Spring Session 提供了与 Spring Security 的“记住我”(remember-me)身份验证集成的支持:
目的:
具体做法:
1.login.html
注意:name必须为remember-me,否则设置失败。
2.SecurityConfig配置
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Request-level rules: the pre-login pages (GET) and the login form POST are open to
    // everyone; every other request requires an authenticated session.
    http.authorizeRequests()
        .antMatchers(HttpMethod.GET, "/user/login", "/user/forget", "/user/regist").permitAll()
        .antMatchers(HttpMethod.POST, "/user/checkLogin").permitAll()
        .anyRequest().authenticated();

    // Form login: where the form is served, where it posts, and where failure/success land.
    // The error=true query flag is only there so the page can show a hint to the user.
    http.formLogin()
        .loginPage("/user/login")
        .loginProcessingUrl("/user/checkLogin")
        .failureUrl("/user/login?error=true")
        .defaultSuccessUrl("/index");

    // Logout is accepted only as a POST to /user/logout.
    http.logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/user/logout", "POST"))
        .permitAll()
        .logoutSuccessUrl("/user/login?logout=true");

    // NOTE(review): CSRF protection is switched off here. With it off, the login POST, the
    // POST-only logout above and any state-changing request made on a remember-me-extended
    // session accept cross-site form submissions; limiting logout to POST gives no protection
    // on its own. Confirm this is intended rather than a shortcut for the login page.
    http.csrf().disable();

    // Remember-me is delegated to Spring Session (see rememberMeServices()).
    http.rememberMe().rememberMeServices(rememberMeServices());

    // Allow the app to be framed only by pages from the same origin.
    http.headers().frameOptions().sameOrigin();

    // One concurrent session per user; a displaced session is sent to the expired page.
    http.sessionManagement().maximumSessions(1).expiredUrl("/user/login?expired=true");
}
@Bean
public static RememberMeServices rememberMeServices() {
    // Spring Session's remember-me implementation; the validity window (1000 seconds here,
    // the author's chosen value) is what loginSuccess() below applies to the session.
    SpringSessionRememberMeServices services = new SpringSessionRememberMeServices();
    services.setValiditySeconds(1000);
    return services;
}
源码:
// Hook run after a successful interactive login: decides whether this login becomes a
// remember-me login and, if so, stretches the session's inactivity timeout accordingly.
public final void loginSuccess(HttpServletRequest request,
        HttpServletResponse response, Authentication successfulAuthentication) {
    // alwaysRemember defaults to false (per the original author's note); when true every
    // login is remembered without consulting the request parameter.
    boolean remembered = this.alwaysRemember
            || rememberMeRequested(request, this.rememberMeParameterName);
    if (!remembered) {
        logger.debug("Remember-me login not requested.");
        return;
    }

    request.setAttribute(REMEMBER_ME_LOGIN_ATTR, true);

    // "Remember me" here means a long-lived session rather than a separate persistent
    // cookie: validitySeconds (original note: default 2592000, i.e. 30 days) becomes the
    // session's max inactive interval, so the session survives that long between requests.
    request.getSession().setMaxInactiveInterval(this.validitySeconds);
}
/**
 * Decides whether the interactive login asked for a persistent ("remember-me") login.
 * The default implementation accepts the configured parameter when it is present with
 * the value {@code true}, {@code on} or {@code yes} (case-insensitive), or exactly {@code 1}.
 * Subclasses may override this to read the request differently.
 *
 * @param request the request submitted from an interactive login, which may carry the
 *        remember-me parameter
 * @param parameter the configured remember-me parameter name
 * @return {@code true} if the request asks for a persistent login
 */
protected boolean rememberMeRequested(HttpServletRequest request, String parameter) {
    // Value of the remember-me parameter (null when the form did not send it).
    String value = request.getParameter(parameter);
    if (value != null) {
        // The word forms are matched case-insensitively; "1" must match exactly.
        for (String truthy : new String[] {"true", "on", "yes"}) {
            if (value.equalsIgnoreCase(truthy)) {
                return true;
            }
        }
        if (value.equals("1")) {
            return true;
        }
    }
    // NOTE(review): the message talks about a cookie, but this implementation extends the
    // session instead (see loginSuccess); the wording is inherited, not a second mechanism.
    if (logger.isDebugEnabled()) {
        logger.debug("Did not send remember-me cookie (principal did not set "
                + "parameter '" + parameter + "')");
    }
    return false;
}