Implementing remember-me in a project with Spring Security and Spring Session


Spring Session provides integration with Spring Security's "remember-me" authentication:

Purpose:

    - Change the length of the session expiration.
    - Ensure the session cookie expires at Integer.MAX_VALUE. The cookie expiration is set to the largest possible value because the cookie is only set when the session is created. If it were set to the same value as the session expiration, the session would be renewed whenever the user used it, but the cookie expiration would not be updated, so the expiration would effectively be fixed.

Steps:

1. login.html

    <input type="checkbox" name="remember-me" lay-skin="primary" title="记住密码">

Note: the name must be remember-me (the parameter name SpringSessionRememberMeServices reads by default); otherwise the setting does not take effect.

2. SecurityConfig

The configuration below is the original snippet with the imports and class header added so that it compiles as a complete class:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.authentication.RememberMeServices;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
    import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests() // request-level security rules are configured on the returned object
                .antMatchers(HttpMethod.GET, "/user/login", "/user/forget", "/user/regist").permitAll() // the login, forgot-password and registration pages are not intercepted
                .antMatchers(HttpMethod.POST, "/user/checkLogin").permitAll() // the login submission is not intercepted either
                .anyRequest().authenticated() // everything else requires an authenticated user
                .and().formLogin() // configure form login
                .loginPage("/user/login") // path of the login page
                .loginProcessingUrl("/user/checkLogin") // path the login form posts to
                .failureUrl("/user/login?error=true") // redirect after a failed login, so the client can show a hint
                .defaultSuccessUrl("/index") // default redirect after a successful login
                .and().logout() // logout handling
                .logoutRequestMatcher(new AntPathRequestMatcher("/user/logout", "POST")) // logout path; must be a POST
                .permitAll().logoutSuccessUrl("/user/login?logout=true") // redirect after a successful logout
                .and().csrf().disable() // CSRF protection is turned off in this project
                .rememberMe().rememberMeServices(rememberMeServices()) // delegate remember-me to Spring Session
                .and().headers().frameOptions().sameOrigin() // allow rendering inside same-origin iframes
                .and().sessionManagement().maximumSessions(1).expiredUrl("/user/login?expired=true"); // one session per user
        }

        @Bean
        public static RememberMeServices rememberMeServices() {
            SpringSessionRememberMeServices rememberMeServices = new SpringSessionRememberMeServices();
            // remembered sessions expire after 1000 seconds of inactivity
            rememberMeServices.setValiditySeconds(1000);
            return rememberMeServices;
        }
    }
     

Source (the relevant part of SpringSessionRememberMeServices):

    // called after a successful login
    public final void loginSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication successfulAuthentication) {
        // alwaysRemember: defaults to false; set it to true to remember every login
        if (!this.alwaysRemember
                && !rememberMeRequested(request, this.rememberMeParameterName)) {
            logger.debug("Remember-me login not requested.");
            return;
        }
        request.setAttribute(REMEMBER_ME_LOGIN_ATTR, true);
        // validitySeconds defaults to 2592000, i.e. 30 days
        request.getSession().setMaxInactiveInterval(this.validitySeconds);
    }

    /**
     * Allows customization of whether a remember-me login has been requested. The default
     * is to return {@code true} if the configured parameter name has been included in the
     * request and is set to the value {@code true}.
     * @param request the request submitted from an interactive login, which may include
     * additional information indicating that a persistent login is desired.
     * @param parameter the configured remember-me parameter name.
     * @return true if the request includes information indicating that a persistent login
     * has been requested.
     */
    protected boolean rememberMeRequested(HttpServletRequest request, String parameter) {
        // read the value submitted for the remember-me parameter
        String rememberMe = request.getParameter(parameter);
        // any of the following values means the user asked to be remembered
        if (rememberMe != null) {
            if (rememberMe.equalsIgnoreCase("true") || rememberMe.equalsIgnoreCase("on")
                    || rememberMe.equalsIgnoreCase("yes") || rememberMe.equals("1")) {
                return true;
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Did not send remember-me cookie (principal did not set "
                    + "parameter '" + parameter + "')");
        }
        return false;
    }
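To see both effects described above end to end (the session's max inactive interval follows validitySeconds, and the session cookie's Max-Age is pinned to Integer.MAX_VALUE), here is an added JUnit 5 test that is not part of the original post. It assumes spring-session-core, spring-security-web, spring-test and the javax Servlet API on the classpath; the principal "alice" and the session id are constructed values.

```java
import static org.junit.jupiter.api.Assertions.*;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

class SpringSessionRememberMeTest {

    private static final String ATTR = SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR;
    // Replays what the filter chain does after a successful POST to /user/checkLogin: first the
    // RememberMeServices hook, then the cookie serializer that writes the SESSION cookie.
    private static MockHttpServletResponse loginAndWriteCookie(MockHttpServletRequest request) {
        SpringSessionRememberMeServices services = new SpringSessionRememberMeServices();
        services.setValiditySeconds(1000); // same value as in SecurityConfig above
        MockHttpServletResponse response = new MockHttpServletResponse();
        // "alice" is a constructed principal; loginSuccess does not inspect the Authentication
        services.loginSuccess(request, response, new UsernamePasswordAuthenticationToken("alice", "n/a"));
        // Spring Session's auto-configured DefaultCookieSerializer is wired with this attribute
        // name; it is set explicitly here because the test runs without a Spring context.
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setRememberMeRequestAttribute(ATTR);
        serializer.writeCookieValue(new CookieSerializer.CookieValue(request, response, "constructed-session-id"));
        return response;
    }

    @Test
    void checkedBoxExtendsSessionAndPinsCookieMaxAge() {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/user/checkLogin");
        request.setParameter("remember-me", "on"); // what a ticked checkbox submits
        MockHttpServletResponse response = loginAndWriteCookie(request);
        assertEquals(Boolean.TRUE, request.getAttribute(ATTR));
        assertEquals(1000, request.getSession().getMaxInactiveInterval()); // validitySeconds applied
        // Cookie Max-Age is Integer.MAX_VALUE, so the session timeout, not the cookie, ends the login
        assertTrue(response.getHeader("Set-Cookie").contains("Max-Age=2147483647"));
    }

    @Test
    void uncheckedBoxLeavesDefaults() {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/user/checkLogin");
        MockHttpServletResponse response = loginAndWriteCookie(request);
        assertNull(request.getAttribute(ATTR));
        assertNotEquals(1000, request.getSession().getMaxInactiveInterval());
        // Without the attribute the serializer writes a plain session cookie with no Max-Age
        assertFalse(response.getHeader("Set-Cookie").contains("Max-Age"));
    }
}
```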


Original post: https://www.cnblogs.com/niugang0920/p/12190476.html
Copyright © 2020-2023  润新知