我想要的只是一个简单的记住我。我看了http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html
到目前为止我做了什么:
UserDetailsService
以使用Hibernate / JPA。 我的impl。不考虑任何记住我的东西 <security:remember-me key="89dqj219dn910lsAc12" user-service-ref="jpaUserDetailsService" token-validity-seconds="864000"/>
SPRING_SECURITY_REMEMBER_ME_COOKIE
已设置当我重新启动浏览器时,我一直收到错误:
org.springframework.security.access.AccessDeniedException:访问被拒绝 身份验证对象为String:org.springframework.security.authentication.RememberMeAuthenticationToken@9ab72a70:Principal:de.myapp.businessobjects.AppUser@61f68b18:Username:myad;密码保护];启用:true; AccountNonExpired:true; credentialsNonExpired:true; AccountNonLocked:true;个人信息:65537; ;证书:[保护];认证:真实;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@957e:RemoteIpAddress:127.0.0.1; SessionId:null;授权机构:ROLE_ADMIN,ROLE_USER
这是我的secContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:global-method-security pre-post-annotations="enabled">
</security:global-method-security>
<security:http use-expressions="true" access-denied-page="/accessDenied">
<security:form-login
login-page="/login"
login-processing-url="/loginProcess"
default-target-url="/intro"
authentication-failure-url="/login?login_error=1"
/>
<security:logout
logout-url="/logout"
logout-success-url="/logoutSuccess"/>
<security:intercept-url pattern="/**" access="permitAll"/>
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/styles/**" access="permitAll"/>
<security:intercept-url pattern="/scripts/**" access="permitAll"/>
<security:remember-me key="89dqj219dn910lsAc12" user-service-ref="jpaUserDetailsService"
token-validity-seconds="864000"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="jpaUserDetailsService">
<security:password-encoder hash="sha">
</security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
<bean id="rememberMeFilter" class=
"org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
<property name="rememberMeServices" ref="rememberMeServices"/>
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<bean id="rememberMeServices" class=
"org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<property name="userDetailsService" ref="jpaUserDetailsService"/>
<property name="key" value="89dqj219dn910lsAc12"/>
</bean>
<bean id="rememberMeAuthenticationProvider" class=
"org.springframework.security.authentication.RememberMeAuthenticationProvider">
<property name="key" value="89dqj219dn910lsAc12"/>
</bean>
</beans>
最后是一些调试跟踪
03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.w.b.a.s.HandlerMethodInvoker - Invoking request handler method: public java.lang.String de.myapp.controller.bstController.showbstpage(java.lang.String,javax.servlet.http.HttpServletResponse)
03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Secure object: ReflectiveMethodInvocation: public java.lang.String de.myapp.controller.bstController.showbstpage(java.lang.String,javax.servlet.http.HttpServletResponse); target is of class [de.myapp.controller.bstController]; Attributes: [[authorize: 'isFullyAuthenticated() and #username == principal.username', filter: 'null', filterTarget: 'null']]
03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.RememberMeAuthenticationToken@9ab72a70: Principal: de.myapp.businessobjects.AppUser@61f68b18: Username: myad; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; PersonalInformation: 65537; ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_USER
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.c.c.s.GenericConversionService - Converting value false of [TypeDescriptor java.lang.Boolean] to [TypeDescriptor java.lang.Boolean]
03:45:14.599 [7225609@qtp-10131947-7] TRACE o.s.c.c.s.GenericConversionService - Matched cached converter NO_OP
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.c.c.s.GenericConversionService - Converted to false
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@a866a9, returned: -1
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@1ebf305, returned: 0
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@19ffd6f, returned: 0
我真的不知道在哪里继续调试。我错过了什么?我是否必须创建自己的记住我的实现?
我真的欣赏一个演示弹簧默认实现的工作示例应用程序,记住我...
--------编辑-----------
我刚刚编译并运行了springsecurity本身的remember-me参考应用程序:spring-security\samples\tutorial
帐户应用和联系人应用。实际上,我有完全相同的问题?!?。我试过火狐,歌剧等等......我被打碎了......
答案 0 :(得分:1)
看起来mem-me身份验证在您的应用程序中正常运行,因为您从remember-me cookie中获取了有效的身份验证令牌。
但是,日志输出表明控制器方法bstController.showbstpage
上存在方法访问控制注释,该方法需要从表达式isFullyAuthenticated() and #username == principal.username
进行“完全”身份验证。记住,我没有资格作为完全身份验证,因此表达式拒绝当前身份验证。
除此之外,intercept-url
元素的排序错误,因为/**
位于顶部,并将应用于所有请求,使其他请求变得多余。
此外,不可能在示例应用程序中遇到相同的问题,因为它们不需要对任何操作进行完全身份验证,因此您必须遇到其他问题。
答案 1 :(得分:0)
登录时,UserDetails对象上的“password”字段是否设置为非null /非空值?在我的应用程序中,实际身份验证被委托给另一个系统,我不会将用户提交的密码存储在我的UserDetails对象上。在将password属性设置为值之前,我无法使RememberMe cookie生效。在我的情况下,我只是将属性默认为“密码”这个词,因此它不会是空/空字符串。
我不知道这与你的情景有什么关系,但这让我疯狂,直到我弄明白。