spring security采用基于简单加密 token 的方法实现的remember me功能
记住我功能,相信你们在一些网站已经用过,一些安全要求不高的均可以使用这个功能,方便快捷。
spring security针对该功能有两种实现方式,
一种是简单的使用加密来保证基于 cookie 的 token 的安全,另外一种是经过数据库或其它持久化存储机制来保存生成的 token。
下面是基于简单加密 token 的方法的实现,基于前篇的限制登陆次数的功能之上加入remember me功能
项目结构以下:
基本的结构没有变化,主要在于一些类的修改和配置。
1、修改SecurityConfig配置文件
package com.petter.config; import com.petter.handler.CustomAuthenticationProvider; import com.petter.service.CustomUserDetailsService; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler; import javax.annotation.Resource; /** * 至关于spring-security.xml中的配置 * @author hongxf * @since 2017-03-08 9:30 */ @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Resource private CustomAuthenticationProvider authenticationProvider; @Resource private CustomUserDetailsService userDetailsService; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(authenticationProvider); } /** * 配置权限要求 * 采用注解方式,默认开启csrf * @param http * @throws Exception */ @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/dba/**").hasAnyRole("ADMIN", "DBA") .and() .formLogin().successHandler(savedRequestAwareAuthenticationSuccessHandler()) .loginPage("/login") //指定自定义登陆页 .failureUrl("/login?error") //登陆失败的跳转路径 .loginProcessingUrl("/auth/login_check") //指定了登陆的form表单提交的路径,需与表单的action值保存一致,默认是login .usernameParameter("user-name").passwordParameter("pwd") .and() .logout().logoutSuccessUrl("/login?logout") .and() .exceptionHandling().accessDeniedPage("/403") .and() .csrf() .and() .rememberMe().rememberMeParameter("remember-me") //其实默认就是remember-me,这里能够指定更换 .tokenValiditySeconds(1209600) .key("hongxf"); } //使用remember-me必须指定UserDetailsService @Override protected UserDetailsService userDetailsService() { return userDetailsService; } /** * 这里是登陆成功之后的处理逻辑 * 设置目标地址参数为targetUrl * /auth/login_check?targetUrl=/admin/update * 这个地址就会被解析跳转到/admin/update,不然就是默认页面 * * 本示例中访问update页面时候会判断用户是手动登陆仍是remember-me登陆的 * 若是是remember-me登陆的则会跳转到登陆页面进行手动登陆再跳转 * @return */ @Bean public SavedRequestAwareAuthenticationSuccessHandler savedRequestAwareAuthenticationSuccessHandler() { SavedRequestAwareAuthenticationSuccessHandler auth = new SavedRequestAwareAuthenticationSuccessHandler(); auth.setTargetUrlParameter("targetUrl"); return auth; } }
这里须要指出几点:html
一、使用remember-me功能必须指定UserDetailsService
二、修改登陆成功之后的逻辑,具体见注释
三、添加remember me的配置,key("hongxf"),这里的key用于加密,能够进行指定
2、修改admin.html,添加
<div sec:authorize="isRememberMe()"> <h2>该用户是经过remember me cookies登陆的</h2> </div> <div sec:authorize="isFullyAuthenticated()"> <h2>该用户是经过输入用户名和密码登陆的</h2> </div>
用于展现java
3、修改登陆页面login.html
form表单须要进行相应的修改
<form name='loginForm' th:action="@{/auth/login_check(targetUrl=${session.targetUrl})}" method='POST'> <table> <tr> <td>用户名:</td> <td><input type='text' name='user-name' /></td> </tr> <tr> <td>密码:</td> <td><input type='password' name='pwd' /></td> </tr> <!-- 若是是进行更新操做跳转过来的页面则不显示记住我 --> <div th:if="${loginUpdate} eq null"> <tr> <td></td> <td>记住我: <input type="checkbox" name="remember-me" /></td> </tr> </div> <tr> <td colspan='2'> <input type="submit" value="提交" /> </td> </tr> </table> </form>
注意action的值,首先请求路径是/auth/login_check,与SecurityConfig配置的loginProcessingUrl保持一致web
/auth/login_check(targetUrl=${session.targetUrl})会被解析成
/auth/login_check?
targetUrl=XXX 其中
targetUrl的从session中获取
4、编写update.html页面
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>update</title> </head> <body> <h1>Title : 更新页面</h1> <h1>只有经过用户名和密码登陆的用户才容许进入这个页面,remember me登陆的用户不容许,防止被盗用cookie</h1> <h2>更新帐号信息</h2> </body> </html>
5、修改HelloController类spring
package com.petter.web; import org.springframework.security.authentication.AnonymousAuthenticationToken; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.LockedException; import org.springframework.security.authentication.RememberMeAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.stereotype.Controller; import org.springframework.util.StringUtils; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.servlet.ModelAndView; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; /** * @author hongxf * @since 2017-03-08 9:29 */ @Controller public class HelloController { @RequestMapping(value = { "/", "/welcome" }, method = RequestMethod.GET) public ModelAndView welcomePage() { ModelAndView model = new ModelAndView(); model.addObject("title", "Spring Security Hello World"); model.addObject("message", "This is welcome page!"); model.setViewName("hello"); return model; } @RequestMapping(value = "/admin", method = RequestMethod.GET) public ModelAndView adminPage() { ModelAndView model = new ModelAndView(); model.addObject("title", "Spring Security Hello World"); model.addObject("message", "This is protected page - Admin Page!"); model.setViewName("admin"); return model; } @RequestMapping(value = "/dba", method = RequestMethod.GET) public ModelAndView dbaPage() { ModelAndView model = new ModelAndView(); model.addObject("title", "Spring Security Hello World"); model.addObject("message", "This is protected page - Database Page!"); model.setViewName("admin"); return model; } /** * 登陆页面只容许使用密码登陆 * 若是用户经过remember me的cookie登陆则跳转到登陆页面输入密码 * 为了不盗用remember me cookie 来更新信息 */ @RequestMapping(value = "/admin/update", method = RequestMethod.GET) public ModelAndView updatePage(HttpServletRequest request) { ModelAndView model = new ModelAndView(); if (isRememberMeAuthenticated()) { //把targetUrl放入session中,登陆页面使用${session.targetUrl}获取 setRememberMeTargetUrlToSession(request); //跳转到登陆页面 model.addObject("loginUpdate", true); model.setViewName("login"); } else { model.setViewName("update"); } return model; } /** * 判断用户是否是经过remember me方式登陆,参考 * org.springframework.security.authentication.AuthenticationTrustResolverImpl */ private boolean isRememberMeAuthenticated() { Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); return authentication != null && RememberMeAuthenticationToken.class.isAssignableFrom(authentication.getClass()); } /** * 保存请求的页面targetUrl到session中 */ private void setRememberMeTargetUrlToSession(HttpServletRequest request){ HttpSession session = request.getSession(false); if(session != null){ session.setAttribute("targetUrl", request.getRequestURI()); } } //获取session存储的SPRING_SECURITY_LAST_EXCEPTION的值,自定义错误信息 @RequestMapping(value = "/login", method = RequestMethod.GET) public ModelAndView login( @RequestParam(value = "error", required = false) String error, @RequestParam(value = "logout", required = false) String logout, HttpServletRequest request) { ModelAndView model = new ModelAndView(); if (error != null) { model.addObject("error", getErrorMessage(request, "SPRING_SECURITY_LAST_EXCEPTION")); //在update的登陆页面上,判断targetUrl是否有值,没有则显示记住我,有则不显示 String targetUrl = getRememberMeTargetUrlFromSession(request); System.out.println(targetUrl); if(StringUtils.hasText(targetUrl)){ model.addObject("loginUpdate", true); } } if (logout != null) { model.addObject("msg", "你已经成功退出"); } model.setViewName("login"); return model; } /** * 从session中获取targetUrl */ private String getRememberMeTargetUrlFromSession(HttpServletRequest request){ String targetUrl = ""; HttpSession session = request.getSession(false); if(session != null){ targetUrl = session.getAttribute("targetUrl") == null ? "" :session.getAttribute("targetUrl").toString(); } return targetUrl; } //自定义错误类型 private String getErrorMessage(HttpServletRequest request, String key){ Exception exception = (Exception) request.getSession().getAttribute(key); String error; if (exception instanceof BadCredentialsException) { error = "不正确的用户名或密码"; }else if(exception instanceof LockedException) { error = exception.getMessage(); }else{ error = "不正确的用户名或密码"; } return error; } @RequestMapping(value = "/403", method = RequestMethod.GET) public ModelAndView accessDenied() { ModelAndView model = new ModelAndView(); //检查用户是否已经登陆 Authentication auth = SecurityContextHolder.getContext().getAuthentication(); if (!(auth instanceof AnonymousAuthenticationToken)) { UserDetails userDetail = (UserDetails) auth.getPrincipal(); model.addObject("username", userDetail.getUsername()); } model.setViewName("403"); return model; } }
6、进行测试数据库
启动应用,访问
http://localhost:8080/admin 会跳转到登陆页
输入正确的用户名和密码,勾选记住我,登陆成功进入admin页面
能够看到remember-me的值以及失效日期
想要尝试记住我免登陆功能,重启应用,访问
http://localhost:8080/admin ,能够看到
注意上面的访问地址就是
http://localhost:8080/admin/update 只是返回的是登陆页内容,而且隐藏了记住我选项,查看页面源代码,能够看到
<form name='loginForm' action="/auth/login_check?targetUrl=/admin/update" method='POST'>
当输入争取的用户名和密码时候security会根据targetUrl的值跳转到以前访问的页面
相关文章
- 1. Spring Security 实现 Remember Me
- 2. spring security remember me实现自动登录
- 3. 【杂谈】Remember-Me的实现
- 4. Spring Seucrity 之 Remember Me
- 5. 《Spring Security3》第三章第三部分翻译上(Remember me功能实现)
- 6. spring security 3.0x remember-me 免登陆
- 7. SpringSecurity3.X的remember-me
- 8. 利用Spring Security 3.2的remember-me搭建SSO
- 9. SpringSecurity3.X--remember-me
- 10. spring-mvc加spring security 的简单应用
- 更多相关文章...
- • 使用Redis和Lua的原子性实现抢红包功能 - 红包项目实战
- • Spring实例化Bean的三种方法 - Spring教程
- • ☆基于Java Instrument的Agent实现
- • TiDB 在摩拜单车在线数据业务的应用和实践
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. js中 charCodeAt
- 2. Android中通过ViewHelper.setTranslationY实现View移动控制(NineOldAndroids开源项目)
- 3. 【Android】日常记录:BottomNavigationView自定义样式,修改点击后图片
- 4. maya 文件检查 ui和数据分离 (一)
- 5. eclipse 修改项目的jdk版本
- 6. Android InputMethod设置
- 7. Simulink中Bus Selector出现很多? ? ?
- 8. 【Openfire笔记】启动Mac版Openfire时提示“系统偏好设置错误”
- 9. AutoPLP在偏好标签中的生产与应用
- 10. 数据库关闭的四种方式
欢迎关注本站公众号,获取更多信息
相关文章
- 1. Spring Security 实现 Remember Me
- 2. spring security remember me实现自动登录
- 3. 【杂谈】Remember-Me的实现
- 4. Spring Seucrity 之 Remember Me
- 5. 《Spring Security3》第三章第三部分翻译上(Remember me功能实现)
- 6. spring security 3.0x remember-me 免登陆
- 7. SpringSecurity3.X的remember-me
- 8. 利用Spring Security 3.2的remember-me搭建SSO
- 9. SpringSecurity3.X--remember-me
- 10. spring-mvc加spring security 的简单应用