spring-security.xml配置
环境:
spring版本:5.0.7.RELEASE
spring-security.xml引入:
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd
1、添加以下remember-me服务需要的bean:
<!-- Remember-me support beans. -->

<!-- Provider that validates remember-me authentication tokens.
     The key must be identical to the key passed to myRememberMeServices below.
     "xxxxxxxx" is a placeholder: use a long random secret and keep the real value
     out of source control. -->
<beans:bean id="myRememberMeAuthenticationProvider"
            class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    <beans:constructor-arg name="key" value="xxxxxxxx"/>
</beans:bean>

<!-- Must not be combined with a <remember-me> element inside <http>;
     otherwise startup fails with "have the same 'order' value". -->
<beans:bean id="myRememberMeAuthenticationFilter"
            class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    <beans:constructor-arg name="rememberMeServices" ref="myRememberMeServices"/>
    <beans:constructor-arg name="authenticationManager" ref="authenticationManager"/>
</beans:bean>

<!-- RememberMeServices implementation backed by persistent tokens.
     NOTE(review): the cookie's Secure flag is not configured here. If HTTPS is terminated
     in front of the application, confirm the remember-me cookie is still marked Secure
     (the useSecureCookie property controls this). -->
<beans:bean id="myRememberMeServices"
            class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
    <!-- Same key as myRememberMeAuthenticationProvider. -->
    <beans:constructor-arg name="key" value="xxxxxxxx"/>
    <beans:constructor-arg name="userDetailsService" ref="myUserDetailService"/>
    <beans:constructor-arg name="tokenRepository" ref="myPersistentTokenRepository"/>
    <!-- Token lifetime: 86400 seconds = 1 day. -->
    <beans:property name="tokenValiditySeconds" value="86400"/>
</beans:bean>

<!-- Persists tokens in the persistent_logins database table.
     The rows hold the series and token values that the cookie presents, so treat
     the table as credential material and restrict access to it accordingly. -->
<beans:bean id="myPersistentTokenRepository"
            class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
    <beans:property name="dataSource" ref="dataSource"/>
</beans:bean>
2、将你的RememberMeServices实现设置到UsernamePasswordAuthenticationFilter.setRememberMeServices()属性中,把RememberMeAuthenticationProvider加入AuthenticationManager.setProviders()的列表,并将RememberMeAuthenticationFilter添加到你的FilterChainProxy中(一般在你的UsernamePasswordAuthenticationFilter之后)。
详细如下:
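<!-- Main security filter chain: every URL requires an authenticated user.
     NOTE(review): because /** requires authentication, the /login page has to be
     exempted somewhere outside this snippet; confirm. -->
<http auto-config="false" use-expressions="true"
      entry-point-ref="myLoginUrlAuthenticationEntryPoint">
    <intercept-url pattern="/**" access="authenticated"/>
    <custom-filter ref="loginAuthenticationFilter" position="FORM_LOGIN_FILTER"/>
    <custom-filter ref="myRememberMeAuthenticationFilter" position="REMEMBER_ME_FILTER"/>

    <!-- On logout, invalidate the session and delete cookies. Per the original author,
         CookieClearingLogoutHandler.logout() is only triggered when logout-url is /logout.
         Because remember-me is wired through custom beans rather than a <remember-me>
         element, nothing in this snippet registers myRememberMeServices as a logout handler,
         so the remember-me cookie would survive logout and log the user straight back in.
         The cookie (default name "remember-me") is therefore cleared here as well.
         This does not remove the row in persistent_logins; for that, myRememberMeServices
         itself has to run as a logout handler. -->
    <logout logout-url="/logout" logout-success-url="/login" invalidate-session="true"
            delete-cookies="JSESSIONID,remember-me"/>

    <!-- session-authentication-strategy-ref (not set here) selects the session
         authentication strategy.
         NOTE(review): loginAuthenticationFilter below does not set a
         sessionAuthenticationStrategy property; confirm that max-sessions and session
         fixation protection are actually applied when logging in through the custom filter. -->
    <session-management invalid-session-url="/login">
        <concurrency-control max-sessions="1"/>
    </session-management>

    <!-- NOTE(review): CSRF protection is switched off. With session and remember-me
         cookies in use, state-changing requests are then accepted without a CSRF token.
         Remove this element once the login form and other forms submit the token. -->
    <csrf disabled="true"/>
</http>

<!-- Must not be combined with <form-login>, because it does the same job as
     http.formLogin(); using both fails with "have the same 'order' value". -->
<beans:bean id="loginAuthenticationFilter"
            class="com.example.demo.web.security.MyUsernamePasswordAuthenticationFilter">
    <!-- Request parameter that carries the user name at login. -->
    <beans:property name="usernameParameter" value="name"/>
    <!-- Request parameter that carries the password at login. -->
    <beans:property name="passwordParameter" value="pass"/>
    <!-- URL the login form is submitted to. -->
    <beans:property name="filterProcessesUrl" value="/signin"/>
    <beans:property name="authenticationSuccessHandler" ref="myAuthenticationSuccessHandler"/>
    <beans:property name="authenticationFailureHandler" ref="myAuthenticationFailureHandler"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <!-- Lets a successful form login issue the remember-me cookie. -->
    <beans:property name="rememberMeServices" ref="myRememberMeServices"/>
</beans:bean>

<!-- Authentication manager: the entry point for user authentication; it mainly requires
     a UserDetailsService implementation. The remember-me provider is listed so that
     tokens produced by myRememberMeAuthenticationFilter can be authenticated. -->
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="myDaoAuthenticationProvider"/>
    <authentication-provider ref="myRememberMeAuthenticationProvider"/>
</authentication-manager>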