【发布时间】:2016-06-03 18:14:45
【问题描述】:
我正在使用自定义身份验证过滤器来捕获 spring mvc 应用程序中的附加登录参数。我想启用记住我的功能,我正在使用 java 配置。但请记住我的功能不起作用。如果用户选中登录页面上的“记住我”复选框,我可以看到一个新条目已添加到persistent_logins 表中。但是一旦会话超时并且用户单击任何应用程序链接,他/她就会被重定向到登录页面。请在下面找到相关代码,
CustomAuthenticationFilter.java:-
public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
final Long locationId = Long.parseLong(request.getParameter("locations"));
request.getSession().setAttribute("LOCATION_ID", locationId);
return super.attemptAuthentication(request, response);
}
}
SecurityConfig.java:-
@Configuration
@EnableWebMvcSecurity
@ComponentScan(basePackageClasses=com.test.web.service.impl.UserServiceImpl.class)
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
DataSource dataSource;
@Autowired
private AuthenticationManagerBuilder auth;
@Autowired
public void configureGlobal(UserDetailsService userDetailsService, AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Autowired
AccessDeniedExceptionHandler accessDeniedExceptionHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.antMatchers("/error/**").permitAll()
.antMatchers("/secured/**").hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.exceptionHandling()
.accessDeniedHandler(accessDeniedExceptionHandler);
http.addFilterBefore(customAuthenticationFilter(),
UsernamePasswordAuthenticationFilter.class);
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() {
AuthenticationManager manager = null;
try {
manager = super.authenticationManagerBean();
} catch (Exception e) {
e.printStackTrace();
}
return manager;
}
@Bean
public SimpleUrlAuthenticationSuccessHandler simpleUrlAuthenticationSuccessHandler() {
SimpleUrlAuthenticationSuccessHandler handler = new SimpleUrlAuthenticationSuccessHandler();
handler.setDefaultTargetUrl("/");
return handler;
}
@Bean
public SimpleUrlAuthenticationFailureHandler simpleUrlAuthenticationFailureHandler() {
SimpleUrlAuthenticationFailureHandler handler = new SimpleUrlAuthenticationFailureHandler();
handler.setDefaultFailureUrl("/login?error");
return handler;
}
@Bean
public CustomAuthenticationFilter customAuthenticationFilter () {
CustomAuthenticationFilter filter= new CustomAuthenticationFilter();
filter.setRequiresAuthenticationRequestMatcher(
new AntPathRequestMatcher("/login","POST"));
filter.setAuthenticationManager(authenticationManagerBean());
filter.setUsernameParameter("username");
filter.setPasswordParameter("password");
filter.setAuthenticationSuccessHandler(simpleUrlAuthenticationSuccessHandler());
filter.setAuthenticationFailureHandler(simpleUrlAuthenticationFailureHandler());
filter.setRememberMeServices(persistentTokenBasedRememberMeServices());
return filter;
}
@Bean
public PersistentTokenBasedRememberMeServices persistentTokenBasedRememberMeServices() {
PersistentTokenBasedRememberMeServices service = new PersistentTokenBasedRememberMeServices("remember_me_key", userDetailsService, persistentTokenRepository());
service.setCookieName("remember_me");
service.setTokenValiditySeconds(864000);
return service;
}
@Autowired
public UserDetailsService userDetailsService;
@Bean
public PersistentTokenRepository persistentTokenRepository() {
JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl();
tokenRepositoryImpl.setDataSource(dataSource);
return tokenRepositoryImpl;
}
}
如果有人能指出我正确的方向,我将非常感激。
更新:-
单击会话过期上的任何应用程序链接后,我在日志中看到以下输出。从日志看来,RememberMeAuthenticationFilter 似乎没有被解雇。
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-02-22 19:22:12 DEBUG HttpSessionSecurityContextRepository:136 - No HttpSession currently exists
2016-02-22 19:22:12 DEBUG HttpSessionSecurityContextRepository:90 - No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-02-22 19:22:12 DEBUG HstsHeaderWriter:129 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@36fb061c
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 5 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2016-02-22 19:22:12 DEBUG AntPathRequestMatcher:127 - Request 'GET /' doesn't match 'POST /logout
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 6 of 13 in additional filter chain; firing Filter: 'CustomAuthenticationFilter'
2016-02-22 19:22:12 DEBUG AntPathRequestMatcher:127 - Request 'GET /' doesn't match 'POST /login
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 7 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-02-22 19:22:12 DEBUG AntPathRequestMatcher:127 - Request 'GET /' doesn't match 'POST /login
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-02-22 19:22:12 DEBUG AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-02-22 19:22:12 DEBUG SessionManagementFilter:92 - Requested session ID 87ABB37D528FC51FFC5C47A717813C79 is invalid.
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-02-22 19:22:12 DEBUG FilterChainProxy:337 - / at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-02-22 19:22:12 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/'; against '/logout'
2016-02-22 19:22:12 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/'; against '/resources/**'
2016-02-22 19:22:12 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/'; against '/error/**'
2016-02-22 19:22:12 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/'; against '/secured/**'
2016-02-22 19:22:12 DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /; Attributes: [authenticated]
2016-02-22 19:22:12 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-02-22 19:22:12 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@732b4495, returned: -1
2016-02-22 19:22:12 TRACE AnnotationConfigWebApplicationContext:331 - Publishing event in Root WebApplicationContext: org.springframework.security.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /]
2016-02-22 19:22:12 DEBUG ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
更新 2:-
在添加 rememberMe() 调用之后,RememberMeAuthenticationFilter 被调用,但仍然记住我的功能与之前的行为不同。最新的日志是,
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-02-22 20:00:08 DEBUG HttpSessionSecurityContextRepository:136 - No HttpSession currently exists
2016-02-22 20:00:08 DEBUG HttpSessionSecurityContextRepository:90 - No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-02-22 20:00:08 DEBUG HstsHeaderWriter:129 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@1c6103c2
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
2016-02-22 20:00:08 DEBUG AntPathRequestMatcher:127 - Request 'GET /' doesn't match 'POST /logout
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 6 of 14 in additional filter chain; firing Filter: 'CustomAuthenticationFilter'
2016-02-22 20:00:08 DEBUG AntPathRequestMatcher:127 - Request 'GET /' doesn't match 'POST /login
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 7 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2016-02-22 20:00:08 DEBUG AntPathRequestMatcher:127 - Request 'GET /' doesn't match 'POST /login
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 8 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 9 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 10 of 14 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-02-22 20:00:08 DEBUG AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-02-22 20:00:08 DEBUG SessionManagementFilter:92 - Requested session ID 0C8F3CE7D018DA453CDD9E23A8125212 is invalid.
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-02-22 20:00:08 DEBUG FilterChainProxy:337 - / at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-02-22 20:00:08 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/'; against '/logout'
2016-02-22 20:00:08 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/'; against '/resources/**'
2016-02-22 20:00:08 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/'; against '/error/**'
2016-02-22 20:00:08 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/'; against '/secured/**'
2016-02-22 20:00:08 DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /; Attributes: [authenticated]
2016-02-22 20:00:08 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-02-22 20:00:08 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3c682cd2, returned: -1
2016-02-22 20:00:08 TRACE AnnotationConfigWebApplicationContext:331 - Publishing event in Root WebApplicationContext: org.springframework.security.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /]
2016-02-22 20:00:08 DEBUG ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
【问题讨论】:
-
日志记录是什么意思 - 你应该得到所有过滤器的列表,看看是否包含了 rememberme,或者日志记录
-
您好 Farrellmr,是的,RememberMeAuthenticationFilter 似乎没有被解雇。我不确定为什么。我在上面添加了更新以包含日志摘录。谢谢
-
RememberMeAuthenticationFilter 没有被触发可能是因为我使用了自定义身份验证过滤器?我需要在自定义身份验证过滤器上明确设置 RememberMeAuthenticationFilter 吗?但我不确定如何。我已经检查了 UsernamePasswordAuthenticationFilter api,但找不到方法
标签: java spring spring-mvc spring-security