RememberMeAuthenticationFilter

Remember Me的功能为记住用户的登录状态并保持一定时间。在此期间内，即便是用户session已经失效，用户仍然可以免登录访问系统。

RememberMeAuthenticationFilter主要功能为实现这一逻辑，实现自动登陆功能。

我们分析下它的doFilter方法，内容如下：

private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    // 如果已经有认证信息，跳过此filter
    if (SecurityContextHolder.getContext().getAuthentication() != null) {
        this.logger.debug(LogMessage
                .of(() -> "SecurityContextHolder not populated with remember-me token, as it already contained: '"
                        + SecurityContextHolder.getContext().getAuthentication() + "'"));
        chain.doFilter(request, response);
        return;
    }
    // 使用RememberMe服务自动登陆
    // autoLogin方法的逻辑在下一节介绍
    Authentication rememberMeAuth = this.rememberMeServices.autoLogin(request, response);
    // 如果获取到了authentication
    if (rememberMeAuth != null) {
        // Attempt authenticaton via AuthenticationManager
        try {
            // 使用AuthenticationManager认证
            rememberMeAuth = this.authenticationManager.authenticate(rememberMeAuth);
            // Store to SecurityContextHolder
            // 储存认证信息到SecurityContext
            SecurityContextHolder.getContext().setAuthentication(rememberMeAuth);
            onSuccessfulAuthentication(request, response, rememberMeAuth);
            this.logger.debug(LogMessage.of(() -> "SecurityContextHolder populated with remember-me token: '"
                    + SecurityContextHolder.getContext().getAuthentication() + "'"));
            // 发布认证成功事件
            if (this.eventPublisher != null) {
                this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
                        SecurityContextHolder.getContext().getAuthentication(), this.getClass()));
            }
            // 调用登陆成功handler的相关逻辑
            if (this.successHandler != null) {
                this.successHandler.onAuthenticationSuccess(request, response, rememberMeAuth);
                return;
            }
        }
        catch (AuthenticationException ex) {
            // 认证失败，调用失败逻辑
            this.logger.debug(LogMessage
                    .format("SecurityContextHolder not populated with remember-me token, as AuthenticationManager "
                            + "rejected Authentication returned by RememberMeServices: '%s'; "
                            + "invalidating remember-me token", rememberMeAuth),
                    ex);
            this.rememberMeServices.loginFail(request, response);
            onUnsuccessfulAuthentication(request, response, ex);
        }
    }
    chain.doFilter(request, response);
}

AbstractRememberMeServices

Remember me相关的service封装了主要的实现逻辑，包含如何从remember me cookie中获取到用户信息和登陆状态，检查cookie内容的有效性和如何在用户允许时启用remember me功能。

autoLogin方法的功能为从cookie中获取用户信息并认证。它的内容如下：

@Override
public final Authentication autoLogin(HttpServletRequest request, HttpServletResponse response) {
    // 获取remeber me服务保存信息的cookie，默认cookie名称为remember-me
    String rememberMeCookie = extractRememberMeCookie(request);
    // 如果没找到cookie，返回
    if (rememberMeCookie == null) {
        return null;
    }
    this.logger.debug("Remember-me cookie detected");
    // 如果cookie value长度为0
    // 让这个cookie立刻过期
    if (rememberMeCookie.length() == 0) {
        this.logger.debug("Cookie was empty");
        cancelCookie(request, response);
        return null;
    }
    try {
        // 解析cookie获取token
        // base64解码，以冒号为分隔符切分string为数组后再依次URL解码
        String[] cookieTokens = decodeCookie(rememberMeCookie);
        // 获取user详细信息，这个方法在子类中实现
        UserDetails user = processAutoLoginCookie(cookieTokens, request, response);
        // 检查user信息
        this.userDetailsChecker.check(user);
        this.logger.debug("Remember-me cookie accepted");
        // 创建认证成功的authentication
        return createSuccessfulAuthentication(request, user);
    }
    catch (CookieTheftException ex) {
        cancelCookie(request, response);
        throw ex;
    }
    catch (UsernameNotFoundException ex) {
        this.logger.debug("Remember-me login was valid but corresponding user not found.", ex);
    }
    catch (InvalidCookieException ex) {
        this.logger.debug("Invalid remember-me cookie: " + ex.getMessage());
    }
    catch (AccountStatusException ex) {
        this.logger.debug("Invalid UserDetails: " + ex.getMessage());
    }
    catch (RememberMeAuthenticationException ex) {
        this.logger.debug(ex.getMessage());
    }
    cancelCookie(request, response);
    return null;
}

createSuccessfulAuthentication方法，将用户认证信息包装为RememberMeAuthenticationToken。
注意，remember me服务包含有一个key，在这里会被写入token。Token在校验的时候会拿出它的key，同remember me服务的key做比较，只有key相同才能认证通过。

protected Authentication createSuccessfulAuthentication(HttpServletRequest request, UserDetails user) {
    RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(this.key, user,
            this.authoritiesMapper.mapAuthorities(user.getAuthorities()));
    auth.setDetails(this.authenticationDetailsSource.buildDetails(request));
    return auth;
}

loginSuccess方法负责检查request中是否带有remeber me参数（勾选了“记住我”复选框）或者是配置了永远启用remember me。如果启用了remember me，调用子类的onLoginSuccess方法。AbstractAuthenticationProcessingFilter和BasicAuthenticationFilter中会调用该方法。

@Override
public final void loginSuccess(HttpServletRequest request, HttpServletResponse response,
        Authentication successfulAuthentication) {
    // rememberMeRequested方法判断是否需要启用remember me服务
    // this.parameter为remember me的参数名，默认为remember-me
    if (!rememberMeRequested(request, this.parameter)) {
        this.logger.debug("Remember-me login not requested.");
        return;
    }
    onLoginSuccess(request, response, successfulAuthentication);
}

rememberMeRequested方法包含了用来判断是否启用remember me服务（用户是否勾选remember me复选框）的具体操作。内容如下：

protected boolean rememberMeRequested(HttpServletRequest request, String parameter) {
    // 如果永远启用，返回true
    if (this.alwaysRemember) {
        return true;
    }
    // 获取remember me请求参数的值
    String paramValue = request.getParameter(parameter);
    // 如果是true，on，yes或1，返回true
    if (paramValue != null) {
        if (paramValue.equalsIgnoreCase("true") || paramValue.equalsIgnoreCase("on")
                || paramValue.equalsIgnoreCase("yes") || paramValue.equals("1")) {
            return true;
        }
    }
    this.logger.debug(
            LogMessage.format("Did not send remember-me cookie (principal did not set parameter '%s')", parameter));
    return false;
}

到这里AbstractRememberMeServices抽象类的主要逻辑已分析完毕。

下面我们重点分析下AbstractRememberMeServices两个子类：

• TokenBasedRememberMeServices
• PersistentTokenBasedRememberMeServices
  的onLoginSuccess方法和processAutoLoginCookie方法。

其中onLoginSuccess方法负责在认证成功时，将用户的登陆状态记录下来，从而做到有效期内免登录。
processAutoLoginCookie负责从cookie中读取用户的登陆状态，还原为用户详细信息(UserDetails)。

TokenBasedRememberMeServices

该类将用户认证token相关信息保存在cookie中，不需要数据库等外部存储。

onLoginSuccess方法内容如下：

@Override
public void onLoginSuccess(HttpServletRequest request, HttpServletResponse response,
        Authentication successfulAuthentication) {
    // 从authentication获取用户名和密码
    String username = retrieveUserName(successfulAuthentication);
    String password = retrievePassword(successfulAuthentication);
    // If unable to find a username and password, just abort as
    // TokenBasedRememberMeServices is
    // unable to construct a valid token in this case.
    // 如果用户名找不到，忽略后面流程
    if (!StringUtils.hasLength(username)) {
        this.logger.debug("Unable to retrieve username");
        return;
    }
    // 如果密码找不到，从UserDetailsService中查找用户的密码
    if (!StringUtils.hasLength(password)) {
        UserDetails user = getUserDetailsService().loadUserByUsername(username);
        password = user.getPassword();
        // 如果还是找不到密码，忽略后面的逻辑
        if (!StringUtils.hasLength(password)) {
            this.logger.debug("Unable to obtain password for user: " + username);
            return;
        }
    }
    // 获取token有效时间
    int tokenLifetime = calculateLoginLifetime(request, successfulAuthentication);
    long expiryTime = System.currentTimeMillis();
    // SEC-949
    // 计算token过期的时间戳，如果token有效时间小于0，设置过期时间为2周后
    expiryTime += 1000L * ((tokenLifetime < 0) ? TWO_WEEKS_S : tokenLifetime);
    // 计算token签名
    // token签名为MD5(username + ":" + tokenExpiryTime + ":" + password + ":" + getKey())
    String signatureValue = makeTokenSignature(expiryTime, username, password);
    // 设置token内容到cookie
    // Cookie内容为Base64(URLEncode(username):URLEncode(expiryTime):URLEncode(signatureValue))
    setCookie(new String[] { username, Long.toString(expiryTime), signatureValue }, tokenLifetime, request,
            response);
    if (this.logger.isDebugEnabled()) {
        this.logger.debug(
                "Added remember-me cookie for user '" + username + "', expiry: '" + new Date(expiryTime) + "'");
    }
}

processAutoLoginCookie方法：

@Override
protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request,
        HttpServletResponse response) {
    // 依照上面的分析，token解析前是一个string数组，长度为3
    // 如果这里长度不为3，说明token有误，抛出异常
    if (cookieTokens.length != 3) {
        throw new InvalidCookieException(
                "Cookie token did not contain 3" + " tokens, but contained '" + Arrays.asList(cookieTokens) + "'");
    }
    // 获取token过期时间，位于string数组第二个元素
    long tokenExpiryTime = getTokenExpiryTime(cookieTokens);
    // 如果token已过期（小于系统当前时间），抛出异常
    if (isTokenExpired(tokenExpiryTime)) {
        throw new InvalidCookieException("Cookie token[1] has expired (expired on '" + new Date(tokenExpiryTime)
                + "'; current time is '" + new Date() + "')");
    }
    // Check the user exists. Defer lookup until after expiry time checked, to
    // possibly avoid expensive database call.
    // 检查cookie中保存的用户名对应的用户是否存在
    UserDetails userDetails = getUserDetailsService().loadUserByUsername(cookieTokens[0]);
    Assert.notNull(userDetails, () -> "UserDetailsService " + getUserDetailsService()
            + " returned null for username " + cookieTokens[0] + ". " + "This is an interface contract violation");
    // Check signature of token matches remaining details. Must do this after user
    // lookup, as we need the DAO-derived password. If efficiency was a major issue,
    // just add in a UserCache implementation, but recall that this method is usually
    // only called once per HttpSession - if the token is valid, it will cause
    // SecurityContextHolder population, whilst if invalid, will cause the cookie to
    // be cancelled.
    // 重新计算token的签名，判断是否和cookie中保存的一致
    String expectedTokenSignature = makeTokenSignature(tokenExpiryTime, userDetails.getUsername(),
            userDetails.getPassword());
    // 如果不一致，认证失败，抛出异常
    if (!equals(expectedTokenSignature, cookieTokens[2])) {
        throw new InvalidCookieException("Cookie token[2] contained signature '" + cookieTokens[2]
                + "' but expected '" + expectedTokenSignature + "'");
    }
    return userDetails;
}

PersistentTokenBasedRememberMeServices

该实现方式把token的内容写入到tokenRepository中，支持token内容持久化。可以防御cookie窃取攻击。

onLoginSuccess方法：

@Override
protected void onLoginSuccess(HttpServletRequest request, HttpServletResponse response,
        Authentication successfulAuthentication) {
    // 获取用户名
    String username = successfulAuthentication.getName();
    this.logger.debug(LogMessage.format("Creating new persistent login for user %s", username));
    // 创建PersistentRememberMeToken
    // 参数中的序列号和token数据均为Base64编码的随机字节数据
    PersistentRememberMeToken persistentToken = new PersistentRememberMeToken(username, generateSeriesData(),
            generateTokenData(), new Date());
    try {
        // 保存token
        this.tokenRepository.createNewToken(persistentToken);
        // 设置token到cookie中
        // cookie内容为Base64(URLEncode(序列号):URLEncode(token数据))
        addCookie(persistentToken, request, response);
    }
    catch (Exception ex) {
        this.logger.error("Failed to save persistent token ", ex);
    }
}

PersistentTokenRepository负责保存持久化的token信息。有两个子类：

• InMemoryTokenRepositoryImpl：保存token信息到内存中
• JdbcTokenRepositoryImpl：保存token信息到数据库

processAutoLoginCookie方法：

@Override
protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request,
        HttpServletResponse response) {
    // 按照上面的分析，persistence类型的cookie内容包含2部分
    // 如果长度不为2，cookie内容无效，抛出异常
    if (cookieTokens.length != 2) {
        throw new InvalidCookieException("Cookie token did not contain " + 2 + " tokens, but contained '"
                + Arrays.asList(cookieTokens) + "'");
    }
    // 获取序列号和token数据
    String presentedSeries = cookieTokens[0];
    String presentedToken = cookieTokens[1];
    // 从tokenRepository中读取PersistentRememberMeToken
    PersistentRememberMeToken token = this.tokenRepository.getTokenForSeries(presentedSeries);
    // 如果没获取到，抛出异常
    if (token == null) {
        // No series match, so we can't authenticate using this cookie
        throw new RememberMeAuthenticationException("No persistent token found for series id: " + presentedSeries);
    }
    // We have a match for this user/series combination
    // 如果保存的token数据和cookie中的不一致
    if (!presentedToken.equals(token.getTokenValue())) {
        // Token doesn't match series value. Delete all logins for this user and throw
        // an exception to warn them.
        // 删除tokenRepository中保存的用户token
        this.tokenRepository.removeUserTokens(token.getUsername());
        // 抛出异常，很可能遭受到cookie窃取攻击
        throw new CookieTheftException(this.messages.getMessage(
                "PersistentTokenBasedRememberMeServices.cookieStolen",
                "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack."));
    }
    // 判断token是否过期
    if (token.getDate().getTime() + getTokenValiditySeconds() * 1000L < System.currentTimeMillis()) {
        throw new RememberMeAuthenticationException("Remember-me login has expired");
    }
    // Token also matches, so login is valid. Update the token value, keeping the
    // *same* series number.
    this.logger.debug(LogMessage.format("Refreshing persistent login token for user '%s', series '%s'",
            token.getUsername(), token.getSeries()));
    // 认证成功后，需要更新token数据，但是保持序列号内容不变
    PersistentRememberMeToken newToken = new PersistentRememberMeToken(token.getUsername(), token.getSeries(),
            generateTokenData(), new Date());
    try {
        // 更新token的内容
        this.tokenRepository.updateToken(newToken.getSeries(), newToken.getTokenValue(), newToken.getDate());
        // 重新设置token内容到cookie中
        addCookie(newToken, request, response);
    }
    catch (Exception ex) {
        this.logger.error("Failed to update token: ", ex);
        throw new RememberMeAuthenticationException("Autologin failed due to data access problem");
    }
    // 从UserDetailsService中读取UserDetails并返回
    return getUserDetailsService().loadUserByUsername(token.getUsername());
}

本文为原创内容，欢迎大家讨论、批评指正与转载。转载时请注明出处。