
Simple Spring <remember-me/> ... help please

Developer https://www.devze.com 2023-01-17 04:45 Source: web
All I want, is a simple remember-me. I read http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html

What I have done so far:

  1. Created my own UserDetailsService to work with Hibernate / JPA. My impl. does not consider any remember-me stuff
  2. Considered configuration through appContext <security:remember-me key="89dqj219dn910lsAc12" user-service-ref="jpaUserDetailsService" token-validity-seconds="864000"/>
  3. Checked, that the cookie SPRING_SECURITY_REMEMBER_ME_COOKIE is really set
  4. Logged in to the secured site and it works
  5. When I restart my browser, I keep getting an error:

    org.springframework.security.access.AccessDeniedException: Access is denied Authentication object as a String: org.springframework.security.authentication.RememberMeAuthenticationToken@9ab72a70: Principal: de.myapp.businessobjects.AppUser@61f68b18: Username: myad; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; PersonalInformation: 65537; ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_USER

And here is my secContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security pre-post-annotations="enabled">
    </security:global-method-security>

    <security:http use-expressions="true" access-denied-page="/accessDenied">
        <security:form-login
                login-page="/login"
                login-processing-url="/loginProcess"
                default-target-url="/intro"
                authentication-failure-url="/login?login_error=1"
                />
        <security:logout
                logout-url="/logout"
                logout-success-url="/logoutSuccess"/>

        <security:intercept-url pattern="/**" access="permitAll"/>
        <security:intercept-url pattern="/login" access="permitAll"/>
        <security:intercept-url pattern="/styles/**" access="permitAll"/>
        <security:intercept-url pattern="/scripts/**" access="permitAll"/>
        <security:remember-me key="89dqj219dn910lsAc12" user-service-ref="jpaUserDetailsService"
                              token-validity-seconds="864000"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="jpaUserDetailsService">
            <security:password-encoder hash="sha">
            </security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="rememberMeFilter" class=
            "org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <property name="rememberMeServices" ref="rememberMeServices"/>
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <bean id="rememberMeServices" class=
            "org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="jpaUserDetailsService"/>
        <property name="key" value="89dqj219dn910lsAc12"/>
    </bean>

    <bean id="rememberMeAuthenticationProvider" class=
            "org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <property name="key" value="89dqj219dn910lsAc12"/>
    </bean>
</beans>

and finally some debug trace

03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.w.b.a.s.HandlerMethodInvoker - Invoking request handler method: public java.lang.String de.myapp.controller.bstController.showbstpage(java.lang.String,javax.servlet.http.HttpServletResponse)
03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Secure object: ReflectiveMethodInvocation: public java.lang.String de.myapp.controller.bstController.showbstpage(java.lang.String,javax.servlet.http.HttpServletResponse); target is of class [de.myapp.controller.bstController]; Attributes: [[authorize: 'isFullyAuthenticated() and #username == principal.username', filter: 'null', filterTarget: 'null']]
03:45:14.598 [7225609@qtp-10131947-7] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.RememberMeAuthenticationToken@9ab72a70: Principal: de.myapp.businessobjects.AppUser@61f68b18: Username: myad; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; PersonalInformation: 65537; ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_USER
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.c.c.s.GenericConversionService - Converting value false of [TypeDescriptor java.lang.Boolean] to [TypeDescriptor java.lang.Boolean]
03:45:14.599 [7225609@qtp-10131947-7] TRACE o.s.c.c.s.GenericConversionService - Matched cached converter NO_OP
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.c.c.s.GenericConversionService - Converted to false
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@a866a9, returned: -1
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@1ebf305, returned: 0
03:45:14.599 [7225609@qtp-10131947-7] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@19ffd6f, returned: 0

I really don't know where to continue debugging. What have I missed? Do I have to create my own implementation of remember-me?

I would really appreciate a working sample application that demonstrates the default implementation of Spring's remember-me...

-------- EDIT -----------

I have just compiled and run the remember-me reference app by Spring Security itself: the spring-security\samples\tutorial account app AND the contact app. Actually, I have exactly the same problem?!? I have tried Firefox, Opera and IE ... I am shattered ...


It looks like remember-me authentication was working fine in your application, since you obtain a valid authentication token from the remember-me cookie.

However, the log output indicates that there is a method access control annotation on a controller method bstController.showbstpage which requires "full" authentication, from the expression isFullyAuthenticated() and #username == principal.username. Remember-me doesn't qualify as full authentication, hence the expression rejects the current authentication.

As an aside, the intercept-url elements are wrongly ordered since /** is at the top and will be applied to all requests, making the others redundant.

Also, it wouldn't be possible to get the same issue with the sample applications, since they don't require full authentication for any operation, so you must have had some other issue there.
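To make the distinction this answer draws concrete, here is an added example (it is not code from the question, the answer or Spring Security; the controller class, URLs and method names are assumptions). It shows the same annotation the question's bstController uses, once with isAuthenticated(), which accepts a RememberMeAuthenticationToken, and once with isFullyAuthenticated(), which does not:

```java
// Added example, not from the original question or from Spring Security.
// Package, class, URL and method names are assumptions for illustration.
package de.myapp.controller;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class ProfileController {

    // Low-risk page: a remember-me authentication is good enough.
    // isAuthenticated() is true for both UsernamePasswordAuthenticationToken
    // and RememberMeAuthenticationToken, so a user who comes back after a
    // browser restart with only the remember-me cookie can still reach it.
    // The "#username == principal.username" part is unchanged from the
    // question's expression and still binds the page to its own user.
    @PreAuthorize("isAuthenticated() and #username == principal.username")
    @RequestMapping(value = "/profile/{username}", method = RequestMethod.GET)
    public String showProfile(@PathVariable("username") String username) {
        return "profile";
    }

    // Sensitive operation: require a fresh username/password login.
    // isFullyAuthenticated() is false for a RememberMeAuthenticationToken,
    // which is exactly why the question's showbstpage method threw
    // AccessDeniedException once the session came from the cookie alone.
    @PreAuthorize("isFullyAuthenticated() and #username == principal.username")
    @RequestMapping(value = "/profile/{username}/password", method = RequestMethod.POST)
    public String changePassword(@PathVariable("username") String username) {
        return "redirect:/profile/" + username;
    }
}
```

The rule of thumb is to reserve isFullyAuthenticated() for operations where a stolen remember-me cookie would do real damage (password or e-mail changes, payments, account deletion) and to use isAuthenticated() for ordinary pages. Separately, the intercept-url problem the answer mentions is purely an ordering one: Spring Security uses the first pattern that matches the request, so the specific patterns (/login, /styles/**, /scripts/**) have to come before /**, and /** goes last.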


When you login, is the "password" field on your UserDetails object being set to non-null / non-empty value? In my application, the actual authentication is delegated off to another system and I don't store the user-submitted password on my UserDetails object. I couldn't get the RememberMe cookie to work until I set the password property to a value. In my case, I simply defaulted the property to the word "password" just so it wouldn't be null/empty string.

I don't know if that's anything like your scenario, but this drove me crazy until I figured it out.
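For the situation this answer describes, an added example of a UserDetailsService that delegates password checking elsewhere yet still returns a non-empty value in the password field (this is not the answerer's code and not part of Spring Security; the repository interface, the per-user rememberMeSecret column and the role names are assumptions). In Spring Security 3.0, TokenBasedRememberMeServices mixes UserDetails.getPassword() into the cookie signature and does not create the cookie at all when that value is empty, which is the behaviour the answer ran into:

```java
// Added example, not the answerer's code and not from Spring Security.
// AccountRepository, AccountRecord and the rememberMeSecret field are
// assumptions; the actual password check is assumed to happen in a
// custom AuthenticationProvider, as the answer describes. With the
// question's DaoAuthenticationProvider the field would instead have to
// hold the real password hash.
package de.myapp.security;

import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class DelegatingUserDetailsService implements UserDetailsService {

    /** Assumed persistence interface; not a Spring Security type. */
    public interface AccountRepository {
        AccountRecord findByUsername(String username);
    }

    /** Assumed record shape: username, per-user random secret, role names. */
    public static class AccountRecord {
        public String username;
        public String rememberMeSecret; // e.g. 32 random bytes, hex-encoded, generated per user
        public String[] roles;
    }

    private final AccountRepository repository;

    public DelegatingUserDetailsService(AccountRepository repository) {
        this.repository = repository;
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        AccountRecord record = repository.findByUsername(username);
        if (record == null) {
            throw new UsernameNotFoundException("No account: " + username);
        }

        // The value returned here is what TokenBasedRememberMeServices signs.
        // A per-user random secret is used instead of a fixed word so that
        // the signature differs per user and rotating the secret (on password
        // change or "log out everywhere") invalidates every outstanding
        // remember-me cookie for that user.
        String signingValue = record.rememberMeSecret;
        if (signingValue == null || signingValue.length() == 0) {
            // Fail loudly rather than silently getting no remember-me cookie.
            throw new IllegalStateException("rememberMeSecret not set for " + username);
        }

        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : record.roles) {
            authorities.add(new GrantedAuthorityImpl(role));
        }
        return new User(record.username, signingValue, authorities);
    }
}
```

Wired in as user-service-ref on both the remember-me element and the custom authentication provider, this keeps the cookie working while making the remember-me signature depend on something you can rotate, rather than on a constant shared by every account.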
