I am using PersistentTokenBasedRememberMeServices (Spring Security 2.04) in a Grails app together with the OpenIDAuthenticationProcessingFilter. The configuration is as follows (this is Grails' DSL equivalent of a Spring resource.xml, but it should be easy to adapt):
    // Persistent remember-me tokens are stored through JDBC.
    // The opening brace must sit on the same line as the bean call, otherwise
    // Groovy does not pass the closure to it.
    customTokenRepository(JdbcTokenRepositoryImpl) {
        dataSource = ref('dataSource')
    }

    // Remember-me services backed by the token repository above
    rememberMeServices(PersistentTokenBasedRememberMeServices) {
        userDetailsService = ref('userDetailsService')
        key = securityConf.rememberMeKey
        cookieName = securityConf.cookieName
        alwaysRemember = securityConf.alwaysRemember
        tokenValiditySeconds = securityConf.tokenValiditySeconds
        parameter = securityConf.parameter
        tokenRepository = customTokenRepository
    }

    openIDAuthProvider(org.codehaus.groovy.grails.plugins.springsecurity.openid.GrailsOpenIdAuthenticationProvider) {
        userDetailsService = ref('userDetailsService')
    }

    // openid4java consumer with in-memory association store and nonce verifier
    openIDStore(org.openid4java.consumer.InMemoryConsumerAssociationStore)
    openIDNonceVerifier(org.openid4java.consumer.InMemoryNonceVerifier, securityConf.openIdNonceMaxSeconds) // 300 seconds
    openIDConsumerManager(org.openid4java.consumer.ConsumerManager) {
        nonceVerifier = openIDNonceVerifier
    }
    openIDConsumer(org.springframework.security.ui.openid.consumers.OpenID4JavaConsumer, openIDConsumerManager)

    // OpenID login filter; hands successful logins to rememberMeServices
    openIDAuthenticationProcessingFilter(org.springframework.security.ui.openid.OpenIDAuthenticationProcessingFilter) {
        authenticationManager = ref('authenticationManager')
        authenticationFailureUrl = securityConf.authenticationFailureUrl //'/login/authfail?login_error=1' // /spring_security_login?login_error
        defaultTargetUrl = securityConf.defaultTargetUrl // '/'
        filterProcessesUrl = '/j_spring_openid_security_check' // not configurable
        rememberMeServices = ref('rememberMeServices')
        consumer = openIDConsumer
        targetUrlResolver = customTargetUrlResolver
    }
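After the user has been authenticated, everything is fine until the cookie issued to him is used for the first time, for example after a container restart (see here).
The first request that uses the cookie always seems to be fine, but after the cookie has been updated with a new date and, most importantly, a new token, subsequent requests crash here. It looks as if the browser still requests resources with the old version of the cookie, which contains the old token. I am completely baffled as to why this happens. Any suggestions?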
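
The behaviour described above can be reproduced with a simplified model of the series/token rotation that a persistent-token remember-me scheme performs on each cookie login. This is an added example, not code from the post or from Spring Security; `RememberMeModel`, its methods and the outcome strings are hypothetical, and token expiry is left out.

```groovy
// Simplified model of persistent remember-me tokens (hypothetical names, not Spring code).
import java.security.SecureRandom

class RememberMeModel {
    private final Map<String, Map> rows = [:]     // series -> [user: ..., token: ...]
    private final SecureRandom rng = new SecureRandom()

    private String randomValue() {
        byte[] b = new byte[16]
        rng.nextBytes(b)
        b.encodeBase64().toString()               // base64 never contains ':'
    }

    // After an interactive login: new series and token, returned as the cookie value.
    String issue(String user) {
        String series = randomValue()
        String token = randomValue()
        rows[series] = [user: user, token: token]
        "${series}:${token}".toString()
    }

    // For a request that carries a remember-me cookie.
    Map autoLogin(String cookie) {
        def (series, token) = cookie.split(':')
        Map row = rows[series]
        if (row == null) {
            return [outcome: 'UNKNOWN_SERIES']
        }
        if (row.token != token) {
            // Known series, wrong token: handled as a stolen cookie, so every
            // remembered login of that user is revoked.
            String user = row.user
            rows.values().removeAll { it.user == user }
            return [outcome: 'TOKEN_MISMATCH', user: user]
        }
        row.token = randomValue()                 // rotate the token on every successful use
        [outcome: 'OK', user: row.user, cookie: "${series}:${row.token}".toString()]
    }
}

def model = new RememberMeModel()
String cookieV1 = model.issue('alice')            // constructed sample user

// Two requests leave the browser with the same cookie, e.g. a page and one of its resources.
def first  = model.autoLogin(cookieV1)            // rotates the token, response sets a new cookie
def second = model.autoLogin(cookieV1)            // still presents the pre-rotation token
def third  = model.autoLogin(first.cookie)        // the series was revoked by the mismatch

assert first.outcome == 'OK'
assert second.outcome == 'TOKEN_MISMATCH'
assert third.outcome == 'UNKNOWN_SERIES'
```

When checking a case like this, compare the series and token values in the token repository table with the cookie value each request actually sent.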