All I want is a simple remember-me. I read http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html
What I have done so far:
- Created my own UserDetailsService to work with Hibernate / JPA. My impl. does not consider any remember-me stuff
- Considered configuration through appContext:
<security:remember-me key="89dqj219dn910lsAc12" user-service-ref="jpaUserDetailsService" token-validity-seconds="864000"/>
- Checked that the cookie SPRING_SECURITY_REMEMBER_ME_COOKIE is really set
- Logged in to the secured site and it works
When I restart my browser, I keep getting an error:
org.springframework.security.access.AccessDeniedException: Access is denied Authentication object as a String: org.springframework.security.authentication.RememberMeAuthenticationToken@9ab72a70: Principal: de.myapp.businessobjects.AppUser@61f68b18: Username: myad; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; PersonalInformation: 65537; ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_USER
And here is my secContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security pre-post-annotations="enabled">
    </security:global-method-security>

    <security:http use-expressions="true" access-denied-page="/accessDenied">
        <security:form-login
            login-page="/login"
            login-processing-url="/loginProcess"
            default-target-url="/intro"
            authentication-failure-url="/login?login_error=1"
        />
        <security:logout
            logout-url="/logout"
            logout-success-url="/logoutSuccess"/>
        <security:intercept-url pattern="/**" access="permitAll"/>
        <security:intercept-url pattern="/login" access="permitAll"/>
        <security:intercept-url pattern="/styles/**" access="permitAll"/>
        <security:intercept-url pattern="/scripts/**" access="permitAll"/>
        <security:remember-me key="89dqj219dn910lsAc12" user-service-ref="jpaUserDetailsService"
                              token-validity-seconds="864000"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="jpaUserDetailsService">
            <security:password-encoder hash="sha">
            </security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="rememberMeFilter" class=
        "org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <property name="rememberMeServices" ref="rememberMeServices"/>
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <bean id="rememberMeServices" class=
        "org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="jpaUserDetailsService"/>
        <property name="key" value="89dqj219dn910lsAc12"/>
    </bean>

    <bean id="rememberMeAuthenticationProvider" class=
        "org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <property name="key" value="89dqj219dn910lsAc12"/>
    </bean>
</beans>
and finally some debug trace
03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.w.b.a.s.HandlerMethodInvoker - Invoking request handler method: public java.lang.String de.myapp.controller.bstController.showbstpage(java.lang.String,javax.servlet.http.HttpServletResponse)
03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Secure object: ReflectiveMethodInvocation: public java.lang.String de.myapp.controller.bstController.showbstpage(java.lang.String,javax.servlet.http.HttpServletResponse); target is of class [de.myapp.controller.bstController]; Attributes: [[authorize: 'isFullyAuthenticated() and #username == principal.username', filter: 'null', filterTarget: 'null']]
03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.RememberMeAuthenticationToken@9ab72a70: Principal: de.myapp.businessobjects.AppUser@61f68b18: Username: myad; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; PersonalInformation: 65537; ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_USER
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.c.c.s.GenericConversionService - Converting value false of [TypeDescriptor java.lang.Boolean] to [TypeDescriptor java.lang.Boolean]
03:45:14.599 [7225609@qtp-10131947-7] TRACE o.s.c.c.s.GenericConversionService - Matched cached converter NO_OP
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.c.c.s.GenericConversionService - Converted to false
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@a866a9, returned: -1
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@1ebf305, returned: 0
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@19ffd6f, returned: 0
I really don't know where to continue debugging. What have I missed? Do I have to create my own implementation of remember-me?
I would really appreciate a working sample application that demonstrates the default implementation of Spring's remember-me...
-------- EDIT -----------
I have just compiled and run the remember-me reference app by Spring Security itself: the spring-security\samples\tutorial account app AND the contact app. Actually, I have exactly the same problem?!? I have tried Firefox, Opera and IE ... I am shattered ...
It looks like remember-me authentication was working fine in your application, since you obtain a valid authentication token from the remember-me cookie.
However, the log output indicates that there is a method access control annotation on a controller method bstController.showbstpage which requires "full" authentication, from the expression isFullyAuthenticated() and #username == principal.username. Remember-me doesn't qualify as full authentication, hence the expression rejects the current authentication.
As an aside, the intercept-url elements are wrongly ordered since /** is at the top and will be applied to all requests, making the others redundant.
Also, it wouldn't be possible to get the same issue with the sample applications, since they don't require full authentication for any operation, so you must have had some other issue there.
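As an added illustration of the point above (this is not code from the question or from either answer), the snippet below reproduces the check behind isFullyAuthenticated() for the two token types involved: the token a form login produces and the token RememberMeAuthenticationFilter produces from the cookie. It assumes Spring Security 3.0.x on the classpath; the remember-me key and the credential value are constructed placeholders.

```java
import java.util.Collection;

import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Added example, not part of the original post: shows why a
 * RememberMeAuthenticationToken is rejected by isFullyAuthenticated()
 * even though it carries exactly the same granted authorities.
 */
public class FullAuthenticationDemo {

    private static final AuthenticationTrustResolver TRUST_RESOLVER =
            new AuthenticationTrustResolverImpl();

    /**
     * Same rule SecurityExpressionRoot applies for isFullyAuthenticated():
     * the caller must be neither anonymous nor authenticated only via a
     * remember-me cookie. The trust resolver decides by token class.
     */
    static boolean isFullyAuthenticated(Authentication auth) {
        return !TRUST_RESOLVER.isAnonymous(auth) && !TRUST_RESOLVER.isRememberMe(auth);
    }

    public static void main(String[] args) {
        Collection<GrantedAuthority> authorities =
                AuthorityUtils.createAuthorityList("ROLE_ADMIN", "ROLE_USER");

        // Token produced by a successful form login (password checked).
        // "placeholder-credential" is a constructed value, not a real secret.
        Authentication formLogin =
                new UsernamePasswordAuthenticationToken("myad", "placeholder-credential", authorities);

        // Token produced by RememberMeAuthenticationFilter on the next browser
        // session; the key is a placeholder, not the key from the question.
        Authentication rememberMe =
                new RememberMeAuthenticationToken("PLACEHOLDER_REMEMBER_ME_KEY", "myad", authorities);

        // Both tokens satisfy hasRole('ROLE_ADMIN'); only the second fails the
        // full-authentication check, which is the denial seen in the trace.
        System.out.println("form login fully authenticated:  " + isFullyAuthenticated(formLogin));
        System.out.println("remember-me fully authenticated: " + isFullyAuthenticated(rememberMe));
    }
}
```

The practical consequence is a design choice rather than a bug: keep isFullyAuthenticated() on operations that should force a fresh password (and let the access-denied handling send the remember-me user back to the login page), and use isAuthenticated() or hasRole(...) on pages that a remembered user is meant to reach.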
When you login, is the "password" field on your UserDetails object being set to non-null / non-empty value? In my application, the actual authentication is delegated off to another system and I don't store the user-submitted password on my UserDetails object. I couldn't get the RememberMe cookie to work until I set the password property to a value. In my case, I simply defaulted the property to the word "password" just so it wouldn't be null/empty string.
I don't know if that's anything like your scenario, but this drove me crazy until I figured it out.