Spring Boot remember-me not working

Tags: spring-boot, spring-security

I successfully implemented remember-me with Spring Boot Security: the data is stored in my table persistent_logins (username, series, token, last_used) and I can see the cookie in the browser. My problem is that when I delete the JSESSIONID in the browser and refresh, the browser redirects to the login page instead of staying on the same page. This is my SecurityConfigWeb.java:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/sentEmail").permitAll();
    http.authorizeRequests().antMatchers("/contactUs").permitAll();
    http.authorizeRequests().antMatchers("/reset").permitAll();
    http.authorizeRequests().antMatchers(Constants.PATTERN1).permitAll();
    http.authorizeRequests().antMatchers(Constants.PATHPATTERN2).permitAll();
    http.authorizeRequests().antMatchers(Constants.PATHPATTERN3).permitAll()
        .and().rememberMe().rememberMeServices(rememberMeServices());
    http.authorizeRequests().anyRequest().authenticated()
        .and().formLogin().loginPage(Constants.URL_PATH)
        .successHandler(this.authSuccess).failureHandler(this.authFailure).permitAll();
    http.authorizeRequests().anyRequest().authenticated()
        .and().logout().logoutSuccessHandler(this.logoutSuccess)
        .deleteCookies("JSESSIONID").invalidateHttpSession(false).permitAll();
    http.csrf().disable();
}

@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
    // BCrypt itself is not a PasswordEncoder; BCryptPasswordEncoder is what the builder accepts
    return new BCryptPasswordEncoder();
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
}

@Bean
public AbstractRememberMeServices rememberMeServices() {
    PersistentTokenBasedRememberMeServices rememberMeServices =
        new PersistentTokenBasedRememberMeServices("AppKey", userDetailsService(), persistentTokenRepository());
    rememberMeServices.setParameter("rememberMe");
    rememberMeServices.setAlwaysRemember(true);
    rememberMeServices.setCookieName("javasampleapproach-remember-me");
    rememberMeServices.setTokenValiditySeconds(24 * 60 * 60);
    return rememberMeServices;
}

@Bean
public PersistentTokenRepository persistentTokenRepository() {
    JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
    tokenRepository.setDataSource(dataSource);
    return tokenRepository;
}
```
This is the remember-me part of my login.html:

```html
<div class="checkboxDiv">
    <input type="checkbox" name="remember-me" value="true"> <label class="check" for="checkbox">Stay Logged In</label>
</div>
```

Any help is appreciated. Thanks in advance.

Answer:

The problem is that you configure security in multiple statements instead of using the fluent API:
```java
http.authorizeRequests().antMatchers(Constants.PATHPATTERN3).permitAll().and().rememberMe().rememberMeServices(rememberMeServices());
```

With this line you activate remember-me, but only for Constants.PATHPATTERN3. So if you want to activate remember-me for all endpoints, your security configuration should look like this:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/sentEmail", "/contactUs", "/reset", Constants.PATTERN1, Constants.PATHPATTERN2, Constants.PATHPATTERN3).permitAll()
            .anyRequest().authenticated()
        .and()
            .logout()
            .logoutSuccessHandler(this.logoutSuccess).permitAll()
        .and()
            .formLogin()
            .loginPage(Constants.URL_PATH)
            .successHandler(this.authSuccess)
            .failureHandler(this.authFailure).permitAll()
        .and()
            .rememberMe()
            .tokenRepository(persistentTokenRepository())
            .key("AppKey")
            .alwaysRemember(true)
            .rememberMeParameter("rememberMe")
            .rememberMeCookieName("javasampleapproach-remember-me")
            .tokenValiditySeconds(24 * 60 * 60)
        .and()
            .csrf().disable();  // was written as "csfr().disable()", which does not compile
}

@Bean
public PersistentTokenRepository persistentTokenRepository() {
    JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
    tokenRepository.setDataSource(dataSource);
    return tokenRepository;
}
```
This way you do all the configuration in one go.
Comments:

M. Deinum: You only enabled remember-me for pattern3. Your security configuration is weird; just chain everything into a single call...

Asker: Sorry M.Deinum, I don't understand. You mean I should do this: `http.authorizeRequests().antMatchers(Constants.PATTERN1).permitAll().and().rememberMe().rememberMeServices(rememberMeServices());` `http.authorizeRequests().antMatchers(Constants.PATHPATTERN2).permitAll().and().rememberMe().rememberMeServices(rememberMeServices());` `http.authorizeRequests().antMatchers(Constants.PATHPATTERN3).permitAll().and().rememberMe().rememberMeServices(rememberMeServices());` ???

M. Deinum: No, you should have a single chain configuring your security...

Asker: A single chain, meaning in relation to login or logout, i.e. `http.authorizeRequests().anyRequest().authorized().and().logout().logoutSuccessHandler(this.logoutSuccess).deleteCookies("JSESSIONID").invalidateHttpSession(false).permitAll().and().rememberMe().rememberMeServices(rememberMeServices());`? No? Something like that?

M. Deinum: Yes. And also, why the extensive configuration for logout? You are basically re-configuring the defaults.

Comment on the answer: Maybe adding some more information about what the original problem was and why the code fixes it would improve the quality of your answer.

Asker: @M.Deinum I'm sorry for the late reply, but when I remove the jsessionid it is still the same, I get the login page, and this is the exception I get:
`org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException:173 - Access is denied (user is anonymous); redirecting to authentication entry point`
`org.springframework.security.access.AccessDeniedException: Accès refusé`
`... org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:149)`

M. Deinum: Then you don't have a remember-me cookie... Make sure the name of the remember-me parameter matches the configured name. Also, instead of configuring the services manually, I would suggest using the namespace.
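The lookup that the remember-me filter performs against persistent_logins is what decides between the "user is anonymous" outcome seen in the comments and a remembered login. The model below is an added example, not code from the question, the answer or Spring itself; it assumes Spring's cookie encoding of base64("series:token") with trailing "=" stripped, the 24-hour tokenValiditySeconds from the configuration above, and constructed table rows in place of the JDBC repository.

```python
import base64
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_VALIDITY = timedelta(seconds=24 * 60 * 60)  # tokenValiditySeconds from the page's config
NOW = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time" for the model

@dataclass
class PersistentLogin:  # one row of persistent_logins (username, series, token, last_used)
    username: str
    series: str
    token: str
    last_used: datetime

def sample_rows(now=NOW):
    """Constructed table content: one live series for user 'alice', last used an hour ago."""
    return {"series-1": PersistentLogin("alice", "series-1", "token-1", now - timedelta(hours=1))}

def encode_cookie(series, token):
    """Cookie value as PersistentTokenBasedRememberMeServices writes it (assumption: base64 of 'series:token')."""
    return base64.b64encode(f"{series}:{token}".encode()).decode().rstrip("=")

def decode_cookie(value):
    if not value:
        return None
    try:
        decoded = base64.b64decode(value + "=" * (-len(value) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    parts = decoded.split(":")
    return (parts[0], parts[1]) if len(parts) == 2 else None

def check_remember_me(cookie_value, rows, now=NOW):
    """Mirror the filter's decision: returns (outcome, username) and updates rows like the repository."""
    pair = decode_cookie(cookie_value)
    if pair is None:
        return ("anonymous", None)   # no cookie: request stays anonymous, hence the redirect to login
    series, token = pair
    row = rows.get(series)
    if row is None:
        return ("anonymous", None)   # unknown series: cookie is cancelled, still anonymous
    if row.token != token:
        # series matches but token does not: treated as cookie theft, every series of that user is purged
        for s in [s for s, r in rows.items() if r.username == row.username]:
            del rows[s]
        return ("cookie_theft", row.username)
    if row.last_used + TOKEN_VALIDITY < now:
        del rows[series]
        return ("expired", row.username)
    row.token = base64.b64encode(secrets.token_bytes(16)).decode()  # token rotates, series stays
    row.last_used = now
    return ("authenticated", row.username)
```

A missing or mis-named remember-me parameter means no cookie is ever issued, so every request takes the first "anonymous" branch regardless of what persistent_logins contains.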