与会话Cookie春季安全与rememberMe服务 [英] Spring Security RememberMe Services with Session Cookie

问题描述

我使用Spring Security的了rememberMe服务保持认证的用户。

I am using Spring Security's RememberMe Services to keep a user authenticated.

我想找到一个简单的方法都有了rememberMe的cookie设置为一个会话cookie，而不是一个固定的到期时间。我的应用程序，该cookie应该持续到用户关闭浏览器。

I would like to find a simple way to have the RememberMe cookie set as a session cookie rather than with a fixed expiration time. For my application, the cookie should persist until the user closes the browser.

这是如何最好地实现这个有什么建议？在这是一个潜在的安全问题有任何疑问？

Any suggestions on how to best implement this? Any concerns on this being a potential security problem?

有这样做的主要原因是，与一个基于cookie的标记，任何后面我们的负载平衡器服务器可提供服务，而不依赖于用户的认证将要存储在一个HttpSession保护请求。事实上，我已经明确告诉春季安全永远不会创建一个使用命名空间的会话。此外，我们使用的是亚马逊的弹性负载平衡，因此粘性会话不支持。

The primary reason for doing so is that with a cookie-based token, any of the servers behind our load balancer can service a protected request without relying on the user's Authentication to be stored in an HttpSession. In fact, I have explicitly told Spring Security to never create sessions using the namespace. Further, we are using Amazon's Elastic Load Balancing, and so sticky sessions are not supported.

的注：虽然我知道，作为4月8日的，亚马逊现在支持粘性会话，我还是不希望使用他们的其它原因了一把。即一台服务器的不幸去世仍然会导致会话与它相关联的所有用户的损失。
<一href=\"http://aws.amazon.com/about-aws/whats-new/2010/04/08/support-for-session-stickiness-in-elastic-load-balancing/\">http://aws.amazon.com/about-aws/whats-new/2010/04/08/support-for-session-stickiness-in-elastic-load-balancing/

推荐答案

春季安全3不提供如何生成cookie的配置。你必须覆盖缺省行为：

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;

/** Cookie expires on session. */
 public class PersistentTokenBasedRememberMeServicesCustom extends
   PersistentTokenBasedRememberMeServices {

  /** only needed because super throws exception. */
  public PersistentTokenBasedRememberMeServicesCustom() throws Exception {
    super();
  }

  /** Copy of code of inherited class + setting cookieExpiration, */
  @Override
  protected void setCookie(String[] tokens, int maxAge,
      HttpServletRequest request, HttpServletResponse response) {
    String cookieValue = encodeCookie(tokens);
    Cookie cookie = new Cookie(getCookieName(), cookieValue);
    //cookie.setMaxAge(maxAge); 
    cookie.setPath("/");
    cookie.setSecure(false); // no getter available in super, so always false

    response.addCookie(cookie);
  }
}

请确保您使用此自定义的对PersistentTokenBasedRememberMeServices 的你加入的类名是它的 rememberMeService 的是bean配置：

Make sure, you use this customized PersistentTokenBasedRememberMeServices for you're rememberMeService by adding the class name to it's bean configuration:

<beans:bean id="rememberMeServices"
 class="my.custom.spring.PersistentTokenBasedRememberMeServicesCustom"/>

这篇关于与会话Cookie春季安全与rememberMe服务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！