Java Spring安全性:使用PersistentTokenBasedMemberMeservices的CookiethefteException
我有一个使用SpringBoot2.0.1的web应用程序,它受到SpringSecurity的保护。我使用Java Spring安全性:使用PersistentTokenBasedMemberMeservices的CookiethefteException,java,spring,spring-boot,spring-security,Java,Spring,Spring Boot,Spring Security,我有一个使用SpringBoot2.0.1的web应用程序,它受到SpringSecurity的保护。我使用PersistentTokenRepository来记住我,并将令牌存储在MySQL数据库中 在服务器日志文件中,我看到大量带有CookiethefteExceptions的堆栈跟踪。它太多了,我很难相信真的饼干被偷了,但却假设了某种错误的配置。通过添加一些分析代码,似乎只有移动浏览器受到影响 Servlet.service() for servlet [dispatcherServlet
PersistentTokenRepositoryCookiethefteExceptionServlet.service() for servlet [dispatcherServlet] in context with path [/r] threw exception
org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:119) ~[spring-security-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig {
@Configuration
public static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private RememberMeServices rememberMeServices;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.rememberMe()
.key(rememberMeKey)
.rememberMeServices(rememberMeServices);
;
}
}
/**
* Key for RememberMeServices and RememberMeAuthenticationProvider.
*/
private static final String rememberMeKey = "...";
@Bean
public RememberMeServices rememberMeServices(UserDetailsService userDetailsService, PersistentTokenRepository persistentTokenRepository) {
PersistentTokenBasedRememberMeServices rememberMeServices = new AnalyzingPersistentTokenBasedRememberMeServices(
rememberMeKey, userDetailsService, persistentTokenRepository);
rememberMeServices.setTokenValiditySeconds((int) Duration.of(366L, ChronoUnit.DAYS).toSeconds());
return rememberMeServices;
}
@Bean
public PersistentTokenRepository persistentTokenRepository(JdbcTemplate jdbcTemplate) {
JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
tokenRepository.setJdbcTemplate(jdbcTemplate);
return tokenRepository;
}
}
analyzingPersistentTokenBasedMemberMeservicesPersistentTokenBasedMemberMeservicesProcessAutologyCookieAuthenticationProviderUserDetailsService有没有人经历过这样的事情并有解决办法?我是否错过了一些关键配置?
PersistentTokenBasedMemberMeservices使用
TokenBasedMemberMeservicesprotected UserDetails processAutoLoginCookie(String[] cookieTokens,...
.....
PersistentRememberMeToken newToken = new PersistentRememberMeToken(
token.getUsername(), token.getSeries(), generateTokenData(), new Date());
try {
tokenRepository.updateToken(newToken.getSeries(), newToken.getTokenValue(),
newToken.getDate());
addCookie(newToken, request, response);
}
catch (Exception e) {
logger.error("Failed to update token: ", e);
throw new RememberMeAuthenticationException(
"Autologin failed due to data access problem");
}
if (token.date + 1 < new Date()){
try {
PersistentRememberMeToken newToken = new PersistentRememberMeToken( token.getUsername(), generateSeriesData(), generateTokenData(), new Date())
tokenRepository.createNewToken(newToken)
addCookie(newToken, request, response)
}
catch (Exception e) {
logger.error("Failed to update token: ", e);
throw new RememberMeAuthenticationException(
"Autologin failed due to data access problem");
}
}
if(token.date+1此代码在结果时生成许多DB记录,但有效此答案有点误导。在大多数情况下,人们选择PersistentTokenBasedMemberMeservices是因为TokenBasedMemberMeservices一开始就不适合。也就是说,它不那么安全。