1、需求来源
很多网站在登录时都会看到类似”记住我”的选项,毕竟总让用户输入用户名和密码是一件很麻烦的事。
自动登录功能就是,用户在登录成功后,在某一段时间内,如果用户关闭了浏览器并重新打开,或者服务器重启了,都不需要用户重新登录,用户依然可以直接访问接口数据。
2、实战代码
在我们的自定义配置SecurityConfig中添加remember-me的配置:
@Overrideprotected void configure(HttpSecurity http) throws Exception {http....rememberMe().key("security").and().formLogin().and()...}
除了添加以上配置之外,还得在表单登录中添加一个remember-me的参数并且设置为”true”或者”on”或者”1”或者”yes”都行,类似这样:
📍为什么要添加一个remember-me参数并且值可以是这些值???后面在源码分析的时候会解释清楚。
登录成功之后,在返回的reopnese中会携带一个remember-me的cookie:
接下来,当我们关闭浏览器再重新打开浏览器。正常情况下,浏览器关闭重新打开,如果再次访问受保护的接口,就需要我们重新登录。但是此时,我们访问的时候并不需要再次登录,直接就能访问成功,这就说明我们的rememer-me配置已经生效。
3、源码分析🎨
经过前面这么多篇源码分析的洗礼,相信大家都已经知道一个认证过滤器是怎样生成的了吧?
我们在SecurityConfig自定义配置中加入http.rememberMe().key("security"),即我们在HttpSecurity对象中的cofigurers集合中添加RememberMeConfigurer配置,然后在httpSecurity构建过滤器链的时候,会依次执行RememberMeConfigurer配置类的init方法和configure方法。
3.1、init方法
public void init(H http) throws Exception {validateInput();String key = getKey();RememberMeServices rememberMeServices = getRememberMeServices(http, key);http.setSharedObject(RememberMeServices.class, rememberMeServices);LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);if (logoutConfigurer != null && this.logoutHandler != null) {logoutConfigurer.addLogoutHandler(this.logoutHandler);}RememberMeAuthenticationProvider authenticationProvider = new RememberMeAuthenticationProvider(key);authenticationProvider = postProcess(authenticationProvider);http.authenticationProvider(authenticationProvider);initDefaultLoginFilter(http);}
获取key:在接下来去计算散列值的时候会用到,这个散列值就是我们在上面看到
cookie中remember-me对应的value值,这个key默认值是一个UUID字符串,这样在服务端重启之后,这个Key会变,这样就会导致之前派发出去的所有remember-me自动登录令牌失效,所以我在自定义配置中指定了这个key,这样就算服务端重启对用户来说也不需要重新登录。private String getKey() {if (this.key == null) {if (this.rememberMeServices instanceof AbstractRememberMeServices) {this.key = ((AbstractRememberMeServices) this.rememberMeServices).getKey();}else {this.key = UUID.randomUUID().toString();}}return this.key;}
获取RememeberMeServices:创建
RememeberMeServices,如果没有配置过tokenRepository,那么创建的是TokenBasedRememberMeServices,否则创建的是PersistentTokenBasedRememberMeServices。 ```java private RememberMeServices getRememberMeServices(H http, String key) throws Exception { if (this.rememberMeServices != null) {if (this.rememberMeServices instanceof LogoutHandler && this.logoutHandler == null) {this.logoutHandler = (LogoutHandler) this.rememberMeServices;}return this.rememberMeServices;
} AbstractRememberMeServices tokenRememberMeServices = createRememberMeServices(http, key); tokenRememberMeServices.setParameter(this.rememberMeParameter); tokenRememberMeServices.setCookieName(this.rememberMeCookieName); if (this.rememberMeCookieDomain != null) {
tokenRememberMeServices.setCookieDomain(this.rememberMeCookieDomain);
} if (this.tokenValiditySeconds != null) {
tokenRememberMeServices.setTokenValiditySeconds(this.tokenValiditySeconds);
} if (this.useSecureCookie != null) {
tokenRememberMeServices.setUseSecureCookie(this.useSecureCookie);
} if (this.alwaysRemember != null) {
tokenRememberMeServices.setAlwaysRemember(this.alwaysRemember);
} tokenRememberMeServices.afterPropertiesSet(); this.logoutHandler = tokenRememberMeServices; this.rememberMeServices = tokenRememberMeServices; return tokenRememberMeServices; }
private AbstractRememberMeServices createRememberMeServices(H http, String key) { return (this.tokenRepository != null) ? createPersistentRememberMeServices(http, key) : createTokenBasedRememberMeServices(http, key); }
3. 将创建好的`RememeberMeServices`放到`httpSecurity`的共享对象中,这样其他的`xxxConfigurer`配置类也能拿到该`RememeberMeServices`,在`AbstractAuthenticationFilterConfigurer#cofigure`方法中就用到了从共享对象中获取`RememeberMeServices`对象,然后设置到`UsernamePasswordAuthenticationFilter`的`rememberMeServices`属性中。3. 新建一个`RememberMeAuthenticationProvider`对象,将获取到的key当做参数传入,然后将其使用`postProcess`方法放到`spring`容器中,然后将其添加到`HttpSecuity`对象中的`providers`集合中,后续在进行`remember-me`认证的时候会使用。3. 最后在初始化默认登录页面生成过滤器中设置它的`remember-me`参数。<a name="RYT7v"></a>## 3.2、configure方法就像我们之前分析过的其他过滤器一样,在该阶段的主要任务就是将配置好的过滤器加入到`HttpSecurity`的`filters`集合中,即加入到过滤器链中。```javapublic void configure(H http) {RememberMeAuthenticationFilter rememberMeFilter = new RememberMeAuthenticationFilter(http.getSharedObject(AuthenticationManager.class), this.rememberMeServices);if (this.authenticationSuccessHandler != null) {rememberMeFilter.setAuthenticationSuccessHandler(this.authenticationSuccessHandler);}rememberMeFilter = postProcess(rememberMeFilter);http.addFilter(rememberMeFilter);}
新建一个RememberMeAuthenticationFilter过滤器对象,将从共享对象中取出来的AuthenticationManager对象和上面创建好的RememeberMeServices作为参数传入,将创建好的RememberMeAuthenticationFilter过滤器注入到spring容器中以及添加到HttpSecurity的filters集合中(即将该过滤器添加到过滤器链中)。
3.3、生成令牌
我们先来看看remember-me的令牌是什么时候生成的,以及怎么生成的呢?
在我们使用表单登录成功后,会调用UsernamePasswordAuthenticationFilter的父类AbstractAuthenticationProcessingFilter中的的successfulAuthentication。
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,Authentication authResult) throws IOException, ServletException {SecurityContext context = SecurityContextHolder.createEmptyContext();context.setAuthentication(authResult);SecurityContextHolder.setContext(context);if (this.logger.isDebugEnabled()) {this.logger.debug(LogMessage.format("Set SecurityContextHolder to %s", authResult));}this.rememberMeServices.loginSuccess(request, response, authResult);if (this.eventPublisher != null) {this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));}this.successHandler.onAuthenticationSuccess(request, response, authResult);}
在这个方法里面,就调用了rememberMeServices类(在3.2章节的configure中被赋值)中的loginSuccess方法。这个方法会先判断参数中给是否存在remember-me参数以及remember-me的值是否是”true” | “on” | “yes” | “1” 这四个值中的一个,这也就解释了上面的疑问,为什么要添加remember-me这个参数以及参数的值可以是这4种,如果正确的话,就会调用onLoginSuccess方法,这个方法是个抽象方法,在子类中被实现。经过上面的分析,因为我们没有配置tokenRepository,所以使用的就是TokenBasedRememberMeServices。
public final void loginSuccess(HttpServletRequest request, HttpServletResponse response,Authentication successfulAuthentication) {if (!rememberMeRequested(request, this.parameter)) {this.logger.debug("Remember-me login not requested.");return;}onLoginSuccess(request, response, successfulAuthentication);}protected boolean rememberMeRequested(HttpServletRequest request, String parameter) {if (this.alwaysRemember) {return true;}String paramValue = request.getParameter(parameter);if (paramValue != null) {if (paramValue.equalsIgnoreCase("true") || paramValue.equalsIgnoreCase("on")|| paramValue.equalsIgnoreCase("yes") || paramValue.equals("1")) {return true;}}this.logger.debug(LogMessage.format("Did not send remember-me cookie (principal did not set parameter '%s')", parameter));return false;}
onLoginSuccess方法是生成令牌的核心方法。
@Overridepublic void onLoginSuccess(HttpServletRequest request, HttpServletResponse response,Authentication successfulAuthentication) {String username = retrieveUserName(successfulAuthentication);String password = retrievePassword(successfulAuthentication);if (!StringUtils.hasLength(password)) {UserDetails user = getUserDetailsService().loadUserByUsername(username);password = user.getPassword();}int tokenLifetime = calculateLoginLifetime(request, successfulAuthentication);long expiryTime = System.currentTimeMillis();expiryTime += 1000L * (tokenLifetime < 0 ? TWO_WEEKS_S : tokenLifetime);String signatureValue = makeTokenSignature(expiryTime, username, password);setCookie(new String[] { username, Long.toString(expiryTime), signatureValue },tokenLifetime, request, response);}protected String makeTokenSignature(long tokenExpiryTime, String username,String password) {String data = username + ":" + tokenExpiryTime + ":" + password + ":" + getKey();MessageDigest digest;digest = MessageDigest.getInstance("MD5");return new String(Hex.encode(digest.digest(data.getBytes())));}
- 首先从登录成功的
Authentication中取出用户名和密码。 - 由于登录成功之后,密码可能会被擦除,所以,如果一开始没有拿到密码,就再从
UserDetailsService中重新加载用户并重新获取密码。 - 再接下来就是去获取令牌的有效期,令牌有效期如果没有配置的话默认就是两周。
- 再接下来就是调用
makeTokenSignature方法去计算散列值,实际上就是根据username,令牌有效期以及password、key一起计算出一个散列值。 最后,将用户名、令牌有效期以及计算得到的散列值放入Cookie中。
3.4、解析令牌
当用户登录成功之后,关掉再打开浏览器,访问受保护的接口,居然可以访问成功!那么这是怎么做到的呢?
经过上面的init和configure方法,在我们的Spring Security过滤器链中已经存在一个专门用于remember-me认证的过滤器RememberMeAuthenticationFilter。public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)throws IOException, ServletException {HttpServletRequest request = (HttpServletRequest) req;HttpServletResponse response = (HttpServletResponse) res;if (SecurityContextHolder.getContext().getAuthentication() == null) {Authentication rememberMeAuth = rememberMeServices.autoLogin(request,response);if (rememberMeAuth != null) {rememberMeAuth = authenticationManager.authenticate(rememberMeAuth);SecurityContextHolder.getContext().setAuthentication(rememberMeAuth);onSuccessfulAuthentication(request, response, rememberMeAuth);if (this.eventPublisher != null) {eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(SecurityContextHolder.getContext().getAuthentication(), this.getClass()));}if (successHandler != null) {successHandler.onAuthenticationSuccess(request, response,rememberMeAuth);return;}}chain.doFilter(request, response);}else {chain.doFilter(request, response);}}
这个方法最关键的地方在于,如果从
SecurityContextHolder中无法获取到当前登录用户实例,那么就调用rememberMeService.autoLogin方法进行登录。public final Authentication autoLogin(HttpServletRequest request,HttpServletResponse response) {String rememberMeCookie = extractRememberMeCookie(request);if (rememberMeCookie == null) {return null;}logger.debug("Remember-me cookie detected");if (rememberMeCookie.length() == 0) {logger.debug("Cookie was empty");cancelCookie(request, response);return null;}UserDetails user = null;try {String[] cookieTokens = decodeCookie(rememberMeCookie);user = processAutoLoginCookie(cookieTokens, request, response);userDetailsChecker.check(user);logger.debug("Remember-me cookie accepted");return createSuccessfulAuthentication(request, user);}catch (CookieTheftException cte) {throw cte;}cancelCookie(request, response);return null;}
可以看到,这里就是提取
Cookie信息,并对Cookie信息进行解码,解码之后,再调用processAutoLoginCookie方法去做校验。判断令牌是否过期,如果过期则直接抛出异常,如果没有过期则根据用户名查询出用户及其密码,然后通过md5散列函数计算出散列值,再将计算出来的散列值与浏览器传递过来的散列值进行比对,如果不一致则抛出异常,如果一致则返回获取到的userDetails。然后用RememberMeAuthenticationProvider去认证该rememberMeAuth,比对其中的key值是否相等,不相等则抛出异常,相等则将认证成功的rememberMeAuth放入SecurityContextHolder中。@Overrideprotected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request,HttpServletResponse response) {if (cookieTokens.length != 3) {throw new InvalidCookieException("Cookie token did not contain 3" + " tokens, but contained '" + Arrays.asList(cookieTokens) + "'");}long tokenExpiryTime = getTokenExpiryTime(cookieTokens);if (isTokenExpired(tokenExpiryTime)) {throw new InvalidCookieException("Cookie token[1] has expired (expired on '" + new Date(tokenExpiryTime)+ "'; current time is '" + new Date() + "')");}UserDetails userDetails = getUserDetailsService().loadUserByUsername(cookieTokens[0]);Assert.notNull(userDetails, () -> "UserDetailsService " + getUserDetailsService()+ " returned null for username " + cookieTokens[0] + ". " + "This is an interface contract violation");String expectedTokenSignature = makeTokenSignature(tokenExpiryTime, userDetails.getUsername(),userDetails.getPassword());if (!equals(expectedTokenSignature, cookieTokens[2])) {throw new InvalidCookieException("Cookie token[2] contained signature '" + cookieTokens[2]+ "' but expected '" + expectedTokenSignature + "'");}return userDetails;}
4、总结
看了上面的源码分析,大家可能发现,如果我们开启了RememberMe功能,最最核心的东西就是放在Cookie中的令牌了,这个令牌突破了session的限制,即使浏览器关闭后重新打开亦或者服务器重新,只要这个令牌没有过期,那么用户就无需登录都可以访问受保护的接口。
所以一旦令牌丢失,别人就可以拿着这个令牌随意登录我们的系统,这是一个非常危险的操作。
但是实际上这是一段悖论,为了提高用户体验(少登录),我们的系统不可避免的引出了一些安全问题,不过我们可以通过技术将安全风险降低到最小。
如何让我们的RememberMe功能更加安全呢?请看下篇文章—-持久化令牌方案。
若有收获,就点个赞吧
0 人点赞
