Shulou(Shulou.com)06/03 Report--

This article mainly introduces SpringSecurity how to achieve automatic login within two weeks to remember my function, the article is very detailed, has a certain reference value, interested friends must read it!

I. Minimalist practice

In fact, implementing this function is very simple, as long as we add the rememberMe () method when we rewrite the WebSecurityConfigurerAdapter method configuration HttpSecurity. (a large number of configurations for Spring Security login authentication have been omitted in the following code, which have been mentioned in previous articles on this account.)

@ Configurationpublic class SecurityConfig extends WebSecurityConfigurerAdapter {@ Override protected void configure (HttpSecurity http) throws Exception {http.rememberMe (); / / implementation remember my automatic login configuration, this is the only line of core code}}

Then add a checkbox check box to the login form, and the value of the name property must now be "remember-me" (the method of personalization changes will be discussed later).

Automatic login

It is that simple, we have achieved the function of remember me, the default effect is: no login for 2 weeks.

Second, the realization principle

Many friends may be confused when they read the above implementation process, so it is realized? The following is to explain to you what has been done during this process.

When we log in, in addition to the user name and password, we can also check remember-me. If we check remember-me, when we log in successfully, the server will generate a Cookie to return to the browser. The name of this Cookie is remember-me; value is a token token by default. When we visit the application again within the validity period, we go through RememberMeAuthenticationFilter and read the token in Cookie for verification. Verify that you can access the application without having to log in again.

The token token is an MD5 hash string: contains username, expirationTime, and passwod, and a predefined key, and encrypts them with MD5. Some friends may ask: is this safe? If cookie is hijacked, it must be insecure, and someone else will be able to access your application within the validity period when someone else gets this string. This is the same reason that your key token has been stolen and your home is definitely not safe. But there is no possibility that the password can be cracked into plaintext, and MD5 hash is irreversible.

RememberMeAuthenticationFilter is in the overall backward position in the Spring Security filter chain, so only when a variety of traditional login methods can not complete the verification, only go to RememberMeAuthenticationFilter, which is also in line with the actual needs.

III. Personalized configuration

In the actual development process, we can also make some personalized settings according to the requirements, as follows:

.rememberMeParameter ("remember-me-new") .rememberMeCookieName ("remember-me-cookie") .tokenValiditySeconds (2 * 24 * 60 * 60)

TokenValiditySeconds is used to set the validity period of token, that is, how long it takes to avoid repeated login (in seconds). The default is 2 weeks without modifying the configuration.

Set the parameter name of the automatic login check box of the from form through rememberMeParameter. If this is changed, the name property of checkbox in the from form will be changed accordingly. If it is not set, the default is remember-me.

RememberMeCookieName sets the name of the cookie saved on the browser side, and the default is remember-me if not set. See the browser's cookie in the following figure.

IV. Storage mode of token database

The way we talked about above is the easiest way to implement the "remember me-auto login" function. The disadvantage of this approach is that the correspondence between token and users is stored in memory, and when we restart the application, all token will disappear, that is, all users must log in again. To this end, Spring Security also provides us with a way to store token in the database without affecting the restart of the application.

Some articles say that the use of database storage is because it is more secure, the author does not think so. Although it is true that the token stored in the database is no longer a user name, password MD5 encrypted string, but a random serial number. But once your random serial number cookie is hijacked, the effect is the same. For example, you have a password lock in your house: you lose your key as much as you lose your password.

The above figure shows the implementation principle and verification process of token database storage, which we will implement below. First, we need to key a database table persistent_logins:

CREATE TABLE `persistent_ logins` (`username` varchar (64) NOT NULL, `series` varchar (64) NOT NULL, `token` varchar (64) NOT NULL, `last_ used` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, PRIMARY KEY (`series`) ENGINE=InnoDB DEFAULT CHARSET=utf8

Initialize a Spring bean of type PersistentTokenRepository and inject the DataSource used by the system into the bean. (of course, the premise is that you have configured the DataSource-related connection properties in the application.yml of Spring Boot. I will not repeat them here.)

@ Autowiredprivate DataSource dataSource; @ Bean public PersistentTokenRepository persistentTokenRepository () {JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl (); tokenRepository.setDataSource (dataSource); return tokenRepository;}

Finally, add the following personalized configuration to the Spring Security configuration method configure (HttpSecurity http):

.remember me () .tokenRepository (persistentTokenRepository ())

The above is all the contents of the article "how SpringSecurity can automatically log in and remember me in two weeks". Thank you for reading! Hope to share the content to help you, more related knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.