yeb02 - SpringSecurity自定义成功处理器与失败处理器

学习ing，一起成长…

需求：登录成功后跳转到百度页面

• 在SpringSecurity的配置类中配置successForwardUrl(“http://www.baidu.com”)

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public BCryptPasswordEncoder getBCryptPasswordEncoder(){
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginProcessingUrl("/login")  //当发现/login时认为是登录，必须和表单提交地址一样
                .loginPage("/login.html")  //自定义登录的页面
                .successForwardUrl("http://www.baidu.com")
                .failureForwardUrl("/ToError");

        http.authorizeRequests()
                .antMatchers("/login.html","error.html").permitAll()  //login.html不需要认证
                .anyRequest().authenticated();   //所有请求都必须认证

        http.csrf().disable(); //关闭csrf认证
    }
}

但结果好像不是想象的那么样，出现404错误

我们可以到其源码中看

通过查看源码我们可以知道默认使用的登录成功处理器是ForwardAuthenticationSuccessHandler，而方法onAuthenticationSuccess()是转发，但是转发的特性之一：只能转发给当前web应用的资源。所以这里我们需要自定义成功处理器使用重定向可以重定向到任何资源。

自定义成功处理器

public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    private String url;

    public MyAuthenticationSuccessHandler(String url) {
        this.url = url;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
         User user = (User) authentication.getPrincipal();  //获取登录信息
        user.getUsername();  //用户名
        user.getPassword(); //密码，为null安全考虑
        user.getAuthorities();  //权限
        httpServletResponse.sendRedirect(url);  //重定向
    }
}

使用

successForwardUrl与successHandler不能一起使用，会冲突

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginProcessingUrl("/login")  //当发现/login时认为是登录，必须和表单提交地址一样
                .loginPage("/login.html")  //自定义登录的页面
                //.successForwardUrl("http://www.baidu.com")
                .successHandler(new MyAuthenticationSuccessHandler("http://www.baidu.com"))
                .failureForwardUrl("/ToError");

        http.authorizeRequests()
                .antMatchers("/login.html","error.html").permitAll()  //login.html不需要认证
                .anyRequest().authenticated();   //所有请求都必须认证

        http.csrf().disable(); //关闭csrf认证
    }

自定义失败处理器

public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler {
    private String url;

    public MyAuthenticationFailureHandler(String url) {
        this.url = url;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        httpServletResponse.sendRedirect(url);
    }

 @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginProcessingUrl("/login")  //当发现/login时认为是登录，必须和表单提交地址一样
                .loginPage("/login.html")  //自定义登录的页面
                //.successForwardUrl("http://www.baidu.com")
                .successHandler(new MyAuthenticationSuccessHandler("http://www.baidu.com"))
                //.failureForwardUrl("/ToError");
                .failureHandler(new MyAuthenticationFailureHandler("/error.html"));
        http.authorizeRequests()
                .antMatchers("/login.html","error.html").permitAll()  //login.html不需要认证
                .anyRequest().authenticated();   //所有请求都必须认证

        http.csrf().disable(); //关闭csrf认证
    }