Spring安全令牌持久性存储不起作用

Posted

技术标签:

【中文标题】Spring安全令牌持久性存储不起作用【英文标题】:Spring security token persistence storage not working 【发布时间】:2016-05-16 11:36:48 【问题描述】:

问题在于,除了记住我的逻辑之外,登录和所有事情都运行良好。未设置 cookie,也没有在数据库中插入任何行。

这是安全配置类。

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

import javax.sql.DataSource;

/**
 * Spring security configurations.
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter 
    @Autowired
    private DataSource dataSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception 
        http
                // Authorize all requests
                .authorizeRequests()
                    // Allow only admins to access the administration pages
                    .antMatchers("/admin/**").access("hasRole('ADMIN')")
                    // Allow any one to access the register and the main pages only alongside
                    // the resources files that contains css and javascript files
                    .antMatchers("/resources/**", "/register", "/").permitAll()
                    // Authenticate any other request
                    .anyRequest().authenticated()
                    .and()
                // Set up the login form.
                .formLogin()
                    //.successHandler(successHandler())
                    .loginPage("/login")
                    .usernameParameter("email").passwordParameter("password")
                    .permitAll()
                    .and()
                // Enable remember me cookie and persistence storage
                .rememberMe()
                    // Database token repository
                    .tokenRepository(persistentTokenRepository())
                    // Valid for 20 days
                    .tokenValiditySeconds(20 * 24 * 60 * 60)
                    .rememberMeParameter("remember-me")
                    .and()
                // Log out handler
                .logout()
                    .permitAll()
                    .and()
                // Enable Cross-Site Request Forgery
                .csrf();
    

    @Bean
    public PersistentTokenRepository persistentTokenRepository() 
        JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
        db.setDataSource(dataSource);
        return db;
    

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception 
        // Provide database authentication and swl queries to fetch the user's data..
        auth.jdbcAuthentication().dataSource(dataSource)
                .usersByUsernameQuery("select email, password, enabled from users where email=?")
                .authoritiesByUsernameQuery("select us.email, ur.role from users us, " +
                        " roles ur where us.role_id=ur.id and us.email=?");
    

这是用于令牌持久化的数据库表

CREATE TABLE persistent_logins (
    username VARCHAR(254) NOT NULL,
    series VARCHAR(64) NOT NULL,
    token VARCHAR(64) NOT NULL,
    last_used TIMESTAMP NOT NULL,
    PRIMARY KEY (series)
);

【问题讨论】:

【参考方案1】:

我已经重现了同样的问题。使用调试,我检查了 AbstractRememberMeServices 类的 loginSuccess() 方法。

内部逻辑是这样的:

public final void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) 
    if (!this.rememberMeRequested(request, this.parameter)) 
        this.logger.debug("Remember-me login not requested.");
     else 
        this.onLoginSuccess(request, response, successfulAuthentication);
    

原来我在用户登录时并没有被标记Remember Me标签,所以我无法调用onLoginSuccess()方法并陷入了if而不是else的块中。

标记标志后,我能够持久化令牌和 cookie。

注意:逻辑可以从@FuSsA提到的答案中获取。

【讨论】:

【参考方案2】:

Spring Security 带有两个 PersistentTokenRepository 实现:JdbcTokenRepositoryImpl 和 InMemoryTokenRepositoryImpl。 我在我的应用程序中使用 Hibernate,我使用 Hibernate 而不是使用 JDBC 创建了一个自定义实现。

@Repository("tokenRepositoryDao")
@Transactional
public class HibernateTokenRepositoryImpl extends AbstractDao<String, PersistentLogin>
        implements PersistentTokenRepository 

    static final Logger logger = LoggerFactory.getLogger(HibernateTokenRepositoryImpl.class);

    @Override
    public void createNewToken(PersistentRememberMeToken token) 
        logger.info("Creating Token for user : ", token.getUsername());
        PersistentLogin persistentLogin = new PersistentLogin();
        persistentLogin.setUsername(token.getUsername());
        persistentLogin.setSeries(token.getSeries());
        persistentLogin.setToken(token.getTokenValue());
        persistentLogin.setLast_used(token.getDate());
        persist(persistentLogin);

    

    @Override
    public PersistentRememberMeToken getTokenForSeries(String seriesId) 
        logger.info("Fetch Token if any for seriesId : ", seriesId);
        try 
            Criteria crit = createEntityCriteria();
            crit.add(Restrictions.eq("series", seriesId));
            PersistentLogin persistentLogin = (PersistentLogin) crit.uniqueResult();

            return new PersistentRememberMeToken(persistentLogin.getUsername(), persistentLogin.getSeries(),
                    persistentLogin.getToken(), persistentLogin.getLast_used());
         catch (Exception e) 
            logger.info("Token not found...");
            return null;
        
    

    @Override
    public void removeUserTokens(String username) 
        logger.info("Removing Token if any for user : ", username);
        Criteria crit = createEntityCriteria();
        crit.add(Restrictions.eq("username", username));
        PersistentLogin persistentLogin = (PersistentLogin) crit.uniqueResult();
        if (persistentLogin != null) 
            logger.info("rememberMe was selected");
            delete(persistentLogin);
        

    

    @Override
    public void updateToken(String seriesId, String tokenValue, Date lastUsed) 
        logger.info("Updating Token for seriesId : ", seriesId);
        PersistentLogin persistentLogin = getByKey(seriesId);
        persistentLogin.setToken(tokenValue);
        persistentLogin.setLast_used(lastUsed);
        update(persistentLogin);
    


【讨论】:

您的回答无关紧要。我遇到了同样的问题,问题不仅仅是将令牌数据插入数据库,remember-me cookie 也没有在客户端(浏览器)中创建。所以我认为这不仅仅是将令牌数据写入数据库。

以上是关于Spring安全令牌持久性存储不起作用的主要内容,如果未能解决你的问题,请参考以下文章

当要发送的请求是多部分请求时,Spring CSRF 令牌不起作用

mockmvc 模拟令牌不起作用并尝试在令牌库上进行验证

Spring Cloud Feign OAuth2 请求拦截器不起作用

Spring Security OAuth2 撤销令牌不起作用

存储令牌后 LocalStorage 不起作用

Spring Boot + OAuth + JWT + MySQL 刷新令牌第二次不起作用