项目中Spring Security 整合Spring Session实现记住我功能

Spring Session提供了与Spring Security的“我记得”身份验证的集成的支持:

目的：

 

• 更改会话过期长度
• 确保会话cookie在Integer.MAX_VALUE处过期。将cookie过期设置为最大的可能值，因为只有在创建会话时才设置cookie。如果将其设置为与会话到期相同的值，那么当用户使用该值时，会话将得到更新，但是cookie过期不会更新，导致过期时间被修复。

具体做法：

1.login.html

     

注意：name必须为remember-me，否则设置失败。

2.SecurityConfig配置

@Override
protected void configure(HttpSecurity http) throws Exception {


http.authorizeRequests()// 该方法所返回的对象的方法来配置请求级别的安全细节
.antMatchers(HttpMethod.GET, "/user/login", "/user/forget", "/user/regist").permitAll()// 登录页面不拦截
.antMatchers(HttpMethod.POST, "/user/checkLogin").permitAll().anyRequest().authenticated()// 对于登录路径不进行拦截
.and().formLogin()// 配置登录页面
.loginPage("/user/login")// 登录页面的访问路径;
.loginProcessingUrl("/user/checkLogin")// 登录页面下表单提交的路径
.failureUrl("/user/login?error=true")// 登录失败后跳转的路径,为了给客户端提示
.defaultSuccessUrl("/index")// 登录成功后默认跳转的路径;
.and().logout()// 用户退出操作
.logoutRequestMatcher(new AntPathRequestMatcher("/user/logout", "POST"))// 用户退出所访问的路径，需要使用Post方式
.permitAll().logoutSuccessUrl("/user/login?logout=true")/// 退出成功所访问的路径
.and().csrf().disable().rememberMe().rememberMeServices(rememberMeServices()).and().headers()
.frameOptions()// 允许iframe内呈现。
.sameOrigin().and().sessionManagement().maximumSessions(1).expiredUrl("/user/login?expired=true");

}

@Bean
public static RememberMeServices rememberMeServices() {

SpringSessionRememberMeServices rememberMeServices = new SpringSessionRememberMeServices();

 / /设置1000秒后过期

rememberMeServices.setValiditySeconds(1000);
return rememberMeServices;
}

源码：

      //登录成功后的检验

  public final void loginSuccess(HttpServletRequest request,

HttpServletResponse response, Authentication successfulAuthentication) {

 //alwaysRemember：默认为false,设置true为永久记住



if (!this.alwaysRemember
&& !rememberMeRequested(request, this.rememberMeParameterName)) {
logger.debug("Remember-me login not requested.");
return;
}

request.setAttribute(REMEMBER_ME_LOGIN_ATTR, true);

                //validitySeconds默认为2592000 即30天



request.getSession().setMaxInactiveInterval(this.validitySeconds);
}


/**
* Allows customization of whether a remember-me login has been requested. The default
* is to return {@code true} if the configured parameter name has been included in the
* request and is set to the value {@code true}.
* @param request the request submitted from an interactive login, which may include
* additional information indicating that a persistent login is desired.
* @param parameter the configured remember-me parameter name.
* @return true if the request includes information indicating that a persistent login
* has been requested.
*/

protected boolean rememberMeRequested(HttpServletRequest request, String parameter) {

     //获取参数remember-me对应的值

String rememberMe = request.getParameter(parameter);

  //如果设置满足以下条件证明用户设置了记住我的功能

if (rememberMe != null) {
if (rememberMe.equalsIgnoreCase("true") || rememberMe.equalsIgnoreCase("on")
|| rememberMe.equalsIgnoreCase("yes") || rememberMe.equals("1")) {
return true;
}
}
if (logger.isDebugEnabled()) {
logger.debug("Did not send remember-me cookie (principal did not set "
+ "parameter '" + parameter + "')");
}
return false;
}

微信公众号