SpringSecurity的remember-me(记住我，记住密码，免登陆)功能无效

0 0
SpringSecurity的remember-me(记住我，记住密码，免登陆)功能无效5

我用的是版本是3.0.5版本authentication-manager标签里没有erase-credentials="false"的属性，下面上配置文件请大神们指点。
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
					http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
					http://www.springframework.org/schema/security
					http://www.springframework.org/schema/security/spring-security-3.0.xsd">

	<!-- 访问被拒绝时跳转到403界面 -->
	<!-- 在http标签中配置 use-expressions="true" 支持sec:authorize权限控制后在所有非java文件的地方都要使用hasRole('') -->
	<http entry-point-ref="authenticationProcessingFilterEntryPoint" auto-config="false"
		access-denied-page="/403.jsp">
		<!-- 放行页面 -->
		<intercept-url pattern="/*.css" filters="none" />
		<intercept-url pattern="/error.jsp" filters="none" />
		<intercept-url pattern="/captcha.jsp" filters="none" />
		<intercept-url pattern="/logout.jsp" filters="none"/>
		<!-- 自定义登录页面 任何人都可以访问，此属性为只有https才可以访问 requires-channel="https" -->
		<intercept-url pattern="/index*.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="any" />
		<intercept-url pattern="/**" access="isAuthenticated()" /> 
		<!-- 访问全部要有ROLE_JIANGYUAN或者ROLE_USER权限 -->
		<intercept-url pattern="/*role_admin.jsp" access="ROLE_ADMIN" />
		<intercept-url pattern="/**" access="ROLE_USER" />
		<!-- ROLE_ADMIN和ROLE_USER都不是管理员权限 -->

		<!-- 安全退出后的页面 -->
		<logout logout-success-url="/logout.jsp" invalidate-session="true"  /> 
		<!-- 两周内记住我  token-validity-seconds="300" key="springRocks"  services-ref="rememberMeServices" -->
		<remember-me data-source-ref="dataSource" /> 
			
		<!-- session管理过滤器 -->
		<custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
		<!-- 登录过滤器 -->
		<custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />
		<!-- 免登陆过滤器 
		<custom-filter ref="rememberMeFilter" position="REMEMBER_ME_FILTER"/>
		-->
		<!-- 防止session固话攻击 -->
		<session-management session-fixation-protection="none" session-authentication-error-url="/time_out.jsp" invalid-session-url="/time_out.jsp" />
		<!-- session相关管理 -->
		<session-management 
			session-authentication-strategy-ref="sas" />
	</http>
	
	<!-- 启用jsr250的注解 -->
	<global-method-security jsr250-annotations="enabled" />
	
	
	<!-- session管理过滤器 -->
	<beans:bean id="concurrencyFilter"
		class="org.springframework.security.web.session.ConcurrentSessionFilter">
		<beans:property name="sessionRegistry" ref="sessionRegistry" />
		<beans:property name="expiredUrl" value="/session-expired.htm" />
	</beans:bean>
	
	<!-- session管理相关注入 -->
	<beans:bean id="sas"
		class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
		<beans:constructor-arg name="sessionRegistry"
			ref="sessionRegistry" />
		<!-- true限制不允许第二个用户登录,false第二个登陆用户踢掉前一个登陆用户 -->
		<beans:property name="exceptionIfMaximumExceeded" value="false" />
		<!-- 当前用户最大连接数 -->
		<beans:property name="maximumSessions" value="1" />
		<!-- 防止session攻击 -->
		<!-- 每次都创建一个新的session -->
		<beans:property name="alwaysCreateSession" value="true"/>
		<!-- 不迁移session数据 -->
		<beans:property name="migrateSessionAttributes" value="false" />
	</beans:bean>
	
	<beans:bean id="sessionRegistry"
		class="org.springframework.security.core.session.SessionRegistryImpl" />
	<!-- session管理相关注入结束 -->




	<!-- 自定义登录过滤 -->
	<beans:bean id="loginFilter"
		class="filter.UsernamePasswordAuthenticationExtendFilter">
		<!-- 认证器 -->
		<beans:property name="authenticationManager" ref="authenticationManager" />
		<!-- 虚拟处理URL -->
		<beans:property name="filterProcessesUrl" value="/login"/>
		<!-- 用户名 -->
		<beans:property name="usernameParameter" value="username"/>
		<!-- 密码 -->
		<beans:property name="passwordParameter" value="password"/>
		<!-- 验证成功后的处理 -->
		<beans:property name="authenticationSuccessHandler"
			ref="loginLogAuthenticationSuccessHandler" />
		<!-- 验证失败后的处理 -->
		<beans:property name="authenticationFailureHandler"
			ref="simpleUrlAuthenticationFailureHandler" />
		<!-- session管理 -->
		<beans:property name="sessionAuthenticationStrategy" ref="sas" />
			<!-- 		 
		<beans:property name="rememberMeServices" ref="rememberMeServices"/>
		-->
	</beans:bean>
	
	<!-- 开始注入登录过滤器 -->
	<beans:bean id="loginLogAuthenticationSuccessHandler"
		class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
		<beans:property name="defaultTargetUrl" value="/welcome.jsp"/>
	</beans:bean>
	<beans:bean id="simpleUrlAuthenticationFailureHandler"
		class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
		<!-- 可以配置相应的跳转方式。属性forwardToDestination为true采用forward false为sendRedirect -->
		<beans:property name="defaultFailureUrl" value="/index.jsp?error=true"/>
	</beans:bean>
	<!-- 注入登录过滤器结束 -->
	
	
	
	<!-- 免登陆过滤器 
	<beans:bean id="rememberMeFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
		<beans:property name="rememberMeServices" ref="rememberMeServices"/>
		<beans:property name="authenticationManager" ref="authenticationManager"/>
	</beans:bean>	
	
	<beans:bean id="rememberMeServices" class="filter.IPTokenBasedRememberMeServices">
<!-- 这个filter无论是自己重写的还是用Spring原声的 都不好使-->
		<beans:property name="userDetailsService" ref="myUserDetailService"/>
		<beans:property name="key" value="springRocks"/>
		<beans:property name="cookieName" value="springRocks"/>
		<beans:property name="parameter" value="_spring_security_remember_me"/>
	</beans:bean>
	-->
	<!--  
	<beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
		<beans:property name="key" value="springRocks"/>
	</beans:bean>-->
	
	

	<!-- 认证器 -->
	<authentication-manager  alias="authenticationManager"  >
		<authentication-provider  user-service-ref="myUserDetailService" />
	</authentication-manager>
	

	<!-- 开始注入认证过滤器 -->
	<beans:bean id="myUserDetailService" class="filter.MyUserDetailService" />	

	<!-- 未登录的切入点 -->
	<beans:bean id="authenticationProcessingFilterEntryPoint"
		class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
		<beans:property name="loginFormUrl" value="/index.jsp"/>
	</beans:bean>

</beans:beans>