Spring Security Memberme不在Safari中工作
我已经成功地配置了一个具有Spring安全性和持久记忆功能的Spring应用程序。但是,以下步骤会在Safari 7.1.2中产生错误:Spring Security Memberme不在Safari中工作,spring,security,spring-mvc,Spring,Security,Spring Mvc,我已经成功地配置了一个具有Spring安全性和持久记忆功能的Spring应用程序。但是,以下步骤会在Safari 7.1.2中产生错误: 使用RememberMe登录(已确认在数据库中创建令牌) 从浏览器中手动删除JSESSIONID cookie以模拟会话过期 刷新浏览器 由此产生的错误是: org.springframework.security.web.authentication.rememberme.CookiethefteException:无效的rememberme令牌(系列/令牌
@Configuration
@EnableWebMvcSecurity
@ComponentScan(basePackages={"com.example.app.config"})
public class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private DataSource dataSource;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication()
.dataSource(dataSource);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/new").access("hasRole('USER')")
.antMatchers("/call/**").access("hasRole('USER')")
.antMatchers("/contacts/**").access("hasRole('USER')")
.antMatchers("/").access("hasRole('USER')")
.antMatchers("/resources/css/**").permitAll()
.antMatchers("/resources/js/**").permitAll()
.and()
.formLogin()
.loginPage("/signin")
.loginProcessingUrl("/j_spring_security_check")
.usernameParameter("username")
.passwordParameter("password")
.permitAll();
http.rememberMe()
.key("notasecret")
.rememberMeServices(rememberMeServices())
.userDetailsService(userDetailsService());
}
@Bean
public JdbcDaoImpl userDetailsService() {
JdbcDaoImpl userDetailsService = new JdbcDaoImpl();
userDetailsService.setDataSource(dataSource);
return userDetailsService;
}
@Bean
public PersistentTokenBasedRememberMeServices rememberMeServices() {
PersistentTokenBasedRememberMeServices services = new PersistentTokenBasedRememberMeServices("notasecret", userDetailsService(), tokenRepository());
services.setTokenValiditySeconds(43200);
return services;
}
@Bean
public JdbcTokenRepositoryImpl tokenRepository() {
JdbcTokenRepositoryImpl repository = new JdbcTokenRepositoryImpl();
repository.setDataSource(dataSource);
return repository;
}
以下是Safari的调试跟踪中发生的情况:
DEBUG: org.springframework.security.web.FilterChainProxy - / at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - / at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG: org.springframework.security.web.FilterChainProxy - / at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG: org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@69d3d174
DEBUG: org.springframework.security.web.FilterChainProxy - / at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - / at position 5 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /' doesn't match 'POST /logout
DEBUG: org.springframework.security.web.FilterChainProxy - / at position 6 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /' doesn't match 'POST /j_spring_security_check
DEBUG: org.springframework.security.web.FilterChainProxy - / at position 7 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - / at position 8 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - / at position 9 of 13 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
DEBUG: org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Remember-me cookie detected
DEBUG: org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Cancelling cookie
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Jan 27, 2015 11:54:17 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [appServlet] in context with path [/ocl] threw exception
org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
我的理论是,日志中指出“取消cookie”的那一点就是问题所在。然而,我不知道为什么会发生这种情况
请告诉我是否有人遇到此问题,或者上述配置是否存在错误或缺失。我从一个纯安全应用程序开始,以消除所有其他复杂性,并能够使“记住我”功能正常工作。我在测试应用程序和主应用程序之间的相应POM.xml文件处达到峰值,并从“记住我”不工作的应用程序中删除了以下依赖项:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.5.RELEASE</version>
</dependency>
org.springframework.security
spring安全网
3.2.5.1发布
这一定与spring security core
冲突,因为在我删除依赖项后,一切正常