[code]if (SecurityContextHolder.getContext().getAuthentication() == null) {
Authentication rememberMeAuth = rememberMeServices.autoLogin(httpRequest, httpResponse);
if (rememberMeAuth != null) {
// Attempt authenticaton via AuthenticationManager
try {
authenticationManager.authenticate(rememberMeAuth);
// Store to SecurityContextHolder
SecurityContextHolder.getContext().setAuthentication(rememberMeAuth);
if (logger.isDebugEnabled()) {
logger.debug("SecurityContextHolder populated with remember-me token: '"
+ SecurityContextHolder.getContext().getAuthentication() + "'");
}
// Fire event
if (this.eventPublisher != null) {
eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
SecurityContextHolder.getContext().getAuthentication(), this.getClass()));
}
} catch (AuthenticationException authenticationException) {
if (logger.isDebugEnabled()) {
logger.debug(
"SecurityContextHolder not populated with remember-me token, as AuthenticationManager rejected Authentication returned by RememberMeServices: '"
+ rememberMeAuth + "'; invalidating remember-me token", authenticationException);
}
rememberMeServices.loginFail(httpRequest, httpResponse);
}
}[/code]
for the protected url,if the security context is null,the RememberMeProcessingFilter will get the cookie from local which way is the same
as inputing the name and pass in the form.it will create an
RememberMeAuthenticationToken from the cookie.see the code:
[code]
RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(this.key, userDetails,
userDetails.getAuthorities());
auth.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
[/code]
The key component is the rememberMeServices see how it write and read the cookie:
write:
[code]
String signatureValue = new String(DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key));
String tokenValue = username + ":" + expiryTime + ":" + signatureValue;
String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes()));
response.addCookie(makeValidCookie(expiryTime, tokenValueBase64, request));[/code];
read:
[code] String expectedTokenSignature = DigestUtils.md5Hex(userDetails.getUsername() + ":"
+ tokenExpiryTime + ":" + userDetails.getPassword() + ":" + this.key);
if (!expectedTokenSignature.equals(cookieTokens[2])) {
cancelCookie(request, response,
"Cookie token[2] contained signature '" + cookieTokens[2] + "' but expected '"
+ expectedTokenSignature + "'");
return null;
}[/code];
u could see the cookie is encripted by MD5,so if even attackers get
the cookie,he can't get the passward.
after geting the RememberMeAuthenticationToken ,it pass it to the
authenticationManager for more authentication.
Authentication rememberMeAuth = rememberMeServices.autoLogin(httpRequest, httpResponse);
if (rememberMeAuth != null) {
// Attempt authenticaton via AuthenticationManager
try {
authenticationManager.authenticate(rememberMeAuth);
// Store to SecurityContextHolder
SecurityContextHolder.getContext().setAuthentication(rememberMeAuth);
if (logger.isDebugEnabled()) {
logger.debug("SecurityContextHolder populated with remember-me token: '"
+ SecurityContextHolder.getContext().getAuthentication() + "'");
}
// Fire event
if (this.eventPublisher != null) {
eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
SecurityContextHolder.getContext().getAuthentication(), this.getClass()));
}
} catch (AuthenticationException authenticationException) {
if (logger.isDebugEnabled()) {
logger.debug(
"SecurityContextHolder not populated with remember-me token, as AuthenticationManager rejected Authentication returned by RememberMeServices: '"
+ rememberMeAuth + "'; invalidating remember-me token", authenticationException);
}
rememberMeServices.loginFail(httpRequest, httpResponse);
}
}[/code]
for the protected url,if the security context is null,the RememberMeProcessingFilter will get the cookie from local which way is the same
as inputing the name and pass in the form.it will create an
RememberMeAuthenticationToken from the cookie.see the code:
[code]
RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(this.key, userDetails,
userDetails.getAuthorities());
auth.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
[/code]
The key component is the rememberMeServices see how it write and read the cookie:
write:
[code]
String signatureValue = new String(DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key));
String tokenValue = username + ":" + expiryTime + ":" + signatureValue;
String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes()));
response.addCookie(makeValidCookie(expiryTime, tokenValueBase64, request));[/code];
read:
[code] String expectedTokenSignature = DigestUtils.md5Hex(userDetails.getUsername() + ":"
+ tokenExpiryTime + ":" + userDetails.getPassword() + ":" + this.key);
if (!expectedTokenSignature.equals(cookieTokens[2])) {
cancelCookie(request, response,
"Cookie token[2] contained signature '" + cookieTokens[2] + "' but expected '"
+ expectedTokenSignature + "'");
return null;
}[/code];
u could see the cookie is encripted by MD5,so if even attackers get
the cookie,he can't get the passward.
after geting the RememberMeAuthenticationToken ,it pass it to the
authenticationManager for more authentication.
扫一扫
201
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
