Spring security：remember-me 不适用于自定义 AuthenticationProvider答案

【问题标题】：Spring security: remember-me doesn't work with custom AuthenticationProviderSpring security：remember-me 不适用于自定义 AuthenticationProvider
【发布时间】：2012-04-04 21:31:15
【问题描述】：

我正在使用自定义AuthenticationProvider：

public class CustomAuthenticationProviderImpl extends AbstractUserDetailsAuthenticationProvider {

    @Resource(name="userDetailsService")
    private UserDetailsService userDetailsService;

    //.......

}

我也尝试使用记住我的功能：

<security:http auto-config="true" use-expressions="true" access-denied-page="/auth/accessDenied.xhtml" >

    <!-- ........... -->

    <security:remember-me user-service-ref="userDetailsService" key="some-string"/>

</security:http>

除了记住我之外，一切正常。当我不使用自定义 AuthenticationProvider 时，它曾经可以工作。

我需要做什么才能使记住我起作用？

更新

我也在使用AuthenticationSuccessHandler：

public class AuthenticationSuccessHandlerImpl extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {

        int timeout = 60*60;

        request.getSession().setMaxInactiveInterval(timeout); //60 minutes

        System.out.println("Session timeout of user: " + authentication.getName() + " has been set to: " + request.getSession().getMaxInactiveInterval() + " seconds.");

        setDefaultTargetUrl("/views/home.jsf");

        super.onAuthenticationSuccess(request, response, authentication);
    }
}

更新 2：

我在重新启动 Tomcat 时得到以下调试输出。但是当我加载登录表单并提交它时 - 我在调试输出中看不到任何包含 remember 的文本，并且没有创建记住我的 cookie。

DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,166 (DefaultSingletonBeanRegistry.java:217) - org.springframework.beans.factory.support.DefaultSingletonBeanRegistry getSingleton :
 Creating shared instance of singleton bean 'rememberMeFilter'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,166 (AbstractAutowireCapableBeanFactory.java:430) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory createBean :
 Creating instance of bean 'rememberMeFilter'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,182 (AbstractEnvironment.java:114) - org.springframework.core.env.AbstractEnvironment <init> :
 Initializing new StandardServletEnvironment
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,182 (MutablePropertySources.java:103) - org.springframework.core.env.MutablePropertySources addLast :
 Adding [servletConfigInitParams] PropertySource with lowest search precedence
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,182 (MutablePropertySources.java:103) - org.springframework.core.env.MutablePropertySources addLast :
 Adding [servletContextInitParams] PropertySource with lowest search precedence
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,182 (MutablePropertySources.java:103) - org.springframework.core.env.MutablePropertySources addLast :
 Adding [jndiProperties] PropertySource with lowest search precedence
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,182 (MutablePropertySources.java:103) - org.springframework.core.env.MutablePropertySources addLast :
 Adding [systemProperties] PropertySource with lowest search precedence
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,182 (MutablePropertySources.java:103) - org.springframework.core.env.MutablePropertySources addLast :
 Adding [systemEnvironment] PropertySource with lowest search precedence
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,182 (AbstractEnvironment.java:120) - org.springframework.core.env.AbstractEnvironment <init> :
 Initialized StandardServletEnvironment with PropertySources [servletConfigInitParams,servletContextInitParams,jndiProperties,systemProperties,systemEnvironment]
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,182 (AbstractAutowireCapableBeanFactory.java:504) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory doCreateBean :
 Eagerly caching bean 'rememberMeFilter' to allow for resolving potential circular references
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,182 (DefaultSingletonBeanRegistry.java:217) - org.springframework.beans.factory.support.DefaultSingletonBeanRegistry getSingleton :
 Creating shared instance of singleton bean 'rememberMeServices'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,182 (AbstractAutowireCapableBeanFactory.java:430) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory createBean :
 Creating instance of bean 'rememberMeServices'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,198 (AbstractAutowireCapableBeanFactory.java:504) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory doCreateBean :
 Eagerly caching bean 'rememberMeServices' to allow for resolving potential circular references
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,198 (AbstractBeanFactory.java:245) - org.springframework.beans.factory.support.AbstractBeanFactory doGetBean :
 Returning cached instance of singleton bean 'userDetailsService'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractAutowireCapableBeanFactory.java:1498) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory invokeInitMethods :
 Invoking afterPropertiesSet() on bean with name 'rememberMeServices'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractBeanFactory.java:245) - org.springframework.beans.factory.support.AbstractBeanFactory doGetBean :
 Returning cached instance of singleton bean 'org.springframework.security.methodSecurityMetadataSourceAdvisor'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractBeanFactory.java:245) - org.springframework.beans.factory.support.AbstractBeanFactory doGetBean :
 Returning cached instance of singleton bean 'org.springframework.transaction.config.internalTransactionAdvisor'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractAutowireCapableBeanFactory.java:458) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory createBean :
 Finished creating instance of bean 'rememberMeServices'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractBeanFactory.java:245) - org.springframework.beans.factory.support.AbstractBeanFactory doGetBean :
 Returning cached instance of singleton bean 'org.springframework.security.authenticationManager'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractAutowireCapableBeanFactory.java:1498) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory invokeInitMethods :
 Invoking afterPropertiesSet() on bean with name 'rememberMeFilter'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractBeanFactory.java:245) - org.springframework.beans.factory.support.AbstractBeanFactory doGetBean :
 Returning cached instance of singleton bean 'org.springframework.security.methodSecurityMetadataSourceAdvisor'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractBeanFactory.java:245) - org.springframework.beans.factory.support.AbstractBeanFactory doGetBean :
 Returning cached instance of singleton bean 'org.springframework.transaction.config.internalTransactionAdvisor'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractAutowireCapableBeanFactory.java:458) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory createBean :
 Finished creating instance of bean 'rememberMeFilter'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractBeanFactory.java:245) - org.springframework.beans.factory.support.AbstractBeanFactory doGetBean :
 Returning cached instance of singleton bean 'rememberMeServices'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (DefaultSingletonBeanRegistry.java:217) - org.springframework.beans.factory.support.DefaultSingletonBeanRegistry getSingleton :
 Creating shared instance of singleton bean 'rememberMeAuthenticationProvider'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractAutowireCapableBeanFactory.java:430) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory createBean :
 Creating instance of bean 'rememberMeAuthenticationProvider'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractAutowireCapableBeanFactory.java:504) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory doCreateBean :
 Eagerly caching bean 'rememberMeAuthenticationProvider' to allow for resolving potential circular references
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractAutowireCapableBeanFactory.java:1498) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory invokeInitMethods :
 Invoking afterPropertiesSet() on bean with name 'rememberMeAuthenticationProvider'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractBeanFactory.java:245) - org.springframework.beans.factory.support.AbstractBeanFactory doGetBean :
 Returning cached instance of singleton bean 'org.springframework.security.methodSecurityMetadataSourceAdvisor'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractBeanFactory.java:245) - org.springframework.beans.factory.support.AbstractBeanFactory doGetBean :
 Returning cached instance of singleton bean 'org.springframework.transaction.config.internalTransactionAdvisor'
DEBUG [pool-2-thread-1] 2012-04-16 09:18:11,213 (AbstractAutowireCapableBeanFactory.java:458) - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory createBean :
 Finished creating instance of bean 'rememberMeAuthenticationProvider'

我的AuthenticationSuccessHandlerImpl 中有以下内容：

System.out.println("_spring_security_remember_me after authentication = " + request.getParameter("_spring_security_remember_me"));

输出是：

_spring_security_remember_me after authentication = on

但没有创建记住我的 cookie！

【问题讨论】：

在什么方面不起作用？例如：您是否从浏览器跟踪了记住我 cookie 的提交？用户通过身份验证时是否设置？日志中是否出现错误？
@Luke Taylor：我检查了 (Firebug) 响应标头 - 没有 Cookie 标头。请求标头 - 仅 JSESSIONID cookie 的标头。我检查了我的域（本地主机）的 Firefox cookie - 只有 JSESSIONID cookie。我在 Tomcat 日志中没有看到错误消息。顺便说一句，我也在使用AuthenticationSuccessHandler，见上文。
@Luke Taylor：我将 Spring 安全性与 JSF 一起使用，如下示例：tutorials.slackspace.de/tutorial/…
登录请求是否设置了remember-me参数？如果是这样，您应该会在调试日志中看到 RememberMeServices 被调用，并且应该在浏览器中设置 cookie。您需要启用调试日志记录才能确定正在发生（或未发生）的事情。
@Luke Taylor：抱歉耽搁了：我在 Tomcat 上登录时遇到了问题！好吧，我已将org.springframework 日志记录级别设置为debug。所以当 Tomcat 重新启动时，我看到了Returning cached instance of singleton bean 'rememberMeServices'。现在，当我加载登录表单并提交它时 - 我在调试输出中看不到任何包含 remember 的文本，并且没有创建记住我的 cookie。我怎样才能找出问题所在？ 请参阅上面的更新 2。

标签： spring jsf spring-security remember-me

【解决方案1】：

您可以尝试禁用自动配置：auto-config="false" 并直接声明 RememberMeAuthenticationProvider：

<bean id="rememberMeFilter" class=
 "org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
  <property name="rememberMeServices" ref="rememberMeServices"/>
  <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="rememberMeServices" class=
 "org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
  <property name="userDetailsService" ref="userService"/>
  <property name="key" value="some-string"/>
</bean>

<bean id="rememberMeAuthenticationProvider" class=
 "org.springframework.security.authentication.RememberMeAuthenticationProvider">
  <property name="key" value="some-string"/>
</bean>

【讨论】：

【解决方案2】：

对于最新版本的 Spring 安全，您可以添加如下配置：

它将帮助您创建一个过滤器，如果在安全上下文中没有找到凭据，它将处理自动登录。它还可以帮助您创建 rememberMeServices 和 rememberMeAuthenticationProvider。

您说，在重写 CustomAuthenticationProviderImpl 之前，它可以工作。所以我想你已经设置好了。

现在的问题是，你重写了 CustomAuthenticationProviderImpl ，然后你打破了关于记住我的原始行。首先，您需要在自定义提供程序中设置 rememberMeService：

<beans:bean id="customFilter" class="..CustomAuthenticationProviderImpl ">
    <beans:property ... />
    <beans:property name="rememberMeServices" ref="rememberMeServices" />
</beans:bean>

你可以试试这个，如果说“rememberMeServices”找不到，那么你也应该设置remember me service作为上面的回复。

【讨论】：