Problem description
My SecurityConfig class, where I configure the remember-me feature backed by userService and persistentTokenRepository():
// Spring Security 5.0.x, WebSecurityConfigurerAdapter style; imports, class declaration and injected fields added so the snippet compiles (userService and dataSource beans are assumed)
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired private UserDetailsService userService;
    @Autowired private DataSource dataSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(
                    "/js/**",
                    "/css/**",
                    "/img/**",
                    "/webjars/**").permitAll()
                .anyRequest().authenticated()
                // ... and login, and logout
                .and()
            .rememberMe()
                .userDetailsService(userService)
                .tokenRepository(persistentTokenRepository());
    }

    // Series/token pairs are stored in the persistent_logins table via the injected DataSource
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
        tokenRepository.setDataSource(dataSource);
        return tokenRepository;
    }
}
Use case:
- The user opens the login page in his browser and authenticates with the "Remember me" option enabled.
- [Back-end] A new remember-me token is generated, saved in the DB and sent to the user. The default validity is 2 weeks.
- The user is redirected to the homepage.
- The user closes the browser to end the browsing session.
- The user starts the browser again and goes to the homepage again.
Expected result: [Back-end] No exceptions; the token in the DB is matched with the remember-me cookie. [Front-end] The user is successfully authenticated and can proceed to the homepage.
Actual result: [Back-end] CookieTheftException is thrown. The token is deleted from the DB. [Front-end] The user is redirected to the login page.
org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:119) ~[spring-security-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
Recommended answer
This question is already answered here: Spring Security Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack. The "Remember Me" feature is explained in detail in that answer; I recommend reading it before applying the following solution.
I'd like to share my solution for Java configuration. Split static resources security from webapp pages security:
http
    .authorizeRequests()
        .antMatchers(
            "/js/**",
            "/css/**",
            "/img/**",
            "/webjars/**").permitAll();
http
    .authorizeRequests()
        .anyRequest().authenticated()
        // ... and login, and logout
        .and()
    .rememberMe()
        .userDetailsService(userService)
        .tokenRepository(persistentTokenRepository());
It's up to you whether you define these two configurations in a single configure(HttpSecurity http) method or split them into two @Configuration classes. If you choose the latter option, don't forget to put @Order(int) annotations on these configurations, otherwise you get a conflict.
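Why the single-chain configuration trips the check is worth spelling out: RememberMeAuthenticationFilter runs before the authorization filter, so permitAll() on the static paths does not keep it away from those requests. After a browser restart there is no session, so every request that carries the remember-me cookie auto-logs in, and PersistentTokenBasedRememberMeServices rotates the series/token pair in the DB on each auto-login. A browser fetching several scripts and stylesheets in parallel sends the same cookie with each request; the requests that arrive after the first present an already-replaced token, which is exactly the mismatch the exception reports. The fix therefore has to keep the remember-me filter out of the chain that serves static resources. The following is an added example, not the asker's or the answerer's code, of the two-@Configuration-class variant with @Order that the answer mentions. It assumes a UserDetailsService bean named userService and a DataSource bean named dataSource, and leaves the form-login and logout details elided in the post at their defaults.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

// Added example (not the original post's code): two ordered SecurityFilterChains so that
// the remember-me filter is never part of the chain that serves static assets.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    private static final String[] STATIC_RESOURCES = {
        "/js/**", "/css/**", "/img/**", "/webjars/**"
    };

    // Chain 1: consulted first because of the lower @Order value. requestMatchers()
    // scopes the whole chain to the asset paths, and the chain configures neither
    // rememberMe() nor formLogin(), so a remember-me cookie on an asset request is
    // ignored and the series/token pair is not rotated by parallel asset fetches.
    @Configuration
    @Order(1)
    public static class StaticResourcesSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers(STATIC_RESOURCES)
                    .and()
                .authorizeRequests()
                    .anyRequest().permitAll();
        }
    }

    // Chain 2: everything that did not match chain 1. This is the only chain with
    // remember-me, so exactly one page request rotates the token per page load.
    @Configuration
    @Order(2)
    public static class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserDetailsService userService; // assumed bean, as in the post

        @Autowired
        private DataSource dataSource;          // assumed bean, as in the post

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .and()
                .logout()
                    .and()
                .rememberMe()
                    .userDetailsService(userService)
                    .tokenRepository(persistentTokenRepository());
        }

        // Series/token pairs live in the persistent_logins table. Enable
        // setCreateTableOnStartup(true) once on an empty database to create it.
        @Bean
        public PersistentTokenRepository persistentTokenRepository() {
            JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
            tokenRepository.setDataSource(dataSource);
            return tokenRepository;
        }
    }
}
```

With this layout a request for /js/app.js is handled entirely by chain 1 and never reaches RememberMeAuthenticationFilter; every other request falls through to chain 2. The shorter alternative is web.ignoring().antMatchers(STATIC_RESOURCES) in an override of configure(WebSecurity web), which bypasses Spring Security for those paths completely; the ordered-chain form is the one to use when the assets should still receive the security headers that the filter chain adds.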
This concludes the article on Spring Security remember-me failing with CookieTheftException; we hope the recommended answer helps.