Shiro Source Code: How the Remember-Me Feature Is Implemented
Posted by 敲代码的小小酥
Editor's note: this article was compiled by the editors of 小常识网 (cha138.com). It explains how Shiro's remember-me feature is implemented, and we hope it is of some reference value to you.
While analyzing the source of login, we saw that the remember-me feature is triggered by this line in SecurityManager's login method:
onSuccessfulLogin(token, info, loggedIn);
Below we follow the source behind this line.
After stepping through a chain of method calls, we arrive at the key method (in CookieRememberMeManager):
// Called by AbstractRememberMeManager after the PrincipalCollection has been
// serialized (and, by default, encrypted); this method only persists the bytes.
protected void rememberSerializedIdentity(Subject subject, byte[] serialized) {
    if (!WebUtils.isHttp(subject)) {
        if (log.isDebugEnabled()) {
            String msg = "Subject argument is not an HTTP-aware instance. This is required to obtain a servlet " +
                    "request and response in order to set the rememberMe cookie. Returning immediately and " +
                    "ignoring rememberMe operation.";
            log.debug(msg);
        }
        return;
    }
    HttpServletRequest request = WebUtils.getHttpRequest(subject);
    HttpServletResponse response = WebUtils.getHttpResponse(subject);
    //base 64 encode it and store as a cookie:
    String base64 = Base64.encodeToString(serialized);
    Cookie template = getCookie(); //the class attribute is really a template for the outgoing cookies
    Cookie cookie = new SimpleCookie(template);
    cookie.setValue(base64);
    cookie.saveTo(request, response);
}
As you can see, the login information is ultimately stored in the session. Now look at the SimpleCookie source:
As you can see, this is where the cookie's maximum age is set. So the core of remember-me is setting the cookie's expiry time.
Then, in the UserFilter, the user information is read from the cookie; if it is found, the request is allowed through, meaning the login succeeded.
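Because the rememberMe cookie carries a serialized PrincipalCollection that the server will later deserialize, the two settings a defender cares about are the cipher key used to encrypt those bytes and the cookie's attributes. The following is an added example, not code from the post or from Shiro itself; it wires a CookieRememberMeManager into a DefaultWebSecurityManager with a per-deployment random AES key and a hardened cookie template (the seven-day max age and the cookie name are assumed values). Older Shiro releases shipped with a fixed default cipher key, which is what the CVE-2016-4437 advisory referenced at the end of this post is about, so the key must always be supplied from configuration rather than left at a default.

```java
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.Cookie;

/**
 * Added example (not part of the post or of Shiro): hardens the rememberMe
 * cookie that rememberSerializedIdentity() writes. In a real deployment the
 * cipher key is read from a secret store; here it is generated at startup so
 * the program runs stand-alone.
 */
public class RememberMeConfig {

    // Assumed lifetime of the rememberMe cookie, in seconds (7 days).
    static final int REMEMBER_ME_MAX_AGE = 7 * 24 * 60 * 60;

    /** Generates a fresh 128-bit AES key; persist it in configuration, never in code. */
    public static byte[] generateCipherKey() {
        return new AesCipherService().generateNewKey().getEncoded();
    }

    public static CookieRememberMeManager buildRememberMeManager(byte[] cipherKey) {
        CookieRememberMeManager manager = new CookieRememberMeManager();

        // Key used to encrypt the serialized PrincipalCollection before it is
        // Base64-encoded into the cookie. Never rely on a built-in default.
        manager.setCipherKey(cipherKey);

        // getCookie() returns the template that SimpleCookie copies for each
        // response, so attributes set here apply to every rememberMe cookie.
        Cookie template = manager.getCookie();
        template.setName("rememberMe");            // assumed name
        template.setMaxAge(REMEMBER_ME_MAX_AGE);   // bounded lifetime instead of one year
        template.setHttpOnly(true);                // not readable from script
        template.setSecure(true);                  // only transmitted over TLS
        return manager;
    }

    public static DefaultWebSecurityManager buildSecurityManager(byte[] cipherKey) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(buildRememberMeManager(cipherKey));
        return securityManager;
    }

    public static void main(String[] args) {
        byte[] key = generateCipherKey();
        DefaultWebSecurityManager sm = buildSecurityManager(key);
        CookieRememberMeManager rmm = (CookieRememberMeManager) sm.getRememberMeManager();
        Cookie c = rmm.getCookie();
        System.out.println("rememberMe cookie template: name=" + c.getName()
                + " maxAge=" + c.getMaxAge()
                + " httpOnly=" + c.isHttpOnly()
                + " secure=" + c.isSecure()
                + " keyBytes=" + key.length);
    }
}
```

With this in place the value written by rememberSerializedIdentity() is still Base64 text, but it decrypts only under the key this deployment generated, and the cookie cannot be read by page script or sent over plain HTTP. Rotating the key invalidates all outstanding rememberMe cookies, which is the expected way to revoke them in bulk.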
The above is the main content of "Shiro Source Code: How the Remember-Me Feature Is Implemented". If it did not solve your problem, see the following articles:
CVE-2016-4437 (Apache Shiro deserialization vulnerability)