To be successfully validated, the org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken.getKeyHash must match this class' RememberMeAuthenticationProvider.getKey() .