本文主要是介绍Spring Security 中实现 Remember Me 记住密码功能,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
在 Spring Boot 应用中使用 Spring Security 并实现 Remember Me 记住密码功能,实现自动登录
项目地址 https://github.com/helloworlde/SpringSecurity
前置条件:在 Spring Boot 应用中已正确配置 Spring Security
##在页面添加记住密码的复选框
<input type="checkbox" name="remember-me"/> Remember me
##在 Security Config 配置文件中启用记住密码功能(验证信息存放在内存中)
- SecurityConfig
import cn.com.hellowood.springsecurity.security.CustomAuthenticationProvider;import cn.com.hellowood.springsecurity.security.CustomUserDetailsService;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;import org.springframework.security.config.annotation.web.builders.HttpSecurity;import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdater;@EnableWebSecuritypublic class SecurityConfig extends WebSecurityConfigurerAdapter {@Autowiredprivate CustomAuthenticationProvider customAuthenticationProvider;@Autowiredprivate CustomUserDetailsService userDetailsService;@Overrideprotected void configure(HttpSecurity http) throws Exception {// 任何用户都可以访问以下URIhttp.authorizeRequests().antMatchers("/", "/login", "/login-error", "/css/**", "/index").permitAll();// 其他URI均需要权限校验http.authorizeRequests().anyRequest().authenticated();// 只需要以下配置即可启用记住密码http.authorizeRequests().and().rememberMe();http.formLogin().loginPage("/login").usernameParameter("username").passwordParameter("password").successForwardUrl("/user/index").failureUrl("/login-error");}@Autowiredpublic void configureGlobal(AuthenticationManagerBuilder auth) {// 为了使用用户名密码校验实现了AuthenticationProvider和UserDetailsService类auth.authenticationProvider(customAuthenticationProvider);try {auth.userDetailsService(userDetailsService);} catch (Exception e) {e.printStackTrace();}}}这样就可以使用记住密码了,选择记住密码登录后会在本地保存 Cookie,下次登录的时候通过 Cookie 校验用户信息;用户登录的信息保存在内存中,当内存断电或被清除之后该 Cookie 即使在有效期内也无法登录。
通过数据库存放校验信息实现记住密码登录
###创建保存校验信息的表(表名和字段值必须为以下内容)
CREATE TABLE persistent_logins (username VARCHAR(64) NOT NULL,series VARCHAR(64) NOT NULL PRIMARY KEY,token VARCHAR(64) NOT NULL,last_used TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP);配置 Security Config
import cn.com.hellowood.springsecurity.security.*;import org.slf4j.Logger;import org.slf4j.LoggerFactory;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.beans.factory.annotation.Qualifier;import org.springframework.context.annotation.Bean;import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;import org.springframework.security.config.annotation.web.builders.HttpSecurity;import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;import org.springframework.security.core.session.SessionRegistry;import org.springframework.security.core.session.SessionRegistryImpl;import org.springframework.security.web.authentication.RememberMeServices;import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;import javax.sql.DataSource;@EnableWebSecuritypublic class SecurityConfig extends WebSecurityConfigurerAdapter {private final Logger logger = LoggerFactory.getLogger(getClass());@Autowiredprivate CustomAuthenticationProvider customAuthenticationProvider;@Autowiredprivate CustomUserDetailsService userDetailsService;// 数据源是为了JdbcRememberMeImpl实例而注入的,如果不设置数据源会在登陆的时候抛空指针异常@Autowired@Qualifier("dataSource")DataSource dataSource;@Overrideprotected void configure(HttpSecurity http) throws Exception {// 任何用户都可以访问以下URIhttp.authorizeRequests().antMatchers("/", "/login", "/login-error", "/css/**", "/index").permitAll();// 其他URI需要权限验证http.authorizeRequests().anyRequest().authenticated();// 当通过JDBC方式记住密码时必须设置 key,key 可以为任意非空(null 或 "")字符串,但必须和 RememberMeService 构造参数的// key 一致,否则会导致通过记住密码登录失败http.authorizeRequests().and().rememberMe().rememberMeServices(rememberMeServices()).key("INTERNAL_SECRET_KEY");// 当登录成功后会被重定向到 /user/index, 所以 loginPage 和 loginProcessingUrl 相同http.formLogin().loginPage("/login").loginProcessingUrl("/login").usernameParameter("username").passwordParameter("password").successForwardUrl("/user/index").failureUrl("/login-error");}/*** 返回 RememberMeServices 实例** @return the remember me services*/@Beanpublic RememberMeServices rememberMeServices() {JdbcTokenRepositoryImpl rememberMeTokenRepository = new JdbcTokenRepositoryImpl();// 此处需要设置数据源,否则无法从数据库查询验证信息rememberMeTokenRepository.setDataSource(dataSource);// 此处的 key 可以为任意非空值(null 或 ""),单必须和起前面// rememberMeServices(RememberMeServices rememberMeServices).key(key)的值相同PersistentTokenBasedRememberMeServices rememberMeServices =new PersistentTokenBasedRememberMeServices("INTERNAL_SECRET_KEY", userDetailsService, rememberMeTokenRepository);// 该参数不是必须的,默认值为 "remember-me", 但如果设置必须和页面复选框的 name 一致rememberMeServices.setParameter("remember-me");return rememberMeServices;}/*** Configure global.** @param auth the auth* @throws Exception the exception*/@Autowiredpublic void configureGlobal(AuthenticationManagerBuilder auth) {// 为了使用用户名密码校验实现了AuthenticationProvider和UserDetailsService类auth.authenticationProvider(customAuthenticationProvider);try {auth.userDetailsService(userDetailsService);} catch (Exception e) {logger.error("Set userDetailService failed, {}", e.getMessage());e.printStackTrace();}}}
这样就可以实现将校验信息保存在数据库中,下次通过记住密码登录后再次访问页面会根据 Cookie 查找该用户的登录信息,如果登录信息有效则登录成功, 否则重定向到登录页面
- 自定义实现 AuthenticationProvider 接口
import org.slf4j.Logger;import org.slf4j.LoggerFactory;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.security.authentication.AuthenticationProvider;import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;import org.springframework.security.core.Authentication;import org.springframework.security.core.AuthenticationException;import org.springframework.security.core.GrantedAuthority;import org.springframework.stereotype.Component;import java.util.ArrayList;import java.util.List;/*** The type Custom authentication provider.** @author HelloWood*/@Componentpublic class CustomAuthenticationProvider implements AuthenticationProvider {private final Logger logger = LoggerFactory.getLogger(getClass());@Autowiredprivate CustomUserDetailsService userDetailsService;/*** Validate user info is correct form database** @param authentication* @return* @throws AuthenticationException*/@Overridepublic Authentication authenticate(Authentication authentication) throws AuthenticationException {String username = authentication.getName();String password = authentication.getCredentials().toString();List<GrantedAuthority> grantedAuthorities = new ArrayList<>();logger.info("start validate user {} login", username);// 通过用户名和密码校验,如果校验不通过会抛出 AuthenticationExceptionuserDetailsService.loadUserByUsernameAndPassword(username, password);Authentication auth = new UsernamePasswordAuthenticationToken(username, password, grantedAuthorities);return auth;}@Overridepublic boolean supports(Class<?> authentication) {return authentication.equals(UsernamePasswordAuthenticationToken.class);}}
- 自定义实现 UserDetailsService 接口
import cn.com.hellowood.springsecurity.mapper.UserMapper;import cn.com.hellowood.springsecurity.model.UserModel;import org.slf4j.Logger;import org.slf4j.LoggerFactory;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.security.authentication.AccountExpiredException;import org.springframework.security.authentication.BadCredentialsException;import org.springframework.security.core.AuthenticationException;import org.springframework.security.core.GrantedAuthority;import org.springframework.security.core.userdetails.User;import org.springframework.security.core.userdetails.UserDetails;import org.springframework.security.core.userdetails.UserDetailsService;import org.springframework.security.core.userdetails.UsernameNotFoundException;import org.springframework.stereotype.Service;import javax.servlet.http.HttpSession;import java.util.ArrayList;/*** The type Custom user details service.** @author HelloWood*/@Service("userDetailsService")public class CustomUserDetailsService implements UserDetailsService {private Logger logger = LoggerFactory.getLogger(getClass());@Autowiredprivate UserMapper userMapper;@Autowiredprivate HttpSession session;/*** 通过用户名和密码加载用户信息并校验** @param username the username* @param password the password* @return the user model* @throws AuthenticationException the authentication exception*/public UserModel loadUserByUsernameAndPassword(String username, String password) throws AuthenticationException {logger.info("user {} is login by username and password", username);UserModel user = userMapper.getUserByUsernameAndPassword(username, password);validateUser(username, user);return user;}/*** 通过用户名加载用户信息,重写该方法用于记住密码后通过 Cookie 登录* * @param username* @param user*/@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {logger.info("user {} is login by remember me cookie", username);UserModel user = userMapper.getUserByUsername(username);validateUser(username, user);return new User(user.getUsername(), user.getPassword(), new ArrayList<GrantedAuthority>());}/*** 校验用户信息并将用户信息放在 Session 中** @param username* @param user*/private void validateUser(String username, UserModel user) {if (user == null) {logger.error("user {} login failed, username or password is wrong", username);throw new BadCredentialsException("Username or password is not correct");} else if (!user.getEnabled()) {logger.error("user {} login failed, this account had expired", username);throw new AccountExpiredException("Account had expired");}// TODO There should add more logic to determine locked, expired and others statuslogger.info("user {} login success", username);// 当用户信息有效时放入 Session 中session.setAttribute("user", user);}}这篇关于Spring Security 中实现 Remember Me 记住密码功能的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
