spring security ajax登陆及返回
序
本文讲述一下如何自定义spring security的登陆页,网上给的资料大多过期,并且是基于后端模板技术的,讲的不是太清晰,本文给出一个采用ajax的登陆及返回的先后端分离方式。css
ajax返回
总共须要处理3个地方,一个是异常的处理,须要兼容ajax请求,一个是成功返回的处理,一个是失败返回的处理。html
ajax的异常处理
public class UnauthorizedEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
if(isAjaxRequest(request)){
response.sendError(HttpServletResponse.SC_UNAUTHORIZED,authException.getMessage());
}else{
response.sendRedirect("/login.html");
}
}
public static boolean isAjaxRequest(HttpServletRequest request) {
String ajaxFlag = request.getHeader("X-Requested-With");
return ajaxFlag != null && "XMLHttpRequest".equals(ajaxFlag);
}
}
这里咱们自定义成功及失败的ajax返回,固然这里咱们简单处理,只返回statusCode前端
AjaxAuthSuccessHandler
public class AjaxAuthSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_OK);
}
}
AjaxAuthFailHandler
public class AjaxAuthFailHandler extends SimpleUrlAuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
}
}
security配置
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling().authenticationEntryPoint(new UnauthorizedEntryPoint())
.and()
.csrf().disable()
.authorizeRequests()
.antMatchers("/login","/css/**", "/js/**","/fonts/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login.html")
.loginProcessingUrl("/login")
.usernameParameter("name")
.passwordParameter("password")
.successHandler(new AjaxAuthSuccessHandler())
.failureHandler(new AjaxAuthFailHandler())
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("admin").password("admin").roles("USER");
}
}
这里有几个要注意的点:java
- permitAll
这里要添加前端资源路径,以及登录表单请求的接口地址/loginweb
- loginPage
这里设置登陆页面的地址,这里咱们用静态页面,即static目录下的login.htmlajax
- ajax配置
将authenticationEntryPoint,successHandler,failureHandler设置为上面自定义的ajax处理类spring
登陆页面
就是一个纯粹的html页面,其中登陆按钮的ajax请求以下:segmentfault
$.ajax({
url: '/login',
type: 'POST',
data: "name="+name+"&password="+password,
success: function (res, status) {
window.location.href='/ok.html'
},
error: function (res, status) {
dangerDialog(res.statusText);
}
});
这里是请求/login,也就是spring security会默认拦截的路径,不了解spring security的人可能会纳闷,我请求这个路径,可是工程里头没有定义/login的request mapping,没关系么。下面来剖析一下。后端
spring security内置的各类filter:
| Alias | Filter Class | Namespace Element or Attribute |
|---|---|---|
| CHANNEL_FILTER | ChannelProcessingFilter | http/intercept-url@requires-channel |
| SECURITY_CONTEXT_FILTER | SecurityContextPersistenceFilter | http |
| CONCURRENT_SESSION_FILTER | ConcurrentSessionFilter | session-management/concurrency-control |
| HEADERS_FILTER | HeaderWriterFilter | http/headers |
| CSRF_FILTER | CsrfFilter | http/csrf |
| LOGOUT_FILTER | LogoutFilter | http/logout |
| X509_FILTER | X509AuthenticationFilter | http/x509 |
| PRE_AUTH_FILTER | AbstractPreAuthenticatedProcessingFilter Subclasses | N/A |
| CAS_FILTER | CasAuthenticationFilter | N/A |
| FORM_LOGIN_FILTER | UsernamePasswordAuthenticationFilter | http/form-login |
| BASIC_AUTH_FILTER | BasicAuthenticationFilter | http/http-basic |
| SERVLET_API_SUPPORT_FILTER | SecurityContextHolderAwareRequestFilter | http/@servlet-api-provision |
| JAAS_API_SUPPORT_FILTER | JaasApiIntegrationFilter | http/@jaas-api-provision |
| REMEMBER_ME_FILTER | RememberMeAuthenticationFilter | http/remember-me |
| ANONYMOUS_FILTER | AnonymousAuthenticationFilter | http/anonymous |
| SESSION_MANAGEMENT_FILTER | SessionManagementFilter | session-management |
| EXCEPTION_TRANSLATION_FILTER | ExceptionTranslationFilter | http |
| FILTER_SECURITY_INTERCEPTOR | FilterSecurityInterceptor | http |
| SWITCH_USER_FILTER | SwitchUserFilter | N/A |
这里咱们要关注的就是这个UsernamePasswordAuthenticationFilter,顾名思义,它是filter,在执行/login请求的时候拦截,于是是不须要工程里头去定义login的request mapping的。api
UsernamePasswordAuthenticationFilter
spring-security-web-4.2.3.RELEASE-sources.jar!/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.java
public class UsernamePasswordAuthenticationFilter extends
AbstractAuthenticationProcessingFilter {
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
String username = obtainUsername(request);
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
//......
}
这里就是拦截,获取login.html提交的参数,而后交给authenticationManager去认证。以后就是走后续的filter,若是成功,则会进行相应的session配置。
doc
相关文章
- 1. spring security ajax登陆及返回
- 2. Spring Security 实战干货: 登陆成功后返回 JWT Token
- 3. Spring Security 实战干货: 登陆后返回 JWT Token
- 4. spring security登陆、登出、认证异常返回值的自定义实现
- 5. Spring Security配置JSON登陆
- 6. spring security整合QQ登陆
- 7. Spring Security 表单登陆
- 8. Spring Security(02)——关于登陆
- 9. Spring Security之短信登陆
- 10. 单点登陆:spring-security-cas
- 更多相关文章...
- • Spring Bean的配置及常用属性 - Spring教程
- • PHP imageaffine - 返回经过仿射变换后的图像 - PHP参考手册
- • 算法总结-回溯法
- • Flink 数据传输及反压详解
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 融合阿里云,牛客助您找到心仪好工作
- 2. 解决jdbc(jdbctemplate)在测试类时不报错在TomCatb部署后报错
- 3. 解决PyCharm GoLand IntelliJ 等 JetBrains 系列 IDE无法输入中文
- 4. vue+ant design中关于图片请求不显示的问题。
- 5. insufficient memory && Native memory allocation (malloc) failed
- 6. 解决IDEA用Maven创建的Web工程不能创建Java Class文件的问题
- 7. [已解决] Error: Cannot download ‘https://start.spring.io/starter.zip?
- 8. 在idea让java文件夹正常使用
- 9. Eclipse启动提示“subversive connector discovery”
- 10. 帅某-技巧-快速转帖博主文章(article_content)
欢迎关注本站公众号,获取更多信息
相关文章
- 1. spring security ajax登陆及返回
- 2. Spring Security 实战干货: 登陆成功后返回 JWT Token
- 3. Spring Security 实战干货: 登陆后返回 JWT Token
- 4. spring security登陆、登出、认证异常返回值的自定义实现
- 5. Spring Security配置JSON登陆
- 6. spring security整合QQ登陆
- 7. Spring Security 表单登陆
- 8. Spring Security(02)——关于登陆
- 9. Spring Security之短信登陆
- 10. 单点登陆:spring-security-cas