Spring Security:记住我和会话数据
Posted
技术标签:
【中文标题】Spring Security:记住我和会话数据【英文标题】:Spring Security: remember me and session data 【发布时间】:2017-02-25 17:55:42 【问题描述】:我有对象帐户:
public class Account
String name;
List<Car> cars;
我在登录期间填充汽车(在自定义身份验证提供程序中),然后将帐户保存到会话。然后我关闭浏览器。当我再次打开它时,对象帐户是活动的,但汽车是空的。在同一会话中保存对象属性的正确方法是什么?
这是我的 applicationContext-security.xml 的 sn-p:
<http use-expressions="true"
authentication-manager-ref="authenticationManager"
auto-config="true"
create-session="ifRequired">
<intercept-url pattern="/my/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
<intercept-url pattern="/service/**" access="hasRole('ROLE_ADMIN')"/>
<form-login
login-page="/login"
authentication-failure-handler-ref="simpleUrlAuthenticationFailureHandler"
username-parameter="j_username"
password-parameter="j_password"
default-target-url="/home"
always-use-default-target="false"/>
<logout logout-success-url="/logout" invalidate-session="true" delete-cookies="JSESSIONID"/>
<http-basic />
<remember-me key="uniqueAndSecret"
token-validity-seconds="1209600"
remember-me-cookie="edrive"
remember-me-parameter="_spring_security_remember_me"
user-service-ref="localUserService"/>
</http>
以及我如何保存帐户:
Account account = accountDao.getAccount( name, password );
HttpSession session = httpUtilities.getSession(); // session from the HttpServletRequest
account.setCars(domainUtilities.getAccountCars(account.getId()));
session.setAttribute("account", account);
Spring Security 4.1.3.RELEASE
更新 1:我的调查表明,当我第一次登录时,帐户对象仍然存在于会话中:
account core.domain.Account@1b4e3e2
并且会话还包含:
org.springframework.security.web.csrf.DefaultCsrfToken@48662c93
SPRING_SECURITY_CONTEXT org.springframework.security.core.context.SecurityContextImpl@a2e3a7b0: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a2e3a7b0: Principal: org.springframework.security.core.userdetails.User@1901e91c: Username: someuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 0B7153F813D8F0B943C34EF19A7271C8; Granted Authorities: ROLE_USER
下次我启动浏览器时,Tomcat 8 会打开一个新会话,其中只有:
org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN org.springframework.security.web.csrf.DefaultCsrfToken@4555644f
SPRING_SECURITY_CONTEXT org.springframework.security.core.context.SecurityContextImpl@5d1c5848: Authentication: org.springframework.security.authentication.RememberMeAuthenticationToken@5d1c5848: Principal: org.springframework.security.core.userdetails.User@1901e91c: Username: someuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER
并且 - SessionId 为空。为什么?这是第二次无法访问帐户的原因吗?
【问题讨论】:
【参考方案1】:问题已通过在标准链中添加特殊过滤器(在应用程序的 WEB-APP/web.xml 中定义)得到解决。我检查用户是否已通过身份验证并且帐户是否为空 - 然后我重新加载必要的数据。
第二 - 会话 ID 为空 - 这是 create-session="ifRequired" 的问题。我用“always”替换了它,现在它可以工作了。
【讨论】:
以上是关于Spring Security:记住我和会话数据的主要内容,如果未能解决你的问题,请参考以下文章
Spring Security 之 Remember-Me (记住我)
Grails spring security如何在自定义身份验证中记住我?
当用户注销时,Spring Security 从数据库中删除会话