服务器启动时出现 Spring Security 配置错误

Question

如果我在 security.xml 文件中保留 remember-me 元素并启动服务器，则会出现以下错误。

没有注册 UserDetailsS​​ervice.......

如果我删除这个记住我的元素，那么它工作正常。

如何摆脱这个错误...

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
    http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http auto-config="false" use-expressions="true"
        access-denied-page="/login.jsp?error=true" entry-point-ref="authenticationEntryPoint">
        <remember-me key="abcdefgh" />
        <logout invalidate-session="true" />
        <intercept-url pattern="/login.jsp" access="permitAll" />
        <intercept-url pattern="/index.jsp" access="permitAll" />
        <intercept-url pattern="/pub" access="isAuthenticated()" />
        <intercept-url pattern="/*" access="permitAll" />
        <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
    </http>

    <beans:bean id="authenticationFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
        p:authenticationManager-ref="customAuthenticationManager"
        p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
        p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />

    <!-- Custom authentication manager. In order to authenticate, username and 
        password must not be the same -->
    <beans:bean id="customAuthenticationManager" class="com.cv.pub.cmgt.framework.security.CustomAuthenticationManager" />

    <!-- We just actually need to set the default failure url here -->
    <beans:bean id="customAuthenticationFailureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
        p:defaultFailureUrl="/login.jsp?error=true" />

    <!-- We just actually need to set the default target url here -->
    <beans:bean id="customAuthenticationSuccessHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
        p:defaultTargetUrl="/pub" />

    <!-- The AuthenticationEntryPoint is responsible for redirecting the user 
        to a particular page, like a login page, whenever the server sends back a 
        response requiring authentication -->
    <!-- See Spring-Security Reference 5.4.1 for more info -->
    <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
        p:loginFormUrl="/login.jsp" />

    <!-- The tag below has no use but Spring Security needs it to autowire the 
        parent property of org.springframework.security.authentication.ProviderManager. 
        Otherwise we get an error A probable bug. This is still under investigation -->
    <authentication-manager />

</beans:beans> 

Answer 1

Spring Security 提供了 RememberMeServices requires a UserDetailsService 以便工作。这意味着您有两种选择：

1) 如果可能的话，我推荐这是您的最佳选择。不要编写自定义的 AuthenticationProvider，而是编写自定义的 UserDetailsS​​ervice。您可以找到一个查看 InMemoryDaoImpl 的 UserDetailsS​​ervice 示例，然后您可以将其连接到类似于下面的配置。请注意，您也会删除您的自定义 AuthenticationManager。

<http ..>
  ...
  <remember-me key="abcdefgh" />
</http>
<authentication-manager>
  <authentication-provider user-service-ref="myUserService"/>
</authentication-manager>
<beans:bean id="myUserService" class="MyUserService"/>

2) 编写不需要 UserDetailsS​​ervice 的自己的 RememberMeServices 实现。您可以查看TokenBasedRememberMeServices 的示例（但它需要 UserDetailsS​​ervice）。如果您想使用命名空间配置，您的 RememberMeServices 实现将需要实现 LogoutHandler。然后，您可以使用命名空间来连接它。

<http ..>
  ...
  <remember-me ref="myRememberMeServices"/>
</http>
<beans:bean id="myRememberMeServices" class="sample.MyRememberMeServices"/>