1、演示环境准备
- 创建springboot项目
- 引入spring security框架
- 引入thymeleaf模板引擎
2、自定义CustomWebSecurityConfigurerAdapter配置类formLogin使用详解
项目结构大体如下:
2.1 FormLogin-配置自定义登录表单页面
2.1.1 效果实现
2.1.1.1 自定义login.html
页面
2.1.1.2 Controller层显示login.html页面的前端控制器
package com.kkarma.web.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
@Controller
public class LoginController {
@GetMapping("showLogin")
public String showLogin(){
return "login";
}
}
2.1.1.3 CustomWebSecurityConfigurerAdapter配置类设置
package com.kkarma.config;
import org.apache.coyote.Adapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
/**
* 表单登录相关的配置
*/
http.formLogin()
// 当http请求的url是/login时,进行我们自定义的登录逻辑
.loginProcessingUrl("/login")
// 自定义登录的前端控制器
.loginPage("/showLogin")
}
/**
* 在内存中预置两个演示用户admin和common
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("admin", "superAdmin")
.and()
.withUser("common")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("common");
}
/**
* 强散列哈希加密实现
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
启动项目, 访问http://localhost:8080,看看会不会显示我们的登录页
2.1.2 过程中问题记录及如何解决
请求没有被拦截, 直接访问到"/"了,没生效,怎么办, 增加请求需要登录认证的配置即可, 修改自定义配置类如下
2.1.2.1 **如何在配置类中设置请求需要登录认证**
package com.kkarma.config;
import org.apache.coyote.Adapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
/**
* 表单登录相关的配置
*/
http.formLogin()
// 当http请求的url是/login时,进行我们自定义的登录逻辑
.loginProcessingUrl("/login")
// 自定义登录的前端控制器
.loginPage("/showLogin");
/**
* http请求是否要登录认证配置
*/
http.authorizeRequests()
// 所有的请求都需要登录认证
.anyRequest().authenticated();
}
/**
* 在内存中预置两个演示用户admin和common
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("admin", "superAdmin")
.and()
.withUser("common")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("common");
}
/**
* 强散列哈希加密实现
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
启动项目, 访问http://localhost:8080,报错如下:
2.1.2.2 **如何在配置类中设置请求放行**
需要在自定义配置类中放行自定义登录页面的url放行, 让用户匿名可以访问登录页面,修改如下:
package com.kkarma.config;
import org.apache.coyote.Adapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
/**
* 表单登录相关的配置
*/
http.formLogin()
// 当http请求的url是/login时,进行我们自定义的登录逻辑
.loginProcessingUrl("/login")
// 自定义登录的前端控制器
.loginPage("/showLogin")
.successForwardUrl("/home");
/**
* http请求是否要登录认证配置
*/
http.authorizeRequests()
// 允许登录页面匿名访问
.antMatchers("/showLogin").anonymous()
// 其他所有的请求都需要登录认证
.anyRequest().authenticated();
}
/**
* 在内存中预置两个演示用户admin和common
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("admin", "superAdmin")
.and()
.withUser("common")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("common");
}
/**
* 强散列哈希加密实现
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
启动项目, 访问http://localhost:8080,
2.2.1.3 **如何在配置类中设置静态资源请求放行**
需要在自定义配置类中放行自定义登录页面的静态资源访问放行, 让用户匿名可以访问静态资源,修改如下:
package com.kkarma.config;
import org.apache.coyote.Adapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
/**
* 表单登录相关的配置
*/
http.formLogin()
// 当http请求的url是/login时,进行我们自定义的登录逻辑
.loginProcessingUrl("/login")
// 自定义登录的前端控制器
.loginPage("/showLogin")
.successForwardUrl("/home");
/**
* http请求是否要登录认证配置
*/
http.authorizeRequests()
// 允许登录页面匿名访问
.antMatchers("/showLogin").anonymous()
// 所有的静态资源允许匿名访问
.antMatchers(
"/css/**",
"/js/**",
"/images/**",
"/fonts/**",
"/favicon.ico"
).anonymous()
// 其他所有的请求都需要登录认证
.anyRequest().authenticated();
}
/**
* 在内存中预置两个演示用户admin和common
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("admin", "superAdmin")
.and()
.withUser("common")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("common");
}
/**
* 强散列哈希加密实现
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
重新启动项目, 访问http://localhost:8080,OK了。自定义登录页面的所有资源都能正常显示了。除了/showLogin
之外所有的请求都会自动跳转到自定义登录页面, 要求用户先登录认证。
2.2 FormLogin-配置登录成功的跳转页面方式一
2.2.1 效果实现
2.2.1.1 自定义home.html
页面,登录成功之后跳转到home.hml
页面
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
登录成功默认欢迎页
</body>
</html>
2.2.1.2 Controller层显示home.html页面的前端控制器
package com.kkarma.web.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class LoginController {
@GetMapping("showLogin")
public String showLogin(){
return "login";
}
@RequestMapping("home")
public String home(){
return "home";
}
}
2.2.1.3 CustomWebSecurityConfigurerAdapter配置类设置
这里预置了两个测试用户admin
和common
,通过configure(AuthenticationManagerBuilder auth)
方法,具体实现如下:
package com.kkarma.config;
import org.apache.coyote.Adapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @Author: karma
* @Date: 2022/3/1 0001 - 03 - 01 - 16:03
* @Description: com.kkarma.config
* @version: 1.0
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
/**
* 表单登录相关的配置
*/
http.formLogin()
// 当http请求的url是/login时,进行我们自定义的登录逻辑
.loginProcessingUrl("/login")
// 自定义登录的前端控制器
.loginPage("/showLogin")
// 登录成功的跳转链接
.successForwardUrl("/home");
/**
* http请求是否要登录认证配置
*/
http.authorizeRequests()
// 允许登录页面匿名访问
.antMatchers("/showLogin").anonymous()
// 所有的静态资源允许匿名访问
.antMatchers(
"/css/**",
"/js/**",
"/images/**",
"/fonts/**",
"/favicon.ico"
).anonymous()
// 其他所有的请求都需要登录认证
.anyRequest().authenticated();
}
/**
* 在内存中预置两个演示用户admin和common
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("admin", "superAdmin")
.and()
.withUser("common")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("common");
}
/**
* 强散列哈希加密实现
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
重新启动项目, 访问http://localhost:8080,使用账号:admin
和密码:123456
登录
2.2.2 过程中问题记录及如何解决
点击立即登录成功之后,页面刷新一下又跳转到登录页面,这是怎么回事?
原因:
spring security框架默认开启了csrf
2.2.2.1 **如何在配置类中关闭csrf**
package com.kkarma.config;
import org.apache.coyote.Adapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
/**
* 配置csrf开启关闭,默认是开启的
*/
http.csrf().disable();
/**
* 表单登录相关的配置
*/
http.formLogin()
// 当http请求的url是/login时,进行我们自定义的登录逻辑
.loginProcessingUrl("/login")
// 自定义登录的前端控制器
.loginPage("/showLogin")
.successForwardUrl("/home");
/**
* http请求是否要登录认证配置
*/
http.authorizeRequests()
// 允许登录页面匿名访问
.antMatchers("/showLogin").anonymous()
// 所有的静态资源允许匿名访问
.antMatchers(
"/css/**",
"/js/**",
"/images/**",
"/fonts/**",
"/favicon.ico"
).anonymous()
// 其他所有的请求都需要登录认证
.anyRequest().authenticated();
}
/**
* 在内存中预置两个演示用户admin和common
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("admin", "superAdmin")
.and()
.withUser("common")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("common");
}
/**
* 强散列哈希加密实现
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
重新启动项目, 再次访问http://localhost:8080,使用账号:admin
和密码:123456
登录,登录成功,页面跳转成功。
2.2.2.2 **不关闭csrf,如何修复该问题**
在login.html页面上添加csrf.token的参数即可,这样就不用在配置类中关闭csrf了。
在配置类中注释掉关闭csrf的代码
重新启动项目, 再次访问http://localhost:8080,使用账号:admin
和密码:123456
登录,登录成功,页面跳转成功。
2.3 FormLogin-配置登录成功的跳转页面方式二
2.3.1 效果实现
其他不需要改变,只需要修改配置类
package com.kkarma.config;
import org.apache.coyote.Adapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
/**
* 配置csrf开启关闭,默认是开启的
*/
// http.csrf().disable();
/**
* 表单登录相关的配置
*/
http.formLogin()
// 当http请求的url是/login时,进行我们自定义的登录逻辑
.loginProcessingUrl("/login")
// 自定义登录的前端控制器
.loginPage("/showLogin")
// 设置登录成功的跳转链接
// .successForwardUrl("/home");
// 通过successHandler进行设置
.successHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
System.out.println("登录成功,页面即将跳转...");
response.sendRedirect("/home");
}
});
/**
* http请求是否要登录认证配置
*/
http.authorizeRequests()
// 允许登录页面匿名访问
.antMatchers("/showLogin").anonymous()
// 所有的静态资源允许匿名访问
.antMatchers(
"/css/**",
"/js/**",
"/images/**",
"/fonts/**",
"/favicon.ico"
).anonymous()
// 其他所有的请求都需要登录认证
.anyRequest().authenticated();
}
/**
* 在内存中预置两个演示用户admin和common
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("admin", "superAdmin")
.and()
.withUser("common")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("common");
}
/**
* 强散列哈希加密实现
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
注意这里我的配置类是开启csrf的,所以表单页面也需要添加_csrf.token
参数,如果不想在登录表单设置,需要关闭csrf,两种方式二选一,自由选择
重新启动项目, 再次访问http://localhost:8080,使用账号:admin
和密码:123456
登录,登录成功,页面跳转成功。
2.4 FormLogin-配置登录失败的跳转页面方式一
2.4.1 效果实现
2.4.1.1 自定义home.html
页面,登录成功之后跳转到home.hml
页面
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
访问出错了!
</body>
</html>
2.4.1.2 Controller层显示error_page.html页面的前端控制器
package com.kkarma.web.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class LoginController {
@GetMapping("showLogin")
public String showLogin(){
return "login";
}
@RequestMapping("home")
public String home(){
return "home";
}
@RequestMapping("errPage")
public String errPage(){
return "error_page";
}
}
2.4.1.3 CustomWebSecurityConfigurerAdapter配置类设置
这里预置了两个测试用户admin
和common
,通过configure(AuthenticationManagerBuilder auth)
方法,具体实现如下:
package com.kkarma.config;
import org.apache.coyote.Adapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
/**
* 配置csrf开启关闭,默认是开启的
*/
// http.csrf().disable();
/**
* 表单登录相关的配置
*/
http.formLogin()
// 当http请求的url是/login时,进行我们自定义的登录逻辑
.loginProcessingUrl("/login")
// 自定义登录的前端控制器
.loginPage("/showLogin")
// 设置登录成功的跳转链接
// .successForwardUrl("/home");
// 通过successHandler进行设置
.successHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
System.out.println("登录成功,页面即将跳转...");
response.sendRedirect("/home");
}
})
// 设置登录失败的跳转链接
.failureForwardUrl("/errPage");
/**
* http请求是否要登录认证配置
*/
http.authorizeRequests()
// 允许登录页面匿名访问
.antMatchers("/showLogin").anonymous()
// 所有的静态资源允许匿名访问
.antMatchers(
"/css/**",
"/js/**",
"/images/**",
"/fonts/**",
"/favicon.ico"
).anonymous()
// 其他所有的请求都需要登录认证
.anyRequest().authenticated();
}
/**
* 在内存中预置两个演示用户admin和common
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("admin", "superAdmin")
.and()
.withUser("common")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("common");
}
/**
* 强散列哈希加密实现
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
重新启动项目, 访问http://localhost:8080,使用账号:admin
和密码:123123
登录,密码错误,跳转到默认的登录异常页面。
2.5 FormLogin-配置登录失败的跳转页面方式二
2.5.1 效果实现
其他不需要改变,只需要修改配置类
package com.kkarma.config;
import org.apache.coyote.Adapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @Author: karma
* @Date: 2022/3/1 0001 - 03 - 01 - 16:03
* @Description: com.kkarma.config
* @version: 1.0
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
/**
* 配置csrf开启关闭,默认是开启的
*/
// http.csrf().disable();
/**
* 表单登录相关的配置
*/
http.formLogin()
// 当http请求的url是/login时,进行我们自定义的登录逻辑
.loginProcessingUrl("/login")
// 自定义登录的前端控制器
.loginPage("/showLogin")
// 设置登录成功的跳转链接
// .successForwardUrl("/home");
// 通过successHandler处理器进行登录成功之后的逻辑处理
.successHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
System.out.println("登录成功,页面即将跳转...");
response.sendRedirect("/home");
}
})
// 设置登录失败的跳转链接
// .failureForwardUrl("/errPage");
// 通过failureHandler处理器进行登录失败之后的逻辑处理
.failureHandler(new AuthenticationFailureHandler() {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
e.printStackTrace();
System.out.println("登录失败,页面即将跳转到默认失败页...");
response.sendRedirect("/errPage");
}
});
/**
* http请求是否要登录认证配置
*/
http.authorizeRequests()
// 允许登录页面匿名访问
.antMatchers("/showLogin").anonymous()
// 所有的静态资源允许匿名访问
.antMatchers(
"/css/**",
"/js/**",
"/images/**",
"/fonts/**",
"/favicon.ico"
).anonymous()
// 其他所有的请求都需要登录认证
.anyRequest().authenticated();
}
/**
* 在内存中预置两个演示用户admin和common
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("admin", "superAdmin")
.and()
.withUser("common")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("common");
}
/**
* 强散列哈希加密实现
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
重新启动项目, 访问http://localhost:8080,使用账号:admin
和密码:123123
登录,密码错误,页面一闪还是在默认的登录页面。怎么回事?
2.5.2. **过程中问题记录及如何解决**
原因:
/errPage路由需要登录认证
处理方法:
在配置类中将/errPage路由放行,允许用户匿名访问
重新启动项目, 访问http://localhost:8080,使用账号:admin
和密码:123123
登录,密码错误,页面正常重定向到默认登录异常页面。
2.6 FormLogin-前端表单参数获取
有这样一种场景:如果前端用户在定义login页面的时候,用户名和密码的dom元素的name属性美哦与设置成username
和password
,那会怎么样?spring security
还能正常获取到参数进行登录认证么?那肯定是不可以的,那么有没有什么办法解决这个问题呢?答案肯定是有的, 我们接着来看。
2.6.1 效果实现
2.6.1.1 修改login.html表单
2.6.1.1 修改自定义配置类CustomWebSecurityConfigurerAdapter
package com.kkarma.config;
import org.apache.coyote.Adapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
/**
* 配置csrf开启关闭,默认是开启的
*/
// http.csrf().disable();
/**
* 表单登录相关的配置
*/
http.formLogin()
// 前端登录表单用户名别名, 从参数user中获取username参数取值
.usernameParameter("user")
// 前端登录表单密码别名, 从参数passwd中获取password参数取值
.passwordParameter("passwd")
// 当http请求的url是/login时,进行我们自定义的登录逻辑
.loginProcessingUrl("/login")
// 自定义登录的前端控制器
.loginPage("/showLogin")
// 设置登录成功的跳转链接
// .successForwardUrl("/home");
// 通过successHandler处理器进行登录成功之后的逻辑处理
.successHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
System.out.println("登录成功,页面即将跳转...");
response.sendRedirect("/home");
}
})
// 设置登录失败的跳转链接
// .failureForwardUrl("/errPage");
// 通过failureHandler处理器进行登录失败之后的逻辑处理
.failureHandler(new AuthenticationFailureHandler() {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
e.printStackTrace();
System.out.println("登录失败,页面即将跳转到默认失败页...");
response.sendRedirect("/errPage");
}
});
/**
* http请求是否要登录认证配置
*/
http.authorizeRequests()
// 允许登录页面匿名访问
.antMatchers("/showLogin", "/errPage").anonymous()
// 所有的静态资源允许匿名访问
.antMatchers(
"/css/**",
"/js/**",
"/images/**",
"/fonts/**",
"/favicon.ico"
).anonymous()
// 其他所有的请求都需要登录认证
.anyRequest().authenticated();
}
/**
* 在内存中预置两个演示用户admin和common
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("admin", "superAdmin")
.and()
.withUser("common")
.password(bCryptPasswordEncoder().encode("123456"))
.roles("common");
}
/**
* 强散列哈希加密实现
*/
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
重新启动项目, 访问http://localhost:8080,使用账号:admin
和密码:123456
登录
3、总结
以上就是spring security自定义配置类中关于表单FormLogin的所有配置的详细使用以及演示案例了。
后面继续讲解自定义配置类关于权限认证以及csrf配置相关的内容。