很多网站登陆的时候都会提供“记住我”或者“记住我&&周”的选项,spring security 3也提供了此功能,本人写了两个demo,一个是基于cookie来实现免登陆,一个是基于数据库的:
1 基于cookie的remember-me
spring security的配置如下:
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http auto-config="false" access-denied-page="/accessDenied.jsp">
<!-- 不要过滤图片等静态资源,其中**代表可以跨越目录,*不可以跨越目录。
<intercept-url pattern="/**/*.jpg" filters="none" />
<intercept-url pattern="/**/*.png" filters="none" />
<intercept-url pattern="/**/*.gif" filters="none" />
<intercept-url pattern="/**/*.css" filters="none" />
<intercept-url pattern="/**/*.js" filters="none" /> -->
<!-- 登录页面和忘记密码页面不过滤 -->
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/jsp/forgotpassword.jsp" filters="none" />
<!-- ROLE_ENTER_ORDINARY_PAGE, -->
<intercept-url pattern="/index.jsp" access="ROLE_ENTER_ORDINARY_PAGE, ROLE_ENTER_HIGH_LEVEL_PAGE" />
<!-- 检测失效的sessionId,超时时定位到另外一个URL, 防止固化session攻击 -->
<session-management invalid-session-url="/timeout.jsp" session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
</session-management>
<form-login login-page="/login.jsp" authentication-failure-url="/loginError.jsp" default-target-url="/index.jsp"/>
<logout invalidate-session="true" logout-success-url="/login.jsp"/>
<http-basic/>
<!-- 使用cookie来记录登陆 -->
<remember-me user-service-ref="userService" use-secure-cookie="true"/>
<anonymous/>
</http>
<!-- 注意能够为authentication-manager 设置alias别名 -->
<authentication-manager alias="authenticationManager">
<!-- <authentication-provider user-service-ref="userDetailsManager"> -->
<authentication-provider user-service-ref="userService">
<password-encoder hash="md5">
<salt-source user-property="username"/>
</password-encoder>
<!-- <password-encoder ref="passwordEncoder"> -->
<!-- 用户名做为盐值 -->
<!--<salt-source user-property="username" />
</password-encoder>-->
</authentication-provider>
</authentication-manager>
</b:beans>
2 基于数据库的rember-me
首先要建一张表记录登陆:
create table persistent_logins (username varchar(64) not null, series varchar(64) primary key, token varchar(64) not null, last_used timestamp not null)
然后spring security的配置与第一种配置不一样的地方在<rember-me>
<remember-me user-service-ref="userService" data-source-ref="myDataSource"/>
此处的myDataSource要在spring的配置文件中配置:
<!-- 数据源 -->
<bean id="myDataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
<property name="driverClassName" value="${JDBC.DRIVERNAME}"/>
<property name="url" value="${JDBC.URL}"/>
<property name="username" value="${JDBC.USERNAME}"/>
<property name="password" value="${JDBC.PASSWORD}"/>
</bean>
测试,jsp登陆代码如下:
<form action="/spring_security/j_spring_security_check" method="post">
Account:<Input name="j_username"/><br/>
Password:<input name="j_password" type="password"/><br/>
<input type='checkbox' name='_spring_security_remember_me'/>记住我<br/>
<input value="submit" type="submit"/> <br/>
</form>
验证是否记住用户的页面为index.jsp,页面代码为:
<body>
<form action="">
<sec:authorize ifAllGranted="ROLE_ENTER_ORDINARY_PAGE" >
<input type="button" value="普通用户点击 "/><br/>
</sec:authorize>
<sec:authorize ifAllGranted="ROLE_ENTER_HIGH_LEVEL_PAGE">
<input type="button" value="高级用户点击 "/><br/>
</sec:authorize>
用户名称:<sec:authentication property="principal.username"></sec:authentication><br/>
<a href="<%= request.getContextPath() %>/j_spring_security_logout">
<input type="button" value="退出"/>
</a>
</form>
</body>
如果用户登陆就会显示登陆用户的名称,
使用第一种配置登陆后,可以在浏览器中查看cookie,
此时关掉浏览器,重新打开浏览器访问http://localhost:8080/spring_security/index.jsp,页面显示为:
使用第二种配置登陆后,数据库中的数据,
此时关掉浏览器,重新打开浏览器访问http://localhost:8080/spring_security/index.jsp
页面显示为: