Implementing remember-me without a key
I found some samples that implement remember-me functionality by just
<remember-me/>
and other samples implement it as:
<remember-me key="_spring_security_remember_me"/>
and I want to know what the difference is between the two declarations, and is _spring_security_remember_me a predefined key?
Thanks.
Comments (3)
The default key can be found in AuthenticationConfigBuilder.createRememberMeFilter(). That is the value that is used if you don't specify one in <remember-me>.

From the documentation, the key attribute is used in hashing the value stored in the cookie. It prevents a malicious user from trying to decode the cookie, because they can't do that (well, it's a lot harder) without the key.

For anyone looking for the rememberme().key() feature in the future, it seems that as of Spring Boot 2.2.6 there is a SecureRandom generator to generate the key if it is not provided. Here is the implementation found in
org.springframework.security.config.http.AuthenticationConfigBuilder.createRememberMeFilter
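
Added example, not part of the original thread and not Spring Security's own code: a minimal Java 17 model of the token layout Spring Security documents for its hash-based remember-me cookie, base64(username:expiry:hash(username:expiry:password:key)), showing where the key attribute enters and why a cookie stops validating once the key changes, as happens when no key is configured and one is generated at startup. The class and method names, the sample values and the choice of SHA-256 as the hash are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HexFormat;

// Illustration only (Java 17+); class and method names are hypothetical, not Spring's.
public class RememberMeKeyDemo {
    // hash(username:expiry:password:key): the key is a server-side secret mixed into the hash.
    static String signature(String user, long expiry, String password, String key) throws Exception {
        String data = user + ":" + expiry + ":" + password + ":" + key;
        byte[] d = MessageDigest.getInstance("SHA-256").digest(data.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }

    // Cookie value: base64(username:expiry:signature). The key itself never leaves the server.
    static String issue(String user, long expiry, String password, String key) throws Exception {
        String token = user + ":" + expiry + ":" + signature(user, expiry, password, key);
        return Base64.getEncoder().encodeToString(token.getBytes(StandardCharsets.UTF_8));
    }

    // Recompute the signature from the stored password and the current key, compare in constant time.
    static boolean verify(String cookie, String storedPassword, String key) throws Exception {
        String[] p;
        long expiry;
        try {
            p = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8).split(":");
            if (p.length != 3) return false;
            expiry = Long.parseLong(p[1]);
        } catch (IllegalArgumentException e) { return false; } // malformed base64 or expiry field
        if (expiry < System.currentTimeMillis()) return false;
        byte[] expected = signature(p[0], expiry, storedPassword, key).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.UTF_8));
    }

    static String randomKey() { // stands in for a key generated at startup when none is configured
        byte[] b = new byte[32];
        new SecureRandom().nextBytes(b);
        return HexFormat.of().formatHex(b);
    }

    public static void main(String[] args) throws Exception {
        long expiry = System.currentTimeMillis() + 14L * 24 * 60 * 60 * 1000; // constructed: two weeks
        String configuredKey = "constructed-sample-key";                      // constructed value
        String cookie = issue("alice", expiry, "stored-password-value", configuredKey);
        System.out.println("same key:        " + verify(cookie, "stored-password-value", configuredKey));
        System.out.println("regenerated key: " + verify(cookie, "stored-password-value", randomKey()));
    }
}
```

An explicitly configured key keeps remember-me cookies valid across restarts and across nodes that share the configuration; it should be a long random secret kept out of source control.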