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/ArgeoRememberMeServices.java
new file mode 100644
index 000000000..e71b86e1a
--- /dev/null
+++ b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/ArgeoRememberMeServices.java
@@ -0,0 +1,53 @@
+package org.argeo.security.mvc;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.ui.rememberme.TokenBasedRememberMeServices;
+
+public class ArgeoRememberMeServices extends TokenBasedRememberMeServices {
+	public final static String DEFAULT_COOKIE_NAME = "ARGEO_SECURITY";
+
+	public ArgeoRememberMeServices() {
+		setCookieName(DEFAULT_COOKIE_NAME);
+	}
+
+	/**
+	 * Sets a "cancel cookie" (with maxAge = 0) on the response to disable
+	 * persistent logins.
+	 * 
+	 * @param request
+	 * @param response
+	 */
+	protected void cancelCookie(HttpServletRequest request,
+			HttpServletResponse response) {
+		Cookie cookie = new Cookie(getCookieName(), null);
+		cookie.setMaxAge(0);
+		cookie.setPath("/");
+
+		response.addCookie(cookie);
+	}
+
+	/**
+	 * Sets the cookie on the response
+	 * 
+	 * @param tokens
+	 *            the tokens which will be encoded to make the cookie value.
+	 * @param maxAge
+	 *            the value passed to {@link Cookie#setMaxAge(int)}
+	 * @param request
+	 *            the request
+	 * @param response
+	 *            the response to add the cookie to.
+	 */
+	protected void setCookie(String[] tokens, int maxAge,
+			HttpServletRequest request, HttpServletResponse response) {
+		String cookieValue = encodeCookie(tokens);
+		Cookie cookie = new Cookie(getCookieName(), cookieValue);
+		cookie.setMaxAge(maxAge);
+		cookie.setPath("/");
+		response.addCookie(cookie);
+	}
+
+}
diff --git a/server/modules/org.argeo.server.catalina/META-INF/MANIFEST.MF b/server/modules/org.argeo.server.catalina/META-INF/MANIFEST.MF
index 8e17b15d5..6885d9f54 100644
--- a/server/modules/org.argeo.server.catalina/META-INF/MANIFEST.MF
+++ b/server/modules/org.argeo.server.catalina/META-INF/MANIFEST.MF
@@ -12,6 +12,7 @@ Import-Package: org.apache.commons.logging.impl;resolution:=optional,
  org.springframework.security;resolution:=optional,
  org.springframework.security.context;resolution:=optional,
  org.springframework.security.providers;resolution:=optional,
+ org.springframework.security.providers.rememberme;resolution:=optional,
  org.springframework.security.ui;resolution:=optional,
  org.springframework.security.ui.savedrequest;resolution:=optional,
  org.springframework.security.userdetails;resolution:=optional,
diff --git a/server/runtime/org.argeo.server.jackrabbit/pom.xml b/server/runtime/org.argeo.server.jackrabbit/pom.xml
index 4b3c32545..58ff3063e 100644
--- a/server/runtime/org.argeo.server.jackrabbit/pom.xml
+++ b/server/runtime/org.argeo.server.jackrabbit/pom.xml
@@ -29,6 +29,7 @@
 				<version>${version.maven-bundle-plugin}</version>
 				<configuration>
 					<instructions>
+						<Fragment-Host>org.argeo.dep.osgi.jackrabbit</Fragment-Host>
 						<Export-Package>
 							org.argeo.jcr.*,
 							org.argeo.server.jackrabbit.*,
@@ -36,6 +37,7 @@
 						</Export-Package>
 						<Import-Package>
 							*,
+							org.springframework.security.providers.jaas;resolution:="optional",
 							junit.framework;resolution:="optional"
 						</Import-Package>
 					</instructions>
@@ -88,6 +90,11 @@
 			<artifactId>org.springframework.web.servlet</artifactId>
 		</dependency>
 
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>org.springframework.security</artifactId>
+		</dependency>
+
 		<!-- Logging -->
 		<dependency>
 			<groupId>org.slf4j</groupId>
diff --git a/server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/jcr/ThreadBoundJcrSessionFactory.java b/server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/jcr/ThreadBoundJcrSessionFactory.java
new file mode 100644
index 000000000..9996b7bd1
--- /dev/null
+++ b/server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/jcr/ThreadBoundJcrSessionFactory.java
@@ -0,0 +1,105 @@
+package org.argeo.jcr;
+
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.jcr.Repository;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.argeo.ArgeoException;
+import org.springframework.beans.factory.DisposableBean;
+import org.springframework.beans.factory.FactoryBean;
+
+public class ThreadBoundJcrSessionFactory implements FactoryBean,
+		DisposableBean {
+	private final static Log log = LogFactory
+			.getLog(ThreadBoundJcrSessionFactory.class);
+
+	private Repository repository;
+	private List<Session> activeSessions = Collections
+			.synchronizedList(new ArrayList<Session>());
+
+	private ThreadLocal<Session> session = new ThreadLocal<Session>();
+	private boolean destroying = false;
+	private final Session proxiedSession;
+
+	public ThreadBoundJcrSessionFactory() {
+		Class<?>[] interfaces = { Session.class };
+		proxiedSession = (Session) Proxy.newProxyInstance(getClass()
+				.getClassLoader(), interfaces, new InvocationHandler() {
+
+			public Object invoke(Object proxy, Method method, Object[] args)
+					throws Throwable {
+				Session threadSession = session.get();
+				if (threadSession == null) {
+					if ("logout".equals(method.getName()))// no need to login
+						return Void.TYPE;
+					threadSession = login();
+					session.set(threadSession);
+				}
+
+				Object ret = method.invoke(threadSession, args);
+				if ("logout".equals(method.getName())) {
+					session.remove();
+					if (!destroying)
+						activeSessions.remove(threadSession);
+					if (log.isTraceEnabled())
+						log.trace("Logged out from JCR session "
+								+ threadSession + "; userId="
+								+ threadSession.getUserID());
+				}
+				return ret;
+			}
+		});
+	}
+
+	protected Session login() {
+		try {
+			Session sess = repository.login();
+			if (log.isTraceEnabled())
+				log.trace("Log in to JCR session " + sess + "; userId="
+						+ sess.getUserID());
+			// Thread.dumpStack();
+			activeSessions.add(sess);
+			return sess;
+		} catch (RepositoryException e) {
+			throw new ArgeoException("Cannot log in to repository", e);
+		}
+	}
+
+	public Object getObject() {
+		return proxiedSession;
+	}
+
+	public void destroy() throws Exception {
+		if (log.isDebugEnabled())
+			log.debug("Cleaning up " + activeSessions.size()
+					+ " active JCR sessions...");
+
+		destroying = true;
+		for (Session sess : activeSessions) {
+			sess.logout();
+		}
+		activeSessions.clear();
+	}
+
+	public Class<? extends Session> getObjectType() {
+		return Session.class;
+	}
+
+	public boolean isSingleton() {
+		return true;
+	}
+
+	public void setRepository(Repository repository) {
+		this.repository = repository;
+	}
+
+}
diff --git a/server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/server/jcr/mvc/OpenSessionInViewJcrInterceptor.java b/server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/server/jcr/mvc/OpenSessionInViewJcrInterceptor.java
new file mode 100644
index 000000000..ea02ae352
--- /dev/null
+++ b/server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/server/jcr/mvc/OpenSessionInViewJcrInterceptor.java
@@ -0,0 +1,50 @@
+package org.argeo.server.jcr.mvc;
+
+import javax.jcr.Session;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.ui.ModelMap;
+import org.springframework.web.context.request.WebRequest;
+import org.springframework.web.context.request.WebRequestInterceptor;
+
+public class OpenSessionInViewJcrInterceptor implements WebRequestInterceptor {
+	private final static Log log = LogFactory
+			.getLog(OpenSessionInViewJcrInterceptor.class);
+
+	private Session session;
+
+	public void preHandle(WebRequest request) throws Exception {
+		if (log.isTraceEnabled())
+			log.trace("preHandle: " + request);
+		// Authentication auth = SecurityContextHolder.getContext()
+		// .getAuthentication();
+		// if (auth != null)
+		// log.debug("auth=" + auth + ", authenticated="
+		// + auth.isAuthenticated() + ", name=" + auth.getName());
+		// else
+		// log.debug("No auth");
+
+		// FIXME: find a safer way to initialize
+		// FIXME: not really needed to initialize here
+		//session.getRepository();
+	}
+
+	public void postHandle(WebRequest request, ModelMap model) throws Exception {
+		// if (log.isDebugEnabled())
+		// log.debug("postHandle: " + request);
+	}
+
+	public void afterCompletion(WebRequest request, Exception ex)
+			throws Exception {
+		if (log.isTraceEnabled())
+			log.trace("afterCompletion: " + request);
+		// FIXME: only close session that were open
+		session.logout();
+	}
+
+	public void setSession(Session session) {
+		this.session = session;
+	}
+
+}
-- 
2.30.2