Shulou(Shulou.com)06/01 Report--

This article mainly introduces how Spring Security realizes automatic login function. The introduction in this article is very detailed and has certain reference value. Interested friends must read it!

When we log on to most websites such as video QQ mailbox, there will often be an option to automatically log in next time on the login button. After checking, the login is successful. Within a period of time, even if the browser exits or the server restarts, the user does not need to enter the account password to log in again. This also solves the trouble of entering the account password every time.

Next up is automatic login.

applicatio.properties Configure username Password

spring.security.user.name=javaspring.security.user.password=java

controller layer implementation

@RestControllerpublic class HelloController { @GetMapping("/hello") public String hello() { return "hello"; }}

Configuration class implementation

@Configurationpublic class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin() .and() .authorizeRequests() .anyRequest() .authenticated() .and() .rememberMe() .and() .csrf().disable();}

Visit http://localhost:8080/hello and you will be redirected to the login page.

Without a word, enter the account password and start!

At this point, you can see that the login data rember-me value is on. When customizing the login box, you should know how to define the key.

In the hello interface, you can clearly see that the cookie stores a remember-me token, which is the key to automatic login.

As for how the token is generated, let's look at a piece of source code. TokenBasedRememberMeServices->onLoginSuccess

public void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) { //Get username and password String username = this.retrieveUserName(successfulAuthentication); String password = this.retrievePassword(successfulAuthentication); //User name is empty Print log if (! StringUtils.hasLength(username)) { this.logger.debug("Unable to retrieve username"); } else { //Password is empty Go to query again by username if (! StringUtils.hasLength(password)) { UserDetails user = this.getUserDetailsService().loadUserByUsername(username); password = user.getPassword(); //The password found is still empty. End of printing log. if (! StringUtils.hasLength(password)) { this.logger.debug("Unable to obtain password for user: " + username); return; } } //Token validity period generation 1209600 is two weeks, that is to say token validity period is 14 days int tokenLifetime = this.calculateLoginLifetime(request, successfulAuthentication); long expiryTime = System.currentTimeMillis(); expiryTime += 1000L * (long)(tokenLifetime

< 0 ? 1209600 : tokenLifetime); //生成签名 signature String signatureValue = this.makeTokenSignature(expiryTime, username, password); //设置cookie this.setCookie(new String[]{username, Long.toString(expiryTime), signatureValue}, tokenLifetime, request, response); if (this.logger.isDebugEnabled()) { this.logger.debug("Added remember-me cookie for user '" + username + "', expiry: '" + new Date(expiryTime) + "'"); } }} //使用MD5加密 通过用户名、令牌有效期、密码和key生成rememberMe的令牌 这里的key也就是加密的盐值protected String makeTokenSignature(long tokenExpiryTime, String username, String password) { String data = username + ":" + tokenExpiryTime + ":" + password + ":" + this.getKey(); try { MessageDigest digest = MessageDigest.getInstance("MD5"); return new String(Hex.encode(digest.digest(data.getBytes()))); } catch (NoSuchAlgorithmException var7) { throw new IllegalStateException("No MD5 algorithm available!"); }} 看完了核心的源码，也就知道了令牌的生成规则：username + ":" + tokenExpiryTime + ":" + password + ":" + key（key 是一个散列盐值，可以用来防治令牌被修改，通过MD5散列函数生成。），然后通过Base64编码。 取出刚才的remember-me=amF2YToxNjM3MTI2MDk1OTMxOmQ5OGI3OTY5OTE4ZmQwMzE3ZWUyY2U4Y2MzMjQxZGQ0进行下验证。 解码后是java:1637126095931:d98b7969918fd0317ee2ce8cc3241dd4，很明显java是username，1637126095931是两周后的tokenExpiryTime，d98b7969918fd0317ee2ce8cc3241dd4是password和key值的MD5加密生成的。 需要注意的是key值是通过UUID随机生成的，当重启服务器时，UUID的变化会导致自动登录失败，所以为了避免之前生成的令牌失效，可以在配置中定义key值。 @Overrideprotected void configure(HttpSecurity http) throws Exception { http.formLogin() .and() .authorizeRequests() .anyRequest() .authenticated() .and() .rememberMe() .key("HelloWorld") .and() .csrf().disable();} 在Spring Security-登陆流程分析曾经说到 Spring Security中的认证授权都是通过过滤器来实现的。RememberMeAuthenticationFilter 是自动登录的核心过滤器。 public class RememberMeAuthenticationFilter extends GenericFilterBean implements ApplicationEventPublisherAware { private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { //获取当前用户实例 继续过滤校验 if (SecurityContextHolder.getContext().getAuthentication() != null) { this.logger.debug(LogMessage .of(() ->

"SecurityContextHolder not populated with remember-me token, as it already contained: '" + SecurityContextHolder.getContext().getAuthentication() + "'")); chain.doFilter(request, response); return; } //登录获取Auth Authentication rememberMeAuth = this.rememberMeServices.autoLogin(request, response); if (rememberMeAuth != null) { // Attempt authenticaton via AuthenticationManager try { //进行remember-me校验 rememberMeAuth = this.authenticationManager.authenticate(rememberMeAuth); // Store to SecurityContextHolder //保存用户实例 SecurityContextHolder.getContext().setAuthentication(rememberMeAuth); //成功页面跳转 onSuccessfulAuthentication(request, response, rememberMeAuth); this.logger.debug(LogMessage.of(() -> "SecurityContextHolder populated with remember-me token: '" + SecurityContextHolder.getContext().getAuthentication() + "'")); if (this.eventPublisher != null) { this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent( SecurityContextHolder.getContext().getAuthentication(), this.getClass())); } if (this.successHandler != null) { this.successHandler.onAuthenticationSuccess(request, response, rememberMeAuth); return; } } catch (AuthenticationException ex) { this.logger.debug(LogMessage .format("SecurityContextHolder not populated with remember-me token, as AuthenticationManager " + "rejected Authentication returned by RememberMeServices: '%s'; " + "invalidating remember-me token", rememberMeAuth), ex); this.rememberMeServices.loginFail(request, response); //失败页面跳转 onUnsuccessfulAuthentication(request, response, ex); } } chain.doFilter(request, response);}}@Overridepublic final Authentication autoLogin(HttpServletRequest request, HttpServletResponse response) { //获取cookie String rememberMeCookie = extractRememberMeCookie(request); if (rememberMeCookie == null) { return null; } this.logger.debug("Remember-me cookie detected"); if (rememberMeCookie.length() == 0) { this.logger.debug("Cookie was empty"); cancelCookie(request, response); return null; } try { //解码cookie 拿到令牌 String[] cookieTokens = decodeCookie(rememberMeCookie); //通过令牌获取UserdDetails UserDetails user = processAutoLoginCookie(cookieTokens, request, response); this.userDetailsChecker.check(user); this.logger.debug("Remember-me cookie accepted"); return createSuccessfulAuthentication(request, user); } catch (CookieTheftException ex) { cancelCookie(request, response); throw ex; } catch (UsernameNotFoundException ex) { this.logger.debug("Remember-me login was valid but corresponding user not found.", ex); } catch (InvalidCookieException ex) { this.logger.debug("Invalid remember-me cookie: " + ex.getMessage()); } catch (AccountStatusException ex) { this.logger.debug("Invalid UserDetails: " + ex.getMessage()); } catch (RememberMeAuthenticationException ex) { this.logger.debug(ex.getMessage()); } cancelCookie(request, response); return null;}

大致整体流程就是如果拿不到实例，则进行remember-me验证，通过autoLogin方法里获取cookie，解析令牌，拿到Auth，最后进行校验。之后剩下的和登陆流程分析的差不多。

以上是"Spring Security如何实现自动登陆功能"这篇文章的所有内容，感谢各位的阅读!希望分享的内容对大家有帮助，更多相关知识，欢迎关注行业资讯频道!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.