“This is the 22nd day of my participation in the Gwen Challenge in November. Check out the details: The Last Gwen Challenge in 2021.”
Author: Tangyuan
Personal blog: Javalover.cc
Preface
The previous article introduced a form-login example based on Spring Security.
This article explains how to add a "remember me" feature to that form login.
With this feature enabled, the system automatically obtains a fresh session credential after the old one becomes invalid, without the user having to log in again.
Note that the credential in question is not an application-issued token but the JSESSIONID: it is returned the first time the front end calls the back end, and from then on the JSESSIONID serves as the credential for all communication between the front end and the back end.
Contents
- Security configuration
- The front-end component
- Practice – Don’t check the rememberMe box
- Practice – Check the rememberMe
- More configuration
Body
1. Configure security
Here we use the simplest possible configuration: add a rememberMe() call to the HttpSecurity chain, as follows.
    import lombok.extern.slf4j.Slf4j;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    @EnableWebSecurity
    @Slf4j
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            // Users are not persisted, only kept in memory
            auth.inMemoryAuthentication()
                .withUser("javalover").password(passwordEncoder().encode("123456")).roles("USER")
                .and()
                .withUser("admin").password(passwordEncoder().encode("123456")).roles("ADMIN");
        }

        // Encoder used by the in-memory user store above
        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        // Authorization-related configuration
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            log.info("=== SecurityConfiguration.authorize ===");
            http
                // Logout is accessible to all users
                .logout().permitAll()
                .deleteCookies("JSESSIONID")
                .and()
                .rememberMe();
                // ... other configuration omitted
        }
    }
As you can see, all that is needed is the rememberMe() call: once it is in place, remember-me can obtain a new session credential when the old one expires, without the user re-entering a username and password.
2. Front-end components
Simply add a "remember me" check box to the login form. The form is kept as simple as possible:
    <form action="/login" method="post">
        <table>
            <tr>
                <td><input name="username" placeholder="Username"></td>
            </tr>
            <tr>
                <td><input name="password" placeholder="Password"></td>
            </tr>
            <tr>
                <td>Remember me:</td>
                <td><input type="checkbox" name="remember-me" /></td>
            </tr>
        </table>
        <button type="submit">Login</button>
    </form>
3. Practice: without checking rememberMe
Here is a simple test based on the code above, comparing the behaviour with and without the rememberMe box checked.
The complete code is available at the address at the end of the article.
Step 1: Start the program and open the login page. Log in with javalover / 123456.
Leave "remember me" unchecked and click Login; the browser is redirected to the home page.
Step 2: This is the key step. Delete the JSESSIONID from the browser's local cookies: F12 -> Application -> Cookies -> JSESSIONID -> right-click -> Delete.
Step 3: Refresh the page. The browser is redirected back to the login page, because the credential for front-end/back-end communication is gone.
We do not actually have to delete the cookie by hand; we can also wait for the session to expire (30 minutes by default). The timeout can be set in application.yml with server.servlet.session.timeout=60; without a unit suffix the value is in seconds.
Once the session on the back end is invalid, the JSESSIONID generated for that session is necessarily invalid too.
4. Practice: with rememberMe checked
Next, check "remember me" and repeat the steps above. After deleting the JSESSIONID cookie, we find that a "remember-me" cookie is still present.
Although the JSESSIONID has been deleted, the remember-me cookie remains, so communication between the front end and the back end is not broken.
Refreshing the page now keeps us on the home page rather than redirecting to the login page.
If, however, we delete the remember-me cookie as well, the result is the login page again.
5. More configuration
Expiration time:
For the remember-me we configured above, the token is valid for two weeks by default. We can configure a shorter lifetime, for example one day:
        .logout().permitAll()
        .deleteCookies("JSESSIONID")
        .and()
        .rememberMe()
        .tokenValiditySeconds(86400)
        .and()
Strictly speaking, this lifetime is the expiration time of the remember-me cookie itself.
With this setting, if the JSESSIONID is deleted or the session expires more than a day after login, refreshing the page will once again redirect to the login page.
Signing key:
The remember-me cookie value we saw in the browser's debugging tools is derived from MD5(username + expiration time + password + key).
The key can be configured by ourselves, as follows:
        .rememberMe()
        .key("privateKey")
        .tokenValiditySeconds(86400)
Conclusion
The JSESSIONID returned on the first request is the credential for all subsequent communication between the front end and the back end.
When the JSESSIONID is deleted or the session expires, the system logs the user in again automatically as long as the remember-me cookie has not expired (two weeks by default).
The actual expiration time of the remember-me cookie can be seen in the browser's debugging tools, as follows:
Source address