2013-04-07 169 views
2

I used this tutorial http://krams915.blogspot.de/2010/12/spring-security-mvc-integration-using_26.html to implement a custom authentication manager. Login and logout work fine.

Spring Security custom authentication and remember-me

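Now I want to use Spring Security remember-me authentication. As far as I know, for remember-me I need a userDetailService, so I implemented a custom userDetailService. On the login page I added a checkbox named _spring_security_remember_me. But remember-me does not work: the remember-me cookie is not set after a successful login. I think this is a configuration problem, or do I have to implement a custom remember-me when using custom authentication?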

<input type="checkbox" name="_spring_security_remember_me">stay signed in 

My spring-security.xml file:

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security" 
    xmlns:p="http://www.springframework.org/schema/p" 
    xmlns:jee="http://www.springframework.org/schema/jee" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
      http://www.springframework.org/schema/security 
      http://www.springframework.org/schema/security/spring-security-3.0.xsd 
      http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd"> 

    <security:http auto-config="false" use-expressions="true" access-denied-page="/login?error=true" 
      entry-point-ref="authenticationEntryPoint" > 

     <!-- Allow access to /login for everyone --> 
     <security:intercept-url pattern="/login" access="permitAll"/> 
     <!-- resources --> 
     <security:intercept-url pattern="/resources/**" access="permitAll"/> 
     <!-- Restrict access to /admin/**; listed before /** because the first matching pattern wins --> 
     <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/> 
     <!--<security:intercept-url pattern="/**" access="permitAll"/> --> 
     <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/> 


     <security:logout 
       invalidate-session="true" 
       logout-success-url="/login?logout=true" 
       logout-url="/j_spring_security_logout"/> 

     <security:custom-filter ref="blacklistFilter" before="FILTER_SECURITY_INTERCEPTOR"/> 
     <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/> 

     <!-- Set the session timeout page and 
      enable session fixation attack protection --> 
     <security:session-management invalid-session-url="/login?timeout=true" 
      session-fixation-protection="migrateSession"> 

      <!-- Maximum number of sessions per user (concurrent logins) --> 
      <security:concurrency-control max-sessions="3" 
       error-if-maximum-exceeded="false" /> 
     </security:session-management> 
     <security:remember-me key="myAppKey" token-validity-seconds="864000" user-service-ref="customUserDetailService"/> 
    </security:http> 

    <!-- custom user service --> 
    <bean id="customUserDetailService" class="com.stefan.app.security.CustomUserDetailsService"> 
     <property name="userBean" ref="userBean" /> 
    </bean> 

    <!-- Custom filter to deny unwanted users even though registered --> 
    <bean id="blacklistFilter" class="com.stefan.app.security.filter.BlacklistFilter" /> 

    <!-- Custom filter for username and password. The real customization is done in the customAuthenticationManager --> 
    <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" 
     p:authenticationManager-ref="customAuthenticationManager" 
     p:authenticationFailureHandler-ref="customAuthenticationFailureHandler" 
     p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" /> 

    <!-- Custom authentication manager. In order to authenticate, username and password must not be the same --> 
    <bean id="customAuthenticationManager" class="com.stefan.app.security.CustomAuthenticationManager"> 
     <property name="userBean" ref="userBean" /> 
    </bean> 

    <jee:local-slsb id="userBean" jndi-name="java:global/com.stefan.auctionnsiper-ear/app.ejb/UserBean!com.stefan.app.user.UserBeanLocal" 
       business-interface="com.stefan.app.user.UserBeanLocal"/> 

    <!-- We just actually need to set the default failure url here --> 
    <bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" 
     p:defaultFailureUrl="/login?error=true" /> 

    <!-- We just actually need to set the default target url here --> 
    <bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler" 
     p:defaultTargetUrl="/products" /> 

    <!-- The AuthenticationEntryPoint is responsible for redirecting the user to a particular page, like a login page, 
      whenever the server sends back a response requiring authentication --> 
    <!-- See Spring-Security Reference 5.4.1 for more info --> 
    <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" 
     p:loginFormUrl="/login"/> 

    <!-- The tag below has no use, but Spring Security needs it to autowire the parent property of 
      org.springframework.security.authentication.ProviderManager. Otherwise we get an error. 
      A probable bug. This is still under investigation. --> 
    <security:authentication-manager/> 
</beans> 
+1

Hello @Stefan, I am facing the same problem too. How did you solve it? – 2015-07-07 11:44:15

Answers

2

Check:


Try this:

<security:http> 
    ... 
    <security:remember-me services-ref="rememberMeServices" /> 
</security:http> 

<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices"> 
    <property name="userDetailsService" ref="customUserDetailService"/> 
    <property name="tokenValiditySeconds" value="864000"/> 
    <property name="cookieName" value="SPRING_RM"/> 
    <property name="key" value="myAppKey"/> 
</bean> 
+0

Thanks JoGo. I tried your suggestion, but without success. The remember-me cookie was not set. I checked the link and changed the authenticationFilter: <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> <property name="authenticationManager" ref="customAuthenticationManager"/> Now the cookie is set, but remember-me does not work. Any other ideas? – Stefan 2013-04-09 20:32:19

1

In addition to what JoGo said, don't forget to set the "rememberMeServices" property on your "authenticationFilter", i.e.:

<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" 
    p:authenticationManager-ref="customAuthenticationManager" 
    p:authenticationFailureHandler-ref="customAuthenticationFailureHandler" 
    p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" 
    p:rememberMeServices-ref="rememberMeServices" /> 

Also, you may want to delete the remember-me cookie when the user logs out, so that he is not logged in again automatically:

<security:logout 
    invalidate-session="true" 
    logout-success-url="/login?logout=true" 
    logout-url="/j_spring_security_logout" 
    delete-cookies="SPRING_RM"  
    /> 

I hope this helps.
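A static check for the two wiring points raised in the answers above (a hand-declared login filter without `rememberMeServices`, and a logout that leaves the remember-me cookie behind), as an added example that is not part of the original posts. The names `check_remember_me` and `bean_prop` and the reduced sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans",
      "s": "http://www.springframework.org/schema/security"}
P = "{http://www.springframework.org/schema/p}"
LOGIN_FILTER = "org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"

def bean_prop(bean, name):
    """Value of a bean property given as p:name, p:name-ref or a <property> child."""
    for attr in (P + name, P + name + "-ref"):
        if attr in bean.attrib:
            return bean.attrib[attr]
    for prop in bean.findall("b:property", NS):
        if prop.get("name") == name:
            return prop.get("ref") or prop.get("value")

def check_remember_me(xml_text):
    root = ET.fromstring(xml_text)
    beans = {b.get("id"): b for b in root.findall("b:bean", NS) if b.get("id")}
    findings = []
    for http in root.findall("s:http", NS):
        rm = http.find("s:remember-me", NS)
        if rm is None:
            continue
        # Second answer: a hand-declared login filter needs rememberMeServices set on it.
        for cf in http.findall("s:custom-filter", NS):
            bean = beans.get(cf.get("ref"))
            if (cf.get("position") == "FORM_LOGIN_FILTER" and bean is not None
                    and bean.get("class") == LOGIN_FILTER and not bean_prop(bean, "rememberMeServices")):
                findings.append("filter '%s' has no rememberMeServices" % cf.get("ref"))
        # Second answer: logout should delete the remember-me cookie.
        services = beans.get(rm.get("services-ref"))
        cookie = bean_prop(services, "cookieName") if services is not None else None
        logout = http.find("s:logout", NS)
        if cookie and logout is not None:
            deleted = [c.strip() for c in logout.get("delete-cookies", "").split(",")]
            if cookie not in deleted:
                findings.append("logout does not delete cookie '%s'" % cookie)
    return findings

# Constructed sample modelled on the question's config, reduced to the relevant elements.
TEMPLATE = ('<beans xmlns="%s" xmlns:s="%s" xmlns:p="%s"><s:http><s:logout %%s/>'
            '<s:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>'
            '<s:remember-me services-ref="rememberMeServices"/></s:http>'
            '<bean id="authenticationFilter" class="%s" %%s/><bean id="rememberMeServices">'
            '<property name="cookieName" value="SPRING_RM"/></bean></beans>'
            % (NS["b"], NS["s"], P[1:-1], LOGIN_FILTER))
BROKEN = TEMPLATE % ("", "")
FIXED = TEMPLATE % ('delete-cookies="SPRING_RM"', 'p:rememberMeServices-ref="rememberMeServices"')
```

`check_remember_me(BROKEN)` reports both gaps, and `check_remember_me(FIXED)` returns an empty list.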
