Java Spring安全性-持久记住我的问题
我一直在努力寻找为什么Spring Security没有创建Spring Security MemberMe cookie(Spring\u Security\u MemberMe\u cookie)。然而,根据我通过HTTP头看到的设置cookie的情况,只是有一个额外的GET请求/j_spring_security_check导致了下面的异常。这也会导致cookie被删除Java Spring安全性-持久记住我的问题,java,spring,google-app-engine,spring-security,Java,Spring,Google App Engine,Spring Security,我一直在努力寻找为什么Spring Security没有创建Spring Security MemberMe cookie(Spring\u Security\u MemberMe\u cookie)。然而,根据我通过HTTP头看到的设置cookie的情况,只是有一个额外的GET请求/j_spring_security_check导致了下面的异常。这也会导致cookie被删除 FINE: Authentication request failed: org.springframework.sec
FINE: Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Authentication method not supported: GET
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter doFilter
FINE: Request is to process authentication
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
FINE: Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Authentication method not supported: GET
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
FINE: Updated SecurityContextHolder to contain null Authentication
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
FINE: Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@4196c169
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices loginFail
FINE: Interactive login attempt was unsuccessful.
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices cancelCookie
FINE: Cancelling cookie
<http auto-config="false">
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/img/**" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/app/admin/**" filters="none" />
<intercept-url pattern="/app/login/**" filters="none" />
<intercept-url pattern="/app/register/**" filters="none" />
<intercept-url pattern="/app/error/**" filters="none" />
<intercept-url pattern="/" filters="none" />
<intercept-url pattern="/**" access="ROLE_USER" />
<logout logout-success-url="/" />
<form-login login-page="/app/login" default-target-url="/" authentication-failure-url="/app/login?login_error=1" />
<session-management invalid-session-url="/app/login" />
<remember-me services-ref="rememberMeServices" key="myKey" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="sha-256" base64="true">
<salt-source user-property="username" />
</password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="userDetailsService" class="com.my.service.auth.UserDetailsServiceImpl" />
<beans:bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="tokenRepository" ref="persistentTokenRepository" />
<beans:property name="key" value="myKey" />
</beans:bean>
<beans:bean id="persistentTokenRepository" class="com.my.service.auth.PersistentTokenRepositoryImpl" />
你试过用最简单的“记住我”吗
<remember-me key="myAppKey"/>
PersistentTokenRepositoryImpl记得我在Spring Security 3.0.1中被破坏了吗:。使用3.0.2。证明Firebug正在生成额外的GET请求。我必须实现自己的PersistentTokenRepository,因为我必须与App Engine数据存储交互。我已经确认persistentTokenRepository.createNewToken()调用成功地持久化到数据存储。我甚至能够跟踪到UsernamePasswordAuthenticationFilter。successfulAuthentication(…)我用更多信息更新了问题,以防您有任何想法。如果我正确理解http头,看起来你发布到j_spring_security_check,它会将你重定向到/app/helloWorld(我认为这意味着身份验证工作正常),你的浏览器会得到helloWorld页面。。。但在那之后,有一个GET请求,要求j_spring_安全检查。是什么在您的客户端/网页中生成此GET请求?这是真正的问题。我不知道是什么引起的。我想可能是我的配置有问题,也可能是Spring的安全漏洞。该漏洞的状态是“无法修复”,那么3.0.2会有什么帮助呢?看起来好像没有做任何更改。如果我使用SpringSecurity3.0.0,也许可以工作?我不能使用SpringSecurity3.0.2,因为这个问题:。@Taylor:是的,在3.0.0中它应该可以工作。它被标记为“不会修复”,因为原始问题在3.0.1中被错误地解决(破坏所有内容),并在3.0.2中恢复。我明白了。我将尝试3.0.0。谢谢。我尝试了SpringSecurity3.0.0和3.0.3快照,但仍然看到相同的问题。还有其他想法吗?我在这里的春季论坛上发布了一条类似的帖子。它还附带了一个日志文件,显示了调试日志的更多内容。我创建了一个Spring安全漏洞来跟踪此问题:
<remember-me key="myAppKey"/>