我在使用Spring Security 3.1的Spring MVC应用程序中实现了“记住我”功能
我的security-context.xml如下所示:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<import resource="servlet-context.xml" />
<security:global-method-security secured-annotations="enabled" />
<security:http auto-config="true" authentication-manager-ref="am">
<!-- Restrict URLs based on role -->
<security:intercept-url pattern="/public/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
<!-- Override default login and logout pages -->
<security:form-login login-page="/public/login"
login-processing-url="/public/loginProcess"
default-target-url="/public/loginSuccess"
authentication-failure-url="/public/login?login_error=1"
always-use-default-target="true" />
<security:logout logout-url="/public/logout" logout-success-url="/public/login?logout=1" />
<security:remember-me services-alias="rmService" data-source-ref="dataSource"/>
<security:custom-filter position="LAST" ref="httpResponseAuthFilter" />
</security:http>
<security:authentication-manager id="am">
<security:authentication-provider >
<security:password-encoder ref="passwordEncoder" />
<security:jdbc-user-service data-source-ref="dataSource" />
</security:authentication-provider>
</security:authentication-manager>
<bean id="httpResponseAuthFilter"
class="mypackage.HttpResponseAuthenticationFilter" >
<property name="authenticationManager" ref="am"/>
<property name="rememberMeServices" ref="rmService"></property>
</bean>
</beans>
Filter类的实现如下:
public class HttpResponseAuthenticationFilter extends RememberMeAuthenticationFilter {
@Override
protected void onSuccessfulAuthentication(final HttpServletRequest request, final HttpServletResponse response,
final Authentication authResult) {
super.onSuccessfulAuthentication(request, response, authResult);
if (authResult != null) {
// process post authentication logic here..
}
}
}
请记住,使用上述配置可以正常运行,但在eclipse调试器中运行时,我发现HttpResponseAuthenticationFilter.onSuccessfulAuthentication()没有被调用。
修改
修改我的security-context.xmls并使用标准Spring bean定义remember-me服务并在配置中引用服务后
<security:http auto-config="true" authentication-manager-ref="am">
<!-- Restrict URLs based on role -->
<security:intercept-url pattern="/public/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
<!-- Override default login and logout pages -->
<security:form-login login-page="/public/login"
login-processing-url="/public/loginProcess"
default-target-url="/public/loginSuccess"
authentication-failure-url="/public/login?login_error=1"
always-use-default-target="true" />
<security:remember-me services-ref="rememberMeService"/>
<security:logout logout-url="/public/logout" logout-success-url="/public/login?logout=1" />
<security:custom-filter position="LAST" ref="httpResponseAuthFilter" />
</security:http>
<security:authentication-manager id="am">
<security:authentication-provider >
<security:password-encoder ref="passwordEncoder" />
<security:jdbc-user-service data-source-ref="dataSource" />
</security:authentication-provider>
<security:authentication-provider ref="rememberMeAuthenticationProvider" />
</security:authentication-manager>
<bean id="rememberMeAuthenticationProvider" class=
"org.springframework.security.authentication.RememberMeAuthenticationProvider">
<property name="key" value="riskAnalysis" />
</bean>
<bean id="httpResponseAuthFilter"
class="mypacakge.HttpResponseAuthenticationFilter" >
<property name="authenticationManager" ref="am"/>
<property name="rememberMeServices" ref="rememberMeService"></property>
</bean>
<bean id="rememberMeService"
class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<property name="userDetailsService" ref="userDetailsService" />
<property name="key" value="riskAnalysis" />
</bean>
<bean id="userDetailsService"
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource"/>
</bean>
以下是我在日志中的内容:
* DEBUG:mypackage.HttpResponseAuthenticationFilter - SecurityContextHolder没有填充remember-me标记,因为它已经包含:'org.springframework.security.authentication.RememberMeAuthenticationToken@303f2184:Principal:org.springframework.security.core.userdetails.User @ cb7ea6f6:用户名:tarun4;密码保护];启用:true; AccountNonExpired:true; credentialsNonExpired:true; AccountNonLocked:true;授权机构:ROLE_ADMIN,ROLE_USER;证书:[保护];认证:真实;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@b364:RemoteIpAddress:0:0:0:0:0:0:0:1; SessionId:null;授权机构:ROLE_ADMIN,ROLE_USER'*
所以看起来会话中存在身份验证信息。
谢谢, 塔伦
答案 0 :(得分:2)
remember-me名称空间元素已插入RememberMeAuthenticationFilter,因此它仍将优先于您的,因为它位于过滤器链之前。
如果要使用自定义过滤器,则应删除命名空间元素并使用标准Spring bean作为相关服务。有一个示例in the reference manual (Section 11.4.1),显示了所需的bean。