2010-03-16 96 views
1

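Spring Security - Persistent Remember Me Issue

I've been trying to track down why Spring Security isn't creating the Spring Security remember-me cookie (SPRING_SECURITY_REMEMBER_ME_COOKIE). However, according to what I see in the HTTP headers, the cookie is being set; there is just an extra GET request to /j_spring_security_check that causes the exception below. This also causes the cookie to be deleted.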

FINE: Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Authentication method not supported: GET 

I'm using Spring 3.0.1, Spring Security 3.0.3 Snapshot and Google App Engine 1.3.1. Any ideas about what is going on?

Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter doFilter 
FINE: Request is to process authentication 
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication 
FINE: Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Authentication method not supported: GET 
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication 
FINE: Updated SecurityContextHolder to contain null Authentication 
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication 
FINE: Delegating to authentication failure handlerorg.springframework.se[email protected]4196c169 
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices loginFail 
FINE: Interactive login attempt was unsuccessful. 
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices cancelCookie 
FINE: Cancelling cookie 

Below is the relevant part of applicationContext-security.xml.

<http auto-config="false"> 
    <intercept-url pattern="/css/**" filters="none" /> 
    <intercept-url pattern="/img/**" filters="none" /> 
    <intercept-url pattern="/js/**" filters="none" /> 
    <intercept-url pattern="/app/admin/**" filters="none" /> 
    <intercept-url pattern="/app/login/**" filters="none" /> 
    <intercept-url pattern="/app/register/**" filters="none" /> 
    <intercept-url pattern="/app/error/**" filters="none" /> 
    <intercept-url pattern="/" filters="none" /> 
    <intercept-url pattern="/**" access="ROLE_USER" /> 
    <logout logout-success-url="/" /> 
    <form-login login-page="/app/login" default-target-url="/" authentication-failure-url="/app/login?login_error=1" /> 
    <session-management invalid-session-url="/app/login" /> 
    <remember-me services-ref="rememberMeServices" key="myKey" /> 
</http> 

<authentication-manager alias="authenticationManager"> 
    <authentication-provider user-service-ref="userDetailsService"> 
     <password-encoder hash="sha-256" base64="true"> 
      <salt-source user-property="username" /> 
     </password-encoder> 
    </authentication-provider> 
</authentication-manager> 

<beans:bean id="userDetailsService" class="com.my.service.auth.UserDetailsServiceImpl" /> 

<beans:bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices"> 
    <beans:property name="userDetailsService" ref="userDetailsService" /> 
    <beans:property name="tokenRepository" ref="persistentTokenRepository" /> 
    <beans:property name="key" value="myKey" /> 
</beans:bean> 

<beans:bean id="persistentTokenRepository" class="com.my.service.auth.PersistentTokenRepositoryImpl" /> 

Below are the HTTP headers for the case where I hit the problem:

http://localhost:8080/j_spring_security_check 

POST /j_spring_security_check HTTP/1.1 
Host: localhost:8080 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729) 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-us,en;q=0.5 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Referer: http://localhost:8080/app/login 
Cookie: JSESSIONID=15t2gq1vo5noj 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 88 
j_username=test%40test.com&j_password=test&_spring_security_remember_me=on&submit=Submit
HTTP/1.1 302 Found 
Expires: Thu, 01 Jan 1970 00:00:00 GMT 
Set-Cookie: JSESSIONID=1dymxpkh13z32;Path=/ 
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTNDd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9PQ;Path=/;Expires=Wed, 31-Mar-10 10:52:07 GMT
Location: http://localhost:8080/app/helloWorld 
Content-Length: 0 
Server: Jetty(6.1.x) 
---------------------------------------------------------- 
http://localhost:8080/app/helloWorld 

GET /app/helloWorld HTTP/1.1 
Host: localhost:8080 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729) 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-us,en;q=0.5 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Referer: http://localhost:8080/app/login 
Cookie: JSESSIONID=1dymxpkh13z32; SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTNDd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9PQ

HTTP/1.1 200 OK 
Content-Language: en-US 
Content-Type: text/html 
Content-Length: 526 
Server: Jetty(6.1.x) 
---------------------------------------------------------- 
http://localhost:8080/j_spring_security_check 

GET /j_spring_security_check HTTP/1.1 
Host: localhost:8080 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729) 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-us,en;q=0.5 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Cookie: JSESSIONID=1dymxpkh13z32; SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTNDd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9PQ

HTTP/1.1 302 Found 
Expires: Thu, 01 Jan 1970 00:00:00 GMT 
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=;Path=/;Expires=Thu, 01 Jan 1970 00:00:00 GMT 
Location: http://localhost:8080/app/login?login_error=1 
Content-Length: 0 
Server: Jetty(6.1.x) 
---------------------------------------------------------- 
http://localhost:8080/app/login?login_error=1 

GET /app/login?login_error=1 HTTP/1.1 
Host: localhost:8080 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729) 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-us,en;q=0.5 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Cookie: JSESSIONID=1dymxpkh13z32 

HTTP/1.1 200 OK 
Content-Language: en-US 
Content-Type: text/html 
Content-Length: 928 
Server: Jetty(6.1.x) 
+0

I posted a similar thread on the Spring forum here. It also has an attached log file showing more debug logging. http://forum.springsource.org/showthread.php?t=86278 – 2010-03-17 21:30:27

+0

I created a Spring Security bug to track this issue: http://jira.springframework.org/browse/SEC-1441 – 2010-03-17 22:26:52

Answers

2

It turned out that Firebug was generating the extra GET request.
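
The check behind this answer, as an added example that is not part of the original thread: a small parser for a header capture like the one in the question that reports which request set the remember-me cookie and which one cancelled it, together with that request's Referer. The capture is constructed (abbreviated from the question's trace, with a placeholder cookie value), and the function names are illustrative.

```python
import re

COOKIE = "SPRING_SECURITY_REMEMBER_ME_COOKIE"
# Constructed capture, abbreviated from the question's trace (placeholder cookie value).
CAPTURE = """\
POST /j_spring_security_check HTTP/1.1
Referer: http://localhost:8080/app/login

HTTP/1.1 302 Found
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=EXAMPLEVALUE;Path=/;Expires=Wed, 31-Mar-10 10:52:07 GMT
----------------------------------------------------------
GET /j_spring_security_check HTTP/1.1

HTTP/1.1 302 Found
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=;Path=/;Expires=Thu, 01 Jan 1970 00:00:00 GMT
"""

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/1\.[01]$")

def parse_exchanges(capture):
    """Split the capture into request/response pairs, keeping the fields we need."""
    exchanges = []
    for line in capture.splitlines():
        line = line.strip()
        m = REQUEST_LINE.match(line)
        if m:
            exchanges.append({"method": m.group(1), "path": m.group(2),
                              "referer": None, "set_cookies": []})
        elif exchanges and line.lower().startswith("referer:"):
            exchanges[-1]["referer"] = line.split(":", 1)[1].strip()
        elif exchanges and line.lower().startswith("set-cookie:"):
            exchanges[-1]["set_cookies"].append(line.split(":", 1)[1].strip())
    return exchanges

def cookie_events(exchanges, name=COOKIE):
    """Return (method, path, referer, 'set' or 'cancelled') per response touching the cookie."""
    events = []
    for ex in exchanges:
        for sc in ex["set_cookies"]:
            key, _, value = sc.split(";", 1)[0].partition("=")
            if key.strip() == name:
                # An empty value, as in the trace's last Set-Cookie, cancels the cookie.
                state = "set" if value.strip() else "cancelled"
                events.append((ex["method"], ex["path"], ex["referer"], state))
    return events

if __name__ == "__main__":
    for event in cookie_events(parse_exchanges(CAPTURE)):
        print(event)
```

In the question's trace the cancelling request is a GET with no Referer, unlike the login form's POST.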

0

Have you tried using the simplest version of remember-me?

<remember-me key="myAppKey"/> 

It may be that there is a problem with your custom implementation of the token repository. What does your PersistentTokenRepositoryImpl actually do?

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html

+0

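I had to implement my own PersistentTokenRepository because I have to interact with the App Engine datastore. I have confirmed that the persistentTokenRepository.createNewToken() call successfully saves to the datastore. – 2010-03-16 10:36:46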

+0

I've even been able to trace through to UsernamePasswordAuthenticationFilter.successfulAuthentication(...) – 2010-03-16 10:42:16

+0

I updated the question with more information in case you have any ideas. – 2010-03-17 20:19:02

0

Remember-me is broken in Spring Security 3.0.1: SEC-1356. Use 3.0.2.

+0

That bug's status is "Won't Fix", so how would 3.0.2 help? It looks like nothing changed. – 2010-03-16 16:30:12

+0

Maybe it would work if I used Spring Security 3.0.0? I can't use Spring Security 3.0.2 because of this issue: http://jira.springframework.org/browse/SEC-1434. – 2010-03-16 16:38:06

+0

@Taylor: Yes, it should work in 3.0.0. It is marked "Won't Fix" because the original issue was incorrectly resolved in 3.0.1 (breaking everything) and reverted in 3.0.2. – axtavt 2010-03-16 19:38:33
