【发布时间】:2018-09-23 01:34:56
【问题描述】:
我在 spring 安全性方面遇到了一个非常奇怪的问题。
remember-me 令牌似乎只持续一次自动登录,之后就停止工作了。
1.登录后:
2.然后,我手动删除 JSESSIONID cookie 并重新加载页面
3.我再次删除 JSESSIONID cookie 并重新加载页面。
现在,我退出了!
在控制台中我得到了这个:
SEVERE [http-nio-8080-exec-10] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [dispatcher] in context with path [] threw exception
org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
我读到这可能是浏览器同时发出多个请求的结果,我检查了(禁用所有资源,只留下纯 HTML,但无济于事)
这是我的配置
@EnableWebSecurity
public class Security extends WebSecurityConfigurerAdapter {
@Autowired
private CustomUserDetailsService customUserDetailsService;
@Autowired
DataSource dataSource;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/assets/**").permitAll();
http.authorizeRequests().anyRequest().authenticated();
http.formLogin().permitAll();
http.rememberMe().tokenRepository(persistentTokenRepository()).userDetailsService(customUserDetailsService);
http.logout().permitAll();
}
@Bean
public PersistentTokenRepository persistentTokenRepository() {
JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
tokenRepository.setDataSource(dataSource);
return tokenRepository;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider());
}
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(customUserDetailsService);
authProvider.setPasswordEncoder(passwordEncoder());
return authProvider;
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(11);
}
}
【问题讨论】:
标签: spring-security remember-me