
Security internals: how Spring Security implements remember-me (login-free access)

Published: 2023/12/15

Spring Security's login-free (remember-me) feature is, broadly speaking, also implemented on top of cookies.

Main configuration:

<remember-me authentication-success-handler-ref="authenticationSuccessHandler"
    services-alias="rememberMeServices" />

1. First, the login form must POST to the URL /j_spring_security_check with _spring_security_remember_me set to yes; after login, the cookie is then recorded in the database:

/j_spring_security_check?_spring_security_remember_me=yes

Code logic:

UsernamePasswordAuthenticationFilter, the login authentication filter, intercepts /j_spring_security_check and calls the AbstractRememberMeServices interface implementation:

this.rememberMeServices.loginSuccess(request, response, authResult);

2. When the session expires, the RememberMeAuthenticationFilter filter calls this.rememberMeServices.autoLogin(request, response); to log in automatically.

At the same point, successHandler.onAuthenticationSuccess(request, response, rememberMeAuth); can load session information; this part needs to be adapted to the needs of the project.

AbstractRememberMeServices

public final Authentication autoLogin(HttpServletRequest request, HttpServletResponse response) {
    // 1. Read the cookie saved by Spring Security, looked up by its cookie name
    String rememberMeCookie = extractRememberMeCookie(request);

    // ... (code elided in the original post)

    UserDetails user = null;

    try {
        // 2. Decode the information in rememberMeCookie
        String[] cookieTokens = decodeCookie(rememberMeCookie);

        // 3. Read the information from the cookie and create the logged-in session
        user = processAutoLoginCookie(cookieTokens, request, response);
        userDetailsChecker.check(user);

        logger.debug("Remember-me cookie accepted");

        return createSuccessfulAuthentication(request, user);
    }
    // ... (catch blocks elided in the original post)

    // Auto-login did not succeed: cancel the cookie
    cancelCookie(request, response);
    return null;
}

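The processAutoLoginCookie method is implemented by the subclasses PersistentTokenBasedRememberMeServices and TokenBasedRememberMeServices.

PersistentTokenBasedRememberMeServices saves a backup copy of the login cookie at login time. When processAutoLoginCookie runs, it first checks whether the presented cookie is forged; only a cookie that is not forged can be used to obtain the login information and log in. This point is very important!!!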
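The forgery check described above, as an added example that is not code from the original post or from Spring Security: a JDK-only model of the series/token comparison, in which the cookie carries a series and a token, a successful auto-login rotates the token, and a known series with a stale token invalidates all of that user's tokens. The class PersistentTokenDemo, its in-memory map, the exception types and the user name alice are assumptions; the token expiry check is left out.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Simplified model of the persistent-token check; not Spring Security's code.
public class PersistentTokenDemo {
    // series -> {username, token}; stands in for the token repository
    private final Map<String, String[]> repo = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    private String randomValue() {
        byte[] b = new byte[16];
        random.nextBytes(b);
        return Base64.getEncoder().encodeToString(b);
    }

    // Login with remember-me: new series + token, both sent back in the cookie
    public String[] loginSuccess(String username) {
        String[] cookie = {randomValue(), randomValue()};
        repo.put(cookie[0], new String[] {username, cookie[1]});
        return cookie;
    }

    // Auto-login: returns the rotated cookie, or throws when the cookie is rejected
    public String[] autoLogin(String[] cookie) {
        if (cookie.length != 2) throw new IllegalArgumentException("malformed cookie");
        String[] stored = repo.get(cookie[0]);
        if (stored == null) throw new IllegalStateException("unknown series");
        if (!stored[1].equals(cookie[1])) {
            // Known series, stale token: the cookie was copied or forged.
            // Remove every token of that user so no copy stays valid.
            repo.values().removeIf(v -> v[0].equals(stored[0]));
            throw new SecurityException("possible cookie theft: " + stored[0]);
        }
        stored[1] = randomValue(); // rotate the token, keep the series
        return new String[] {cookie[0], stored[1]};
    }

    public static void main(String[] args) {
        PersistentTokenDemo svc = new PersistentTokenDemo();
        String[] first = svc.loginSuccess("alice"); // constructed sample user
        String[] rotated = svc.autoLogin(first);    // accepted, token rotated
        try { svc.autoLogin(first); }               // old cookie presented again
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        try { svc.autoLogin(rotated); }             // all of alice's tokens are gone
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```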

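PersistentTokenBasedRememberMeServices stores the encrypted cookie information in an implementation of the PersistentTokenRepository interface:

private PersistentTokenRepository tokenRepository = new InMemoryTokenRepositoryImpl();

Storage used by InMemoryTokenRepositoryImpl: Map seriesTokens = new HashMap();

Storage used by JdbcTokenRepositoryImpl: a database table. JdbcTokenRepositoryImpl is the recommended option, because in a clustered environment the cookie information is then also backed up across machines: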

public static final String CREATE_TABLE_SQL =

"create table persistent_logins (username varchar(64) not null, series varchar(64) primary key, " +

"token varchar(64) not null, last_used timestamp not null)";

Official configuration reference:

Attributes

authentication-success-handler-ref: Sets the authenticationSuccessHandler property on the RememberMeAuthenticationFilter if custom navigation is required. The value should be the name of an AuthenticationSuccessHandler bean in the application context.

data-source-ref: A reference to a DataSource bean. If this is set, PersistentTokenBasedRememberMeServices will be used and configured with a JdbcTokenRepositoryImpl instance.

remember-me-parameter: The name of the request parameter which toggles remember-me authentication. Defaults to "_spring_security_remember_me". Maps to the "parameter" property of AbstractRememberMeServices.

key: Maps to the "key" property of AbstractRememberMeServices. Should be set to a unique value to ensure that remember-me cookies are only valid within the one application [26]. If this is not set a secure random value will be generated. Since generating secure random values can take a while, setting this value explicitly can help improve startup times when using the remember me functionality.

services-alias: Exports the internally defined RememberMeServices as a bean alias, allowing it to be used by other beans in the application context.

services-ref: Allows complete control of the RememberMeServices implementation that will be used by the filter. The value should be the id of a bean in the application context which implements this interface. Should also implement LogoutHandler if a logout filter is in use.

token-repository-ref: Configures a PersistentTokenBasedRememberMeServices but allows the use of a custom PersistentTokenRepository bean.

token-validity-seconds: Maps to the tokenValiditySeconds property of AbstractRememberMeServices. Specifies the period in seconds for which the remember-me cookie should be valid. By default it will be valid for 14 days.

use-secure-cookie: It is recommended that remember-me cookies are only submitted over HTTPS and thus should be flagged as "secure". By default, a secure cookie will be used if the connection over which the login request is made is secure (as it should be). If you set this property to false, secure cookies will not be used. Setting it to true will always set the secure flag on the cookie. This attribute maps to the useSecureCookie property of AbstractRememberMeServices.

user-service-ref: The remember-me services implementations require access to a UserDetailsService, so there has to be one defined in the application context. If there is only one, it will be selected and used automatically by the namespace configuration. If there are multiple instances, you can specify a bean id explicitly using this attribute.
