Spring Social+;Spring安全HTTPS/HTTP
当使用spring social从http或https请求facebook登录时,如何通过http访问remember me cookie和会话。当前,如果用户通过https登录,则无法通过http页面读取cookie(没有用户登录)。我使用的是use secure cookie=“false”,但这没有帮助Spring Social+;Spring安全HTTPS/HTTP,spring,spring-security,spring-social,Spring,Spring Security,Spring Social,当使用spring social从http或https请求facebook登录时,如何通过http访问remember me cookie和会话。当前,如果用户通过https登录,则无法通过http页面读取cookie(没有用户登录)。我使用的是use secure cookie=“false”,但这没有帮助 <s:remember-me key="mykey" services-ref="rememberMeServices" use-secure-cookie="false"/>
<s:remember-me key="mykey" services-ref="rememberMeServices" use-secure-cookie="false"/>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<property name="userDetailsService" ref="userService" />
<property name="tokenRepository" ref="persistentTokenRepository" />
<property name="key" value="mykey" />
<property name="cookieName" value="rmb" />
<property name="useSecureCookie" value="false" />
<property name="tokenValiditySeconds" value="946708560" />
<property name="alwaysRemember" value="true"></property>
</bean>
“使用安全cookie”属性仅影响记忆。您需要确保HTTP会话也可以通过HTTP进行。注意:通过HTTP允许这两种方式中的任何一种都是错误的!!!主意Google for Firesheep了解您不应通过HTTP提交会话cookies的原因。谢谢您…Google sslstrip,或黑客宣言..只有在机器脱机时,机器才是安全的。。
@Configuration
public class SocialConfig {
@Inject
private Environment environment;
@Inject
private DataSource dataSource;
@Inject
private TextEncryptor textEncryptor;
@Value("${app.url}")
private String applicationUrl;
@Value("${facebook.clientId}")
private String facebookClientId;
@Value("${facebook.clientSecret}")
private String facebookClientSecret;
@Bean
public ConnectionFactoryLocator connectionFactoryLocator() {
ConnectionFactoryRegistry registry = new ConnectionFactoryRegistry();
registry.addConnectionFactory(new FacebookConnectionFactory(
facebookClientId,
facebookClientSecret));
return registry;
}
@Bean
@Scope(value="request", proxyMode=ScopedProxyMode.INTERFACES)
public ConnectionRepository connectionRepository() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication == null) {
throw new IllegalStateException("Unable to get a ConnectionRepository: no user signed in");
}
return usersConnectionRepository().createConnectionRepository(authentication.getName());
}
@Bean
public UsersConnectionRepository usersConnectionRepository() {
JdbcUsersConnectionRepository repository = new JdbcUsersConnectionRepository(
dataSource, connectionFactoryLocator(), textEncryptor);
repository.setConnectionSignUp(connectionSignUp());
return repository;
}
@Bean
public TextEncryptor textEncryptor() {
return Encryptors.noOpText();
}
@Bean
public ConnectController connectController() {
ConnectController controller = new ConnectController(
connectionFactoryLocator(), connectionRepository());
controller.setApplicationUrl(applicationUrl);
return controller;
}
@Bean
public ProviderSignInController providerSignInController(RequestCache requestCache) {
ProviderSignInController controller = new ProviderSignInController(connectionFactoryLocator(),
usersConnectionRepository(), signInAdapter());
controller.setSignUpUrl("/register");
controller.setSignInUrl("/socialSignIn");
controller.setPostSignInUrl("socialSignIn");
controller.addSignInInterceptor(new RedirectAfterConnectInterceptor());
return controller;
}
@Bean
public SignInAdapter signInAdapter() {
return new SignInAdapterImpl();
}
@Bean
public ConnectionSignUp connectionSignUp() {
return new ConnectionSignUpImpl();
}
}