spring-security (5) java config-sample: rememberme

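Preface:
  This article briefly introduces how to use the remember me feature that spring-security provides. Parameter names and configuration follow the Spring defaults; later chapters will explain in detail how to customize them.
Environment:
  spring boot version: 1.5.4.RELEASE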

1. Project structure



The application.yml file is placed under the src/main/resources/ directory

2. Configuration class SecurityConfig.java
/**
 * 
 */
package nariis.chengf.security.samples.javaconfig.remeberme;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author: chengaofeng
 * @date: created 2018-01-16 19:32:47
 * @Description: TODO
 * @version V1.0
 */
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

	@Autowired
	public void auth(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication().withUser("user").password("password").authorities("ROLE_USER");
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http
		.csrf()
			.disable()
		.authorizeRequests()
			.anyRequest().authenticated()
			.and()
		.formLogin()
			.loginPage("/login.html")
			.permitAll()
			.and()
		.rememberMe()
			.and()
		.logout()
			.logoutSuccessUrl("/login.html");
	}
}


For simplicity, this sample disables the CSRF check and uses in-memory authentication.
2. Startup class RemeberMeApp.java
package nariis.chengf.security.samples.javaconfig.remeberme;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/**
 * Hello world!
 *
 */
@SpringBootApplication
public class RemeberMeApp 
{
    public static void main( String[] args )
    {
        SpringApplication.run(RemeberMeApp.class, args);
    }
}

3. The project's pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>

	<groupId>nariis.chengf</groupId>
	<artifactId>security-samples-javaconfig-remeberme</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<packaging>jar</packaging>

	<name>security-samples-javaconfig-remeberme</name>
	<url>http://maven.apache.org</url>

	<properties>
		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
	</properties>
	<dependencyManagement>

		<dependencies>
			<dependency>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-starter-parent</artifactId>
				<version>1.5.4.RELEASE</version>
				<type>pom</type>
				<scope>import</scope>
			</dependency>
		</dependencies>
	</dependencyManagement>
	<dependencies>
		<dependency>
			<groupId>junit</groupId>
			<artifactId>junit</artifactId>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
		</dependency>
	</dependencies>
	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
				<executions>
					<execution>
						<goals>
							<goal>repackage</goal>
						</goals>
					</execution>
				</executions>
				<configuration>
					<mainClass>${start-class}</mainClass>
				</configuration>
			</plugin>
		</plugins>
	</build>
</project>

4. Login page login.html
<html xmlns:th="http://www.thymeleaf.org">
	<head th:include="layout :: head(title=~{::title},links=~{})">
		<title>Please Login</title>
	</head>
	<body th:include="layout :: body" th:with="content=~{::content}">
		<div th:fragment="content">
			<form name="f" th:action="@{/login}" method="post">
				<fieldset>
					<legend>Please Login</legend>
					<div th:if="${param.error}" class="alert alert-error">Invalid
						username and password.</div>
					<div th:if="${param.logout}" class="alert alert-success">You
						have been logged out.</div>
					<label for="username">Username</label> <input type="text"
						id="username" name="username" /> <label for="password">Password</label>
					<input type="password" id="password" name="password" /> <label
						for="remember-me">Remember Me?</label> <input type="checkbox"
						id="remember-me" name="remember-me" />
					<div class="form-actions">
						<button type="submit" class="btn">Log in</button>
					</div>
				</fieldset>
			</form>
		</div>
	</body>
</html>

The form defines a checkbox named remember-me; because the Spring default configuration is used, it must have exactly this name.

5. Default welcome page after a successful login, index.html
<!DOCTYPE html>
<html>
<head>
<title>Static</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
	hello! wait for 2 minutes and refresh the browser,you will still be here.
</body>
</html>

6. Project configuration file application.yml
server:
  session:
    timeout: 120

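Because the default session lifetime of Spring's embedded Tomcat is 30 minutes, we change the session lifetime to 2 minutes here so that the remember me feature is easier to verify.
7. Start the project
  Select the startup class and choose Run As -> Java application. After a normal startup, enter
http://localhost:8080/login.html in the browser; normally you will see the following page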



Enter the username user and the password password, tick Remember me and click login; we are then redirected to the welcome page



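Next, wait more than two minutes for the session to expire and refresh the page: we are still logged in. If we had not ticked remember me on the login page, refreshing this page after waiting more than two minutes would redirect us to the login page and require us to log in again.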

By default, spring uses TokenBasedRememberMeServices; the onLoginSuccess method of this class shows clearly that the default remember-me duration is TWO_WEEKS_S (two weeks).


Reposted from fengyilin.iteye.com/blog/2410989