
How does Remember Me work in Spring Security?

I'm curious how Remember Me works in general and how it works in Spring Security.

I understand that the server sends long-lived cookies to the client. Then the client sends the cookie back and the server can recognize the client because there's something like a hash-map on the server with relations cookie --> session.

I don't understand how the server [server-side application] recognizes a client by cookie after the server [Tomcat] has been restarted.

How and where does Spring Security save the cookie-session map before server shutdown? Is it server-specific (i.e. does something different happen in Tomcat, Jetty, etc.)?

PS: one more related problem with Spring Security and redeployment: even if I don't tick RememberMe and log in, I'm still recognized after redeployment for about 3 mins. Is it fixable?

The Spring Security docs discuss how this actually works:

This approach uses hashing to achieve a useful remember-me strategy. In essence a cookie is sent to the browser upon successful interactive authentication, with the cookie being composed as follows:

base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" + password + ":" + key))

...

As such the remember-me token is valid only for the period specified, and provided that the username, password and key do not change. Notably, this has a potential security issue in that a captured remember-me token will be usable from any user agent until such time as the token expires. This is the same issue as with digest authentication.

Basically the cookie contains the username, password, expiration time and a key (which you specify), all of which are hashed together. When your browser sends the contents of this cookie to the server, Spring Security:

  1. Retrieves the password from the backend for the given username
  2. Computes the md5Hex() of the username/password/etc. from the database and compares it to the value in the cookie
  3. If they match, you are logged in! If not a match, then you've supplied a forged cookie or one of the username/password/key has changed.

The underlying assumption here is that the hash function (the md5Hex() part above) provides a way to easily encode some piece of data in one direction yet is incredibly hard and impractical to reverse (to recover the password from the md5Hex text).
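The token layout and the three verification steps from the answer above, modelled as an added example in Python (this is not Spring Security's own code; the user store, the server key and the timestamps are constructed here). Besides the happy path it shows why a token stops verifying after a password or key change, why editing the plaintext username fails, and that nothing in the scheme binds the token to the client that originally received it, which is the "captured token" caveat the docs describe.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not from any real deployment): the credential store and
# the deployment-wide key that the answer says you configure yourself.
USER_DB = {"alice": "s3cret-password", "bob": "other-password"}
SERVER_KEY = "example-remember-me-key"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_token(username: str, password: str, key: str, expiration_ms: int) -> str:
    """Build base64(username:expiry:md5Hex(username:expiry:password:key))."""
    signature = md5_hex(f"{username}:{expiration_ms}:{password}:{key}")
    return base64.b64encode(f"{username}:{expiration_ms}:{signature}".encode()).decode()


def verify_token(token: str, user_db: dict, key: str, now_ms: int):
    """Return the username if the token verifies, else None (the answer's steps 1-3)."""
    try:
        raw = base64.b64decode(token, validate=True).decode()
        username, exp_str, presented = raw.split(":", 2)
        expiration_ms = int(exp_str)
    except ValueError:
        return None  # malformed cookie (bad base64, wrong field count, non-numeric expiry)
    if expiration_ms <= now_ms:
        return None  # past the period the token was issued for
    password = user_db.get(username)  # step 1: fetch the current password from the backend
    if password is None:
        return None
    expected = md5_hex(f"{username}:{expiration_ms}:{password}:{key}")  # step 2: recompute
    # step 3: compare; constant-time so the comparison does not leak the hash by timing
    return username if hmac.compare_digest(expected, presented) else None


def demo() -> dict:
    now = 1_700_000_000_000  # constructed "current time" in milliseconds
    token = make_token("alice", USER_DB["alice"], SERVER_KEY, now + 60_000)
    # Edit only the plaintext username: the hash still covers "alice", so it no longer matches.
    raw = base64.b64decode(token).decode()
    forged = base64.b64encode(raw.replace("alice", "bob", 1).encode()).decode()
    return {
        "valid": verify_token(token, USER_DB, SERVER_KEY, now),
        "expired": verify_token(token, USER_DB, SERVER_KEY, now + 120_000),
        "password_changed": verify_token(token, {"alice": "new-pw"}, SERVER_KEY, now),
        "key_changed": verify_token(token, USER_DB, "rotated-key", now),
        "forged_username": verify_token(forged, USER_DB, SERVER_KEY, now),
        # The same cookie verifies from any presenter until expiry: no client binding.
        "replayed_elsewhere": verify_token(token, USER_DB, SERVER_KEY, now),
    }
```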

Don't confuse session cookies with Remember Me cookies.

The session cookie is sent by the server (e.g. Tomcat) and used to associate an incoming request with the session.

The Remember Me cookie is sent by Spring Security to authenticate the client in different sessions (e.g. after expiration of the original session or after a server restart).

To authenticate a user by Remember Me cookie, Spring Security provides two strategies:
