Spring Session提供了与Spring Security的“记住我”(remember-me)身份验证集成的支持:
目的:
- 更改会话过期长度
- 确保会话cookie在Integer.MAX_VALUE处过期。将cookie过期设置为最大的可能值,因为只有在创建会话时才设置cookie。如果将其设置为与会话到期相同的值,那么当用户使用会话时,会话的过期时间会被刷新,但是cookie的过期时间不会更新,导致cookie的过期时间被固定在创建时的值。
具体做法:
1.login.html
<input type="checkbox" name="remember-me" lay-skin="primary" title="记住密码">
注意:name必须为remember-me,否则设置失败。
2.SecurityConfig配置
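/**
 * Request-level security configuration.
 *
 * <p>The login, forget-password and registration pages (and the login form POST) are
 * reachable anonymously; every other request requires authentication. Remember-me is
 * delegated to {@link #rememberMeServices()} so the Spring Session remember-me flow is used.
 *
 * @param http the builder supplied by Spring Security
 * @throws Exception propagated from the {@code HttpSecurity} builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            // login, forget-password and registration pages must be open
            .antMatchers(HttpMethod.GET, "/user/login", "/user/forget", "/user/regist").permitAll()
            // the login form POST must be open, otherwise nobody can authenticate
            .antMatchers(HttpMethod.POST, "/user/checkLogin").permitAll()
            .anyRequest().authenticated()
        .and()
            .formLogin()
            .loginPage("/user/login")                // custom login page
            .loginProcessingUrl("/user/checkLogin")  // form submit target
            .failureUrl("/user/login?error=true")    // lets the page show an error hint
            .defaultSuccessUrl("/index")
        .and()
            .logout()
            // logout only via POST so a plain link / GET cannot end the session
            .logoutRequestMatcher(new AntPathRequestMatcher("/user/logout", "POST"))
            .permitAll()
            .logoutSuccessUrl("/user/login?logout=true")
        .and()
            // SECURITY: CSRF protection is switched off for the whole application. With
            // cookie-based sessions plus remember-me, every state-changing POST (including
            // /user/checkLogin and /user/logout) then becomes forgeable from a third-party page.
            // Prefer keeping CSRF enabled and emitting the token in login.html, or narrow the
            // exemption to specific paths with csrf().ignoringAntMatchers(...).
            .csrf().disable()
            .rememberMe().rememberMeServices(rememberMeServices())
        .and()
            .headers()
            .frameOptions().sameOrigin()  // allow framing from the same origin only
        .and()
            .sessionManagement()
            .maximumSessions(1)           // one concurrent session per principal
            .expiredUrl("/user/login?expired=true");
}

/**
 * Remember-me services backed by Spring Session.
 *
 * <p>The remembered session is valid for 1000 seconds; the library default is
 * 2592000 seconds (30 days).
 *
 * @return the configured {@code SpringSessionRememberMeServices}
 */
@Bean
public SpringSessionRememberMeServices rememberMeServices() {
    SpringSessionRememberMeServices rememberMeServices = new SpringSessionRememberMeServices();
    // expire after 1000 seconds instead of the 30-day default
    rememberMeServices.setValiditySeconds(1000);
    return rememberMeServices;
}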
源码:
//登录成功后的检验
/**
 * Marks the current request as a remember-me login.
 *
 * <p>Nothing happens unless {@code alwaysRemember} is set or the login request carried
 * the remember-me parameter (see {@link #rememberMeRequested}); in that case the
 * {@code REMEMBER_ME_LOGIN_ATTR} request attribute is set to {@code true}.
 * NOTE(review): this excerpt does not show where {@code validitySeconds}
 * (default 2592000 s, i.e. 30 days) is applied to the session — confirm against the full class.
 *
 * @param request the request of the login that just succeeded
 * @param response not used by this method
 * @param successfulAuthentication the successful authentication; not used by this method
 */
public final void loginSuccess(HttpServletRequest request,
        HttpServletResponse response, Authentication successfulAuthentication) {
    // alwaysRemember (default false) makes the parameter check unnecessary
    boolean remembered = this.alwaysRemember
            || rememberMeRequested(request, this.rememberMeParameterName);
    if (remembered) {
        request.setAttribute(REMEMBER_ME_LOGIN_ATTR, true);
    }
    else {
        logger.debug("Remember-me login not requested.");
    }
}
/**
 * Decides whether the login request asked for a persistent (remember-me) login.
 *
 * <p>The default rule accepts the configured parameter when its value is one of
 * {@code true}, {@code on}, {@code yes} (case-insensitive) or {@code 1}; a missing
 * parameter or any other value means "not requested". Subclasses may override this
 * to apply a different rule.
 *
 * @param request the interactive login request, which may carry the remember-me parameter
 * @param parameter the configured remember-me parameter name
 * @return {@code true} when the request asks for a persistent login
 */
protected boolean rememberMeRequested(HttpServletRequest request, String parameter) {
    String value = request.getParameter(parameter);
    if (value != null) {
        // an HTML checkbox without a value attribute submits "on"; the other
        // spellings cover forms that set the value explicitly
        for (String accepted : new String[] { "true", "on", "yes", "1" }) {
            if (value.equalsIgnoreCase(accepted)) {
                return true;
            }
        }
    }
    if (logger.isDebugEnabled()) {
        logger.debug("Did not send remember-me cookie (principal did not set "
                + "parameter '" + parameter + "')");
    }
    return false;
}