CookieTheftException with PersistentTokenBasedRememberMeServices

I am using PersistentTokenBasedRememberMeServices (Spring Security 2.04) in a Grails Application in conjunction with an OpenIDAuthenticationProcessingFilter. The configuration looks like this (it's a Grails DSL, equivalent to Spring resource.xml, but pretty easy to adapt):

customTokenRepository(JdbcTokenRepositoryImpl)
{
  dataSource = ref('dataSource')
}

rememberMeServices(PersistentTokenBasedRememberMeServices) {
    userDetailsService = ref('userDetailsService')
    key = securityConf.rememberMeKey
    cookieName = securityConf.cookieName
    alwaysRemember = securityConf.alwaysRemember
    tokenValiditySeconds = securityConf.tokenValiditySeconds
    parameter = securityConf.parameter
    tokenRepository = customTokenRepository
}

openIDAuthProvider(org.codehaus.groovy.grails.plugins.springsecurity.openid.GrailsOpenIdAuthenticationProvider) {
    userDetailsService = ref('userDetailsService')
}

openIDStore(org.openid4java.consumer.InMemoryConsumerAssociationStore)

openIDNonceVerifier(org.openid4java.consumer.InMemoryNonceVerifier, securityConf.openIdNonceMaxSeconds) // 300 seconds

openIDConsumerManager(org.openid4java.consumer.ConsumerManager) {
    nonceVerifier = openIDNonceVerifier
}

openIDConsumer(org.springframework.security.ui.openid.consumers.OpenID4JavaConsumer, openIDConsumerManager)

openIDAuthenticationProcessingFilter(org.springframework.security.ui.openid.OpenIDAuthenticationProcessingFilter) {
    authenticationManager = ref('authenticationManager')
    authenticationFailureUrl = securityConf.authenticationFailureUrl //'/login/authfail?login_error=1' // /spring_security_login?login_error
    defaultTargetUrl = securityConf.defaultTargetUrl // '/'
    filterProcessesUrl = '/j_spring_openid_security_check' // not configurable
    rememberMeServices = ref('rememberMeServices')
    consumer = openIDConsumer
    targetUrlResolver = customTargetUrlResolver
}

      

        
        
        
      

    

After the user has authenticated, everything will be fine until the cookie issued for him is used the first time, for example after a container reload (see here ).

The very first request using a cookie always seems to be fine, but after the cookie is updated with a new date and most importantly a new token, subsequent requests will be broken down to here . It's like the browser will still request resources using the old version of the cookie containing the old token. I have absolutely no idea why this is happening. Any suggestions?