Disable Remember-Me in Spring Security & Tomcat


Problem description

I wonder, is there any way to disable remember-me in Spring Security? Scenario I want to implement is pretty common: after closing browser window I would like user's session to expire. Seems weird, but it doesn't work with Tomcat 7 & Spring Security 3.1. We use auto-config in Spring Security configuration file, but there is no remember-me element.

What is the best solution to get it working? Thanks in advance!

Update: Here is the usage scenario to clarify my problem:

  1. The user logs in to a restricted area, e.g. /secure.html
  2. Then he closes the browser without logging out manually.
  3. He opens the browser again and goes directly to /secure.html.
  4. Current Spring behaviour: the page is shown successfully. Expected behaviour: redirect to the login page.

New symptoms for differential diagnosis: the user is probably re-authenticated because the JSESSIONID is the same between browser close/open. How could I force Tomcat or Spring to generate a new session for every browser session?

Update: Fragment of Spring Security configuration:

<http auto-config="true">
    <anonymous key="anonymous-security" />
    <intercept-url pattern="/auth/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_ADMIN" />
    <form-login login-page="/auth/login.html" 
                default-target-url="/auth/default.html"
                authentication-failure-url="/auth/failed.html" />
    <logout logout-success-url="/auth/logout.html" delete-cookies="JSESSIONID" />
</http>

Update: Documentation claims that there is no default remember-me configuration in auto-config="true" since 3.0 (we use 3.1):

In versions prior to 3.0, this list also included remember-me functionality. This could cause some confusing errors with some configurations and was removed in 3.0.

What's wrong with my web app?

Accepted answer

Problem clarification:

I ran into the same issue: my browser would remember my user.

Typically: after logging in to access a restricted area, closing the browser, then reopening it and entering the same restricted area, it would let me access it when I expected to be prompted for credentials.

After playing around I noticed one important thing: this behavior is NOT consistent across browsers:

  • Eclipse's built-in browser does remember after closing
  • Chrome does remember after closing
  • IE (9) does not remember after closing
  • Firefox (16.0.1) does not remember after closing
  • Safari (Windows, 5.1.7) does not remember after closing

More browser types & versions could be tested...

  1. A workaround could be to try to detect when the user closes the browser and trigger a logout when that happens. Not sure how feasible that is, though.

There might be a better solution, I'll update this answer if I find it.
