Spring Boot 2.0: why the Spring Security "remember me" (rememberMe) feature did not work
I have only just started with Spring Security. There is a lot to it, and if you don't study it properly you have no idea why things break.
Core remember-me configuration (the broken version):
    protected void configure(HttpSecurity http) throws Exception {
        List<SysPermission> allPermission = permissionFeignClient.getPermissionList().getData();
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests = http.authorizeRequests();
        // one rule per URL loaded from the permission service; the first matching rule wins
        for (SysPermission permission : allPermission) {
            authorizeRequests.antMatchers(permission.getUrl()).hasAnyAuthority(permission.getPermissionAlias());
        }
        authorizeRequests.antMatchers(AUTH_WHITELIST).permitAll()
            .antMatchers("/**").fullyAuthenticated()   // this is the line that breaks remember-me
            .and().formLogin()
                .loginPage("/login").successHandler(successHandler).failureHandler(failureHandler)
            .and().rememberMe()
                .rememberMeParameter("remember").rememberMeCookieName("renting") // remember-me settings
                .tokenRepository(persistentTokenRepository()) // persist tokens in the database
                .tokenValiditySeconds(1209600) // 14 days
                .userDetailsService(myUserDetailService)
            .and().csrf().disable();
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl persistentTokenRepository = new JdbcTokenRepositoryImpl();
        persistentTokenRepository.setDataSource(dataSource);
        // persistentTokenRepository.setCreateTableOnStartup(true); // only for the first run: creates the persistent_logins table
        return persistentTokenRepository;
    }
Debugging
The browser does have the cookie, and the database does have the matching row.
Inside RememberMeAuthenticationFilter, rememberMeAuth does contain the login information, yet the request is still intercepted and redirected to the login page.
I looked through the following blog posts:
https://blog.csdn.net/weixin_30952103/article/details/99523931
https://blog.csdn.net/zhoudingding/article/details/105116920
and the problem turned out to be fullyAuthenticated().
The difference between fullyAuthenticated() and authenticated():
fullyAuthenticated(): true only when the user is authenticated AND did not log in through remember-me; it rejects anonymous users and remember-me users alike
authenticated(): true whenever the user is not anonymous, which includes users authenticated by a remember-me token
That also explains the redirect: when a remember-me user is denied, ExceptionTranslationFilter treats the principal as one that must re-authenticate and sends them to the login page instead of returning 403.
So if remember-me is supposed to work, the catch-all rule has to use authenticated(). Keep fullyAuthenticated() for the few URLs that should force a fresh password login (changing a password, for example), because a remember-me cookie is a weaker credential than a fresh login.
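To see the distinction concretely, here is an added example (not code from the original post) that evaluates the two checks the way Spring Security's SecurityExpressionRoot does, using AuthenticationTrustResolverImpl against three constructed Authentication objects: a form login, a remember-me login and an anonymous request. The class name, the principal "alice" and the key strings are made up for the demonstration.

```java
import java.util.List;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example: mirrors SecurityExpressionRoot.isAuthenticated() / isFullyAuthenticated()
public class AuthenticatedVsFullyAuthenticated {

    private static final AuthenticationTrustResolver RESOLVER = new AuthenticationTrustResolverImpl();

    // authenticated(): anything that is not anonymous passes, remember-me included
    static boolean authenticated(Authentication auth) {
        return !RESOLVER.isAnonymous(auth);
    }

    // fullyAuthenticated(): anonymous AND remember-me are both rejected
    static boolean fullyAuthenticated(Authentication auth) {
        return !RESOLVER.isAnonymous(auth) && !RESOLVER.isRememberMe(auth);
    }

    public static void main(String[] args) {
        List<GrantedAuthority> user = AuthorityUtils.createAuthorityList("ROLE_USER");
        List<GrantedAuthority> anon = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");

        // Constructed sample authentications, the three kinds the filter chain can produce
        // (key strings and the "alice" principal are placeholders, not real configuration)
        Authentication formLogin = new UsernamePasswordAuthenticationToken("alice", null, user);
        Authentication rememberMe = new RememberMeAuthenticationToken("remember-me-key", "alice", user);
        Authentication anonymous = new AnonymousAuthenticationToken("anonymous-key", "anonymousUser", anon);

        report("form login ", formLogin);
        report("remember-me", rememberMe);
        report("anonymous  ", anonymous);
    }

    private static void report(String label, Authentication auth) {
        System.out.printf("%s  authenticated()=%-5s fullyAuthenticated()=%-5s%n",
                label, authenticated(auth), fullyAuthenticated(auth));
    }
}
```

The form login passes both checks, the anonymous token fails both, and the remember-me token passes authenticated() but fails fullyAuthenticated(); that third row is exactly the request that was being bounced to the login page by the `antMatchers("/**").fullyAuthenticated()` rule.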
Core code (fixed):
    authorizeRequests.antMatchers(AUTH_WHITELIST).permitAll().anyRequest().authenticated().and().formLogin()
        .loginPage("/login").successHandler(successHandler).failureHandler(failureHandler).and()
        .rememberMe().rememberMeParameter("remember").rememberMeCookieName("renting") // remember-me settings
        .tokenRepository(persistentTokenRepository()) // persist tokens in the database
        .tokenValiditySeconds(1209600) // 14 days
        .userDetailsService(myUserDetailService).and().csrf().disable();
The change is in the first line: `.antMatchers("/**").fullyAuthenticated()` became `.anyRequest().authenticated()` (the original post highlighted it in red). Note that `anyRequest()` must stay last, since rules are matched in the order they are declared.
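As an added example (not the post's own configuration), here is a complete WebSecurityConfigurerAdapter that keeps the remember-me settings from the post but uses both checks where they belong: remember-me users may browse normally, while a couple of sensitive URLs are marked fullyAuthenticated() so that a cookie alone is not enough and Spring Security sends the user back to the login page for a fresh password. The whitelist contents, the `/account/**` paths and the logout URL are assumptions for the demonstration; the success/failure handlers from the post are left out so the class is self-contained.

```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

// Added example: layered rules so remember-me works but sensitive actions force a fresh login
@EnableWebSecurity
public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {

    // assumed whitelist; the post's AUTH_WHITELIST contents are not shown
    private static final String[] AUTH_WHITELIST = { "/login", "/css/**", "/js/**" };

    @Autowired
    private DataSource dataSource;

    @Autowired
    private UserDetailsService myUserDetailService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers(AUTH_WHITELIST).permitAll()
                // assumed sensitive paths: a remember-me cookie is NOT enough here.
                // A remember-me user hitting these is redirected to /login by
                // ExceptionTranslationFilter rather than getting a 403.
                .antMatchers("/account/password", "/account/delete").fullyAuthenticated()
                // everything else: a remember-me authentication is acceptable.
                // anyRequest() must be the last rule, matching is first-match-wins.
                .anyRequest().authenticated()
            .and().formLogin()
                .loginPage("/login").permitAll()
            .and().rememberMe()
                .rememberMeParameter("remember")       // checkbox name on the login form
                .rememberMeCookieName("renting")       // cookie name from the post
                .tokenRepository(persistentTokenRepository())
                .tokenValiditySeconds(1209600)         // 14 days
                .userDetailsService(myUserDetailService)
            .and().logout()
                .logoutUrl("/logout")                  // assumed logout URL
                .deleteCookies("renting");             // the configurer also removes the DB token on logout
        // CSRF is left enabled here on purpose; the post disables it, which is only
        // appropriate for a pure token-based API, not for a cookie-authenticated form app.
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(dataSource);
        // The persistent_logins table must exist; its DDL is the constant
        // JdbcTokenRepositoryImpl.CREATE_TABLE_SQL, or enable setCreateTableOnStartup(true) once.
        return repo;
    }
}
```

With this layout the series/token pair in persistent_logins still authenticates the user automatically, but reaching `/account/password` with only that cookie produces a redirect to `/login`; after a password login the same URL is served, because the new Authentication is a UsernamePasswordAuthenticationToken and passes fullyAuthenticated().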