spring-security 默认登录页面(一)

已于 2024-02-24 10:53:47 修改
阅读量1.7k 收藏 16
点赞数 21
分类专栏: Spring Security 文章标签: spring spring security
于 2024-02-01 23:33:15 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/modelmd/article/details/135982664
版权

Spring Security是一个强大且高度可定制的身份验证和访问控制框架。天然与Spring整合,易扩展,引入jar包就可以用了,在boot自动装载下,不需要任何配置就可以控制资源访问。那么默认登录页是如何产生的呢?

spring-security 默认登录页面

版本信息

内容版本
JDK17
spring-boot-starter-web3.2.2
spring-boot-starter-security3.2.2
spring-security6.2.1

项目搭建步骤

  1. 访问 https://start.spring.io/ 自动生成项目
    在这里插入图片描述

  2. 添加依赖 Spring Web、Spring Security
    在这里插入图片描述

  3. 生成项目, 点击 GENERATE,会下载一个压缩包

  4. 添加 controller 代码

package com.example.security.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    @GetMapping(value = "/hello")
    public String hello() {
        return "Hello Security";
    }
}
  1. 启动项目, 访问 http://localhost:8080/hello,会重定向到登录页面
    在这里插入图片描述为啥为重定向到登录页面?登录页面如何生成的?

源码解析

  1. 先找一下 spring-boot-test-autoconfigure jar 包,找到文件org.springframework.boot.autoconfigure.AutoConfiguration.imports,检索 security, 发现有如下类
    在这里插入图片描述
    过滤器链是通过 SecurityAutoConfiguration 导入的类SpringBootWebSecurityConfiguration 配置的 org.springframework.boot.autoconfigure.security.servlet.SpringBootWebSecurityConfiguration.WebSecurityEnablerConfiguration
    在这里插入图片描述
    打印出默认过滤器链
2024-02-01T23:19:18.288+08:00  INFO 15696 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@748ac6f3, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@68f6e55d, org.springframework.security.web.context.SecurityContextHolderFilter@3238e2aa, org.springframework.security.web.header.HeaderWriterFilter@71adfedd, org.springframework.web.filter.CorsFilter@6fff46bf, org.springframework.security.web.csrf.CsrfFilter@5f36c8e3, org.springframework.security.web.authentication.logout.LogoutFilter@217bf99e, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@67022ea, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@38b3f208, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@1835dc92, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7ec95456, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2577a95d, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1668919e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@3aaa3c39, org.springframework.security.web.access.ExceptionTranslationFilter@17e9bc9e, org.springframework.security.web.access.intercept.AuthorizationFilter@7327a447]

	/**
	 * Adds the {@link EnableWebSecurity @EnableWebSecurity} annotation if Spring Security
	 * is on the classpath. This will make sure that the annotation is present with
	 * default security auto-configuration and also if the user adds custom security and
	 * forgets to add the annotation. If {@link EnableWebSecurity @EnableWebSecurity} has
	 * already been added or if a bean with name
	 * {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has been configured by the user, this
	 * will back-off.
	 */
	@Configuration(proxyBeanMethods = false)
	@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
	@ConditionalOnClass(EnableWebSecurity.class)
	@EnableWebSecurity
	static class WebSecurityEnablerConfiguration {

	}

核心的注解类 org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
在这里插入图片描述
在这里插入图片描述
org.springframework.security.config.annotation.web.builders.WebSecurity#performBuild
在这里插入图片描述
在类org.springframework.security.web.FilterChainProxy.VirtualFilterChain#doFilter 加一个断点, 看每个过滤器做了啥
在这里插入图片描述
经过调试,发现默认页面在 org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter 这个类生成的,方法 generateLoginPageHtml
在这里插入图片描述

过滤器处理具体分析

spring-boot-starter-security 默认会加载以下过滤器

[DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[
org.springframework.security.web.session.DisableEncodeUrlFilter@65a9ea3c, 
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@70f68288, 
org.springframework.security.web.context.SecurityContextHolderFilter@22c53d82, 
org.springframework.security.web.header.HeaderWriterFilter@2577a95d, 
org.springframework.web.filter.CorsFilter@46911148, 
org.springframework.security.web.csrf.CsrfFilter@6d0be7ab, 
org.springframework.security.web.authentication.logout.LogoutFilter@58af5076, 
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@1fbf088b, 
org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@3b4a1a75, 
org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@2db1b657, 
org.springframework.security.web.authentication.www.BasicAuthenticationFilter@650c405c, 
org.springframework.security.web.savedrequest.RequestCacheAwareFilter@68d6d775, 
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@b67cc70, 
org.springframework.security.web.authentication.AnonymousAuthenticationFilter@7e351d7, 
org.springframework.security.web.access.ExceptionTranslationFilter@9301672, 
org.springframework.security.web.access.intercept.AuthorizationFilter@11d045b4]]]

开启 Trace 级别日志

修改 application.properties 文件,增加日志配置

logging.level.org.springframework.security=TRACE

访问地址 http://localhost:8080/hello, 可以看到有详细的日志输出

2024-02-03T09:24:07.863+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@4eaa375c, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2404b5a, org.springframework.security.web.context.SecurityContextHolderFilter@6088451e, org.springframework.security.web.header.HeaderWriterFilter@3ba3d4b6, org.springframework.web.filter.CorsFilter@3af58f76, org.springframework.security.web.csrf.CsrfFilter@6bcb12e6, org.springframework.security.web.authentication.logout.LogoutFilter@3a7e365, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@5f05c8d6, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@5416f8db, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@2ead6ba4, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7885776b, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2f10f633, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1642eeae, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@31a2a9fa, org.springframework.security.web.access.ExceptionTranslationFilter@40de8f93, org.springframework.security.web.access.intercept.AuthorizationFilter@78422efb]] (1/1)
2024-02-03T09:24:07.864+08:00 DEBUG 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Securing GET /hello
2024-02-03T09:24:07.864+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/16)
2024-02-03T09:24:07.864+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/16)
2024-02-03T09:24:07.864+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/16)
2024-02-03T09:24:07.864+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/16)
2024-02-03T09:24:07.864+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking CorsFilter (5/16)
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking CsrfFilter (6/16)
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.csrf.CsrfFilter         : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (7/16)
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Ant [pattern='/logout', POST]
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking UsernamePasswordAuthenticationFilter (8/16)
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] w.a.UsernamePasswordAuthenticationFilter : Did not match request to Ant [pattern='/login', POST]
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking DefaultLoginPageGeneratingFilter (9/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking DefaultLogoutPageGeneratingFilter (10/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] .w.a.u.DefaultLogoutPageGeneratingFilter : Did not render default logout page since request did not match [Ant [pattern='/logout', GET]]
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking BasicAuthenticationFilter (11/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.a.www.BasicAuthenticationFilter  : Did not process authentication request since failed to find username and password in Basic Authorization header
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking RequestCacheAwareFilter (12/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.s.HttpSessionRequestCache        : matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderAwareRequestFilter (13/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking AnonymousAuthenticationFilter (14/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking ExceptionTranslationFilter (15/16)
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Invoking AuthorizationFilter (16/16)
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@219ea36b]
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@219ea36b] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@2973568c
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Did not find SecurityContext in HttpSession 9103C6E281234FE6BA1B598A7FC64D41 using the SPRING_SECURITY_CONTEXT session attribute
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-02-03T09:24:07.868+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=9103C6E281234FE6BA1B598A7FC64D41], Granted Authorities=[ROLE_ANONYMOUS]]
2024-02-03T09:24:07.868+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.a.ExceptionTranslationFilter     : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=9103C6E281234FE6BA1B598A7FC64D41], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied

org.springframework.security.access.AccessDeniedException: Access Denied
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:181) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter.doFilterInternal(DefaultLogoutPageGeneratingFilter.java:58) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:189) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:175) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.2.1.jar:6.2.1]
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195) ~[spring-webmvc-6.1.3.jar:6.1.3]
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:225) ~[spring-security-config-6.2.1.jar:6.2.1]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.1.3.jar:6.1.3]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.1.3.jar:6.1.3]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:340) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
	at java.base/java.lang.Thread.run(Thread.java:842) ~[na:na]

2024-02-03T09:24:07.878+08:00 DEBUG 13892 --- [nio-8080-exec-7] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8080/hello?continue to session
2024-02-03T09:24:07.878+08:00 DEBUG 13892 --- [nio-8080-exec-7] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@4f223bee, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]
2024-02-03T09:24:07.878+08:00 DEBUG 13892 --- [nio-8080-exec-7] s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@d902300
2024-02-03T09:24:07.878+08:00 DEBUG 13892 --- [nio-8080-exec-7] o.s.s.web.DefaultRedirectStrategy        : Redirecting to http://localhost:8080/login
2024-02-03T09:24:07.878+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]
2024-02-03T09:24:07.885+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@4eaa375c, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2404b5a, org.springframework.security.web.context.SecurityContextHolderFilter@6088451e, org.springframework.security.web.header.HeaderWriterFilter@3ba3d4b6, org.springframework.web.filter.CorsFilter@3af58f76, org.springframework.security.web.csrf.CsrfFilter@6bcb12e6, org.springframework.security.web.authentication.logout.LogoutFilter@3a7e365, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@5f05c8d6, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@5416f8db, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@2ead6ba4, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7885776b, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2f10f633, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1642eeae, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@31a2a9fa, org.springframework.security.web.access.ExceptionTranslationFilter@40de8f93, org.springframework.security.web.access.intercept.AuthorizationFilter@78422efb]] (1/1)
2024-02-03T09:24:07.885+08:00 DEBUG 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Securing GET /login
2024-02-03T09:24:07.885+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking CorsFilter (5/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking CsrfFilter (6/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.csrf.CsrfFilter         : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (7/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Ant [pattern='/logout', POST]
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking UsernamePasswordAuthenticationFilter (8/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] w.a.UsernamePasswordAuthenticationFilter : Did not match request to Ant [pattern='/login', POST]
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking DefaultLoginPageGeneratingFilter (9/16)
2024-02-03T09:24:07.887+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]

重定向到 /login 流程图

在这里插入图片描述

流程图说明

  1. 过滤器链,org.springframework.security.web.FilterChainProxy.VirtualFilterChain#doFilter,一个接着一个filter 执行
  2. DefaultLoginPageGeneratingFilter,默认登录页生成过滤器。判断当前url 是否是login、loginError,logout 的url,如果是,就生成登录页面,并且输出到浏览器
    在这里插入图片描述
  3. AuthorizationFilter,权限过滤器,判断当前用户是否有权限访问url。当浏览器访问 /hello 地址,经过 AnonymousAuthenticationFilter 过滤器,未获取到认证信息,会生成匿名的认证Token-AnonymousAuthenticationToken。
    在这里插入图片描述
    授权认证器校验到当前的AnonymousAuthenticationToken无权限访问/hello, 抛出AccessDeniedException异常
    在这里插入图片描述
  4. ExceptionTranslationFilter,异常处理过滤器,处理 AuthenticationException、AccessDeniedException异常。它catch 到 AuthorizationFilter 抛出的 AccessDeniedException异常,调用 handleSpringSecurityException 方法处理异常
    在这里插入图片描述
    根据不同的异常类型,不同的处理逻辑
    在这里插入图片描述处理AccessDeniedException 异常
    在这里插入图片描述
    由于是匿名的认证用户,执行sendStartAuthentication方法
    在这里插入图片描述
  5. DelegatingAuthenticationEntryPoint 开始处理异常 commence 方法
    在这里插入图片描述
    匹配到 LoginUrlAuthenticationEntryPoint,登录URL身份验证入口点,它生成重定向的URL http://localhost:8080/login。
    在这里插入图片描述
  6. DefaultRedirectStrategy,默认的重定向策略类,重定向到登录地址 http://localhost:8080/login
    在这里插入图片描述
Chengdu.S
关注
  • 21
    点赞
  • 16
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
spring security 3.1 配置登陆页面
08-04
NULL 博文链接:https://zjy7554.iteye.com/blog/2021785
SpringSecurity:认证和自定义登陆界面
weixin_51992178的博客
10-23 2365
首先来看一下Spring Security的自定义界面,包含了一个重要的东西他是隐藏的,为了防止 CSRF 攻击而存在的。从 Spring Security 4.0 开始,默认情况下会启用 CSRF 保护,以防止 CSRF 攻击应用程序,Spring Security CSRF 会针对 PATCH,POST,PUT 和 DELETE 方法的请求(不仅仅只是登陆请求,这里指的是任何请求路径)进行防护。
springsecurity关闭默认登录页面
最新发布
w11117的博客
03-19 579
【代码】springsecurity关闭默认登录页面
SpringSecurity6从入门到上天系列第八篇:SpringSecurity当中的默认登录页面是如何产生的?
七叔的博客
12-15 1443
😉😉欢迎加入我们的学习交流群呀!✅✅1:这是孙哥suns给大家的福利!✨✨2:我们免费分享Netty、Dubbo、k8s、Mybatis、Spring等等很多应用和源码级别的高质量视频和笔记资料,你想学的我们这里都有!🥭🥭3:QQ群:583783824📚📚 工作微信:拉你进微信群,免费领取!🍎🍎4:本文章内容出自上述:Spring应用课程!💞💞💞💞5:以上内容,进群免费领取呦~ 💞💞💞💞。
SpringSecurity默认登录页的使用
无人罪的博客
11-30 1040
配置系统文件 配置扫描包 02 编写测试接口 测试类 测试用的控制层接口 03 启动项目 启动之后,会自动生成默认密码 Using generated security password: 8d97e198-138c-4093-9a5c-ac83e2dda426这时候访问接口被spring-security默认拦截,必须登录后才能访问
spring security默认登录页面登录用户,和自定义数据源
cristianoxm的博客
04-02 4004
一、默认登录页面 请求 /hello 接口,在引入 spring security 之后会先经过一些列过滤器 在请求到达 FilterSecurityInterceptor时,发现请求并未认证。请求拦截下来,并抛出 AccessDeniedException 异常。 抛出 AccessDeniedException 的异常会被 ExceptionTranslationFilter 捕获,这个 Filter 中会调用 LoginUrlAuthenticationEntryPoint#commence 方
SpringSecurity的简单概述以及配置SpringSecurity默认登录页面
weixin_46852039的博客
09-12 2946
SpringSecurity的简单概述 是什么:SpringSecurity融合Spring技术栈,提供JavaEE应 用的整体安全解决方案;提供全面的安全服务 有什么用:可以进行身份验证,就是证明你是谁;也可以进行授权,就是你可以做什么 配置SpringSecurity默认登录页面 搭建SpringSecurity环境 创建maven项目后,添加security-pom依赖 <!-- springboot项目都要继承boot父工程--> <parent>
Spring Security 默认登录页面
justlpf的专栏
04-14 195
通过这一方式,Spring Security默认过滤器中生成了登录页面
基于SpringSecurity的UsernamePasswordAuthenticationFilter实现默认/login接口(不写controller中的/login)登录
weixin_46037781的博客
12-03 1401
文章目录一、思路二、UsernamePasswordAuthenticationFilter三、AbstractAuthenticationProcessingFilter最后 一、思路 登录,首先有失败与成功两种情况 我们需要一个登录过滤器,进行两种情况的返回 所以,我们得知道SpringSecurity监听/login是怎样的。 二、UsernamePasswordAuthenticationFilter 看到这个过滤器,会先过滤/login接口,并获取两个主要的参数 这个过滤器的方法,有
【权限管理】使用spring security 实现默认登录,源码解析
燃尽余火的博客
05-06 1897
【权限管理】使用spring security 实现默认登录,源码解析 其他文章可以通过菜单查看:【BookCase 菜单】 1、前言 在springboot 之前使用shiro实现权限管理的比较多,现在使用springboot 整合spring security 更方便。 2、实现 创建子项目 bookcase-auth 添加配置 <dependency> <groupId>com.github.xiaoymin</groupId> <artifac
spring-security-login:SpringBoot-整合SpringSecurity实现登入登出简单例子
05-25
SpringBoot整合SpringSecurity简单实现登入登出从零搭建这是SpringSecurity实现登录和登出的一个简单示例,基于 Spring Boot 1.5.6基本实现 : 用户信息存储在数据库中,登陆时从数据库中查询匹配用户信息。...
spring-security-stateless-example:展示如何一起使用Cucumber和Spring Boot Integration测试
05-21
春天安全无状态的例子该项目演示了如何配置Spring Security,以提供无状态安全性以及大多数默认行为,例如,未登录时重定向到登录页面,登录后重定向到默认页面等等。
spring security 参考手册中文版
02-01
Spring Security 参考 1 第一部分前言 15 1.入门 16 2.介绍 17 2.1什么是Spring Security? 17 2.2历史 19 2.3版本编号 20 2.4获得Spring安全 21 2.4.1使用Maven 21 Maven仓库 21 Spring框架 22 2.4.2 Gradle 23 ...
oauth-boot:spring-boot和spring oauth2
02-05
spring-securityspring-security-oauth2,字符串启动学习 更新资料 当前 授权码模式,密码模式,简化模式(未测试),客户端模式(未测试) 智威汤逊 自定义登录页面和授权页面 自定义异常处理 配置 boot : ...
SpringSecurity6 | 默认登录页
分享思想,留下痕迹。
11-19 8586
大家好,我是Leo哥🫣🫣🫣,前面我们学习了有关SpringSecuritySpringBoot项目中是如何给我进行自动的添加鉴权功能,简单复习了一下SpirngBoot的自动配置。接下来我们就接着学习SpringSecurity相关知识点。这一节我们将要学习SpringSecurity默认登录页面是如何实现的。好了,话不多说让我们开始吧😎😎😎。以上便是本文的全部内容,本人才疏学浅,文章有什么错误的地方,欢迎大佬们批评指正!
SpringSecurity框架下的登录问题:登录页地址问题
lingfen的博客
11-22 63
意思三个地方的地址得一致。没有3的地址,登录不上去;没有2的地址登录不用验证码也能登录。博主本人就是在2和3卡了好一些时间。
SpringSecurity框架学习
xlsj雪松的博客
09-18 841
最近学习和研究了springboot+shiro框架的RBAC实现,顺便学习一下另一个权限框架SpringSecurity
SpringSecurity实现自定义登录页面
初栀的博客
09-11 2410
接着自定义用户名与密码后:https://blog.csdn.net/hjjjjjjj_/article/details/120235512 一、先创建登录页面 <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>登录页面</title> </head> <body> <form action="/
Spring security 认证授权登录页面
m0_71409306的博客
08-07 539
Spring security 认证授权登录页面
spring-boot-starter-security 配置
03-29
Spring Boot 项目中使用 Spring Security,需要添加 spring-boot-starter-security 依赖。以下是一个简单的配置示例: 1. 添加依赖 在 pom.xml 文件中添加以下依赖: ``` <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> ``` 2. 配置权限 在 Spring Security 中,权限(Authority)是指用户可以执行的操作。可以通过配置权限来限制用户的访问。 ``` @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/user/**").hasAnyRole("ADMIN", "USER") .antMatchers("/**").permitAll() .and().formLogin() .and().logout().logoutSuccessUrl("/login?logout"); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser("admin").password("{noop}admin123").roles("ADMIN") .and() .withUser("user").password("{noop}user123").roles("USER"); } } ``` 在上面的配置中,我们定义了三个权限: - /admin/**:只有 ADMIN 角色的用户可以访问 - /user/**:只有 ADMIN 或 USER 角色的用户可以访问 - /**:所有用户都可以访问 最后,我们使用 inMemoryAuthentication() 方法来定义两个用户和它们的角色。 3. 配置登录和退出 在上面的配置中,我们使用 formLogin() 方法来配置登录页面和处理登录请求的 URL。同时,我们也使用 logout() 方法来配置退出登录的 URL 和成功退出后的跳转页面。 ``` .and().formLogin() .and().logout().logoutSuccessUrl("/login?logout"); ``` 这里我们配置了退出登录后跳转到登录页面,并添加了一个参数表示已经退出登录。 4. 配置 CSRF 在 Spring Security 中,默认开启了 CSRF(Cross-site Request Forgery)保护,可以有效防止跨站点攻击。如果你的应用程序不需要 CSRF 保护,可以通过以下配置关闭: ``` @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); } } ``` 5. 配置 HTTPS 在 Spring Security 中,可以通过以下配置开启 HTTPS 支持: ``` @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel() .anyRequest().requiresSecure(); } } ``` 以上就是使用 spring-boot-starter-security 进行 Spring Security 配置的示例。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

Chengdu.S

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值