在已配置的spring OAUTH和用户名密码令牌认证系统中添加Remember Me功能

时间:2013-01-22 12:10:27

标签: spring spring-security

我有以下弹簧安全配置。

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">


<!-- For S2OAuth endpoints -->
<http   pattern="/oauth/token" 
        create-session="stateless" 
        authentication-manager-ref="clientAuthenticationManager" 
        entry-point-ref="oauthAuthenticationEntryPoint"
        xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <anonymous enabled="false" />
    <http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
    <!-- include this only if you need to authenticate clients via request parameters -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
</http>

<http use-expressions="true">
    <!-- Authentication policy -->
    <form-login login-page="/signin" login-processing-url="/signin/authenticate" authentication-failure-url="/signin?error=1" />
    <logout logout-url="/signout" delete-cookies="JSESSIONID" />
    <!-- Remember Me -->
    <remember-me services-ref="rememberMeServices" key="myRememberMeKey" />
    <!-- Authorization policy definition: TODO consider replacing with @Secured on @Controllers -->
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/favicon.ico" access="permitAll" />
    <intercept-url pattern="/members/**" access="permitAll" />
    <intercept-url pattern="/groups/**" access="permitAll" />
    <intercept-url pattern="/pubsub/**" access="permitAll" />
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/signup" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />   
    <intercept-url pattern="/signin" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
    <intercept-url pattern="/signin/*" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
    <intercept-url pattern="/reset" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
    <!-- TODO this would probably be better mapped to simply /invite?token={token} but not able to vary security policy here based on presence of a request parameter.  Consider @Secured on @Controller. -->               
    <intercept-url pattern="/invite/accept" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
    <!-- TODO this should be restricted to admin users only -->
    <intercept-url pattern="/admin/**" access="permitAll" />           
    <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="#{environment['application.secureChannel']}" />
    <custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</http>

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="usernamePasswordAuthenticationProvider" />
</authentication-manager>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>

<bean id="jdbcRememberMeRepository" class="com.springsource.greenhouse.rememberme.JdbcRememberMeRepository" xmlns="http://www.springframework.org/schema/beans"/>
<bean id="coreUserDetailsService" class="com.springsource.greenhouse.rememberme.RememberMeUserDetailsService" xmlns="http://www.springframework.org/schema/beans"/>

<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices" xmlns="http://www.springframework.org/schema/beans">
  <property name="tokenRepository" ref="jdbcRememberMeRepository" />
  <property name="userDetailsService" ref="coreUserDetailsService" />
  <property name="key" value="myRememberMeKey" />
  <property name="alwaysRemember" value="true" />
</bean>


<!-- For S2OAuth endpoints -->
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>

<beans:bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <beans:constructor-arg ref="clientDetails" />
</beans:bean>

<beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <beans:property name="realmName" value="greenhouseApi" />
</beans:bean>


<beans:import resource="security-oauth-provider.xml" />

 </beans:beans>

当我勾选remember-me复选框时,我看到我的remember-me数据库已填充,如快照中所示。现在我关闭浏览器并尝试访问需要登录的URL。我能看到这个页面。现在我在这里因为登录还是因为记得我而能够看到页面而感到困惑。其次,我在remember-me数据库表中看到最后一个日期没有更新。可能是什么原因?

1 个答案:

答案 0 :(得分:1)

重新启动浏览器是不够的。要测试记住我的功能,您需要确保您的会话已过期。如果 lastUsed 未更新,则表示未使用记住我的功能。在您的情况下,HTTP会话是活动的。您需要停用它,并且有多种选择:

  • 等待会话到期。提示:您可以设置最小会话超时,例如在web.xml中设置1分钟。
  • 或删除会话cockie(不要删除所有域名的coockies,记住我也使用coockie)
  • 或者停止您的应用程序服务器,然后清理其持久存储会话数据的目录并重新启动它。对于tomcat,它是tomcat_root / work。

在web.xml中将会话超时值设置为1分钟:

<session-config>
    <session-timeout>1</session-timeout>
</session-config>