1

我想要的只是一个简单的记住我。我读了http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html

到目前为止我做了什么:

  1. 创建了我自己UserDetailsService的与 Hibernate / JPA 一起工作。我的意思。不考虑任何记住我的东西
  2. 通过 appContext 考虑配置<security:remember-me key="89dqj219dn910lsAc12" user-service-ref="jpaUserDetailsService" token-validity-seconds="864000"/>
  3. 检查,cookieSPRING_SECURITY_REMEMBER_ME_COOKIE确实设置了
  4. 登录到受保护的站点并且可以正常工作

  5. 当我重新启动浏览器时,我不断收到错误消息:

    org.springframework.security.access.AccessDeniedException:访问被拒绝作为字符串的身份验证对象:org.springframework.security.authentication.RememberMeAuthenticationToken@9ab72a70:主体:de.myapp.businessobjects.AppUser@61f68b18:用户名:myad;密码保护]; 启用:真;AccountNonExpired:真;凭据非过期:真;AccountNonLocked:真;个人信息:65537;; 凭证:[受保护];已认证:真实;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@957e:RemoteIpAddress:127.0.0.1;会话ID:空;授予权限:ROLE_ADMIN、ROLE_USER

这是我的 secContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security pre-post-annotations="enabled">
    </security:global-method-security>

    <security:http use-expressions="true" access-denied-page="/accessDenied">
        <security:form-login
                login-page="/login"
                login-processing-url="/loginProcess"
                default-target-url="/intro"
                authentication-failure-url="/login?login_error=1"
                />
        <security:logout
                logout-url="/logout"
                logout-success-url="/logoutSuccess"/>

        <security:intercept-url pattern="/**" access="permitAll"/>
        <security:intercept-url pattern="/login" access="permitAll"/>
        <security:intercept-url pattern="/styles/**" access="permitAll"/>
        <security:intercept-url pattern="/scripts/**" access="permitAll"/>
        <security:remember-me key="89dqj219dn910lsAc12" user-service-ref="jpaUserDetailsService"
                              token-validity-seconds="864000"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="jpaUserDetailsService">
            <security:password-encoder hash="sha">
            </security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="rememberMeFilter" class=
            "org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <property name="rememberMeServices" ref="rememberMeServices"/>
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <bean id="rememberMeServices" class=
            "org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="jpaUserDetailsService"/>
        <property name="key" value="89dqj219dn910lsAc12"/>
    </bean>

    <bean id="rememberMeAuthenticationProvider" class=
            "org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <property name="key" value="89dqj219dn910lsAc12"/>
    </bean>
</beans>

最后是一些调试跟踪

03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.w.b.a.s.HandlerMethodInvoker - Invoking request handler method: public java.lang.String de.myapp.controller.bstController.showbstpage(java.lang.String,javax.servlet.http.HttpServletResponse)
03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Secure object: ReflectiveMethodInvocation: public java.lang.String de.myapp.controller.bstController.showbstpage(java.lang.String,javax.servlet.http.HttpServletResponse); target is of class [de.myapp.controller.bstController]; Attributes: [[authorize: 'isFullyAuthenticated() and #username == principal.username', filter: 'null', filterTarget: 'null']]
03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.RememberMeAuthenticationToken@9ab72a70: Principal: de.myapp.businessobjects.AppUser@61f68b18: Username: myad; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; PersonalInformation: 65537; ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_USER
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.c.c.s.GenericConversionService - Converting value false of [TypeDescriptor java.lang.Boolean] to [TypeDescriptor java.lang.Boolean]
03:45:14.599 [7225609@qtp-10131947-7] TRACE o.s.c.c.s.GenericConversionService - Matched cached converter NO_OP
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.c.c.s.GenericConversionService - Converted to false
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@a866a9, returned: -1
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@1ebf305, returned: 0
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@19ffd6f, returned: 0

我真的不知道从哪里继续调试。我错过了什么?我必须创建自己的记住我的实现吗?

真的很感激一个工作示例应用程序,它演示了 springs remember-me 的默认实现......

- - - - 编辑 - - - - - -

我刚刚编译并运行了 springsecurity 本身的 remember-me 参考应用程序:spring-security\samples\tutorial帐户应用程序和联系人应用程序。实际上,我有完全相同的问题?!​​?。我试过firefox、opera和ie ...我心碎了...

4

2 回答 2

1

看起来 remember-me 身份验证在您的应用程序中运行良好,因为您从 remember-me cookie 中获取了有效的身份验证令牌。

但是,日志输出表明控制器方法上有一个方法访问控制注释,该注释bstController.showbstpage需要“完整”身份验证,来自表达式isFullyAuthenticated() and #username == principal.username。记住我不符合完全身份验证的条件,因此表达式拒绝当前身份验证。

顺便说一句,intercept-url元素排序错误,因为/**它位于顶部并将应用于所有请求,从而使其他请求变得多余。

此外,示例应用程序不可能遇到相同的问题,因为它们不需要对任何操作进行完全身份验证,因此您肯定遇到了其他问题。

于 2012-02-01T14:32:56.773 回答
0

当您登录时,您的 UserDetails 对象上的“密码”字段是否设置为非空/非空值?在我的应用程序中,实际的身份验证被委托给另一个系统,并且我没有将用户提交的密码存储在我的 UserDetails 对象上。在将密码属性设置为一个值之前,我无法让 RememberMe cookie 工作。就我而言,我只是将属性默认为“密码”一词,这样它就不会是空/空字符串。

我不知道这是否像你的情况,但这让我发疯,直到我想通了。

于 2011-02-06T21:42:52.233 回答