Spring Security 3 does not provide any configuration for how the cookie is generated. You have to override the default behaviour:
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;

/** Cookie expires on session. */
public class PersistentTokenBasedRememberMeServicesCustom extends
        PersistentTokenBasedRememberMeServices {

    /** only needed because super throws exception. */
    public PersistentTokenBasedRememberMeServicesCustom() throws Exception {
        super();
    }

    /** Copy of code of inherited class + setting cookieExpiration. */
    @Override
    protected void setCookie(String[] tokens, int maxAge,
            HttpServletRequest request, HttpServletResponse response) {
        String cookieValue = encodeCookie(tokens);
        Cookie cookie = new Cookie(getCookieName(), cookieValue);
        // Max age is left unset, so the browser discards the cookie when the session ends.
        //cookie.setMaxAge(maxAge);
        cookie.setPath("/");
        cookie.setSecure(false); // no getter available in super, so always false
        response.addCookie(cookie);
    }
}
Make sure you use this custom PersistentTokenBasedRememberMeServices for your rememberMeService by adding the class name to its bean configuration:
<beans:bean id="rememberMeServices"
class="my.custom.spring.PersistentTokenBasedRememberMeServicesCustom"/>
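An added example, not part of the original answer or of Spring Security: a variant of the override above that keeps the session-only lifetime but sets the Secure flag from the request and scopes the cookie to the application's context path, with a matching cancelCookie so that logout removes it. The class name SessionScopedRememberMeServices and the helper cookiePath are hypothetical, and the no-arg super constructor is assumed to exist as in the answer's code.

```java
package my.custom.spring; // package taken from the bean definition above

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;

/** Session-lifetime remember-me cookie with Secure flag and path scoping (hypothetical class). */
public class SessionScopedRememberMeServices extends PersistentTokenBasedRememberMeServices {

    /** Same no-arg constructor as the answer's class; super declares the exception. */
    public SessionScopedRememberMeServices() throws Exception {
        super();
    }

    /** One place decides the path, so setting and cancelling always agree. */
    private static String cookiePath(HttpServletRequest request) {
        String contextPath = request.getContextPath();
        // Root deployments report "", which is not a usable cookie path.
        return (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
    }

    @Override
    protected void setCookie(String[] tokens, int maxAge,
            HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = new Cookie(getCookieName(), encodeCookie(tokens));
        // maxAge is deliberately ignored: without setMaxAge() the servlet default (-1)
        // applies and the browser drops the cookie when it closes.
        cookie.setPath(cookiePath(request));
        // Mark the cookie Secure whenever the request arrived over HTTPS. Behind a
        // TLS-terminating proxy isSecure() can be false unless the container is
        // configured to see the original scheme.
        cookie.setSecure(request.isSecure());
        response.addCookie(cookie);
    }

    @Override
    protected void cancelCookie(HttpServletRequest request, HttpServletResponse response) {
        // A browser only replaces a cookie whose name and path both match,
        // so the deletion cookie must use the same path as setCookie().
        Cookie cookie = new Cookie(getCookieName(), null);
        cookie.setMaxAge(0);
        cookie.setPath(cookiePath(request));
        cookie.setSecure(request.isSecure());
        response.addCookie(cookie);
    }
}
```

To try it, point the `class` attribute of the `rememberMeServices` bean at this class instead of the answer's class.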
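Why don't you simply implement your own RememberMe implementation? It's quite easy. – lexicore 2010-04-09 14:58:59
Duplicate? http://chackoverflow.com/questions/2594960/best-practice-to-implement-secure-remember-me – rook 2010-04-09 15:20:32
@lexicore People implementing their own sessions can wreak real havoc on your web application. Don't reinvent the wheel. Read my post on the "Duplicate?" question above. – rook 2010-04-09 15:21:44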