笔者在SpringSecurity中配置remember-me时,遇到这样的问题,remember-me没有起作用,按照官方文档的讲解,只
需要在<http>中增加<remember-me />配置,并在login.jsp中增加如下代码即可:
-
<input id=
"_spring_security_remember_me"
name=
"_spring_security_remember_me"
type=
"checkbox"
value=
"true"
/>
看上去挺简单的,可是笔者测试后发现并未起作用,google了一下,也未见有人提起过该问题,于是乎翻出源码一探究竟,果然发现了问题。
这里先简要说明一下SpringSecurity的登录过程:
-
UsernamePasswordAuthenticationFilter :获得用户提交的用户名和密码信息
-
-->
UserDetailsService :由其封装用户对象
-
-->
AbstractUserDetailsAuthenticationProvider :转由其进行密码和权限验证,验证通过后封装一个Authentication
-
-->
ProviderManager:会将Authentication封装到SecurityContext中(默认情况下,ProviderManager会在认证成功后清除掉Authentication的密码信息,但会保留用户名称)
-
-->
AbstractRememberMeServices :判断请求参数中是否包含_spring_security_remember_me参数,如果包含并且值为(true,on,yes,1)中的任意一个,则将用户名和密码信息保存进cookie,否则不做处理
-
-->
AccessDecisionManager :由其决定是否放行
-
-
之后在请求被保护的资源时,RememberMeAuthenticationFilter会先判断是否Authentication已经失效,如果失效,则试图从cookie中寻找,找到则重新封装Authentication。
问题就出在ProviderManager中,其布尔属性eraseCredentialsAfterAuthentication默认值为
true,如果为true则会在username和password验证成功后清除掉Authentication中的password信息,而
AbstractRememberMeServices
保存cookie的条件则需要从Authentication中同时取得username和password,这就导致默认情况下
AbstractRememberMeServices永远不会将username和password存储到cookie中,所以,为了保证
username和password可以被正确的存储到cookie中,我们需要修改
eraseCredentialsAfterAuthentication的值为false,好在修改这个属性很方便,如下:
-
<
authentication-manager
erase-credentials
=
"false"
>
-
<
authentication-provider
user-service-ref
=
"userService"
>
-
<
password-encoder
hash
=
"md5"
/>
-
</
authentication-provider
>
-
</
authentication-manager
>
增加该配置后,则cookie信息被成功保存。
默认情况下,cookie的有效期为两个星期,如果希望修改这个有效期,可以在<remember-me />中进行配置:
-
<
remember-me
token-validity-seconds
=
"123456789"
/>
不知道为什么ProviderManager要这样处理,也许是我还没搞清楚缘由,希望与各位讨论。
分享到:
相关推荐
赠送jar包:spring-security-core-5.3.9.RELEASE.jar; 赠送原API文档:spring-security-core-5.3.9.RELEASE-javadoc.jar; 赠送源代码:spring-security-core-5.3.9.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-core-5.2.0.RELEASE.jar; 赠送原API文档:spring-security-core-5.2.0.RELEASE-javadoc.jar; 赠送源代码:spring-security-core-5.2.0.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-rsa-1.0.10.RELEASE.jar; 赠送原API文档:spring-security-rsa-1.0.10.RELEASE-javadoc.jar; 赠送源代码:spring-security-rsa-1.0.10.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-jwt-1.0.10.RELEASE.jar; 赠送原API文档:spring-security-jwt-1.0.10.RELEASE-javadoc.jar; 赠送源代码:spring-security-jwt-1.0.10.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-web-5.2.0.RELEASE.jar; 赠送原API文档:spring-security-web-5.2.0.RELEASE-javadoc.jar; 赠送源代码:spring-security-web-5.2.0.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-oauth2-2.3.5.RELEASE.jar; 赠送原API文档:spring-security-oauth2-2.3.5.RELEASE-javadoc.jar; 赠送源代码:spring-security-oauth2-2.3.5.RELEASE-sources.jar; 赠送Maven依赖信息...
赠送jar包:spring-security-jwt-1.0.10.RELEASE.jar; 赠送原API文档:spring-security-jwt-1.0.10.RELEASE-javadoc.jar; 赠送源代码:spring-security-jwt-1.0.10.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
org.springframework.spring-library-3.0.4.RELEASE.libd org.springframework.test-3.0.4.RELEASE.jar org.springframework.transaction-3.0.4.RELEASE.jar org.springframework.web.portlet-3.0.4.RELEASE.jar ...
赠送jar包:spring-security-core-5.0.7.RELEASE.jar; 赠送原API文档:spring-security-core-5.0.7.RELEASE-javadoc.jar; 赠送源代码:spring-security-core-5.0.7.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-oauth2-2.3.5.RELEASE.jar; 赠送原API文档:spring-security-oauth2-2.3.5.RELEASE-javadoc.jar; 赠送源代码:spring-security-oauth2-2.3.5.RELEASE-sources.jar; 赠送Maven依赖信息...
org.springframework.spring-library-3.1.RELEASE.libd org.springframework.test-3.1.RELEASE.jar org.springframework.transaction-3.1.RELEASE.jar org.springframework.web.portlet-3.1.RELEASE.jar org....
包含spring 3.0.5的所有jar文件: org.springframework.aop-3.0.5.RELEASE.jar org.springframework.asm-3.0.5.RELEASE.jar org.springframework.aspects-3.0.5.RELEASE.jar org.springframework.beans-3.0.5.RELEASE...
赠送jar包:spring-security-oauth2-autoconfigure-2.1.8.RELEASE.jar; 赠送原API文档:spring-security-oauth2-autoconfigure-2.1.8.RELEASE-javadoc.jar; 赠送源代码:spring-security-oauth2-autoconfigure-...
赠送jar包:spring-security-web-5.2.0.RELEASE.jar; 赠送原API文档:spring-security-web-5.2.0.RELEASE-javadoc.jar; 赠送源代码:spring-security-web-5.2.0.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
spring-security-core-2.0.5.RELEASE-sources
赠送jar包:spring-security-config-5.2.0.RELEASE.jar; 赠送原API文档:spring-security-config-5.2.0.RELEASE-javadoc.jar; 赠送源代码:spring-security-config-5.2.0.RELEASE-sources.jar; 赠送Maven依赖信息...
赠送jar包:spring-security-rsa-1.0.10.RELEASE.jar; 赠送原API文档:spring-security-rsa-1.0.10.RELEASE-javadoc.jar; 赠送源代码:spring-security-rsa-1.0.10.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-oauth2-autoconfigure-2.1.8.RELEASE.jar; 赠送原API文档:spring-security-oauth2-autoconfigure-2.1.8.RELEASE-javadoc.jar; 赠送源代码:spring-security-oauth2-autoconfigure-...
spring.jar spring-aop.jar spring-aop.jar spring-beans.jar spring-hibernate3.jar spring-jdbc.jar spring-struts.jar spring-web.jar
赠送jar包:spring-security-web-5.0.7.RELEASE.jar; 赠送原API文档:spring-security-web-5.0.7.RELEASE-javadoc.jar; 赠送源代码:spring-security-web-5.0.7.RELEASE-sources.jar; 赠送Maven依赖信息文件:...