Spring BlazeDS Integration Spring Security (4)---Custom remembermeservices to find a successful entry point for automatic landing

Let me start with a phenomenon, such as an application that uses spring BlazeDS integration to configure spring security.

The following figure is the user has logged in successfully, entered the interface, at this time the login button is a device, no function; The logout button is the API provided by flex to complete the logout operation:

When, the user did not click the Logout button, directly closed the browser, such as Firefox browser. When users use Firefox to open the link again, the interface to the user is still a successful login.

In view of this phenomenon, my superficial analysis of spring security remembermeservices Source after analysis, there are the following results,
The authentication process for spring security is roughly as follows: "After the user has successfully logged in. When the user closes the browser directly and then re-opens the browser to access the Web ": The Dofilter () of the Org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter filter is called.
In the DoFilter () method, the Autologin (request, Response) method of the currently configured Remembermeservices class is called
The Autologin (Request, Response) method detects the cookie information transmitted by the current browser.
If the cookie information is not expired, in the cookie information, find the key "Spring_security_remember_me_cookie" value (set by SPRING SECURITY) to find value, Use UserService, re-retrieve user information, store in org.springframework.security.core.userdetails.UserDetails case object, then, put Userdetails, Converted to authentication, this autologin (request, Response) method is completed: Authentication Remembermeauth = Remembermeservices.autologin ( request, response); Continue, inside the DoFilter () method, the Remembermeauth will be put into the SecurityContext: Securitycontextholder.getcontext (). Setauthentication ( Remembermeauth); The front flex Gui is based on whether you can get authentication from SecurityContext (Authentication authentication = Securitycontextholder.getcontext (). Getauthentication ()), to determine whether the user has landed. Summary, "after the user has successfully logged in. When the user closes the browser directly and then re-opens the browser to access the Web ": Remembermeservices will be re-setup authentication to SecurityContext based on the cookie.

Then the question of the session came: "After the user has successfully logged in." When the user closes the browser directly and then re-opens the browser to access the Web ": SessionID is re-created, the session is also newly created, Log:[blazeds]flexsession created with ID ' 81e8aff21272ecfc84a29663d8eaab03 ' for an http-based client connection. This means that the session before the browser is closed can not be found, and then go to the session of the value of the add can not be found ... Note If it is a browser refresh operation, in general, the session ID is not changed) summary, "after the user successfully logged in." When the user closes the browser and then re-opens the browser to access the Web ", the session will be new, not related to the cookie, the session is empty, there is no ever set (once set, refers to, when the user login success to the session Value of Set) over the properties.

Overall look down: "After the user has successfully logged in. When the user closes the browser directly and then re-opens the browser to access the Web "
Authentication will be "restored": Because Remembermeservices will Autologin ()
Session will be "new": Because the session Id is new, the server can not go back to the original session therefore, the user is now determined that the status of the login, but the session is empty, then if in the program, If you want to take some of the properties you've set in the session, you'll get an error and not a value.


Scenario 1: When a user logs on successfully, the session ID is written to the cookie Remembermeservices call Autologin (), the session ID is read, the original session is obtained from the server

Scenario 2 To resolve this issue:
Do not write the session ID to the cookie remembermeservices call Autologin (), in fact, has created a new, empty session,
At this point, then set the relevant properties to the empty session
I personally feel that scenario 2 is better because: "Write session ID to cookie", this function is not difficult to implement, can be implemented in the Remembermeservices.onloginsuccess () method.
But it raises a few questions. The cookie has an expiration time, the session also has the expiration time, its two expiration time is different how to do. The cookie will be erased in the browser, and the session ID will disappear forever, and the original session can never be found. The Java API does not provide a way to get a session via session ID.
Online there are methods, the session can be stored in the Key-value way in ServletContext (Http://www.andowson.com/posts/list/371.page),
If the session expires, then you have to write a listening method to remove it. In short, scenario 1, will be caused by some of the column problems, too much trouble ...
Implementation of Scenario 2: Remembermeservices's Autologin () method is not allowed to be overwritten
Autologin () internally calls Processautologincookie (), this method allows the overridden
You can override the Processautologincookie () in the custom Remembermeservices method, where the empty session is reset to the relevant properties, specifically implemented as follows

Package test;
Import Javax.servlet.http.HttpServletRequest;
Import Javax.servlet.http.HttpServletResponse;

Import javax.servlet.http.HttpSession;
Import org.springframework.beans.factory.annotation.Autowired;
Import Org.springframework.flex.samples.product.IProductDAO;
Import org.springframework.security.core.Authentication;
Import Org.springframework.security.core.context.SecurityContextHolder;
Import Org.springframework.security.core.userdetails.UserDetails;

Import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices; public class Myremembermeservices extends Tokenbasedremembermeservices {private static final String Current_name = "cur
	Rent_name ";

	@Autowired private Userdao Userdao; @Override public void onloginsuccess (HttpServletRequest request, httpservletresponse response, authentication Succe
		ssfulauthentication) {super.onloginsuccess (Request, response, successfulauthentication); Securitycontextholder.getcontext (). Setauthentication (successfulauthentication);
	This.afteronloginsuccess (Request, response, successfulauthentication); } private void Afteronloginsuccess (HttpServletRequest request, httpservletresponse response, authentication succes
		Sfulauthentication) {HttpSession session = Request.getsession ();
		
		
		SYSTEM.OUT.PRINTLN ("Login success-----------------Session id =" + session.getid ());
		String userName = Successfulauthentication.getname (); 
	When the login is successful, set properties for the newly created empty session, Session.setattribute (Current_name, Userdao.findbyusername (userName));  } protected Userdetails Processautologincookie (string[] cookietokens, httpservletrequest request, HttpServletResponse
		Response) {Userdetails userdetails = Super.processautologincookie (cookietokens, request, response);
		This.afterprocessautologincookie (userdetails, request, response);
	return userdetails; } private void Afterprocessautologincookie (Userdetails userdetails, httpservletrequest request, HttpserVletresponse response) {HttpSession session = Request.getsession ();//Before session,</span> here will be based on the new session
		
		ID creates a new session System.out.println ("Auto Login success-----------------Session id =" + session.getid ());
		String userName = Userdetails.getusername (); 
		When the user has logged in, directly close the browser, and then open the browser again, access to the Web application, the following is: "Automatic" Login process//"Automatic" login success, for the newly created empty session set properties, 
	Session.setattribute (Current_name, Userdao.findbyusername (userName));
 }

}

Here, I set a database inside the session of the user record, the purpose is to let the session can be stored, the user ID primary key we have to know, the authentication object is not the ID of the primary key ....... ..... 。。。。。。。。。。。。。。。


There are no changes to the Security-config.xml configuration file:

<?xml version= "1.0" encoding= "UTF-8"?> <beans:beans xmlns= "http://www.springframework.org/schema/security "Xmlns:beans=" Http://www.springframework.org/schema/beans "xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance "Xsi:schemalocation=" Http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/ Spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org /schema/security/spring-security-3.0.xsd ">  

 

 

 

 

 

 

PS: Why always use the same browser during this test. The reason is that cookies are different from the cookie files stored in different browsers, such as the cookie path of Firefox:

XP C:\Documents and Settings\ user name \application Data\mozilla\firefox\profiles\xxxxxxxx.default\

Win7 C:\Users\ user name \appdata\local\mozilla\firefox\profiles but the normal way to see the folder is not visible.