Integrating Spring Security with Spring Session in a project to implement the remember-me feature


Spring Session provides support for integrating with Spring Security's remember-me authentication:

Purpose:

 

  • Change the session expiration length
  • Ensure the session cookie expires at Integer.MAX_VALUE. The cookie expiration is set to the largest possible value because the cookie is only set when the session is created. If it were set to the same value as the session expiration, then while the user keeps using the application the session would be renewed, but the cookie expiration would not be updated, leaving the expiration time fixed.

Concrete steps:

1. login.html

     <input type="checkbox" name="remember-me" lay-skin="primary" title="記住密碼">

Note: the name must be remember-me; otherwise the setting does not take effect.

2. SecurityConfig configuration

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests() // the returned object configures request-level security details
            .antMatchers(HttpMethod.GET, "/user/login", "/user/forget", "/user/regist").permitAll() // login page is not intercepted
            .antMatchers(HttpMethod.POST, "/user/checkLogin").permitAll() // login processing path is not intercepted
            .anyRequest().authenticated() // everything else requires authentication
            .and().formLogin() // configure the login page
            .loginPage("/user/login") // access path of the login page
            .loginProcessingUrl("/user/checkLogin") // path the login form submits to
            .failureUrl("/user/login?error=true") // redirect path after a failed login, used to show the client a hint
            .defaultSuccessUrl("/index") // default redirect path after a successful login
            .and().logout() // user logout
            .logoutRequestMatcher(new AntPathRequestMatcher("/user/logout", "POST")) // logout path; must be requested with POST
            .permitAll().logoutSuccessUrl("/user/login?logout=true") // path visited after a successful logout
            .and().csrf().disable() // turns off Spring Security's CSRF protection for the whole application
            .rememberMe().rememberMeServices(rememberMeServices()) // hand remember-me handling to Spring Session
            .and().headers().frameOptions() // allow rendering inside an iframe
            .sameOrigin() // but only from the same origin
            .and().sessionManagement().maximumSessions(1).expiredUrl("/user/login?expired=true");
    }

    @Bean
    public static RememberMeServices rememberMeServices() {
        SpringSessionRememberMeServices rememberMeServices = new SpringSessionRememberMeServices();
        // expire after 1000 seconds
        rememberMeServices.setValiditySeconds(1000);
        return rememberMeServices;
    }
}
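The second purpose listed at the top of the post, making the session cookie itself live until Integer.MAX_VALUE, is not achieved by the SecurityConfig alone: SpringSessionRememberMeServices only marks the request with REMEMBER_ME_LOGIN_ATTR, and Spring Session's cookie serializer has to be told to look for that marker. The bean below is an added example, not code from the original post; it assumes Spring Session 2.x's DefaultCookieSerializer and an application that configures the serializer itself rather than relying on Spring Boot's session auto-configuration (which sets the same remember-me attribute on its own; check the configured DefaultCookieSerializer if unsure). The cookie name "SESSION" is an assumption matching Spring Session's default.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

/**
 * Added example (not from the original post): a cookie serializer that honours the
 * remember-me marker set by SpringSessionRememberMeServices.loginSuccess().
 *
 * When the current request carries REMEMBER_ME_LOGIN_ATTR, DefaultCookieSerializer
 * writes the session cookie with Max-Age = Integer.MAX_VALUE instead of a
 * browser-session cookie. The cookie then outlives the browser, and the server-side
 * inactivity limit (validitySeconds) alone decides when the remembered login ends.
 */
@Configuration
public class SessionCookieConfig {

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        // Tell the serializer which request attribute marks a remember-me login.
        serializer.setRememberMeRequestAttribute(SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR);
        // Assumed cookie name for this example; "SESSION" is the Spring Session default.
        serializer.setCookieName("SESSION");
        // A long-lived session cookie is a long-lived credential: keep it out of
        // script reach, send it only over TLS, and only on same-site navigations.
        serializer.setUseHttpOnlyCookie(true);
        serializer.setUseSecureCookie(true);
        serializer.setSameSite("Lax");
        return serializer;
    }
}
```

With this bean in place, a login whose form sent remember-me=on produces a SESSION cookie with a far-future Max-Age, while a login without the checkbox still produces a plain browser-session cookie; the difference is visible in the Set-Cookie header of the login response.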

 

 

Source code of SpringSessionRememberMeServices (excerpt):

  

    // processing after a successful login
    public final void loginSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication successfulAuthentication) {
        // alwaysRemember: defaults to false; set it to true to always remember the login
        if (!this.alwaysRemember
                && !rememberMeRequested(request, this.rememberMeParameterName)) {
            logger.debug("Remember-me login not requested.");
            return;
        }
        // mark the request so the cookie serializer can issue a long-lived session cookie
        request.setAttribute(REMEMBER_ME_LOGIN_ATTR, true);
        // validitySeconds defaults to 2592000, i.e. 30 days
        request.getSession().setMaxInactiveInterval(this.validitySeconds);
    }

    /**
     * Allows customization of whether a remember-me login has been requested. The default
     * is to return {@code true} if the configured parameter name has been included in the
     * request and is set to the value {@code true}.
     * @param request the request submitted from an interactive login, which may include
     * additional information indicating that a persistent login is desired.
     * @param parameter the configured remember-me parameter name.
     * @return true if the request includes information indicating that a persistent login
     * has been requested.
     */
    protected boolean rememberMeRequested(HttpServletRequest request, String parameter) {
        // read the value submitted for the remember-me parameter
        String rememberMe = request.getParameter(parameter);
        // if the value matches one of the following, the user enabled the remember-me feature
        if (rememberMe != null) {
            if (rememberMe.equalsIgnoreCase("true") || rememberMe.equalsIgnoreCase("on")
                    || rememberMe.equalsIgnoreCase("yes") || rememberMe.equals("1")) {
                return true;
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Did not send remember-me cookie (principal did not set "
                    + "parameter '" + parameter + "')");
        }
        return false;
    }
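The two effects of loginSuccess() shown above, flagging the request and stretching the session's inactivity limit to validitySeconds, can be observed directly with a mock request. The test below is an added example, not one of the project's or Spring Session's own tests; it assumes spring-test (MockHttpServletRequest), spring-security-core (TestingAuthenticationToken) and JUnit 5 on the test classpath, and reuses the 1000-second validity from the SecurityConfig above. The user name and parameter values are constructed for the test.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;

import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices;

/**
 * Added example (not the project's or Spring Session's own test code): exercises the
 * loginSuccess() path of SpringSessionRememberMeServices with a mock request.
 */
class SpringSessionRememberMeServicesBehaviourTest {

    private static final int VALIDITY_SECONDS = 1000; // same value as in SecurityConfig

    // Constructed stand-in for the authenticated user; in the app it comes from the login filter.
    private final Authentication auth = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");

    private SpringSessionRememberMeServices services() {
        SpringSessionRememberMeServices s = new SpringSessionRememberMeServices();
        s.setValiditySeconds(VALIDITY_SECONDS);
        return s;
    }

    @Test
    void tickedCheckboxMarksRequestAndExtendsSession() {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/user/checkLogin");
        request.setParameter("remember-me", "on"); // what a ticked HTML checkbox submits
        services().loginSuccess(request, new MockHttpServletResponse(), auth);

        // 1) the request is flagged so the cookie serializer can issue a long-lived cookie
        assertEquals(Boolean.TRUE,
                request.getAttribute(SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR));
        // 2) the server-side session now expires after validitySeconds of inactivity
        assertEquals(VALIDITY_SECONDS, request.getSession().getMaxInactiveInterval());
    }

    @Test
    void missingOrUnrecognisedValueLeavesSessionAlone() {
        // null = checkbox not ticked (browsers omit the field); the others are not accepted values
        for (String value : new String[] { null, "false", "checked", "0" }) {
            MockHttpServletRequest request = new MockHttpServletRequest("POST", "/user/checkLogin");
            if (value != null) {
                request.setParameter("remember-me", value);
            }
            int before = request.getSession().getMaxInactiveInterval();
            services().loginSuccess(request, new MockHttpServletResponse(), auth);

            assertNull(request.getAttribute(SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR),
                    "value=" + value);
            assertEquals(before, request.getSession().getMaxInactiveInterval(), "value=" + value);
        }
    }

    @Test
    void alwaysRememberIgnoresTheCheckbox() {
        SpringSessionRememberMeServices s = services();
        s.setAlwaysRemember(true); // every login is remembered, whatever the form sent
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/user/checkLogin");
        s.loginSuccess(request, new MockHttpServletResponse(), auth);
        assertEquals(VALIDITY_SECONDS, request.getSession().getMaxInactiveInterval());
    }
}
```

The second test is the one worth keeping in a project: it pins down that only the four values accepted by rememberMeRequested() ("true", "on", "yes", "1") turn on the longer session lifetime, so a template that renders the checkbox with a different value, or a renamed field, is caught before it silently disables the feature.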

 
