SpringSecurity自定義Form表單使用方法講解

更新時(shí)間：2023年01月17日 09:51:25 作者：做網(wǎng)安的小王

這篇文章主要介紹了Spring Security自定義Form表單使用方法，雖然 Spring Security 提供了默認(rèn)的登錄表單，實(shí)際項(xiàng)目里肯定是不可以直接使用的，當(dāng)然 Spring Security 也提供了自定義登錄表單的功能

背景
實(shí)驗(yàn)-HttpBasic
實(shí)驗(yàn)-自定義登錄頁面
實(shí)驗(yàn)-自定義登錄接口
實(shí)驗(yàn)-自定義登錄數(shù)據(jù)參數(shù)
實(shí)驗(yàn)-自定義登錄失敗、成功處理器
實(shí)驗(yàn)-自定義登錄成功跳轉(zhuǎn)頁面
實(shí)驗(yàn)-自定義退出接口

背景

本系列教程，是作為團(tuán)隊(duì)內(nèi)部的培訓(xùn)資料準(zhǔn)備的。主要以實(shí)驗(yàn)的方式來體驗(yàn)SpringSecurity的各項(xiàng)Feature。

新建一個(gè)SpringBoot項(xiàng)目，起名springboot-security-form，核心依賴為Web，SpringSecurity與Thymeleaf。

<dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-thymeleaf</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-devtools</artifactId><scope>runtime</scope><optional>true</optional></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><optional>true</optional></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency>
</dependencies>

實(shí)驗(yàn)-HttpBasic

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {// There is no PasswordEncoder mapped for the id "null"PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();String yourPassword = "123";System.out.println("Encoded password: " + encoder.encode(yourPassword));// Config account info and permissionsauth.inMemoryAuthentication().withUser("dev").password(encoder.encode(yourPassword)).authorities("p1").and().withUser("test").password(encoder.encode(yourPassword)).authorities("p2");
}
@Override
protected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/user/add").hasAuthority("p1").antMatchers("/user/query").hasAuthority("p2").antMatchers("/user/**").authenticated().anyRequest().permitAll() // Let other request pass.and().httpBasic();
}

實(shí)驗(yàn)-自定義登錄頁面

登錄頁面配置

@Override
protected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/user/add").hasAuthority("p1").antMatchers("/user/query").hasAuthority("p2").antMatchers("/user/**").authenticated().anyRequest().permitAll() // Let other request pass.and().csrf().disable() // turn off csrf, or will be 403 forbidden.formLogin() // Support form and HTTPBasic.loginPage("/login");
}

后端登錄頁面接口

@Controller
public class LoginController {@GetMapping("/login")public String login() {return "login";}@GetMapping(value = "/user/add")@ResponseBodypublic String accessResource1() {return " Access Resource 1: Add User";}@GetMapping(value = "/user/query")@ResponseBodypublic String accessResource2() {return " Access Resource 2: Query User";}
}

前端模板

<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>Login</title>
</head>
<body>
<form action="login" method="post"><span>用戶名</span><input type="text" name="username" /> <br><span>密碼</span><input type="password" name="password" /> <br><input type="submit" value="登錄">
</form>
</body>
</html>

Note：此時(shí)，需要先關(guān)閉CSRF，.csrf().disable()，否則報(bào)403；

實(shí)驗(yàn)-自定義登錄接口

默認(rèn)登錄頁面接口與登錄數(shù)據(jù)提交接口是同一個(gè)：/login，順著.loginPage，進(jìn)入FormLoginConfigurer，源碼如下：

@Override
public FormLoginConfigurer<H> loginPage(String loginPage) {return super.loginPage(loginPage);
}

繼續(xù)進(jìn)入父類的loginPage方法，

protected T loginPage(String loginPage) {setLoginPage(loginPage);updateAuthenticationDefaults();this.customLoginPage = true;return getSelf();
}

繼續(xù)跟蹤進(jìn)入方法updateAuthenticationDefaults();，可以看到，如果沒有配置loginProcessingUrl，那么loginProcessingUrl與loginPage便相同。

protected final void updateAuthenticationDefaults() {if (loginProcessingUrl == null) {loginProcessingUrl(loginPage);}if (failureHandler == null) {failureUrl(loginPage + "?error");}final LogoutConfigurer<B> logoutConfigurer = getBuilder().getConfigurer(LogoutConfigurer.class);if (logoutConfigurer != null && !logoutConfigurer.isCustomLogoutSuccess()) {logoutConfigurer.logoutSuccessUrl(loginPage + "?logout");}
}

下面我們自定義登錄數(shù)據(jù)提交接口為/formLogin，此時(shí)相應(yīng)的前端action也要修改。

@Override
protected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/user/add").hasAuthority("p1").antMatchers("/user/query").hasAuthority("p2").antMatchers("/user/**").authenticated().anyRequest().permitAll() // Let other request pass.and().csrf().disable() // turn off csrf, or will be 403 forbidden.formLogin() // Support form and HTTPBasic.loginPage("/login").loginProcessingUrl("/formLogin");
}

<form action="formLogin" method="post"><span>用戶名</span><input type="text" name="username" /> <br><span>密碼</span><input type="password" name="password" /> <br><input type="submit" value="登錄">
</form>

實(shí)驗(yàn)-自定義登錄數(shù)據(jù)參數(shù)

前面我們自定義了登錄頁面，在form表單中設(shè)置用戶名、密碼分別為username, password，那為什么這樣寫呢，可以改成別的嘛？可以倒是可以，但是不能隨便改；

如果這里我們把username改為name，再次嘗試登錄，后端接口將報(bào)錯(cuò)：org.springframework.security.authentication.BadCredentialsException: Bad credentials。?？墒菍?shí)際項(xiàng)目中我們的用戶名密碼就是不叫這個(gè)名字呢？我們可以進(jìn)行配置.usernameParameter("name")：

@Override
protected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/user/add").hasAuthority("p1").antMatchers("/user/query").hasAuthority("p2").antMatchers("/user/**").authenticated().anyRequest().permitAll() // Let other request pass.and().csrf().disable() // turn off csrf, or will be 403 forbidden.formLogin() // Support form and HTTPBasic.loginPage("/login").loginProcessingUrl("/formLogin").usernameParameter("name");
}

<form action="formLogin" method="post"><span>用戶名</span><input type="text" name="name" /> <br><span>密碼</span><input type="password" name="password" /> <br><input type="submit" value="登錄">
</form>

默認(rèn)的用戶名、密碼分別為username, password，我們看下SpringSecurity的源碼：

public final class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extends
		AbstractAuthenticationFilterConfigurer<H, FormLoginConfigurer<H>, UsernamePasswordAuthenticationFilter> {
	/**
	 * Creates a new instance
	 * @see HttpSecurity#formLogin()
	 */
	public FormLoginConfigurer() {
		super(new UsernamePasswordAuthenticationFilter(), null);
		usernameParameter("username");
		passwordParameter("password");
	}
}

實(shí)驗(yàn)-自定義登錄失敗、成功處理器

問題：就以上個(gè)實(shí)驗(yàn)3中的報(bào)錯(cuò)信息為例，或當(dāng)用戶名、密碼輸錯(cuò)后，如何在后臺(tái)看到錯(cuò)誤信息？

@Override
protected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/user/add").hasAuthority("p1").antMatchers("/user/query").hasAuthority("p2").antMatchers("/user/**").authenticated().anyRequest().permitAll() // Let other request pass.and().csrf().disable() // turn off csrf, or will be 403 forbidden.formLogin() // Support form and HTTPBasic.loginPage("/login").loginProcessingUrl("/formLogin").usernameParameter("name").failureHandler(new AuthenticationFailureHandler(){@Overridepublic void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {exception.printStackTrace();request.getRequestDispatcher(request.getRequestURL().toString()).forward(request, response);}});
}

常見的認(rèn)證異常，這里可以看到AuthenticationException共有18個(gè)子類：

上述增加了在認(rèn)證失敗時(shí)的處理：輸出錯(cuò)誤信息。同理，如果想在登錄成功時(shí)直接進(jìn)行一些處理（eg: 數(shù)據(jù)初始化等），可以使用以下配置：

.successHandler(new AuthenticationSuccessHandler() {@Overridepublic void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,Authentication authentication) throws IOException, ServletException {System.out.println("Login Successfully~");// do something here: initial work or forward to different url regarding different roles...request.getRequestDispatcher("").forward(request, response);}
})

實(shí)驗(yàn)-自定義登錄成功跳轉(zhuǎn)頁面

經(jīng)歷千難萬險(xiǎn)，終于要登錄成功了。進(jìn)來之后要跳轉(zhuǎn)到哪里呢？看你嘍~想跳哪里跳哪里。。

@Override
protected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/user/add").hasAuthority("p1").antMatchers("/user/query").hasAuthority("p2").antMatchers("/user/**").authenticated().anyRequest().permitAll() // Let other request pass.and().csrf().disable() // turn off csrf, or will be 403 forbidden.formLogin() // Support form and HTTPBasic.loginPage("/login").loginProcessingUrl("/formLogin").usernameParameter("name").failureHandler(new AuthenticationFailureHandler(){@Overridepublic void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {exception.printStackTrace();request.getRequestDispatcher(request.getRequestURL().toString()).forward(request, response);}}).successForwardUrl("/ok"); // custom login success page, a POST request
}

@Controller
public class LoginController {...@PostMapping(value = "/ok")@ResponseBodypublic String ok() {return "ok";}
}

通過.successForwardUrl("/ok")配置了登錄成功之后要跳轉(zhuǎn)的頁面路徑或接口，同時(shí)需要在后端新增/ok接口。

Note:

注意這里successForwardUrl的接口必須為POST接口；
除了.successForwardUrl("/ok");，還可以使用.defaultSuccessUrl("/ok");或者.defaultSuccessUrl("/ok", true); 第二個(gè)參數(shù)true表示不管是從哪個(gè)地址進(jìn)來，登錄后全部跳轉(zhuǎn)到指定的地址，此時(shí)與successForwardUrl效果相同，默認(rèn)為false
當(dāng)然，除了登錄成功后的跳轉(zhuǎn)，還有登錄失敗后的跳轉(zhuǎn)：failureForwardUrl。

實(shí)驗(yàn)-自定義退出接口

默認(rèn)的退出接口是/logout，可進(jìn)行配置：

@Override
protected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/user/add").hasAuthority("p1").antMatchers("/user/query").hasAuthority("p2").antMatchers("/user/**").authenticated().anyRequest().permitAll() // Let other request pass.and().csrf().disable() // turn off csrf, or will be 403 forbidden.formLogin() // Support form and HTTPBasic.loginPage("/login").loginProcessingUrl("/formLogin").usernameParameter("name").failureHandler(new AuthenticationFailureHandler(){@Overridepublic void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {exception.printStackTrace();request.getRequestDispatcher(request.getRequestURL().toString()).forward(request, response);}}).successForwardUrl("/ok") // custom login success page, a POST request.and().logout().logoutUrl("/leave");}

上述配置將退出接口改為/leave。在默認(rèn)的退出過程中，還做了諸如清除認(rèn)證信息和使Session失效等工作：

public class SecurityContextLogoutHandler implements LogoutHandler {
	protected final Log logger = LogFactory.getLog(this.getClass());
	private boolean invalidateHttpSession = true;
	private boolean clearAuthentication = true;
	// ~ Methods
	// ==========================================
	/**
	 * Requires the request to be passed in.
	 *
	 * @param request from which to obtain a HTTP session (cannot be null)
	 * @param response not used (can be <code>null</code>)
	 * @param authentication not used (can be <code>null</code>)
	 */
	public void logout(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) {
		Assert.notNull(request, "HttpServletRequest required");
		if (invalidateHttpSession) {
			HttpSession session = request.getSession(false);
			if (session != null) {
				logger.debug("Invalidating session: " + session.getId());
				session.invalidate();
			}
		}
		if (clearAuthentication) {
			SecurityContext context = SecurityContextHolder.getContext();
			context.setAuthentication(null);
		}
		SecurityContextHolder.clearContext();
	}
}

到此這篇關(guān)于SpringSecurity自定義Form表單使用方法講解的文章就介紹到這了,更多相關(guān)SpringSecurity Form表單內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: