My Blog: my work and study notes

Summary of 10 typical usages in Spring Security 3

Spring topics 2015/12/18 Spring Framework, Spring Security

Spring Security integrated with CAS single sign-on: the business system cannot perform single sign-out

Spring topics 2015/12/18 Spring Framework, Spring Security

Spring Security has session-fixation-protection enabled. At login this invalidates the user's current session, creates a new session for the user and copies every attribute of the old session into the new one. The CAS single logout request still refers to the original session, which no longer exists, so that session cannot be logged out and single sign-out fails.

After disabling session-fixation-protection, single sign-out works normally.

In Spring Security 4 this corresponds to the following configuration:

<bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
    <constructor-arg>
        <list>
            <bean />
        </list>
    </constructor-arg>
</bean>

Do not include the following bean in that list:

<bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />



References

http://blog.csdn.net/seng3018/article/details/7019872

Cookie encryption in Spring Security TokenBasedRememberMeServices

Spring topics 2015/12/18 Spring Framework, Spring Security

// Method from Spring Security's TokenBasedRememberMeServices. getKey() is inherited
// from AbstractRememberMeServices and returns the configured remember-me key.
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.springframework.security.crypto.codec.Hex;

/**
 * Calculates the digital signature to be put in the cookie. Default value is MD5
 * ("username:tokenExpiryTime:password:key")
 */
protected String makeTokenSignature(long tokenExpiryTime, String username,
        String password) {
    String data = username + ":" + tokenExpiryTime + ":" + password + ":" + getKey();
    MessageDigest digest;
    try {
        digest = MessageDigest.getInstance("MD5");
    }
    catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException("No MD5 algorithm available!");
    }

    // Lowercase hex of the digest; this is the third field of the remember-me cookie.
    return new String(Hex.encode(digest.digest(data.getBytes())));
}
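The same signature and the cookie it is embedded in, re-implemented in Python as an added illustration (this is not Spring Security's code). REMEMBER_ME_KEY and USERS are constructed sample values; validate_cookie shows the checks the server has to apply before trusting a presented token.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not from the original post: the server-side
# remember-me key (must stay secret) and a user's stored password value.
REMEMBER_ME_KEY = "example-remember-me-key"
USERS = {"alice": "$2a$10$constructedPasswordHashValue"}


def make_token_signature(token_expiry_time, username, password, key):
    """Re-implements makeTokenSignature: lowercase hex MD5 of
    "username:tokenExpiryTime:password:key" (Spring's Hex.encode is lowercase)."""
    data = f"{username}:{token_expiry_time}:{password}:{key}"
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def build_cookie(username, expiry_ms, key=REMEMBER_ME_KEY):
    """Cookie value as TokenBasedRememberMeServices writes it:
    base64("username:expiry:signature"). Only the signature depends on the
    secret; username and expiry travel in clear (base64 is not encryption)."""
    sig = make_token_signature(expiry_ms, username, USERS[username], key)
    return base64.b64encode(f"{username}:{expiry_ms}:{sig}".encode()).decode()


def validate_cookie(cookie, now_ms, key=REMEMBER_ME_KEY):
    """Server-side check: returns the username on success, None otherwise.
    Three fields, unexpired, and the signature recomputed from the *stored*
    password, so changing the password invalidates outstanding cookies."""
    try:
        fields = base64.b64decode(cookie).decode("utf-8").split(":")
    except Exception:
        return None  # not valid base64 / not valid UTF-8
    if len(fields) != 3:
        return None
    username, presented_sig = fields[0], fields[2]
    try:
        expiry = int(fields[1])
    except ValueError:
        return None
    if expiry < now_ms:
        return None  # token expired
    password = USERS.get(username)
    if password is None:
        return None  # unknown user
    expected = make_token_signature(expiry, username, password, key)
    if not hmac.compare_digest(expected, presented_sig):
        return None  # forged or tampered token
    return username
```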