在项目中引入Spring Security之后,会发现首页等本来不需要登录的页面在访问时也会跳转到登录页,要如何处理?(如果整个工程就是一个管理系统,就不会遇到这个问题。)处理办法是在授权规则里把这些公开路径单独用permitAll()放行,其余请求仍然要求认证。
在做一个web网站的时候,一般会分为前台和后台。前台不需要登录就可以访问,后台需要登录之后才可以访问。这时候可以使用Spring Security的模块进行相关的认证和授权。
- 认证:就是填写帐号和密码后,到某个地方(如数据库)查找该帐号的记录并核对密码,以确认登录者的身份。
- 授权:就是验证认证过的帐号是否有某些资源的访问权限。
自定义登录页面:(两步)
- 继承WebSecurityConfigurerAdapter并重写其configure方法(参数为HttpSecurity的那个)
- 实现接口AuthenticationProvider
SecurityConfig.java
package com.xxx.config;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
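/**
 * Web security rules for the site: public front pages, form login with a custom
 * login page, and logout.
 *
 * <p>Authorization is deny-by-default: only the paths named explicitly are open to
 * anonymous visitors, and every other request requires an authenticated user.
 */
@EnableWebSecurity // required: enables Spring Security's web support for this configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Configures request authorization, form login and logout.
     *
     * @param http the builder Spring Security passes in for this application's filter chain
     * @throws Exception propagated from the HttpSecurity builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Front pages served by HomeController. Without this rule the catch-all below
                // sends anonymous visitors of "/" and "/home" to the login page. Rules are
                // matched in order, so this must stay ahead of anyRequest().
                .antMatchers("/", "/home").permitAll()
                // Everything not listed above still needs a login, so a newly added
                // controller is protected unless it is deliberately opened here.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // Custom login page rendered by a controller; the form on that page must
                // POST back to /admin/loginPage.
                .loginPage("/admin/loginPage")
                // Names of the username and password inputs on the custom form.
                .usernameParameter("uname").passwordParameter("pwd")
                .permitAll()
                .and()
            .logout()
                // Custom logout page rendered by a controller; the form on that page must
                // POST to /admin/logoutPage to end the session.
                .logoutUrl("/admin/logoutPage")
                // Where the browser is sent once logout has completed.
                .logoutSuccessUrl("/admin/loginPage?logout")
                .permitAll();
    }
}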
MyAuthenticationProvider.java
package com.xxx.config;
import java.util.ArrayList;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;
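/**
 * Demo {@link AuthenticationProvider} that checks a submitted username and password
 * against a single hard-coded account whose password is stored as a BCrypt hash.
 *
 * <p>The account values are placeholders for a database lookup and must not be
 * deployed as they are: the plaintext of the demo hash is published with this code.
 */
@Component // required: registers the provider as a Spring bean
public class MyAuthenticationProvider implements AuthenticationProvider {

    /**
     * Verifies the submitted credentials.
     *
     * @param authentication the authentication request carrying the submitted name and password
     * @return an authenticated token with an empty authority list when the credentials match
     * @throws AuthenticationException a {@link BadCredentialsException} when the request carries
     *         no credentials or when the username or password does not match
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName(); // submitted account name
        Object credentials = authentication.getCredentials(); // submitted password
        // A request without credentials is a failed login, not a NullPointerException.
        if (username == null || credentials == null) {
            throw new BadCredentialsException("username or password invalid.");
        }
        String password = credentials.toString();

        // Stand-ins for the values a real implementation reads from its user store.
        String usernameDb = "uss";
        String passwordDb = "$2a$10$nt24iQDnTy0OFgM3i5cS2ufghcP1/T/ygn8NWxfLzMzkFn9bsMoVW"; // BCrypt hash of the demo password "abc"

        // The hash check runs before the username comparison and for every request, so the
        // response time does not reveal whether the account name exists.
        boolean isPassword = BCrypt.checkpw(password, passwordDb);
        if (username.equals(usernameDb) && isPassword) {
            // Empty authority list: the authenticated user holds no roles.
            return new UsernamePasswordAuthenticationToken(username, password, new ArrayList<>());
        }
        // One message for both failure causes, so the caller cannot tell which field was wrong.
        throw new BadCredentialsException("username or password invalid.");
    }

    /**
     * Limits this provider to username/password tokens.
     *
     * <p>Answering {@code true} for every class would route other token types into
     * {@link #authenticate}, which only knows how to check a password.
     *
     * @param authentication the class of the authentication request being offered
     * @return {@code true} only for {@link UsernamePasswordAuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}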
页面:
login_page.html
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
<h1>自定义登录</h1>
<!-- Login form. It posts to /admin/loginPage, the loginPage URL set in SecurityConfig.
     th:action (rather than a plain action attribute) lets the Thymeleaf/Spring integration
     rewrite the URL and, when CSRF protection is enabled, add the hidden CSRF token field;
     confirm the token is present in the rendered page. -->
<form method="post" th:action="@{/admin/loginPage}">
<!-- Input names must match usernameParameter("uname") and passwordParameter("pwd") in SecurityConfig. -->
<input type="text" name="uname">
<input type="password" name="pwd">
<input type="submit" value="Login">
</form>
</body>
</html>
logout_page.html
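<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
<h1>退出登录</h1>
<!-- Logout confirmation form. It posts to /admin/logoutPage, the logoutUrl set in
     SecurityConfig. th:action (rather than a plain action attribute) lets the
     Thymeleaf/Spring integration add the hidden CSRF token field when CSRF protection is
     enabled; confirm the token is present in the rendered page. -->
<form method="post" th:action="@{/admin/logoutPage}">
<!-- The button ends the session, so it is labelled Logout rather than Login. -->
<input type="submit" value="Logout">
</form>
</body>
</html>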
index.html
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
<!-- Front page returned by HomeController.index(). Who may see it is decided by the
     authorization rules in SecurityConfig, not by this template. -->
<h1>INdex page...</h1>
</body>
</html>
HomeController.java
package com.xxx.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
/**
 * Serves the site's front page.
 *
 * <p>Whether anonymous visitors can reach it is decided by the authorization rules in
 * SecurityConfig, not by this controller.
 */
@Controller
public class HomeController {

    /** Logical name of the front-page view. */
    private static final String INDEX_VIEW = "index";

    /**
     * Handles GET requests for the two front-page paths.
     *
     * @return the view name of the front page
     */
    @GetMapping({"/", "home"})
    public String index() {
        return INDEX_VIEW;
    }
}
LoginController.java
package com.xxx.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
/**
 * Renders the custom login and logout pages.
 *
 * <p>Both handlers answer GET only and just return a view. The forms on those pages POST
 * to the same URLs, which SecurityConfig registers as loginPage and logoutUrl.
 */
@Controller
public class LoginController {

    /** Logical name of the login form view. */
    private static final String LOGIN_VIEW = "login_page";

    /** Logical name of the logout confirmation view. */
    private static final String LOGOUT_VIEW = "logout_page";

    /**
     * Shows the login form.
     *
     * @return the view name of the login page
     */
    @GetMapping("/admin/loginPage")
    public String login() {
        return LOGIN_VIEW;
    }

    /**
     * Shows the logout confirmation form; rendering this page does not end the session.
     *
     * @return the view name of the logout page
     */
    @GetMapping("/admin/logoutPage")
    public String logout() {
        return LOGOUT_VIEW;
    }
}
使用数据库进行帐号认证:https://blog.csdn.net/nece001/article/details/106689719