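As the title says, I enabled the remember-me feature of Spring Security. Database queries work,
logging in from the browser works, the remember-me cookie was set successfully on the first login,
and the token was stored in the database as expected. But after closing the browser, accessing
a link directly redirects to the login page. Why is that?
The configuration is attached: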
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<security:http auto-config="false">
<security:intercept-url pattern="/error" access="permitAll()"/>
<security:intercept-url pattern="/userlogin" access="permitAll()"/>
<security:intercept-url pattern="/admin" access="hasAuthority('All')"/>
<security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
<!-- authentication-failure-url="/error" authentication-success-forward-url="/security"
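Page to redirect to on authentication failure, page to redirect to on authentication success (both of these methods are thread-synchronized)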
-->
<security:form-login login-page="/userlogin" login-processing-url="/user" authentication-success-handler-ref="succes" authentication-failure-handler-ref="failure"/>
<!-- <security:access-denied-handler error-page="/error"/>-->
<security:csrf disabled="true"/>
<security:remember-me data-source-ref="dataSource" user-service-ref="userService"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider user-service-ref="userService">
<security:password-encoder ref="password"/>
</security:authentication-provider>
</security:authentication-manager>
<bean id="userService" class="com.project.config.UserService"/>
<bean id="password" class="com.project.config.PasswordNo"/>
<bean id="succes" class="com.project.config.MyAuthenticationnSuccessHandler"/>
<bean id="failure" class="com.project.config.MyAuthenticationFailureHandler"/>
</beans>
JSP page
<html>
<body>
<h2>这是登陆页面</h2>
<form id="loginForm" action="http://www.demo.com:8080/user" method="post">
账号:<input type="text" name="username"><br/>
密码:<input type="password" name="password"><br/>
记住:<input type="checkbox" name="remember-me" value="true"/><br/>
<input type="submit" value="提交">
</form>
</body>
</html>
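Could someone experienced please take a look? I really can't figure out what else could be wrong. Thank you very much.
I later debugged the log4j configuration. The earlier redirects to the login page were actually because the token stored in the browser cookie did not match the one stored in the database; because of the log4j configuration problem, the exception was not being logged.
Today I read the source and found that in the processAutoLoginCookie method of
PersistentTokenBasedRememberMeServices, the comparison !presentedToken.equals(token.getTokenValue()) turns out to be unequal, which throws: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
But the token I parsed from the cookie is exactly identical to the token stored in the database, so why is it judged unequal?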
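
The check quoted from processAutoLoginCookie belongs to a scheme in which the stored token is replaced on every successful auto-login, so a request that still carries the previous cookie value fails the comparison. A simplified Java 16+ model of that scheme, added here as an illustration and not Spring Security's or the poster's code; the class, method and user names are hypothetical, and the cookie is kept as plain "series:token" for readability:

```java
import java.security.SecureRandom;
import java.util.*;

// Simplified model of a series/token remember-me store (hypothetical names, not Spring Security's classes).
public class RememberMeRotationDemo {
    record Token(String username, String series, String value) {}

    private final Map<String, Token> bySeries = new HashMap<>(); // stands in for the token table
    private final SecureRandom random = new SecureRandom();

    private String randomValue() {
        byte[] b = new byte[16];
        random.nextBytes(b);
        return Base64.getEncoder().encodeToString(b); // Base64 never contains ':'
    }

    // After a successful form login: store a new series/token pair and return the cookie value.
    String onLoginSuccess(String username) {
        Token t = new Token(username, randomValue(), randomValue());
        bySeries.put(t.series(), t);
        return t.series() + ":" + t.value();
    }

    // The presented token must equal the stored one for that series;
    // every successful auto-login then replaces the stored token.
    String autoLogin(String cookie) {
        String[] parts = cookie.split(":", 2);
        Token stored = bySeries.get(parts[0]);
        if (stored == null) throw new IllegalStateException("No persistent token for series");
        if (!parts[1].equals(stored.value())) {
            // Mismatch: drop all of the user's tokens, then reject the request.
            bySeries.values().removeIf(t -> t.username().equals(stored.username()));
            throw new IllegalStateException("Series/token mismatch");
        }
        Token rotated = new Token(stored.username(), stored.series(), randomValue());
        bySeries.put(rotated.series(), rotated);
        return rotated.series() + ":" + rotated.value(); // cookie the browser must send next time
    }

    public static void main(String[] args) {
        RememberMeRotationDemo svc = new RememberMeRotationDemo();
        String cookie = svc.onLoginSuccess("alice");   // constructed sample user
        String fresh = svc.autoLogin(cookie);          // first request: accepted, token rotated
        System.out.println("rotated: " + !fresh.equals(cookie));
        try {
            svc.autoLogin(cookie);                     // second request still carrying the old cookie
        } catch (IllegalStateException e) {
            System.out.println("stale cookie rejected: " + e.getMessage());
        }
    }
}
```

When reproducing this against a real application, compare the database row and the cookie as they were at the moment of the failing request, since the stored value may already have been rotated by an earlier request in the same page load.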