spring - 在已配置的 spring OUTH 和 usernamepassword 令牌认证系统中添加记住我功能

Question

我有以下弹簧安全配置。

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">


<!-- For S2OAuth endpoints -->
<http   pattern="/oauth/token" 
        create-session="stateless" 
        authentication-manager-ref="clientAuthenticationManager" 
        entry-point-ref="oauthAuthenticationEntryPoint"
        xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <anonymous enabled="false" />
    <http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
    <!-- include this only if you need to authenticate clients via request parameters -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
</http>

<http use-expressions="true">
    <!-- Authentication policy -->
    <form-login login-page="/signin" login-processing-url="/signin/authenticate" authentication-failure-url="/signin?error=1" />
    <logout logout-url="/signout" delete-cookies="JSESSIONID" />
    <!-- Remember Me -->
    <remember-me services-ref="rememberMeServices" key="myRememberMeKey" />
    <!-- Authorization policy definition: TODO consider replacing with @Secured on @Controllers -->
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/favicon.ico" access="permitAll" />
    <intercept-url pattern="/members/**" access="permitAll" />
    <intercept-url pattern="/groups/**" access="permitAll" />
    <intercept-url pattern="/pubsub/**" access="permitAll" />
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/signup" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />   
    <intercept-url pattern="/signin" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
    <intercept-url pattern="/signin/*" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
    <intercept-url pattern="/reset" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
    <!-- TODO this would probably be better mapped to simply /invite?token={token} but not able to vary security policy here based on presence of a request parameter.  Consider @Secured on @Controller. -->               
    <intercept-url pattern="/invite/accept" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
    <!-- TODO this should be restricted to admin users only -->
    <intercept-url pattern="/admin/**" access="permitAll" />           
    <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="#{environment['application.secureChannel']}" />
    <custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</http>

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="usernamePasswordAuthenticationProvider" />
</authentication-manager>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>

<bean id="jdbcRememberMeRepository" class="com.springsource.greenhouse.rememberme.JdbcRememberMeRepository" xmlns="http://www.springframework.org/schema/beans"/>
<bean id="coreUserDetailsService" class="com.springsource.greenhouse.rememberme.RememberMeUserDetailsService" xmlns="http://www.springframework.org/schema/beans"/>

<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices" xmlns="http://www.springframework.org/schema/beans">
  <property name="tokenRepository" ref="jdbcRememberMeRepository" />
  <property name="userDetailsService" ref="coreUserDetailsService" />
  <property name="key" value="myRememberMeKey" />
  <property name="alwaysRemember" value="true" />
</bean>


<!-- For S2OAuth endpoints -->
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
    <authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>

<beans:bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <beans:constructor-arg ref="clientDetails" />
</beans:bean>

<beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <beans:property name="realmName" value="greenhouseApi" />
</beans:bean>


<beans:import resource="security-oauth-provider.xml" />

 </beans:beans>

当我勾选 remember-me 复选框时，我看到我的 remember-me 数据库已填充，如快照所示。现在我关闭浏览器并尝试访问需要登录的 url。我可以看到页面。现在在这里，我很困惑我是因为登录还是因为记住我而能够看到该页面。其次，我在记住我的数据库表中看到最后日期没有更新。这可能是什么原因？

Answer 1

重新启动浏览器是不够的。要测试记住我的功能，您需要确保您的会话已过期。如果lastUsed未更新，则表示未使用记住我功能。在您的情况下，HTTP 会话处于活动状态。您需要停用它，并且有多种选择：

• 等待会话到期。提示：您可以设置最小会话超时，例如在 web.xml 中设置 1 分钟。
• 或删除会话 cockie（不要删除您域的所有 cookie，记住我也使用 coockie）
• 或停止您的应用程序服务器，然后清理它保存会话数据的目录并重新启动它。对于 tomcat，它是 tomcat_root/work。

在 web.xml 中将会话超时值设置为 1 分钟：

<session-config>
    <session-timeout>1</session-timeout>
</session-config>