0

I have set tokenValiditySeconds in Config.groovy:

grails.plugins.springsecurity.rememberMe.tokenValiditySeconds=31*24*60*60

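However, I want to set a different validity for all requests coming from a subdomain. I can identify the domain information from the request object, but I am not able to override tokenValiditySeconds in the CustomRememberMeService class.

By default the tokens will be valid for 14 days from the last successful authentication attempt. This can be changed using AbstractRememberMeServices.setTokenValiditySeconds(int). If this value is less than zero, the expiryTime will remain at 14 days, but the negative value will be used for the maxAge property of the cookie, meaning that it will not be stored when the browser is closed.

According to the documentation, I should be able to change the validity by using the setTokenValiditySeconds(int) method, but it does not have any effect.

So how do I override the value set in the config file?

Thanks.

Edit: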

class CustomRememberMeService extends TokenBasedRememberMeServices {
    def springSecurityService;

    public final LoggedInUserDetails customAutoLogin(HttpServletRequest request, HttpServletResponse response) {
        def cookies = request.getCookies();
        if (!cookies) return null;
        String rememberMeCookie = extractRememberMeCookie(request);
        for (int i = 0; i < cookies.length; i++) {
            Cookie c = cookies[i];
            if(c.getName().equals('remember_me') && rememberMeCookie == null) {
                rememberMeCookie = c.getValue();
            }
        }
        if (rememberMeCookie == null) return null
        logger.debug("rememberMeCookie is : ${rememberMeCookie}");

        if (rememberMeCookie.length() == 0) {
            cancelCookie(request, response);
            return null;
        }

        String[] cookieTokens = decodeCookie(rememberMeCookie);
        String username = cookieTokens[0];

        def loginContext = request.getParameter('loginContext')
        loginContext = (loginContext == null) ? "mainWeb" : loginContext

        setTokenValiditySeconds(60) // not working

        LoggedInUserDetails user = getUserDetailsService().loadUserByUsername("${username}#${request.getServerName().trim()}#${loginContext}")

        springSecurityService.reauthenticate("${username}#${request.getServerName().trim()}#${loginContext}")
    }
}

The resource.groovy file looks like this:

//..
customRememberMeService(com.rwi.springsecurity.services.CustomRememberMeService) {
    userDetailsService = ref('userDetailsService')
    springSecurityService = ref('springSecurityService')
    key = "${grailsApplication.config.grails.plugins.springsecurity.rememberMe.key}"
}
customRememberMeServicesFilter(CustomRememberMeServicesFilter){
    authenticationManager = ref('authenticationManager')
    rememberMeServices = ref('rememberMeServices')
    customRememberMeService = ref('customRememberMeService')
}
//..

CustomRemeberMEService.groovy

// ..
class CustomRememberMeServicesFilter extends RememberMeAuthenticationFilter {
    def customRememberMeService;
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            LoggedInUserDetails rememberMeAuth = customRememberMeService.customAutoLogin(request, response);
        }   
        chain.doFilter(request, response);
    }
}
4

1 Answer

1

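Override the method calculateLoginLifetime. By default it returns the value set in the configuration (it calls getTokenValiditySeconds()). By overriding it you can determine (based on the request) whether the normal timeout or a custom one should be used.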

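@Override
protected int calculateLoginLifetime(HttpServletRequest request, Authentication authentication) {
    // getServerName() is the host the request was addressed to;
    // getRemoteAddr() is the client IP and would never match a host name prefix.
    if (request.getServerName().startsWith("subdomain")) {
        return 15; // Or whatever you want, you could also make it configurable.
    }
    return getTokenValiditySeconds();
}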
answered 2013-09-12T12:34:05.550
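Why calling setTokenValiditySeconds(60) during auto-login has no effect, as an added example that is not part of the original question or answer: in the classic TokenBasedRememberMeServices cookie format (Spring Security 3.x), the expiry is written into the cookie and signed when it is issued, so the lifetime has to be chosen at login time, which is what overriding calculateLoginLifetime does. This Python model of that format goes beyond the posts; the key, password, host names and per-host lifetimes are constructed values, and usernames are assumed not to contain ":".

```python
import base64
import hashlib
import hmac

KEY = "constructed-remember-me-key"        # stands in for rememberMe.key (constructed)
PASSWORD = "constructed-stored-password"   # stands in for UserDetails.getPassword() (constructed)
HOST_LIFETIMES = {"sub.example.com": 60}   # hypothetical per-host lifetimes, in seconds
DEFAULT_LIFETIME = 31 * 24 * 60 * 60       # the Config.groovy value shown in the question
TWO_WEEKS_S = 14 * 24 * 60 * 60            # fallback expiry when the lifetime is negative


def signature(username, expiry_ms, password, key):
    # MD5 hex over username:expiry:password:key, as in the classic format.
    data = f"{username}:{expiry_ms}:{password}:{key}"
    return hashlib.md5(data.encode()).hexdigest()


def calculate_login_lifetime(server_name):
    # Model of the overridden hook: exact-match allowlist of hosts, else the default.
    return HOST_LIFETIMES.get(server_name.strip().lower(), DEFAULT_LIFETIME)


def issue_cookie(username, server_name, now_ms):
    # Login time: the only point where the lifetime influences the token.
    lifetime = calculate_login_lifetime(server_name)
    expiry_ms = now_ms + 1000 * (TWO_WEEKS_S if lifetime < 0 else lifetime)
    raw = f"{username}:{expiry_ms}:{signature(username, expiry_ms, PASSWORD, KEY)}"
    return base64.b64encode(raw.encode()).decode().rstrip("=")


def validate_cookie(cookie, now_ms):
    """Auto-login time: return the username if the cookie is valid, else None."""
    padded = cookie + "=" * (-len(cookie) % 4)
    try:
        tokens = base64.b64decode(padded, validate=True).decode().split(":")
        username, expiry_ms, sig = tokens[0], int(tokens[1]), tokens[2]
    except (ValueError, IndexError):
        return None
    if len(tokens) != 3 or expiry_ms < now_ms:
        return None
    # The expiry checked above came from the cookie; it is only trustworthy
    # because it is covered by the signature verified here.
    expected = signature(username, expiry_ms, PASSWORD, KEY)
    return username if hmac.compare_digest(expected, sig) else None
```

Validation reads the expiry from the signed cookie and never consults the configured lifetime, and the username is accepted only after the signature matches.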