Spring Boot Security Learning (10) Web Log-in to remember my function



Many logins have the function of remembering me. After the user logs in once, the system will remember the user for a period of time. During this period, the user can use our system without repeated logins. Remember the basic principles of user functions as shown below:


When the user logs in, the request is sent to the filter Username Password Authentication Filter. When the filter is authenticated successfully, it calls RememberMeService, generates a token, writes token to the browser cookie, and there is a TokenRepository inside the RememberMeService, which writes token and user information to the database. When a user visits the system again and accesses an interface, he passes through a filter of the RememberMeAuthentication Filter. He reads the token in the cookie and gives it to RememberService. RememberService will use TokenRepository to check whether there are records in the database according to token. If there are records, it will take out the user name Detail Service, and then call UserilService to get it according to the user name. Get the user information and put it in the Security Context.

Implementation class

First of all, to implement the class of token operation and add, delete and change checking function, we use redis to save and create a new class RememberMeHandler. This class needs to implement the interface PersistentTokenRepository. First, let’s take a global look at the class structure:


In order to facilitate queries, when we remember a user, we store three data in redis, two of which are searching user names according to series and searching series according to user names. The duration of token definition is 15 days, and these two definitions are 30 days. The bottom three methods are the way to save the two keys and the way to generate all keys. The four methods of rewriting are adding, deleting and modifying methods. First, let’s look at the new additions:


When you need to remember the user, put the user’s information together, add it to redis, and define a 15-day expiration time. Then look at the modification and deletion:


All of them are normal operations to save content. Finally, look at the query:


After remembering the user, the user logs in, inquires the user information, realizes the automatic authentication.

There are many ways to use JDBC on the internet, which is also a good choice.

Configuration Remember Me

In the security configuration class, you need to configure to remember my parameter name and processing class:


Note that the authorization configuration here uses authenticated (). Remember me in the login page:


Note that the parameter name remember-me here is security to remember my default name.


Do not check to remember me, click login, redis does not record token information, check to remember me, click login, you can see that remember my information recorded in redis:


We start the project, log in successfully and check to remember the user, then restart the project, visit the page in the same browser, you can see that you can succeed directly without login!

Code address: https://gitee.com/blueses/spring-boot-security 10