grails - How to set a custom timeout for the remember-me cookie in Grails Spring Security?

Tags: grails spring-security remember-me

I have set tokenValiditySeconds in Config.groovy:

grails.plugins.springsecurity.rememberMe.tokenValiditySeconds=31*24*60*60

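But I want to set a different validity for all requests coming from one subdomain. I can identify the domain information from the request object, but I am not able to override tokenValiditySeconds from the CustomRememberMeService class.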

By default the tokens will be valid for 14 days from the last successful authentication attempt. This can be changed using AbstractRememberMeServices.setTokenValiditySeconds(int). If this value is less than zero, the expiryTime will remain at 14 days, but the negative value will be used for the maxAge property of the cookie, meaning that it will not be stored when the browser is closed.



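According to the documentation, I should be able to change the validity by using the setTokenValiditySeconds(int) method, but it has no effect.

So how do I override the value set in the configuration file?

Thanks.

Edit: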
class CustomRememberMeService extends TokenBasedRememberMeServices {
    def springSecurityService;

    public final LoggedInUserDetails customAutoLogin(HttpServletRequest request, HttpServletResponse response) {
        def cookies = request.getCookies();
        if (!cookies) return null;
        String rememberMeCookie = extractRememberMeCookie(request);
        for (int i = 0; i < cookies.length; i++) {
            Cookie c = cookies[i];
            if(c.getName().equals('remember_me') && rememberMeCookie == null) {
                rememberMeCookie = c.getValue();
            }
        }
        if (rememberMeCookie == null) return null
        logger.debug("rememberMeCookie is : ${rememberMeCookie}");

        if (rememberMeCookie.length() == 0) {
            cancelCookie(request, response);
            return null;
        }

        String[] cookieTokens = decodeCookie(rememberMeCookie);
        String username = cookieTokens[0];

        def loginContext = request.getParameter('loginContext')
        loginContext = (loginContext == null) ? "mainWeb" : loginContext

        setTokenValiditySeconds(60) // not working

        LoggedInUserDetails user = getUserDetailsService().loadUserByUsername("${username}#${request.getServerName().trim()}#${loginContext}")

        springSecurityService.reauthenticate("${username}#${request.getServerName().trim()}#${loginContext}")
    }
}

The resource.groovy file looks like this:
//..
customRememberMeService(com.rwi.springsecurity.services.CustomRememberMeService) {
    userDetailsService = ref('userDetailsService')
    springSecurityService = ref('springSecurityService')
    key = "${grailsApplication.config.grails.plugins.springsecurity.rememberMe.key}"
}
customRememberMeServicesFilter(CustomRememberMeServicesFilter){
    authenticationManager = ref('authenticationManager')
    rememberMeServices = ref('rememberMeServices')
    customRememberMeService = ref('customRememberMeService')
}
//..

CustomRemeberMEService.groovy
// ..
class CustomRememberMeServicesFilter extends RememberMeAuthenticationFilter {
    def customRememberMeService;
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            LoggedInUserDetails rememberMeAuth = customRememberMeService.customAutoLogin(request, response);
        }   
        chain.doFilter(request, response);
    }
}

Best answer

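Override the method calculateLoginLifetime. By default it returns the value set in the configuration (it calls getTokenValiditySeconds()). By overriding this method you can determine (based on the request) whether the normal timeout or a custom timeout should be passed.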

protected int calculateLoginLifetime(HttpServletRequest request, Authentication authentication) {
    if (request.getRemoteAddr().startsWith("subdomain")) {
        return 15; // Or whatever you want, you could also make it configurable.
    }
    return getTokenValiditySeconds();
}
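
A fuller version of this override, as an added example that is not part of the original answer or of the plugin's code. It matches on request.getServerName(), as the question's own code does, because getRemoteAddr() returns the client's IP address rather than a host name. The class name HostAwareRememberMeServices, the lifetimeByHost property, the host name and the lifetime value are hypothetical, and the clamp to the configured lifetime is a design choice of this example.

```groovy
import javax.servlet.http.HttpServletRequest
import org.springframework.security.core.Authentication
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices

// Added example. Host names and lifetimes below are constructed sample values.
class HostAwareRememberMeServices extends TokenBasedRememberMeServices {

    // Exact host name -> remember-me lifetime in seconds (hypothetical property,
    // settable from the bean definition like key and userDetailsService).
    Map<String, Integer> lifetimeByHost = ['partner.example.com': 15 * 60]

    // Called from onLoginSuccess() when the cookie is issued. The expiry time is
    // written into the signed token at that point, so calling
    // setTokenValiditySeconds() later, during auto-login, does not change a
    // token that already exists. The bean is also a shared singleton, so
    // mutating its validity per request would affect every other user.
    @Override
    protected int calculateLoginLifetime(HttpServletRequest request, Authentication authentication) {
        int configured = getTokenValiditySeconds()

        // getServerName() is derived from the client-supplied Host header, so
        // compare against exact allow-listed names only (no startsWith/contains).
        String host = (request.getServerName() ?: '').trim().toLowerCase(Locale.ROOT)
        Integer override = lifetimeByHost[host]

        // No entry for this host, an invalid entry, or a session-only
        // configuration (value <= 0): keep the configured behaviour.
        if (override == null || override <= 0 || configured <= 0) {
            return configured
        }

        // An override may shorten the configured lifetime but never extend it,
        // so a forged Host header cannot be used to obtain a longer-lived token.
        return Math.min(override, configured)
    }
}
```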

Regarding "grails - How to set a custom timeout for the remember-me cookie in Grails Spring Security?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/18698845/
