我遇到了Spring Security 3.1.0 remember-me cookies的问题。我需要尽快找到解决方案,但我找不到这个问题的原因。
以下是我要遵循的步骤:
此时我希望绕过登录表单进入我的应用程序,因为remember-me cookie仍然在我的浏览器中。尽管如此,登录页面再次出现。
再次尝试,我可以绕过登录表单输入我的应用程序。
这很令人困惑,到目前为止我找不到解释。
我尝试调试这两次尝试,当Spring Security的RememberMeAuthenticationFilter被解雇时,我发现了以下内容:
尝试1
request path = /app.htm:request.getCookies()不包含我的SPRING_SECURITY_REMEMBER_ME_COOKIE,因此我被重定向到登录页面
request path = /security/login.htm:此时request.getCookies()DID有我的SPRING_SECURITY_REMEMBER_ME_COOKIE,它被接受了;无论如何,我已经被重定向到登录页面
尝试2
记住我的cookie已被接受,所以我可以毫无问题地输入我的应用程序。
以下是Spring Security XML配置和两次尝试的日志。
非常感谢任何帮助!
Spring Security配置(我将省略有关daoAuthenticationProvider和事件侦听器的所有内容):
<sec:http auto-config="false" use-expressions="true" authentication-manager-ref="authenticationManager">
<sec:custom-filter ref="sessionLocaleResolvingFilter" before="FORM_LOGIN_FILTER"/>
<sec:intercept-url pattern="/security/*.htm" requires-channel="https" />
<sec:intercept-url pattern="/retrieve-password/*.htm" requires-channel="https" />
<sec:intercept-url pattern="/messagebroker/*" access="authenticated" requires-channel="http" />
<sec:intercept-url pattern="/platform/*.htm"
access="hasRole('limited') or (authenticated and !hasRole('role1') and !hasRole('role2'))"
requires-channel="http" />
<sec:intercept-url pattern="/app.htm" access="authenticated" requires-channel="http" />
<sec:intercept-url pattern="/**" requires-channel="http" />
<sec:form-login login-page="/security/login.htm" default-target-url="/app.htm"
login-processing-url="/security/process-login.htm" authentication-failure-url="/security/login.htm?error=true" />
<sec:logout logout-url="/security/logout.htm" delete-cookies="JSESSIONID,SPRING_SECURITY_REMEMBER_ME_COOKIE"
logout-success-url="/security/logout-success.htm" invalidate-session="true"/>
<sec:anonymous/>
<sec:remember-me use-secure-cookie="true" key="myAppServices"
services-ref="ipTokenBasedRememberMeServicesBean" />
<sec:session-management session-fixation-protection="none"/>
<sec:access-denied-handler error-page="/denied-access.htm"/>
</sec:http>
<bean id="sessionLocaleResolvingFilter" class="com.myapp.spring.security.SessionLocaleResolvingFilter" />
<bean class="com.myapp.spring.security.IPTokenBasedRememberMeServices"
id="ipTokenBasedRememberMeServicesBean">
<constructor-arg value="myAppServices"/>
<constructor-arg ref="myAppJdbcDaoImpl"/>
</bean>
<bean id="myAppPasswordEncoder" class="com.myapp.spring.security.MyAppPasswordEncoder" />
<bean id="authenticationManager"
class="o.s.s.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider" />
</list>
</property>
</bean>
<!-- Other beans... -->
记录第一次尝试(用o.s替换org.springframework,用o.s.s替换org.springframework.security):
o.s.s.web.access.channel.ChannelProcessingFilter:134 - Request: FilterInvocation: URL: /app.htm?lang=en; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
o.s.s.web.context.HttpSessionSecurityContextRepository:127 - No HttpSession currently exists
o.s.s.web.context.HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: null. A new one will be created.
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
o.s.s.web.authentication.AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'o.s.s.authentication.AnonymousAuthenticationToken@90550640: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: ROLE_ANONYMOUS'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
o.s.s.web.util.AntPathRequestMatcher:103 - Checking match of request : '/app.htm'; against '/messagebroker/*'
o.s.s.web.util.AntPathRequestMatcher:103 - Checking match of request : '/app.htm'; against '/app.htm'
o.s.s.web.access.intercept.FilterSecurityInterceptor:193 - Secure object: FilterInvocation: URL: /app.htm?lang=en; Attributes: [authenticated]
o.s.s.web.access.intercept.FilterSecurityInterceptor:298 - Previously Authenticated: o.s.s.authentication.AnonymousAuthenticationToken@90550640: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: ROLE_ANONYMOUS
o.s.s.access.vote.AffirmativeBased:65 - Voter: o.s.s.web.access.expression.WebExpressionVoter@1ce3388, returned: -1
o.s.s.web.access.ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
o.s.s.access.AccessDeniedException: Access is denied
at o.s.s.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at o.s.s.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
at o.s.s.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
at o.s.s.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at o.s.s.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at o.s.s.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at o.s.s.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
(X more)
o.s.s.web.DefaultRedirectStrategy:36 - Redirecting to 'http://arbad67464/services/security/login.htm'
o.s.s.web.context.HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
o.s.s.web.context.SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
o.s.s.web.access.channel.RetryWithHttpsEntryPoint:55 - Redirecting to: https://arbad67464/services/security/login.htm
o.s.s.web.DefaultRedirectStrategy:36 - Redirecting to 'https://arbad67464/services/security/login.htm'
o.s.s.web.access.channel.ChannelProcessingFilter:134 - Request: FilterInvocation: URL: /security/login.htm; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
o.s.s.web.context.HttpSessionSecurityContextRepository:139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
o.s.s.web.context.HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@16de87. A new one will be created.
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 4 of 11 in additional filter chain; firing Filter: 'SessionLocaleResolvingFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 5 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
o.s.s.web.FilterChainProxy:318 - /security/login.htm at position 8 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
com.myapp.spring.security.IPTokenBasedRememberMeServices:103 - Remember-me cookie detected
com.myapp.spring.security.IPTokenBasedRememberMeServices:118 - Remember-me cookie accepted
o.s.s.authentication.ProviderManager:152 - Authentication attempt using o.s.s.authentication.RememberMeAuthenticationProvider
记录我的第二次尝试:
o.s.s.web.access.channel.ChannelProcessingFilter:134 - Request: FilterInvocation: URL: /app.htm?lang=en; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
o.s.s.web.context.HttpSessionSecurityContextRepository:158 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'o.s.s.core.context.SecurityContextImpl@7db9504: Authentication: o.s.s.authentication.RememberMeAuthenticationToken@7db9504: Principal: com.myapp.spring.security.MyAppUserImpl@9716c62c: Username: somebody@mail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 8 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
o.s.s.web.authentication.rememberme.RememberMeAuthenticationFilter:142 - SecurityContextHolder not populated with remember-me token, as it already contained: 'o.s.s.authentication.RememberMeAuthenticationToken@7db9504: Principal: com.myapp.spring.security.MyAppUserImpl@9716c62c: Username: somebody@mail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special'
o.s.s.web.FilterChainProxy:318 - /app.htm?lang=en at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
o.s.s.web.authentication.AnonymousAuthenticationFilter:107 - SecurityContextHolder not populated with anonymous token, as it already contained: 'o.s.s.authentication.RememberMeAuthenticationToken@7db9504: Principal: com.myapp.spring.security.MyAppUserImpl@9716c62c: Username: somebody@mail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special'
o.s.s.web.access.intercept.FilterSecurityInterceptor:193 - Secure object: FilterInvocation: URL: /app.htm?lang=en; Attributes: [authenticated]
o.s.s.web.access.intercept.FilterSecurityInterceptor:298 - Previously Authenticated: o.s.s.authentication.RememberMeAuthenticationToken@7db9504: Principal: com.myapp.spring.security.MyAppUserImpl@9716c62c: Username: somebody@mail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: limited,premium,special; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: fe80:0:0:0:ec09:25fb:3df4:323b; SessionId: 057E689401E69589BB7359F3E95B4A18; Granted Authorities: limited, premium, special
o.s.s.access.vote.AffirmativeBased:65 - Voter: o.s.s.web.access.expression.WebExpressionVoter@1ce3388, returned: 1
o.s.s.web.access.intercept.FilterSecurityInterceptor:214 - Authorization successful
答案 0 :(得分:5)
在Spring安全性中,他们提供了两种使用rememberMe服务的方法。
在rememberMeService定义中,设置属性alwaysRememberMe为true。 在这种情况下,每当第一次用户尝试访问安全URL时,它将需要登录 页。一旦用户使用正确的用户名和密码登录,之后就不会 在您退出之前要求您登录。
在登录页面中添加一个记住我的复选框,名称为“_spring_security_remember_me” 和value =“true”。 在这种情况下,当用户选中“记住我”复选框时,只有它才能访问 在您退出之前没有登录页面的安全URL。
它为我工作..
答案 1 :(得分:3)
我猜这与您将某些网址配置为使用HTTPS的事实有关。
记住我的cookie将被标记为安全(您应该能够在浏览器收到的set-cookie标题中看到此信息,也可能在浏览器Cookie缓存中看到此信息)。由于对/app的请求是通过HTTP进行的,因此不会发送cookie。但是,对登录页面的请求将重定向到HTTPS,此时将发送cookie 。
你应该真正使用HTTPS。配置起来比较简单,否则你的应用程序不是很安全。但是,remember-me namespace element中还有一个use-secure-cookie选项,您可以将其设置为false以覆盖默认行为。