grails - 如何在grails spring security rest应用程序上15分钟后过期刷新令牌

Question

我们正在使用 Spring Security Core(3.0.0) 和 Spring Security Rest 插件(2.0.0.M2) 进行用户授权和访问控制的 Grails 3.2.12 项目。

现在，我们需要实现一种方法，在系统处于非活动状态 15 分钟后使用户访问过期。

项目配置为在登录后 15 分钟后访问令牌过期，并且刷新令牌进程处于非活动状态，因此，用户需要重新登录。

问题是refresh token默认是永不过期的，如果我们实现refresh token的过程，用户访问永不过期。

我们计划的解决方案是什么：我们将访问令牌的过期时间更改为 5 分钟，并为刷新令牌创建一个 15 分钟的过期时间。

有什么方法可以为 grails spring security rest 插件上的刷新令牌创建过期时间？

score 2 · Accepted Answer

Funny I just gave some advice about this question on Slack: From looking at the code you would have to override the functionality of these three classes, at the minimum:

https://github.com/alvarosanchez/grails-spring-security-rest/blob/ffa848c9c6dd82f92f2ab489cb5d7a1515c587f2/spring-security-rest/grails-app/controllers/grails/plugin/springsecurity/rest/RestOauthController.groovy#L137

https://github.com/alvarosanchez/grails-spring-security-rest/blob/develop/spring-security-rest/src/main/groovy/grails/plugin/springsecurity/rest/token/storage/jwt/JwtTokenStorageService.groovy#L52

https://github.com/alvarosanchez/grails-spring-security-rest/blob/ffa848c9c6dd82f92f2ab489cb5d7a1515c587f2/spring-security-rest/src/main/groovy/grails/plugin/springsecurity/rest/token/generation/jwt/AbstractJwtTokenGenerator.groovy#L113

It seems like the way it differentiates between a refresh token is by it not having an expiration, so you would have to come up with an alternative mechanism. Good luck...

grails - 如何在grails spring security rest应用程序上15分钟后过期刷新令牌

1 回答 1

Related

Reference