当前位置：网站首页>Principle analysis of security rememberme

Principle analysis of security rememberme

2022-07-02 13:13:00 【InfoQ】

Security RememberMe Principle analysis

When we configure

.rememberMe()
.key(&quot;xiepanapn&quot;)

Actually, the configuration class is introduced RememberMeConfigurer, about RememberMeConfigurer for , most important of all init Methods and configure Method

@Override
public void init(H http) throws Exception {
 validateInput();
 String key = getKey();
 RememberMeServices rememberMeServices = getRememberMeServices(http, key);
 http.setSharedObject(RememberMeServices.class, rememberMeServices);
 LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
 if (logoutConfigurer != null && this.logoutHandler != null) {
 logoutConfigurer.addLogoutHandler(this.logoutHandler);
 }

 RememberMeAuthenticationProvider authenticationProvider = new RememberMeAuthenticationProvider(
 key);
 authenticationProvider = postProcess(authenticationProvider);
 http.authenticationProvider(authenticationProvider);

 initDefaultLoginFilter(http);
}

First of all get key, Not configured. The default is UUID character string , Every time the system restarts, a new key, This led to the previously issued remember-me invalid , With key Get after RememberMeServices According to whether there is tokenRepository establish TokenBasedRememberMeServices perhaps PersistentRememberMeServices

private AbstractRememberMeServices createRememberMeServices(H http, String key) {
 return this.tokenRepository == null
 ? createTokenBasedRememberMeServices(http, key)
 : createPersistentRememberMeServices(http, key);
}

configure Method mainly creates RememberMeAuthenticationFilter Pass in the instance when creating. Ok rememberMeServices, And then we will create RememberMeAuthenticationFilter Add to the filter chain .

@Override
public void configure(H http) {
 RememberMeAuthenticationFilter rememberMeFilter = new RememberMeAuthenticationFilter(
 http.getSharedObject(AuthenticationManager.class),
 this.rememberMeServices);
 if (this.authenticationSuccessHandler != null) {
 rememberMeFilter
 .setAuthenticationSuccessHandler(this.authenticationSuccessHandler);
 }
 rememberMeFilter = postProcess(rememberMeFilter);
 http.addFilter(rememberMeFilter);
}

RememberMeAuthenticationFilter

RememberMeAuthenticationFilter most important of all doFilter Method

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
 HttpServletRequest request = (HttpServletRequest)req;
 HttpServletResponse response = (HttpServletResponse)res;
 if (SecurityContextHolder.getContext().getAuthentication() == null) {
 Authentication rememberMeAuth = this.rememberMeServices.autoLogin(request, response);
 if (rememberMeAuth != null) {
 try {
 rememberMeAuth = this.authenticationManager.authenticate(rememberMeAuth);
 SecurityContextHolder.getContext().setAuthentication(rememberMeAuth);
 this.onSuccessfulAuthentication(request, response, rememberMeAuth);
 if (this.logger.isDebugEnabled()) {
 this.logger.debug(&quot;SecurityContextHolder populated with remember-me token: '&quot; + SecurityContextHolder.getContext().getAuthentication() + &quot;'&quot;);
 }

 if (this.eventPublisher != null) {
 this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(SecurityContextHolder.getContext().getAuthentication(), this.getClass()));
 }

 if (this.successHandler != null) {
 this.successHandler.onAuthenticationSuccess(request, response, rememberMeAuth);
 return;
 }
 } catch (AuthenticationException var8) {
 if (this.logger.isDebugEnabled()) {
 this.logger.debug(&quot;SecurityContextHolder not populated with remember-me token, as AuthenticationManager rejected Authentication returned by RememberMeServices: '&quot; + rememberMeAuth + &quot;'; invalidating remember-me token&quot;, var8);
 }

 this.rememberMeServices.loginFail(request, response);
 this.onUnsuccessfulAuthentication(request, response, var8);
 }
 }

 chain.doFilter(request, response);
 } else {
 if (this.logger.isDebugEnabled()) {
 this.logger.debug(&quot;SecurityContextHolder not populated with remember-me token, as it already contained: '&quot; + SecurityContextHolder.getContext().getAuthentication() + &quot;'&quot;);
 }

 chain.doFilter(request, response);
 }

}

When the request arrives , First judge SecurityContextHolder Is there any value in , No indicates that the user has not logged in , Call at this time autoLogin Automatic login .

After successful automatic login, return rememberMeAuth, Not for null Indicates that the automatic login is successful , Call at this time authenticate Method pair key check , Save the login successful user information to SecurityContextHolder in , Then call the login success callback , Post login success Events .

If automatic login fails , call rememberMeServices.loginFail Method to handle login failure logic

Let's focus on autoLogin

AbstractRememberMeServices

Interface for RememberMeServices

public interface RememberMeServices {
 Authentication autoLogin(HttpServletRequest var1, HttpServletResponse var2);

 void loginFail(HttpServletRequest var1, HttpServletResponse var2);

 void loginSuccess(HttpServletRequest var1, HttpServletResponse var2, Authentication var3);
}

AbstractRememberMeServices Realized RememberMeServices Interface

Realization autoLogin Method ： The main function is to extract token information from the current request , Complete the automatic login function according to the token information , Return after successful login Authentication object

public final Authentication autoLogin(HttpServletRequest request, HttpServletResponse response) {
 String rememberMeCookie = this.extractRememberMeCookie(request);
 if (rememberMeCookie == null) {
 return null;
 } else {
 this.logger.debug(&quot;Remember-me cookie detected&quot;);
 if (rememberMeCookie.length() == 0) {
 this.logger.debug(&quot;Cookie was empty&quot;);
 this.cancelCookie(request, response);
 return null;
 } else {
 UserDetails user = null;

 try {
 String[] cookieTokens = this.decodeCookie(rememberMeCookie);
 user = this.processAutoLoginCookie(cookieTokens, request, response);
 this.userDetailsChecker.check(user);
 this.logger.debug(&quot;Remember-me cookie accepted&quot;);
 return this.createSuccessfulAuthentication(request, user);
 } catch (CookieTheftException var6) {
 this.cancelCookie(request, response);
 throw var6;
 } catch (UsernameNotFoundException var7) {
 this.logger.debug(&quot;Remember-me login was valid but corresponding user not found.&quot;, var7);
 } catch (InvalidCookieException var8) {
 this.logger.debug(&quot;Invalid remember-me cookie: &quot; + var8.getMessage());
 } catch (AccountStatusException var9) {
 this.logger.debug(&quot;Invalid UserDetails: &quot; + var9.getMessage());
 } catch (RememberMeAuthenticationException var10) {
 this.logger.debug(var10.getMessage());
 }

 this.cancelCookie(request, response);
 return null;
 }
 }
}

call extractRememberMeCookie Method extracts the required from the current request Cookie Information .rememberMeCookie by null return null, The length is 0 Cancel cookie, take remember-me Is set to null

call decodeCookie Method to parse the obtained token , The result of parsing is that the first part is the currently logged in user name , The second part is the timestamp , The third part is signature , Extract it to form an array .

call processAutoLoginCookie Method Cookie To verify , User information is returned after verification , Implemented by subclasses

Last call createSuccessfulAuthentication Create a user object with successful login , The type is RememberMeAuthenticationToken , Different from the user object logged in with user name and password UsernamePasswordAuthenticationToken

Login failed. Cancel Cookie Set up , Login successfully called rememberMeRequested Judge whether the current request has enabled the automatic login request ,

If automatic login is enabled, call onLoginSuccess Method , Implemented by subclasses

ublic final void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) {
 if (!this.rememberMeRequested(request, this.parameter)) {
 this.logger.debug(&quot;Remember-me login not requested.&quot;);
 } else {
 this.onLoginSuccess(request, response, successfulAuthentication);
 }
}

Judge whether the current request has enabled the automatic login request ：

protected boolean rememberMeRequested(HttpServletRequest request, String parameter) {
 if (this.alwaysRemember) {
 return true;
 } else {
 String paramValue = request.getParameter(parameter);
 if (paramValue != null && (paramValue.equalsIgnoreCase(&quot;true&quot;) || paramValue.equalsIgnoreCase(&quot;on&quot;) || paramValue.equalsIgnoreCase(&quot;yes&quot;) || paramValue.equals(&quot;1&quot;))) {
 return true;
 } else {
 if (this.logger.isDebugEnabled()) {
 this.logger.debug(&quot;Did not send remember-me cookie (principal did not set parameter '&quot; + parameter + &quot;')&quot;);
 }

 return false;
 }
 }
}

Server configuration alwaysRemember Is it true From the front remember-me Value is not on yes true 1

After logging in successfully, it will call setCookie Method ：

protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request, HttpServletResponse response) {
 String cookieValue = this.encodeCookie(tokens);
 Cookie cookie = new Cookie(this.cookieName, cookieValue);
 cookie.setMaxAge(maxAge);
 cookie.setPath(this.getCookiePath(request));
 if (this.cookieDomain != null) {
 cookie.setDomain(this.cookieDomain);
 }

 if (maxAge < 1) {
 cookie.setVersion(1);
 }

 if (this.useSecureCookie == null) {
 cookie.setSecure(request.isSecure());
 } else {
 cookie.setSecure(this.useSecureCookie);
 }

 cookie.setHttpOnly(true);
 response.addCookie(cookie);
}

protected String encodeCookie(String[] cookieTokens) {
 StringBuilder sb = new StringBuilder();

 for(int i = 0; i < cookieTokens.length; ++i) {
 try {
 sb.append(URLEncoder.encode(cookieTokens[i], StandardCharsets.UTF_8.toString()));
 } catch (UnsupportedEncodingException var5) {
 this.logger.error(var5.getMessage(), var5);
 }

 if (i < cookieTokens.length - 1) {
 sb.append(&quot;:&quot;);
 }
 }

 String value = sb.toString();
 sb = new StringBuilder(new String(Base64.getEncoder().encode(value.getBytes())));

 while(sb.charAt(sb.length() - 1) == '=') {
 sb.deleteCharAt(sb.length() - 1);
 }

 return sb.toString();
}

Encode the data transmitted from the front end , Separate arrays with colons ,Base64 Transcoding to string Set to Cookie in .

AbstractRememberMeServices There are two subclasses TokenBasedRememberMeServices and Persistence Token Token class PersistentTokenBasedRememberMeServices

TokenBasedRememberMeServices

Realization processAutoLoginCookie Methods and onLoginSuccess Method

processAutoLoginCookie

verification Cookie Whether the token in is legal

protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request, HttpServletResponse response) {
 if (cookieTokens.length != 3) {
 throw new InvalidCookieException(&quot;Cookie token did not contain 3 tokens, but contained '&quot; + Arrays.asList(cookieTokens) + &quot;'&quot;);
 } else {
 long tokenExpiryTime;
 try {
 tokenExpiryTime = new Long(cookieTokens[1]);
 } catch (NumberFormatException var8) {
 throw new InvalidCookieException(&quot;Cookie token[1] did not contain a valid number (contained '&quot; + cookieTokens[1] + &quot;')&quot;);
 }

 if (this.isTokenExpired(tokenExpiryTime)) {
 throw new InvalidCookieException(&quot;Cookie token[1] has expired (expired on '&quot; + new Date(tokenExpiryTime) + &quot;'; current time is '&quot; + new Date() + &quot;')&quot;);
 } else {
 UserDetails userDetails = this.getUserDetailsService().loadUserByUsername(cookieTokens[0]);
 Assert.notNull(userDetails, () -> {
 return &quot;UserDetailsService &quot; + this.getUserDetailsService() + &quot; returned null for username &quot; + cookieTokens[0] + &quot;. This is an interface contract violation&quot;;
 });
 String expectedTokenSignature = this.makeTokenSignature(tokenExpiryTime, userDetails.getUsername(), userDetails.getPassword());
 if (!equals(expectedTokenSignature, cookieTokens[2])) {
 throw new InvalidCookieException(&quot;Cookie token[2] contained signature '&quot; + cookieTokens[2] + &quot;' but expected '&quot; + expectedTokenSignature + &quot;'&quot;);
 } else {
 return userDetails;
 }
 }
 }
}

Judge cookieTokens Is the length 3 No 3 Wrong format Throw an exception directly

from cookieTokens Extract the first item from the array , Judge whether it is overdue

For the first 0 term , Get the user name and query the current user information

call makeTokenSignature Generate signature , Signature generation method ：username + ":" + tokenExpiryTime + ":" + password + ":" + this.getKey() Form a string for MD5 encryption

Judgment No. 4 Whether the signature generated in this step is the same as the one passed in

protected String makeTokenSignature(long tokenExpiryTime, String username, String password) {
 String data = username + &quot;:&quot; + tokenExpiryTime + &quot;:&quot; + password + &quot;:&quot; + this.getKey();

 MessageDigest digest;
 try {
 digest = MessageDigest.getInstance(&quot;MD5&quot;);
 } catch (NoSuchAlgorithmException var8) {
 throw new IllegalStateException(&quot;No MD5 algorithm available!&quot;);
 }

 return new String(Hex.encode(digest.digest(data.getBytes())));
}

onLoginSuccess

public void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) {
 String username = this.retrieveUserName(successfulAuthentication);
 String password = this.retrievePassword(successfulAuthentication);
 if (!StringUtils.hasLength(username)) {
 this.logger.debug(&quot;Unable to retrieve username&quot;);
 } else {
 if (!StringUtils.hasLength(password)) {
 UserDetails user = this.getUserDetailsService().loadUserByUsername(username);
 password = user.getPassword();
 if (!StringUtils.hasLength(password)) {
 this.logger.debug(&quot;Unable to obtain password for user: &quot; + username);
 return;
 }
 }

 int tokenLifetime = this.calculateLoginLifetime(request, successfulAuthentication);
 long expiryTime = System.currentTimeMillis();
 expiryTime += 1000L * (long)(tokenLifetime < 0 ? 1209600 : tokenLifetime);
 String signatureValue = this.makeTokenSignature(expiryTime, username, password);
 this.setCookie(new String[]{username, Long.toString(expiryTime), signatureValue}, tokenLifetime, request, response);
 if (this.logger.isDebugEnabled()) {
 this.logger.debug(&quot;Added remember-me cookie for user '&quot; + username + &quot;', expiry: '&quot; + new Date(expiryTime) + &quot;'&quot;);
 }

 }
}

Get user name and password information The password was not reloaded from the database

Calculate the expiration time of the token , The default validity period of the token is 14 God

According to the token expiration time , User name password calculation signature

call setCookie Method setting Cookie, Pass in the user name, expiration time and signature respectively , stay setCookie The array is converted to a string and Base64 code

summary ：

When the user logs in through the user name and password , The system calculates a signature according to the user's user name, password and token expiration time , This signature is in MD5 encryption , Irreversible . And then the user name , Token expiration time , The signature is spliced into a string , Separated by a colon in the middle , Do... On the spliced string Base64 code , Then the encoded result is returned to the front end , This is a token . When the user closes the browser and opens it again , Access to system resources will be carried automatically Cookie Information , Server get Cookie The token in , to Base64 decode , After decoding, three items of data of the token are extracted ; Then, judge whether it has expired according to the data of the token , No expired user information is found , Compare the calculated signature with the signature in the token , Consistent indicates that the token is legal , Automatic login succeeded , Otherwise, automatic login fails .

PersistentTokenBasedRememberMeServices

Persistence Token Stored data

processAutoLoginCookie

verification Cookie Whether the token in is legal

protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request, HttpServletResponse response) {
 if (cookieTokens.length != 2) {
 throw new InvalidCookieException(&quot;Cookie token did not contain 2 tokens, but contained '&quot; + Arrays.asList(cookieTokens) + &quot;'&quot;);
 } else {
 String presentedSeries = cookieTokens[0];
 String presentedToken = cookieTokens[1];
 PersistentRememberMeToken token = this.tokenRepository.getTokenForSeries(presentedSeries);
 if (token == null) {
 throw new RememberMeAuthenticationException(&quot;No persistent token found for series id: &quot; + presentedSeries);
 } else if (!presentedToken.equals(token.getTokenValue())) {
 this.tokenRepository.removeUserTokens(token.getUsername());
 throw new CookieTheftException(this.messages.getMessage(&quot;PersistentTokenBasedRememberMeServices.cookieStolen&quot;, &quot;Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.&quot;));
 } else if (token.getDate().getTime() + (long)this.getTokenValiditySeconds() * 1000L < System.currentTimeMillis()) {
 throw new RememberMeAuthenticationException(&quot;Remember-me login has expired&quot;);
 } else {
 if (this.logger.isDebugEnabled()) {
 this.logger.debug(&quot;Refreshing persistent login token for user '&quot; + token.getUsername() + &quot;', series '&quot; + token.getSeries() + &quot;'&quot;);
 }

 PersistentRememberMeToken newToken = new PersistentRememberMeToken(token.getUsername(), token.getSeries(), this.generateTokenData(), new Date());

 try {
 this.tokenRepository.updateToken(newToken.getSeries(), newToken.getTokenValue(), newToken.getDate());
 this.addCookie(newToken, request, response);
 } catch (Exception var9) {
 this.logger.error(&quot;Failed to update token: &quot;, var9);
 throw new RememberMeAuthenticationException(&quot;Autologin failed due to data access problem&quot;);
 }

 return this.getUserDetailsService().loadUserByUsername(token.getUsername());
 }
 }
}

cookieTokens The array length is 2 The first 0 Items for series The first 1 Items for token

Extract two data according to series Query the database ,token The difference indicates that the automatic login token has been compromised , At this point, remove all automatic login records , Throw an exception

Judge whether it is expired according to the query results in the database

Generate a new PersistentRememberMeToken User name and series unchanged , change token And the current time , modify the database

call addCookie add to Cookie,addCookie Call in method setCookie Set up

Feel the user name, query the user object and return

onLoginSuccess

protected void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) {
 String username = successfulAuthentication.getName();
 this.logger.debug(&quot;Creating new persistent login for user &quot; + username);
 PersistentRememberMeToken persistentToken = new PersistentRememberMeToken(username, this.generateSeriesData(), this.generateTokenData(), new Date());

 try {
 this.tokenRepository.createNewToken(persistentToken);
 this.addCookie(persistentToken, request, response);
 } catch (Exception var7) {
 this.logger.error(&quot;Failed to save persistent token &quot;, var7);
 }

}

After successful login, build PersistentRememberMeToken series and token It's randomly generated , Then the generated object is stored in the database , call addCookie Method to add related Cookie Information .

PersistentTokenBasedRememberMeServices and TokenBasedRememberMeServices difference ：

PersistentTokenBasedRememberMeServices The token returned to the front end is series and token A string composed of Base64 code

TokenBasedRememberMeServices The returned front-end token is a string composed of user name, expiration time and signature Base64 code

原网站

版权声明
本文为[InfoQ]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/183/202207020954461759.html