Spring Security Remember Me fails with CookieTheftException


Question

My SecurityConfig class, where I configure the remember-me feature backed by userService and persistentTokenRepository():

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers(
                    "/js/**",
                    "/css/**",
                    "/img/**",
                    "/webjars/**").permitAll()
            .anyRequest().authenticated()
    // ... and login, and logout
    .and()
        .rememberMe()
            .userDetailsService(userService)
            .tokenRepository(persistentTokenRepository());
}

@Bean
public PersistentTokenRepository persistentTokenRepository() {
    JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
    tokenRepository.setDataSource(dataSource);
    return tokenRepository;
}

Use case:

  1. The user opens the login page in his browser and authenticates himself with the "Remember me" option enabled.
  2. [Back-end] A new remember-me token is generated, saved in the DB and sent to the user. The default validity is 2 weeks.
  3. The user is redirected to the homepage.
  4. The user closes the browser to end the browsing session.
  5. The user starts the browser again and goes to the homepage again.

Expected result: [Back-end] No exceptions, the token in the DB is matched with the remember-me cookie. [Front-end] The user is successfully authenticated and can proceed to the homepage.
Actual result: [Back-end] CookieTheftException is thrown. The token is deleted from the DB. [Front-end] The user is redirected to the login page.

org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
    at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:119) ~[spring-security-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]

Accepted answer

This question is already answered here: Spring Security Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack. The "Remember Me" feature is explained in detail in that answer; I recommend you read it before applying the following solution.

I'd like to share my solution for Java configuration. Split static resource security from webapp page security:

http
    .authorizeRequests()
    .antMatchers(
        "/js/**",
        "/css/**",
        "/img/**",
        "/webjars/**").permitAll();

http
    .authorizeRequests()
    .anyRequest().authenticated()
    // ... and login, and logout
    .and()
    .rememberMe()
    .userDetailsService(userService)
    .tokenRepository(persistentTokenRepository());

It's up to you whether you define these two configurations in a single configure(HttpSecurity http) method or split them into two @Configuration classes. If you choose the latter option, don't forget to put @Order(int) annotations on these configurations, otherwise you get a conflict.
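The two-@Configuration-class variant that the answer describes, written out as an added example (this is not the answer's own code). It targets Spring Security 5.0.x, the version in the stack trace; the class names, the userService bean (a UserDetailsService) and the dataSource bean are assumptions. The first configuration is scoped with requestMatchers() so that it only ever handles static resource paths and never installs the remember-me filter; the second configuration handles everything else.

```java
// Added example, not from the question or the answer.
// Assumed beans: a UserDetailsService named "userService" and a DataSource.
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Evaluated first (lower @Order wins). Scoped to the static paths only,
    // and it deliberately configures no rememberMe(), so a request for
    // /js/app.js can never consume and rotate the persistent token.
    @Configuration
    @Order(1)
    public static class StaticResourcesConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/js/**", "/css/**", "/img/**", "/webjars/**")
                    .and()
                .authorizeRequests()
                    .anyRequest().permitAll();
        }
    }

    // Evaluated second: every request not claimed by the chain above.
    // Form login, logout and remember-me live only here.
    @Configuration
    @Order(2)
    public static class WebAppConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private UserDetailsService userService; // assumed bean

        @Autowired
        private DataSource dataSource; // assumed bean

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login").permitAll()
                    .and()
                .logout()
                    .permitAll()
                    .and()
                .rememberMe()
                    .userDetailsService(userService)
                    .tokenRepository(persistentTokenRepository());
        }

        // Same JDBC-backed token store as in the question; the
        // persistent_logins table must exist in the data source.
        @Bean
        public PersistentTokenRepository persistentTokenRepository() {
            JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
            tokenRepository.setDataSource(dataSource);
            return tokenRepository;
        }
    }
}
```

Why the split matters: PersistentTokenBasedRememberMeServices replaces the token value in the DB and re-issues the cookie on every successful auto-login. When the homepage and its scripts, stylesheets and images are fetched in parallel with the same old cookie, the first request rotates the token and the others then fail the series/token check, which is exactly the mismatch the exception reports. Keeping static resources out of the remember-me chain removes that race, while a genuine series/token mismatch from a reused stolen cookie is still detected and still invalidates the series. If you do not need any security configuration on static paths at all, `configure(WebSecurity web)` with `web.ignoring().antMatchers(...)` is a shorter way to keep them out of the filter chain entirely.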
