We know there is a risk that the information in the cookie will be intercepted and reused.
One way to make the remember-me function more secure is to bind the user's IP address to the contents of the cookie. Let's use an example to describe how to build a RememberMeServices implementation class that does this.
The basic implementation is to extend the o.s.s.web.authentication.rememberme.TokenBasedRememberMeServices base class so that the requester's IP address is added both to the cookie itself and to the other elements of the MD5 hash.
Extending this base class involves overriding its two main methods and overriding or implementing a few small helper methods. Note also that we need to store the HttpServletRequest (which we use to get the user's IP address) temporarily in a ThreadLocal, because some methods in the base class do not take an HttpServletRequest as a parameter.
First, we extend the TokenBasedRememberMeServices class and override specific behavior of the parent class. Although the parent class is easy to override, we do not want to duplicate its important processing, so the resulting class is very concise and somewhat difficult to follow. Create this class in the com.packtpub.springsecurity.security package:
    public class IPTokenBasedRememberMeServices extends TokenBasedRememberMeServices {
There are also some simple methods to set and get the ThreadLocal HttpServletRequest:
    private static final ThreadLocal<HttpServletRequest>
We also need to add a utility method that gets the IP address from the HttpServletRequest:
    protected String getUserIPAddress(HttpServletRequest request) {
        // address of the peer that opened the connection to the server
        return request.getRemoteAddr();
    }
The first interesting method that we override is onLoginSuccess, which sets the value of the cookie used for remember-me processing. In this method we need to set the ThreadLocal and clear it after processing is complete. Keep in mind what the parent method does: it gathers all of the user's authentication request information and combines it into a cookie.
    @Override
    public void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) {
        try {
            // make the request available to makeTokenSignature
            setContext(request);
            super.onLoginSuccess(request, response, successfulAuthentication);
        } finally {
            setContext(null);
        }
    }
The onLoginSuccess method of the parent class calls the makeTokenSignature method to create the MD5 hash of the authentication credentials. We override this method so that the returned value also covers the IP address obtained from the request, and we encode it with a utility class from the Spring Framework. (This method is also called when the remember-me cookie is checked, to determine whether the value sent by the client is consistent with the MD5 value the server generates from the user name, password, IP address, and so on.)
    @Override
    protected String makeTokenSignature(long tokenExpiryTime, String username, String password) {
        // same fields as the parent's hash, plus the requester's IP address
        return DigestUtils.md5DigestAsHex((username + ":" + tokenExpiryTime + ":" + password + ":" + getKey() + ":" + getUserIPAddress(getContext())).getBytes());
    }
Similarly, we override the setCookie method to add an extra encoded token that contains the IP address:
    @Override
    protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request, HttpServletResponse response) {
        // append the IP address to the cookie
        String[] tokensWithIPAddress = Arrays.copyOf(tokens, tokens.length + 1);
        tokensWithIPAddress[tokensWithIPAddress.length - 1] = getUserIPAddress(request);
        super.setCookie(tokensWithIPAddress, maxAge, request, response);
    }
Finally, we override the processAutoLoginCookie method, which validates the content of the remember-me cookie supplied by the client. The parent class does most of the interesting work for us, but to avoid running the parent's lengthy code unnecessarily, we check the IP address first before calling it.
    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request, HttpServletResponse response) {
        try {
            setContext(request);
            // take off the last token
            String ipAddressToken = cookieTokens[cookieTokens.length - 1];
            if (!getUserIPAddress(request).equals(ipAddressToken)) {
                throw new InvalidCookieException("Cookie IP address did not contain a matching IP (contained '" + ipAddressToken + "')");
            }
            // hand the remaining tokens to the parent for the normal checks
            return super.processAutoLoginCookie(Arrays.copyOf(cookieTokens, cookieTokens.length - 1), request, response);
        } finally {
            setContext(null);
        }
    }
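The cookie these overrides produce, and the check they perform on it, can be modelled without Spring. The following is an added example, not code from the original article: it assumes the parent class's cookie layout (Base64 of colon-joined tokens), and the class name IpBoundTokenDemo, the user, password and addresses are constructed sample values. The constant-time comparison and the split limit are choices made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration (constructed sample values): Spring-free model of the IP-bound cookie.
public class IpBoundTokenDemo {
    static final String KEY = "jbcppetstore"; // plays the role of the bean's "key" property

    // MD5 over username:expiry:password:key:ip, mirroring makeTokenSignature
    static String signature(long expiry, String user, String password, String ip) throws Exception {
        String data = user + ":" + expiry + ":" + password + ":" + KEY + ":" + ip;
        byte[] md5 = MessageDigest.getInstance("MD5").digest(data.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : md5) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Cookie value: Base64(username:expiry:signature:ip), the IP being the extra last token
    static String issue(String user, String password, long expiry, String ip) throws Exception {
        String plain = user + ":" + expiry + ":" + signature(expiry, user, password, ip) + ":" + ip;
        return Base64.getEncoder().encodeToString(plain.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: compare the IP token first, then expiry, then the recomputed hash
    static boolean accept(String cookie, String storedPassword, String remoteAddr, long now) throws Exception {
        try {
            String plain = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8);
            String[] t = plain.split(":", 4); // limit 4 keeps an IPv6 address in one token
            if (t.length != 4 || !t[3].equals(remoteAddr)) return false;
            long expiry = Long.parseLong(t[1]);
            if (expiry < now) return false;
            byte[] expected = signature(expiry, t[0], storedPassword, remoteAddr).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(expected, t[2].getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) { return false; } // malformed Base64 or expiry
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        long expiry = now + 14L * 24 * 3600 * 1000;
        String cookie = issue("guest", "guest-password", expiry, "192.0.2.10");
        System.out.println("same address:       " + accept(cookie, "guest-password", "192.0.2.10", now));
        System.out.println("different address:  " + accept(cookie, "guest-password", "198.51.100.7", now));
        // Rewrite only the IP token; the hash still covers the original address
        String plain = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8);
        String forged = Base64.getEncoder().encodeToString(
                plain.replace("192.0.2.10", "198.51.100.7").getBytes(StandardCharsets.UTF_8));
        System.out.println("IP token rewritten: " + accept(forged, "guest-password", "198.51.100.7", now));
    }
}
```

Only the first call is accepted: the second fails the IP comparison, and the third passes it but fails the hash check, because the signature was computed over the address the cookie was issued to.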
The coding of our custom RememberMeServices is now complete. Next we need a small amount of configuration.
Configuring a custom RememberMeServices implementation takes two steps. The first step is to modify the dogstore-base.xml Spring configuration file to add the Spring bean declaration of the class we just completed:
    <bean class="com.packtpub.springsecurity.security.IPTokenBasedRememberMeServices" id="iptokenbasedremembermeservicesbean">
        <property name="key"><value>jbcppetstore</value></property>
        <property name="userDetailsService" ref="userservice"/>
    </bean>
The second change is in the Spring Security XML configuration file. Modify the <remember-me> element to refer to the custom Spring bean as follows:
    <remember-me key="jbcppetstore" services-ref="iptokenbasedremembermeservicesbean"/>
Finally, add an id attribute to the <user-service> declaration if it does not have one yet:
    <user-service id="userservice">
Restart the web app and you'll see that the new IP filtering feature is already in effect.
If the user is behind a shared or load-balanced network facility, such as a multi-WAN corporate environment, IP-based remember-me tokens may be problematic. But in most scenarios, adding an IP address to the remember-me feature gives the user a stronger security layer.
Can the name of the remember-me form checkbox (_spring_security_remember_me) and the name of the cookie (SPRING_SECURITY_REMEMBER_ME_COOKIE) be modified? The <remember-me> declaration does not support this extensibility, but now that we declare our own RememberMeServices implementation as a Spring bean, we can define more properties to change the names of the checkbox and the cookie:
    <bean class="com.packtpub.springsecurity.web.custom.IPTokenBasedRememberMeServices" id="iptokenbasedremembermeservicesbean">
        <property name="key"><value>jbcppetstore</value></property>
        <property name="userDetailsService" ref="userservice"/>
        <property name="parameter" value="_remember_me"/>
        <property name="cookieName" value="remember_me"/>
    </bean>
Don't forget that you also need to modify the checkbox form field in the login.jsp page to match the parameter value that we declared. We recommend that you experiment to make sure you understand how these settings relate to each other.
This article is from the "attack on the program ape" blog, please be sure to keep this source http://zangyanan.blog.51cto.com/11610700/1876133
Follow me to learn spring Security--online pet Store development (fri)