【JAVA】自定义登录和注销

Spring Security的自定义登录和注销

Spring Security允许开发者根据具体需求，自定义登录和注销的处理方式。以下是详细介绍及示例。

1. 自定义登录页面

1.1 配置自定义登录页面

通过继承WebSecurityConfigurerAdapter，可以指定自定义的登录页面路径和登录处理逻辑。

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home", "/login").permitAll() // 允许所有人访问
                .anyRequest().authenticated() // 其他请求需要认证
                .and()
            .formLogin()
                .loginPage("/login") // 指定自定义的登录页面
                .loginProcessingUrl("/perform_login") // 指定处理登录请求的URL
                .defaultSuccessUrl("/home", true) // 登录成功后跳转的URL
                .failureUrl("/login?error=true") // 登录失败后跳转的URL
                .and()
            .logout()
                .logoutUrl("/perform_logout") // 指定注销的URL
                .logoutSuccessUrl("/login?logout=true") // 注销成功后跳转的URL
                .deleteCookies("JSESSIONID"); // 注销时删除JSESSIONID cookie
    }
}

1.2 实现自定义登录页面

在自定义登录页面中，需要创建一个简单的HTML表单，提交用户的登录信息。

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Login</title>
</head>
<body>
<h2>Login Page</h2>
<form method="post" action="/perform_login">
    <label for="username">Username:</label>
    <input type="text" id="username" name="username"/><br/>
    <label for="password">Password:</label>
    <input type="password" id="password" name="password"/><br/>
    <input type="submit" value="Login"/>
</form>
<p><a href="/register">Register here</a></p>
</body>
</html>

2. 自定义注销处理

2.1 配置自定义注销

注销操作涉及用户会话的结束以及相应的清理工作，如删除cookie等。可以在WebSecurityConfigurerAdapter中配置自定义的注销行为。

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home", "/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/perform_login")
                .defaultSuccessUrl("/home", true)
                .failureUrl("/login?error=true")
                .and()
            .logout()
                .logoutUrl("/perform_logout") // 指定自定义的注销URL
                .logoutSuccessHandler(customLogoutSuccessHandler()) // 自定义注销成功处理器
                .invalidateHttpSession(true) // 注销时使HttpSession无效
                .deleteCookies("JSESSIONID"); // 注销时删除JSESSIONID cookie
    }

    // 自定义注销成功处理器
    private LogoutSuccessHandler customLogoutSuccessHandler() {
        return (request, response, authentication) -> {
            response.sendRedirect("/login?logout=true"); // 注销成功后重定向
        };
    }
}

3. 示例代码

以下是完整的Spring Boot应用示例，展示了自定义登录和注销功能的实现。

3.1 SecurityConfig

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home", "/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/perform_login")
                .defaultSuccessUrl("/home", true)
                .failureUrl("/login?error=true")
                .and()
            .logout()
                .logoutUrl("/perform_logout")
                .logoutSuccessHandler(customLogoutSuccessHandler())
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");
    }

    private LogoutSuccessHandler customLogoutSuccessHandler() {
        return (request, response, authentication) -> {
            response.sendRedirect("/login?logout=true");
        };
    }
}

3.2 自定义登录页面 (login.html)

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Login</title>
</head>
<body>
<h2>Login Page</h2>
<form method="post" action="/perform_login">
    <label for="username">Username:</label>
    <input type="text" id="username" name="username"/><br/>
    <label for="password">Password:</label>
    <input type="password" id="password" name="password"/><br/>
    <input type="submit" value="Login"/>
</form>
<p><a href="/register">Register here</a></p>
</body>
</html>

3.3 HomeController

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HomeController {

    @GetMapping("/")
    public String home() {
        return "Welcome to the home page!";
    }

    @GetMapping("/login")
    public String login() {
        return "Please log in!";
    }

    @GetMapping("/home")
    public String userHome() {
        return "Welcome, authenticated user!";
    }
}

4. 总结

通过自定义Spring Security的登录和注销功能，开发者可以更加灵活地控制用户认证和会话管理流程，提供更符合业务需求的用户体验。