SpringBoot 之Spring Security自动登录功能

版本SpringBoot2.2.6.RELEASE

1、pom.xml依赖

 <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-security</artifactId>
   </dependency>


   <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-web</artifactId>
   </dependency>

完整pom.xml：

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.6.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>cn.linst</groupId>
    <artifactId>rememberme</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>rememberme</name>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>


        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

2、Spring Security配置
SecurityConfig 类：

package cn.linst.remeberme;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;


@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("zhangsan")
                .password("123").roles("admin");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .and()
                .rememberMe()
//               .key("coffee")   //可以指定这个 key，服务端重启或者浏览器打开再关闭，也能访问到 /hello 接口。
                .and()
                .csrf().disable();
    }
}

加上 .rememberMe()即可。

3、创建一个控制器

package cn.linst.remeberme;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;


@RestController
public class HelloController {
    @GetMapping("/hello")
    public String hello() {
        return "hello";
    }
}

4、启动访问http://localhost:8001/hello
跳转到登录页

登录成功后，跳转到/hello。
/login请求参数

查看控制台，/hello请求发现带上RememberMe

关闭浏览器，再去访问不用登录了。直接能访问到/hello。

5、remember-me分析
1）remember-me的值是一个 Base64 转码后的字符串。
remember格式是MD5 ( username + “:” + tokenExpiryTime + “:” + password + “:” + key)， key 是一个散列盐值，用来防治令牌被修改。
2）在源码TokenBasedRememberMeServices中可以看到：

public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
	@Override
	public void onLoginSuccess(HttpServletRequest request, HttpServletResponse response,
			Authentication successfulAuthentication) {

		// 从登录成功的 Authentication 中提取出用户名/密码
		String username = retrieveUserName(successfulAuthentication);
		String password = retrievePassword(successfulAuthentication);

		// If unable to find a username and password, just abort as
		// TokenBasedRememberMeServices is
		// unable to construct a valid token in this case.
		if (!StringUtils.hasLength(username)) {
			logger.debug("Unable to retrieve username");
			return;
		}

		if (!StringUtils.hasLength(password)) {
			UserDetails user = getUserDetailsService().loadUserByUsername(username);
			password = user.getPassword();

			if (!StringUtils.hasLength(password)) {
				logger.debug("Unable to obtain password for user: " + username);
				return;
			}
		}

		//去获取令牌的有效期，令牌有效期默认就是两周
		int tokenLifetime = calculateLoginLifetime(request, successfulAuthentication);
		long expiryTime = System.currentTimeMillis();
		// SEC-949，令牌有效期默认两个星期
		expiryTime += 1000L * (tokenLifetime < 0 ? TWO_WEEKS_S : tokenLifetime);
		
		// 计算散列值
		String signatureValue = makeTokenSignature(expiryTime, username, password);
		
		// 用户名、令牌有效期、散列值放入 Cookie 
		setCookie(new String[] { username, Long.toString(expiryTime), signatureValue },
				tokenLifetime, request, response);

		if (logger.isDebugEnabled()) {
			logger.debug("Added remember-me cookie for user '" + username
					+ "', expiry: '" + new Date(expiryTime) + "'");
		}
	}
	
	protected String makeTokenSignature(long tokenExpiryTime, String username, String password) {
			// getKey()，默认值是一个 UUID 字符串。如果服务端重启，这个 key 会变，这样之前的所有 remember-me 自动登录令牌失效。
			String data = username + ":" + tokenExpiryTime + ":" + password + ":" + getKey();
			MessageDigest digest;
			try {
				digest = MessageDigest.getInstance("MD5");
			}
			catch (NoSuchAlgorithmException e) {
				throw new IllegalStateException("No MD5 algorithm available!");
			}
	
			return new String(Hex.encode(digest.digest(data.getBytes())));
		}
	}

6、优化
可以指定这个 key，服务端重启或者浏览器打开再关闭，也能访问到 /hello 接口。
修改SecurityConfig #configure(HttpSecurity http) ，如下：

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
// 省略其他
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .and()
                .rememberMe()
                .key("coffee")	// 任意
                .and()
                .csrf().disable();
    }
 }