【Spring Boot】Spring Security登陆异常出路
【Spring Boot】Spring Security登陆异常出路
Security 配置
package cn.young.greenhome.config; import cn.young.greenhome.module.auth.UserDetailsServiceImpl; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; /** * 安全配置类 * * @author ycx * @since 2020-02-02 */ @Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired UserDetailsServiceImpl userDetailsService; /** * 配置拦截请求 * * @param http * @throws Exception */ @Override protected void configure(HttpSecurity http) throws Exception { http.headers().frameOptions().disable(); http.authorizeRequests() .antMatchers("/login", "/logout", "/getVerifyCode", "/validateVerifyCode") .permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .successForwardUrl("/success") .failureForwardUrl("/failure") .and() .logout() .logoutUrl("/logout") .invalidateHttpSession(true) .and() .csrf().disable(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { // 123456 // $2a$10$E0ypqva9V.tMStGszN8Zeu6mUAO2OkEUs1bbYGUIvnANVuwi5DfgO // 自定义用户服务和密码 auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder()); } /** * 配置过滤器 * * @param web * @throws Exception */ @Override public void configure(WebSecurity web) throws Exception { // 忽略静态资源 web.ignoring().antMatchers("/static/**"); super.configure(web); } }
出异常时forward到 /failure
点击 failureForwardUrl 方法
public FormLoginConfigurer<H> failureForwardUrl(String forwardUrl) { this.failureHandler(new ForwardAuthenticationFailureHandler(forwardUrl)); return this; }
异常信息被存储在了request中
public class ForwardAuthenticationFailureHandler implements AuthenticationFailureHandler { private final String forwardUrl; /** * @param forwardUrl */ public ForwardAuthenticationFailureHandler(String forwardUrl) { Assert.isTrue(UrlUtils.isValidRedirectUrl(forwardUrl), () -> "'" + forwardUrl + "' is not a valid forward URL"); this.forwardUrl = forwardUrl; } public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException { request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception); request.getRequestDispatcher(forwardUrl).forward(request, response); } }
处理异常信息
/** * 失败 * * @return */ @RequestMapping("/failure") public String failure(HttpServletRequest request, Model model) { AuthenticationException exception = (AuthenticationException) request.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION); String error; if (exception instanceof UsernameNotFoundException || exception instanceof BadCredentialsException) { error = "用户名或密码错误"; } else if (exception instanceof DisabledException) { error = "账户已禁用"; } else if (exception instanceof LockedException) { error = "账户已锁定"; } else if (exception instanceof AccountExpiredException) { error = "账户已过期"; } else if (exception instanceof CredentialsExpiredException) { error = "证书已过期"; } else { error = "登录失败"; } model.addAttribute("error", error); return "login"; }
