Spring

Romanov1981, 2020-10-08 15:12:48

Why does a loop occur when using rememberMe in Spring Security?

Greetings dear forum users.

Can you please tell me why there is a loop when using rememberMe in Spring Security?

For example: I clear cookies, go to the site, log in, and at the same time check the "remember me" box. Everything is fine.

Further, without logging out, if I restart the server, everything seems to be fine, I remain authorized, but if I try to go to the login page, the page starts to freeze and the system hangs on connecting to the database:

Hibernate: 
    select
        user0_.username as col_0_0_,
        user0_.password as col_1_0_ 
    from
        User user0_ 
    where
        user0_.username=?
Hibernate: 
    select
        user0_.username as col_0_0_,
        user0_.password as col_1_0_ 
    from
        User user0_ 
    where
        user0_.username=?
Hibernate: 
    select
        user0_.username as col_0_0_,
        user0_.password as col_1_0_ 
    from
        User user0_ 
    where
        user0_.username=?

and if you stop and reload the page, then an exception appears with the message "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack."

and if you reboot again, then everything becomes normal, but just to enter, you need to log in again.

That is the problem, and I don't know why it happens.

Just in case, I made a test TestRemember https://github.com/romanych2021/TestRemember

Can you help me solve the problem? After all, this is not a healthy thing.

SecurityConfig

package com.testremember.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {


    private final PersistentTokenRepository persistentTokenRepository;

    private final UserDetailsService userDetailsService;

    public SecurityConfig(PersistentTokenRepository persistentTokenRepository, UserDetailsService userDetailsService) {
        this.persistentTokenRepository = persistentTokenRepository;
        this.userDetailsService = userDetailsService;
    }



    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        auth.userDetailsService(userDetailsService);
    }



    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()

                .mvcMatchers("/").permitAll()
                .mvcMatchers("/login", "/registration").anonymous()
                .mvcMatchers("/admin").hasAnyRole("ADMIN")
                .mvcMatchers("/user").hasAnyRole("ADMIN", "USER")

                .and()
                .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .defaultSuccessUrl("/")

                .and().csrf().disable()
                .rememberMe()
                .tokenRepository(persistentTokenRepository)
                .rememberMeParameter("remember-me")
                .rememberMeCookieName("_rm")

                .and()
                .logout()
                .permitAll()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/")

                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");

    }


}


UserDetail

package com.testremember.security;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import java.util.Collection;
import java.util.Collections;

@Service
public class UserDetail implements UserDetailsService {





    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

        return new org.springframework.security.core.userdetails.User("user", "{noop}1111",
                true, true, true, true, getAuthorities());

    }


    private Collection<? extends GrantedAuthority> getAuthorities(){

        return Collections.singletonList(new SimpleGrantedAuthority("ROLE_ADMIN"));

    }




}
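Editor's added example (not code from the question or from the TestRemember repository). The loop comes from `.mvcMatchers("/login", "/registration").anonymous()`: after the restart the HTTP session is gone, so the `_rm` cookie re-authenticates the user with a `RememberMeAuthenticationToken`, which is not anonymous. `/login` is therefore denied, and `ExceptionTranslationFilter` treats remember-me authentication (like anonymous) as insufficient and redirects to the login page instead of returning 403. Every redirected request is auto-logged-in again, which is why `loadUserByUsername` and its `select` repeat in the Hibernate log, and `PersistentTokenBasedRememberMeServices` rotates the token value on each of those auto-logins. When the browser is stopped mid-loop it keeps a cookie whose token value has already been replaced in the repository, so the next request hits the "Series/token mismatch" `CookieTheftException`, which deletes the series and forces a fresh login. The configuration below keeps the same beans, URLs and cookie name but permits `/login` for everyone; the `anyRequest().authenticated()` rule, the token validity and leaving CSRF enabled are hardening choices assumed by this example, not part of the original.

```java
package com.testremember.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final PersistentTokenRepository persistentTokenRepository;
    private final UserDetailsService userDetailsService;

    public SecurityConfig(PersistentTokenRepository persistentTokenRepository,
                          UserDetailsService userDetailsService) {
        this.persistentTokenRepository = persistentTokenRepository;
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .mvcMatchers("/").permitAll()
                // Cause of the loop in the original: "/login" required anonymous().
                // A remember-me session is authenticated (RememberMeAuthenticationToken),
                // so it was denied here, and ExceptionTranslationFilter answered the
                // denial of a remember-me user with a redirect to the login page,
                // i.e. back to this same URL. permitAll() ends the cycle.
                .mvcMatchers("/login", "/registration").permitAll()
                .mvcMatchers("/admin").hasRole("ADMIN")
                .mvcMatchers("/user").hasAnyRole("ADMIN", "USER")
                // Assumption of this example: everything else needs a login.
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .defaultSuccessUrl("/")
            .and()
            .rememberMe()
                .tokenRepository(persistentTokenRepository)
                .rememberMeParameter("remember-me")
                .rememberMeCookieName("_rm")
                // Assumption of this example: cap the lifetime of a persistent token.
                .tokenValiditySeconds(14 * 24 * 60 * 60)
            .and()
            .logout()
                .permitAll()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");
        // CSRF is deliberately left enabled here (the original disabled it).
        // With it on, /logout only accepts POST and the login/logout forms must
        // carry the _csrf token, which Spring's form tag libraries add for you.
        // The LogoutFilter also calls the remember-me services, which cancel the
        // _rm cookie and remove the user's persistent tokens from the repository.
    }
}
```

If the intent was specifically to keep already-logged-in users off the login form, do that in the `/login` controller by redirecting when the principal is fully authenticated, or use `.access("isAnonymous() or isRememberMe()")` on that matcher; a rule requiring `anonymous()` can never be satisfied by a remember-me session, so it will always redirect to itself.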
