Spring Security自定义身份验证并记住我
我使用教程实现了一个自定义身份验证管理器。登录和注销工作正常 现在我想使用SpringSecurity记住我身份验证。据我所知,记住我需要userDetailService。因此,我实现了一个定制的Spring Security自定义身份验证并记住我,spring,spring-security,remember-me,Spring,Spring Security,Remember Me,我使用教程实现了一个自定义身份验证管理器。登录和注销工作正常 现在我想使用SpringSecurity记住我身份验证。据我所知,记住我需要userDetailService。因此,我实现了一个定制的userDetailService 在登录页面上,我添加了一个名为\u spring\u security\u memory\u me的复选框。但是,记住我不工作。成功登录后未设置“记住我”cookie。我认为这是一个配置问题,还是我需要实现一个自定义的“记住我”来使用自定义身份验证 <inpu
userDetailService
在登录页面上,我添加了一个名为\u spring\u security\u memory\u me
的复选框。但是,记住我不工作。成功登录后未设置“记住我”cookie。我认为这是一个配置问题,还是我需要实现一个自定义的“记住我”来使用自定义身份验证
<input type="checkbox" name="_spring_security_remember_me">stay signed in
保持登录状态
My Spring-Security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:jee="http://www.springframework.org/schema/jee"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd">
<security:http auto-config="false" use-expressions="true" access-denied-page="/login?error=true"
entry-point-ref="authenticationEntryPoint" >
<!-- Zugriff auf /login für alle erlauben -->
<security:intercept-url pattern="/login" access="permitAll"/>
<!-- resources -->
<security:intercept-url pattern="/resources/**" access="permitAll"/>
<!--<security:intercept-url pattern="/**" access="permitAll"/> -->
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<!-- Zugriff auf /admin/** einschränken -->
<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
<security:logout
invalidate-session="true"
logout-success-url="/login?logout=true"
logout-url="/j_spring_security_logout"/>
<security:custom-filter ref="blacklistFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
<!-- Session Timeout Seite setzen und
Session Fixation Attack Protection einschalten -->
<security:session-management invalid-session-url="/login?timeout=true"
session-fixation-protection="migrateSession">
<!-- Maxmale Anzahl von Session per User (Doppelanmeldung) -->
<security:concurrency-control max-sessions="3"
error-if-maximum-exceeded="false" />
</security:session-management>
<security:remember-me key="myAppKey" token-validity-seconds="864000" user-service-ref="customUserDetailService"/>
</security:http>
<!-- custom user service -->
<bean id="customUserDetailService" class="com.stefan.app.security.CustomUserDetailsService">
<property name="userBean" ref="userBean" />
</bean>
<!-- Custom filter to deny unwanted users even though registered -->
<bean id="blacklistFilter" class="com.stefan.app.security.filter.BlacklistFilter" />
<!-- Custom filter for username and password. The real customization is done in the customAthenticationManager -->
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />
<!-- Custom authentication manager. In order to authenticate, username and password must not be the same -->
<bean id="customAuthenticationManager" class="com.stefan.app.security.CustomAuthenticationManager">
<property name="userBean" ref="userBean" />
</bean>
<jee:local-slsb id="userBean" jndi-name="java:global/com.stefan.auctionnsiper-ear/app.ejb/UserBean!com.stefan.app.user.UserBeanLocal"
business-interface="com.stefan.app.user.UserBeanLocal"/>
<!-- We just actually need to set the default failure url here -->
<bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/login?error=true" />
<!-- We just actually need to set the default target url here -->
<bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
p:defaultTargetUrl="/products" />
<!-- The AuthenticationEntryPoint is responsible for redirecting the user to a particular page, like a login page,
whenever the server sends back a response requiring authentication -->
<!-- See Spring-Security Reference 5.4.1 for more info -->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login"/>
<!-- The tag below has no use but Spring Security needs it to autowire the parent property of
org.springframework.security.authentication.ProviderManager. Otherwise we get an error
A probable bug. This is still under investigation-->
<security:authentication-manager/>
</beans>
检查:
试试这个:
<security:http>
...
<security:remember-me services-ref="rememberMeServices" />
</security:http>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<property name="userDetailsService" ref="customUserDetailService"/>
<property name="tokenValiditySeconds" value="864000"/>
<property name="cookieName" value="SPRING_RM"/>
<property name="key" value="myAppKey"/>
</bean>
...
除了JoGo所说的,别忘了在“authenticationFilter”上设置“RememberServices”属性,即:
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"
p:rememberMeServices-ref="rememberMeServices" />
此外,当用户注销时,您可能需要删除“记住我”cookie,这样他就不会自动登录:
<security:logout
invalidate-session="true"
logout-success-url="/login?logout=true"
logout-url="/j_spring_security_logout"
delete-cookies="SPRING_RM"
/>
我希望这有帮助。谢谢JoGo。我试过你的建议,但没有成功。未设置记住cookie。我检查链接并更改authenticationFilter:现在Cookie已设置为aber Memory me不起作用。还有其他想法吗?你好@Stefan,我也面临同样的问题。你如何解决这个问题?