2010-09-19 53 views
1

All I want is a simple remember-me. I read http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html, the simple Spring <remember-me/> ... please help.

What I have done so far:

  1. Created my own UserDetailsService working with Hibernate/JPA. My impl. does not take any remember-me stuff into account.
  2. Configured remember-me in the appContext via <security:remember-me key="89dqj219dn910lsAc12" user-service-ref="jpaUserDetailsService" token-validity-seconds="864000"/>
  3. Verified that the cookie SPRING_SECURITY_REMEMBER_ME_COOKIE is really created.
  4. Logged in to the secured site; when I restart my browser, it works.
  5. But I keep getting an error:

    org.springframework.security.access.AccessDeniedException: Access is denied Authentication object as a String: org.springframework.security.authentication.RememberMeAuthenticationToken@9ab72a70: Principal: [email protected]: Username: myad; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; PersonalInformation: 65537; ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_USER

Here is my secContext.xml:

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns:security="http://www.springframework.org/schema/security" 
     xsi:schemaLocation=" 
      http://www.springframework.org/schema/beans 
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
      http://www.springframework.org/schema/security 
      http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 

    <security:global-method-security pre-post-annotations="enabled"> 
    </security:global-method-security> 

    <security:http use-expressions="true" access-denied-page="/accessDenied"> 
     <security:form-login 
       login-page="/login" 
       login-processing-url="/loginProcess" 
       default-target-url="/intro" 
       authentication-failure-url="/login?login_error=1" 
       /> 
     <security:logout 
       logout-url="/logout" 
       logout-success-url="/logoutSuccess"/> 

     <security:intercept-url pattern="/**" access="permitAll"/> 
     <security:intercept-url pattern="/login" access="permitAll"/> 
     <security:intercept-url pattern="/styles/**" access="permitAll"/> 
     <security:intercept-url pattern="/scripts/**" access="permitAll"/> 
     <security:remember-me key="89dqj219dn910lsAc12" user-service-ref="jpaUserDetailsService" 
           token-validity-seconds="864000"/> 
    </security:http> 

    <security:authentication-manager alias="authenticationManager"> 
     <security:authentication-provider user-service-ref="jpaUserDetailsService"> 
      <security:password-encoder hash="sha"> 
      </security:password-encoder> 
     </security:authentication-provider> 
    </security:authentication-manager> 

    <bean id="rememberMeFilter" class= 
      "org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter"> 
     <property name="rememberMeServices" ref="rememberMeServices"/> 
     <property name="authenticationManager" ref="authenticationManager"/> 
    </bean> 

    <bean id="rememberMeServices" class= 
      "org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices"> 
     <property name="userDetailsService" ref="jpaUserDetailsService"/> 
     <property name="key" value="89dqj219dn910lsAc12"/> 
    </bean> 

    <bean id="rememberMeAuthenticationProvider" class= 
      "org.springframework.security.authentication.RememberMeAuthenticationProvider"> 
     <property name="key" value="89dqj219dn910lsAc12"/> 
    </bean> 
</beans> 

And finally some debug trace:

03:45:14.598 [[email protected]] DEBUG o.s.w.b.a.s.HandlerMethodInvoker - Invoking request handler method: public java.lang.String de.myapp.controller.bstController.showbstpage(java.lang.String,javax.servlet.http.HttpServletResponse) 
03:45:14.598 [[email protected]] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Secure object: ReflectiveMethodInvocation: public java.lang.String de.myapp.controller.bstController.showbstpage(java.lang.String,javax.servlet.http.HttpServletResponse); target is of class [de.myapp.controller.bstController]; Attributes: [[authorize: 'isFullyAuthenticated() and #username == principal.username', filter: 'null', filterTarget: 'null']] 
03:45:14.598 [[email protected]] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.RememberMeAuthenticationToken@9ab72a70: Principal: [email protected]: Username: myad; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; PersonalInformation: 65537; ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_USER 
03:45:14.599 [[email protected]] DEBUG o.s.c.c.s.GenericConversionService - Converting value false of [TypeDescriptor java.lang.Boolean] to [TypeDescriptor java.lang.Boolean] 
03:45:14.599 [[email protected]] TRACE o.s.c.c.s.GenericConversionService - Matched cached converter NO_OP 
03:45:14.599 [[email protected]tp-10131947-7] DEBUG o.s.c.c.s.GenericConversionService - Converted to false 
03:45:14.599 [[email protected]] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframewor[email protected]a866a9, returned: -1 
03:45:14.599 [[email protected]] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: [email protected], returned: 0 
03:45:14.599 [[email protected]] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: [email protected]d6f, returned: 0 

I really don't know where to continue debugging. What am I missing? Do I have to write my own remember-me implementation?

I would really appreciate a demo/sample application that shows Spring's default remember-me implementation working...

-------- EDIT ----------

I just compiled and ran the remember-me reference applications from Spring Security itself: spring-security\samples\tutorial, the accounts app and the contacts app. I actually have exactly the same problem there?!? I have tried Firefox, Opera and IE... I'm stuck...

Answers

0

When you log in, is the "password" field on your UserDetails object set to a non-null/non-empty value? In my application the actual authentication is delegated to another system, and I don't store the password the user submitted in my UserDetails object. I could not get the RememberMe cookie to work until I set the password property to some value. In my case I just defaulted the property to the word "password" so that it would not be null/empty.

I don't know whether this is your situation as well, but it drove me crazy until I figured it out.

1

Since you are getting a valid authentication token from the remember-me cookie, it looks like remember-me authentication is working fine in your application.

However, the log output shows that there is a method access-control annotation on the controller method bstController.showbstpage with the expression isFullyAuthenticated() and #username == principal.username, which requires "full" authentication. Remember-me does not count as full authentication, so the expression rejects the current authentication.

Also, your intercept-url elements are wrongly ordered, since /** is at the top and will apply to all requests, making the other elements redundant.

Furthermore, it is not possible to get the same problem with the sample applications, because they do not require full authentication for any operation, so you must have some other problem there.
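The two points in this answer, applied to the <security:http> section from the question, as an added example (this is not code from the question or from either answer). It assumes the site should require a login for everything except the login page, the logout landing page and static resources, and that /account/password/** is a made-up example of a URL that should force a fresh form login; the remember-me key is a placeholder.

```xml
<!-- Example rewrite of the <security:http> block from the question.
     Spring Security evaluates intercept-url elements top to bottom and
     uses the FIRST matching pattern, so specific rules go first and the
     catch-all goes last. -->
<security:http use-expressions="true" access-denied-page="/accessDenied">
    <security:form-login
        login-page="/login"
        login-processing-url="/loginProcess"
        default-target-url="/intro"
        authentication-failure-url="/login?login_error=1"/>
    <security:logout
        logout-url="/logout"
        logout-success-url="/logoutSuccess"/>

    <!-- Public pages and static content: most specific patterns first. -->
    <security:intercept-url pattern="/login" access="permitAll"/>
    <security:intercept-url pattern="/logoutSuccess" access="permitAll"/>
    <security:intercept-url pattern="/styles/**" access="permitAll"/>
    <security:intercept-url pattern="/scripts/**" access="permitAll"/>

    <!-- Assumed sensitive operation. isFullyAuthenticated() is NOT satisfied
         by a RememberMeAuthenticationToken, so a cookie-restored session is
         refused here until the user logs in again through the form. -->
    <security:intercept-url pattern="/account/password/**" access="isFullyAuthenticated()"/>

    <!-- Catch-all LAST. isAuthenticated() accepts both form-login and
         remember-me sessions. In the original config this rule was first
         with permitAll, which made every later intercept-url unreachable. -->
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>

    <!-- Placeholder key: the value is mixed into the MD5 signature of every
         remember-me cookie, and the real key from the question is now public. -->
    <security:remember-me key="replace-with-a-long-random-secret"
                          user-service-ref="jpaUserDetailsService"
                          token-validity-seconds="864000"/>
</security:http>
```

Apply the same decision to the annotated controller method from the log: if showbstpage only needs a logged-in user, change the expression to `isAuthenticated() and #username == principal.username`; keep `isFullyAuthenticated()` only where a cookie-restored session must not be enough. Two further caveats on the posted secContext.xml: the three hand-written beans at the bottom (rememberMeFilter, rememberMeServices, rememberMeAuthenticationProvider) duplicate what `<security:remember-me>` already registers and are referenced by nothing, so they can be removed; and the remember-me key should be rotated now that it has been posted, because TokenBasedRememberMeServices signs username:expiry:password:key with MD5, so anyone who knows the key and a user's stored password hash can compute a valid cookie for that user.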