SpringSecurity 表单登陆
本文已参与好文召集令活动,点击查看:后端、大前端双赛道投稿,2万元奖池等你挑战html
表单登陆
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/mylogin.html")
.loginProcessingUrl("/doLogin")
.defaultSuccessUrl("/index.html")
.failureHandler(new MyAuthenticationFailureHandler())
.usernameParameter("uname")
.passwordParameter("passwd")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new OrRequestMatcher(
new AntPathRequestMatcher("/logout1", "GET"),
new AntPathRequestMatcher("/logout2", "POST")))
.invalidateHttpSession(true)
.clearAuthentication(true)
.defaultLogoutSuccessHandlerFor((req,resp,auth)->{
resp.setContentType("application/json;charset=utf-8");
Map<String, Object> result = new HashMap<>();
result.put("status", 200);
result.put("msg", "使用 logout1 注销成功!");
ObjectMapper om = new ObjectMapper();
String s = om.writeValueAsString(result);
resp.getWriter().write(s);
},new AntPathRequestMatcher("/logout1","GET"))
.defaultLogoutSuccessHandlerFor((req,resp,auth)->{
resp.setContentType("application/json;charset=utf-8");
Map<String, Object> result = new HashMap<>();
result.put("status", 200);
result.put("msg", "使用 logout2 注销成功!");
ObjectMapper om = new ObjectMapper();
String s = om.writeValueAsString(result);
resp.getWriter().write(s);
},new AntPathRequestMatcher("/logout2","POST"))
.and()
.csrf().disable();
}
}
复制代码
springSecurity须要自定义配置值 基本都是继承WebSecurityConfigurerAdapter前端
-
authorizeRequests表示开启权限配置,.anyRequest().authenticated()表示全部的请求都认证以后才能访问java
-
and()方法返回HttpSecurity的实例web
-
formLogin()表示开启表单登陆配置spring
- loginPage 配置登陆页面地址
- loginProcessingUrl 配置登陆接口地址
- defaultSuccessUrl 登陆成功后的跳转地址
- failureUrl表示登陆失败后的跳转地址
- usernameParameter表示登陆用户名的参数名
- passwordParameter 登陆密码的参数名
- permitAll()表示和登陆相关的页面和接口不作拦截 直接经过
其中loginProcessingUrl usernameParameter passwordParameter要和登陆表单的配置一致。apache
.loginPage("/mylogin.html") // .loginProcessingUrl("/doLogin") .defaultSuccessUrl("/index.html") .failureHandler(new MyAuthenticationFailureHandler()) .usernameParameter("uname") .passwordParameter("passwd") 复制代码 -
csrf().disable()表示禁用CSRF防护功能json
登陆成功
用户登陆成功后除了defaultSuccessUrl方法能够实现登陆成功的跳转以外,successForwardUrl也能够实现登陆成功后的跳转,后端
defaultSuccessUrl 和successForwardUrl区别:缓存
- defaultSuccessUrl表示当用户登陆成功后,会自动重定向到登陆以前的地址,若是用户自己就是访问的登陆页面,登陆成功后就会重定向到defaultSuccessUrl指定页面
- successForwardUrl不会考虑用户以前的访问地址,登陆成功后经过服务器端跳转到successForwardUrl所指定的页面。
defaultSuccessUrl是客户端跳转重定向,successForwardUrl是经过服务端实现的跳转。服务器
他们的接口都AuthenticationSuccessHandler
AuthenticationSuccessHandler有三个实现类
- SimpleUrlAuthenticationSuccessHandler 继承 AbstractAuthenticationTargetUrlRequestHandler 经过他的handle方法处理请求
- SavedRequestAwareAuthenticationSuccessHandler 在SimpleUrlAuthenticationSuccessHandler基础上增长了请求加缓存的功能,能够记录以前请求的地址,今儿在登陆成功后重定向到开始访问的地址。
- ForwardAuthenticationSuccessHandler 是服务端的跳转
SavedRequestAwareAuthenticationSuccessHandler
defaultSuccessUrl 对应的是SavedRequestAwareAuthenticationSuccessHandler
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
SavedRequest savedRequest = this.requestCache.getRequest(request, response);
if (savedRequest == null) {
super.onAuthenticationSuccess(request, response, authentication);
} else {
String targetUrlParameter = this.getTargetUrlParameter();
if (!this.isAlwaysUseDefaultTargetUrl() && (targetUrlParameter == null || !StringUtils.hasText(request.getParameter(targetUrlParameter)))) {
this.clearAuthenticationAttributes(request);
String targetUrl = savedRequest.getRedirectUrl();
this.logger.debug("Redirecting to DefaultSavedRequest Url: " + targetUrl);
this.getRedirectStrategy().sendRedirect(request, response, targetUrl);
} else {
this.requestCache.removeRequest(request, response);
super.onAuthenticationSuccess(request, response, authentication);
}
}
}
复制代码
- 首先从requestCache中获取缓存下来的请求 若是没有获取到缓存请求,就说明用户在访问登陆页面以前并无访问其余页面,此时直接调用父类的onAuthenticationSuccess方法来处理,重定向到defaultSuccessUrl指定的地址。
- 获取targetUrlParameter 拿到target参数后重定向地址。
- 若是targetUrlParameter不存在或者alwaysUseDefaultTargetUrl为true 缓存下来的请求没有意义,直接调用父类的onAuthenticationSuccess方法完成重定向 。targetUrlParameter存在 则重定向到targetUrlParameter中,alwaysUseDefaultTargetUrl为true 走默认
ForwardAuthenticationSuccessHandler
successForwardUrl对应ForwardAuthenticationSuccessHandler
public class ForwardAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
private final String forwardUrl;
public ForwardAuthenticationSuccessHandler(String forwardUrl) {
Assert.isTrue(UrlUtils.isValidRedirectUrl(forwardUrl), () -> {
return "'" + forwardUrl + "' is not a valid forward URL";
});
this.forwardUrl = forwardUrl;
}
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
request.getRequestDispatcher(this.forwardUrl).forward(request, response);
}
}
复制代码
主要调用getRequestDispatcher进行服务端请求转发
自定义AuthenticationSuccessHandler 实现类
public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler{
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
response.setContentType("application/json;charset=utf-8");
Map<String, Object> resp = new HashMap<>();
resp.put("status", 200);
resp.put("msg", "登陆成功!");
ObjectMapper om = new ObjectMapper();
String s = om.writeValueAsString(resp);
response.getWriter().write(s);
}
}
复制代码
.successHandler(new MyAuthenticationSuccessHandler())
复制代码
经过HttpServletResponse对象返回登陆成功的json给前端
登陆失败
failureUrl表示登陆失败后的重定向到配置的页面,重定向是客户端的跳转,不方便携带请求失败的异常信息。
failureForwardUrl是服务端的跳转,能够携带登陆异常信息。登陆失败,自动跳转回登陆页面,将错误信息展现出来。
他们的配置的是AuthenticationFailureHandler接口的实现类
SimpleUrlAuthenticationFailureHandler
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//
package org.springframework.security.web.authentication;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert;
public class SimpleUrlAuthenticationFailureHandler implements AuthenticationFailureHandler {
protected final Log logger = LogFactory.getLog(this.getClass());
private String defaultFailureUrl;
private boolean forwardToDestination = false;
private boolean allowSessionCreation = true;
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
public SimpleUrlAuthenticationFailureHandler() {
}
public SimpleUrlAuthenticationFailureHandler(String defaultFailureUrl) {
this.setDefaultFailureUrl(defaultFailureUrl);
}
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
if (this.defaultFailureUrl == null) {
this.logger.debug("No failure URL set, sending 401 Unauthorized error");
response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
} else {
this.saveException(request, exception);
if (this.forwardToDestination) {
this.logger.debug("Forwarding to " + this.defaultFailureUrl);
request.getRequestDispatcher(this.defaultFailureUrl).forward(request, response);
} else {
this.logger.debug("Redirecting to " + this.defaultFailureUrl);
this.redirectStrategy.sendRedirect(request, response, this.defaultFailureUrl);
}
}
}
protected final void saveException(HttpServletRequest request, AuthenticationException exception) {
if (this.forwardToDestination) {
request.setAttribute("SPRING_SECURITY_LAST_EXCEPTION", exception);
} else {
HttpSession session = request.getSession(false);
if (session != null || this.allowSessionCreation) {
request.getSession().setAttribute("SPRING_SECURITY_LAST_EXCEPTION", exception);
}
}
}
}
复制代码
当用户构造SimpleUrlAuthenticationFailureHandler对象时候传入defaultFailureUrl,也就是登陆失败时要跳转的url。在onAuthenticationFailure方法中
-
若是defaultFailureUrl为null,直接经过response返回异常信息,不然调用saveException
-
saveException 若是forwardToDestination为true,表示经过服务器端跳转回到登陆页面,此时就把异常信息放到request中。
-
回到onAuthenticationFailure方法,若是forwardToDestination为true,就经过服务器端跳回到登陆页面,不然重定向到登陆页面。
自定义AuthenticationFailureHandler实现类
public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
response.setContentType("application/json;charset=utf-8");
Map<String, Object> resp = new HashMap<>();
resp.put("status", 500);
resp.put("msg", "登陆失败!" + exception.getMessage());
ObjectMapper om = new ObjectMapper();
String s = om.writeValueAsString(resp);
response.getWriter().write(s);
}
}
复制代码
经过HttpServletResponse对象返回登陆失败的json给前端
注销登陆
.logout()
.logoutUrl("")
.logoutRequestMatcher(new OrRequestMatcher(
new AntPathRequestMatcher("/logout1", "GET"),
new AntPathRequestMatcher("/logout2", "POST")))
.invalidateHttpSession(true)
.clearAuthentication(true)
.logoutSuccessUrl("")
复制代码
- logout() 表示开启注销登陆配置。
- logoutUrl 指定注销登陆请求地址,默认GET请求,路径logout
- invalidateHttpSession 表示是否使session失效,默认为true
- clearAuthentication 表示是否清除认证信息,默认为true
- logoutSuccessUrl 表示注销登陆后的跳转地址。
- logoutRequestMatcher 匹配多个注销登陆
自定义注销成功的返回内容
.logout()
.logoutRequestMatcher(new OrRequestMatcher(
new AntPathRequestMatcher("/logout1", "GET"),
new AntPathRequestMatcher("/logout2", "POST")))
.invalidateHttpSession(true)
.clearAuthentication(true)
.defaultLogoutSuccessHandlerFor((req,resp,auth)->{
resp.setContentType("application/json;charset=utf-8");
Map<String, Object> result = new HashMap<>();
result.put("status", 200);
result.put("msg", "使用 logout1 注销成功!");
ObjectMapper om = new ObjectMapper();
String s = om.writeValueAsString(result);
resp.getWriter().write(s);
},new AntPathRequestMatcher("/logout1","GET"))
.defaultLogoutSuccessHandlerFor((req,resp,auth)->{
resp.setContentType("application/json;charset=utf-8");
Map<String, Object> result = new HashMap<>();
result.put("status", 200);
result.put("msg", "使用 logout2 注销成功!");
ObjectMapper om = new ObjectMapper();
String s = om.writeValueAsString(result);
resp.getWriter().write(s);
},new AntPathRequestMatcher("/logout2","POST"))
.and()
.csrf().disable();
复制代码
defaultLogoutSuccessHandlerFor()两个参数 第一个是注销成功的回调,第二个是具体的注销请求。
相关文章
- 1. SpringSecurity 自定义表单登陆
- 2. springsecurity短信登陆
- 3. SpringSecurity 3.2入门(3)单用户登陆
- 4. springsecurity整合jwt实现单点登陆
- 5. SpringBoot基于SpringSecurity表单登陆和权限验证
- 6. Flask-表单登陆
- 7. SpringSecurity重构登陆逻辑
- 8. SpringSecurity之注销登陆
- 9. SpringSecurity登陆认证流程
- 10. SpringSecurity-2-表单登录流程
- 更多相关文章...
- • jQuery Mobile 表单 - jQuery Mobile 教程
- • Thymeleaf表单 - Thymeleaf 教程
- • TiDB 在摩拜单车在线数据业务的应用和实践
- • C# 中 foreach 遍历的用法
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 外部其他进程嵌入到qt FindWindow获得窗口句柄 报错无法链接的外部符号 [email protected] 无法被([email protected]@[email protected]@@引用
- 2. UVa 11524 - InCircle
- 3. The Monocycle(bfs)
- 4. VEC-C滑窗
- 5. 堆排序的应用-TOPK问题
- 6. 实例演示ElasticSearch索引查询term,match,match_phase,query_string之间的区别
- 7. 数学基础知识 集合
- 8. amazeUI 复择框问题解决
- 9. 背包问题理解
- 10. 算数平均-几何平均不等式的证明,从麦克劳林到柯西
欢迎关注本站公众号,获取更多信息
