参考链接:
- spring security 使用自定义的AuthenticationFilter,提示Invalid remember-me cookie,自动登录失败的解决方法_蜀中孤鹰的博客-CSDN博客
- Spring Security之Remember me详解 - 仅此而已-远方 - 博客园 (cnblogs.com)
自定义 WebSecurityConfigurerAdapter:
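/**
 * Spring Security configuration that wires a custom login filter together with
 * token-based remember-me.
 *
 * <p>The custom filter is installed with {@code addFilterAt}, so it does not pick up the
 * remember-me services configured through {@code http.rememberMe()}; they are set on it
 * explicitly, and the same bean is handed to the remember-me configurer.
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Secret mixed into the signature of every remember-me cookie. Keep it long, random and
    // out of source control; changing it invalidates all outstanding remember-me cookies.
    @Value("${rememberme_key}")
    private String remembermeKey;

    @Autowired
    private XxxAuthSuccessHandler xxxAuthSuccessHandler;

    @Autowired
    private XxxAuthFailureHandler xxxAuthFailureHandler;

    // The remember-me services need a UserDetailsService instance (a bean, not the type name)
    // to reload the user whenever a remember-me cookie is presented.
    @Autowired
    private XxxUserDetailsService xxxUserDetailsService;

    /**
     * Creates the remember-me services shared by the login filter and the remember-me filter.
     *
     * <p>TokenBasedRememberMeServices keeps no server-side state: the cookie carries the
     * username, an expiry time and a hash over username, expiry, stored password and key
     * (MD5 in older Spring Security releases). A single cookie therefore cannot be revoked
     * without changing the user's password or the key; PersistentTokenBasedRememberMeServices
     * is the alternative when per-token revocation is required. Consider also
     * {@code setUseSecureCookie(true)} and a shorter {@code setTokenValiditySeconds(...)} for
     * HTTPS-only deployments.
     *
     * @return the remember-me services bean, reading the {@code remember_me} request parameter
     */
    @Bean
    public RememberMeServices beanRememberMeServices() {
        // Requires the signing key and the service that loads user details.
        TokenBasedRememberMeServices service =
                new TokenBasedRememberMeServices(remembermeKey, xxxUserDetailsService);
        service.setParameter("remember_me");
        return service;
    }

    /**
     * Builds the custom authentication filter that handles POSTs to {@code /authorize}.
     *
     * @return the configured filter
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    XxxAuthenticationFilter beanAuthFilter() throws Exception {
        XxxAuthenticationFilter filter = new XxxAuthenticationFilter();
        filter.setUsernameParameter("userId");
        filter.setPasswordParameter("password");
        filter.setFilterProcessesUrl("/authorize");
        filter.setAuthenticationManager(authenticationManagerBean());
        filter.setAuthenticationSuccessHandler(xxxAuthSuccessHandler);
        filter.setAuthenticationFailureHandler(xxxAuthFailureHandler);
        // Without this the filter keeps its default no-op remember-me services and never
        // issues the cookie on a successful login.
        filter.setRememberMeServices(beanRememberMeServices());
        return filter;
    }

    /**
     * Registers the custom filter and enables remember-me.
     *
     * @param http the security builder to configure
     * @throws Exception if the configuration cannot be applied
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): formLogin() also registers the stock UsernamePasswordAuthenticationFilter
        // for the same URL; confirm that only the custom filter is meant to process /authorize.
        http.addFilterAt(beanAuthFilter(), UsernamePasswordAuthenticationFilter.class)
                // . (remaining configuration omitted)
                .formLogin()
                .loginProcessingUrl("/authorize");
        // Remember-me: pass the key explicitly so the provider that validates remember-me
        // tokens uses the same key as the services above; depending on the Spring Security
        // release the configurer may otherwise generate its own key.
        http.rememberMe()
                .key(remembermeKey)
                .rememberMeServices(beanRememberMeServices());
    }
}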
获取用户信息的 Service :
// Supplies the user records that authentication and remember-me auto-login are checked against.
@Service
public class XxxUserDetailsService implements UserDetailsService {
// Load the user details (implementation omitted on the page).
// NOTE(review): UserDetailsService requires loadUserByUsername(String); the class as listed
// will not compile until that method is implemented.
// TokenBasedRememberMeServices calls this service again on every remember-me auto-login and
// includes the returned password in the cookie signature, so return the stored (encoded)
// password and the account's current enabled/locked/expired flags.
}
自定义的 UsernamePasswordAuthenticationFilter :
/**
 * Custom login filter that currently defers entirely to
 * {@link UsernamePasswordAuthenticationFilter}.
 */
public class XxxAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    /**
     * Attempts authentication for a login request.
     *
     * <p>Custom processing belongs before the delegation. Keep the call to the superclass (or
     * reproduce its checks): by default it rejects non-POST requests. Avoid logging the
     * password parameter in any custom code added here.
     *
     * @param request the login request
     * @param response the response
     * @return the authentication result produced by the superclass
     * @throws AuthenticationException if authentication fails
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        // TODO custom processing
        final Authentication result = super.attemptAuthentication(request, response);
        return result;
    }
}
自定义的授权成功 Handler :
// Success handler invoked by the login filter after authentication succeeds.
@Component
public class XxxAuthSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication auth) throws IOException {
// Authentication succeeded (response handling omitted on the page).
// NOTE(review): this override does not call super.onAuthenticationSuccess, so no redirect is
// sent, nothing is written to the response, and the superclass's clean-up of the saved
// authentication-failure attribute is skipped. Write the intended response here.
}
}
自定义的授权失败 Handler :
/**
 * Failure handler invoked by the login filter when authentication is rejected.
 */
@Component
public class XxxAuthFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    /**
     * Stores the authentication exception for later display.
     *
     * <p>NOTE(review): nothing is written to the response here (no status code, redirect or
     * body), so a failed login is answered with whatever the default response is; confirm that
     * is intended or send an explicit 401 or redirect. When the saved exception is rendered,
     * show a generic message rather than details that distinguish an unknown user from a wrong
     * password.
     *
     * @param request the login request
     * @param response the response (not used)
     * @param e the reason authentication failed
     * @throws IOException declared for compatibility with the overridden method
     */
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException e) throws IOException {
        // Authentication failed: hand the exception to the superclass helper that saves it.
        saveException(request, e);
    }
}