Spring Security -- 自定义用户认证(转载)
在Spring Security -- Spring Boot中开启Spring Security一节中我们简单搭建了个Spring Boot + Spring Security的项目,认证的用户名和密码都是由Spring Security生成。Spring Security支持我们自定义认证的过程,如处理用户信息获取逻辑,使用我们自定义的登录页面替换Spring Security默认的登录页及自定义登录成功或失败后的处理逻辑等。这里将在上一节的源码基础上进行改造。
一、自定义认证过程
1、UserDetailService接口和UserDetails接口
自定义认证的过程需要实现Spring Security提供的UserDetailService接口,该接口只有一个抽象方法loadUserByUsername,源码如下:
package org.springframework.security.core.userdetails;
/**
* Core interface which loads user-specific data.
* <p>
* It is used throughout the framework as a user DAO and is the strategy used by the
* {@link org.springframework.security.authentication.dao.DaoAuthenticationProvider
* DaoAuthenticationProvider}.
*
* <p>
* The interface requires only one read-only method, which simplifies support for new
* data-access strategies.
*
* @see org.springframework.security.authentication.dao.DaoAuthenticationProvider
* @see UserDetails
*
* @author Ben Alex
*/
public interface UserDetailsService {
// ~ Methods
// ========================================================================================================
/**
* Locates the user based on the username. In the actual implementation, the search
* may possibly be case sensitive, or case insensitive depending on how the
* implementation instance is configured. In this case, the <code>UserDetails</code>
* object that comes back may have a username that is of a different case than what
* was actually requested..
*
* @param username the username identifying the user whose data is required.
*
* @return a fully populated user record (never <code>null</code>)
*
* @throws UsernameNotFoundException if the user could not be found or the user has no
* GrantedAuthority
*/
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}
loadUserByUsername方法返回一个UserDetails对象,UserDetails也是一个接口,包含一些用于描述用户信息的方法,源码如下:
/**
* Provides core user information.
*
* <p>
* Implementations are not used directly by Spring Security for security purposes. They
* simply store user information which is later encapsulated into {@link Authentication}
* objects. This allows non-security related user information (such as email addresses,
* telephone numbers etc) to be stored in a convenient location.
* <p>
* Concrete implementations must take particular care to ensure the non-null contract
* detailed for each method is enforced. See
* {@link org.springframework.security.core.userdetails.User} for a reference
* implementation (which you might like to extend or use in your code).
*
* @see UserDetailsService
* @see UserCache
*
* @author Ben Alex
*/
public interface UserDetails extends Serializable {
// ~ Methods
// ========================================================================================================
/**
* Returns the authorities granted to the user. Cannot return <code>null</code>.
*
* @return the authorities, sorted by natural key (never <code>null</code>)
*/
Collection<? extends GrantedAuthority> getAuthorities();
/**
* Returns the password used to authenticate the user.
*
* @return the password
*/
String getPassword();
/**
* Returns the username used to authenticate the user. Cannot return <code>null</code>.
*
* @return the username (never <code>null</code>)
*/
String getUsername();
/**
* Indicates whether the user's account has expired. An expired account cannot be
* authenticated.
*
* @return <code>true</code> if the user's account is valid (ie non-expired),
* <code>false</code> if no longer valid (ie expired)
*/
boolean isAccountNonExpired();
/**
* Indicates whether the user is locked or unlocked. A locked user cannot be
* authenticated.
*
* @return <code>true</code> if the user is not locked, <code>false</code> otherwise
*/
boolean isAccountNonLocked();
/**
* Indicates whether the user's credentials (password) has expired. Expired
* credentials prevent authentication.
*
* @return <code>true</code> if the user's credentials are valid (ie non-expired),
* <code>false</code> if no longer valid (ie expired)
*/
boolean isCredentialsNonExpired();
/**
* Indicates whether the user is enabled or disabled. A disabled user cannot be
* authenticated.
*
* @return <code>true</code> if the user is enabled, <code>false</code> otherwise
*/
boolean isEnabled();
}
这些方法的含义如下:、
- getAuthorities获取用户包含的权限,返回权限集合,权限是一个继承了GrantedAuthority的对象;
- getPassword和getUsername用于获取密码和用户名;
- isAccountNonExpired方法返回boolean类型,用于判断账户是否未过期,未过期返回true反之返回false;
- isAccountNonLocked方法用于判断账户是否未锁定;
- isCredentialsNonExpired用于判断用户凭证是否没过期,即密码是否未过期;
- isEnabled方法用于判断用户是否可用;
实际中我们可以自定义UserDetails接口的实现类,也可以直接使用Spring Security提供的UserDetails接口实现类org.springframework.security.core.userdetails.User。
2、自定义CustomUserDetailService和User
说了那么多,下面我们来开始实现UserDetailService接口的loadUserByUsername方法。
首先创建UserDetails接口的实现类User,用于存放模拟的用户数据(实际中一般从数据库获取,这里为了方便直接模拟):
package com.zy.example.entity;
import com.fasterxml.jackson.annotation.JsonIgnore;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import java.util.*;
/**
* @Author: zy
* @Description: 用户实体类
* Spring Security框架提供了一个基础用户接口UserDetails,该接口提供了基本的用户相关的操作,比如获取用户名/密码、
* 用户账号是否过期和用户认证是否过期等,我们定义自己的User类时需要实现该接口。
* @Date: 2020-2-9
*/
@Data
@NoArgsConstructor
public class User implements UserDetails {
private static final PasswordEncoder PASSWORD_ENCODER = new BCryptPasswordEncoder();
private String id;
/**
* 用户登录名
*/
private String username;
/**
* 用户真实姓名
*/
private String realName;
/**
* 用户登录密码,用户的密码不应该暴露给客户端
*/
@JsonIgnore
private String password;
/**
* 用户创建者
*/
private int createdBy;
/**
* 创建时间
*/
private Long createdTime = System.currentTimeMillis();
/**
* 该用户关联的企业/区块id
*/
private Map<String, Object> associatedResources = new HashMap<>();
/**
* 用户关注的企业列表
*/
private List<String> favourite = new ArrayList<>();
/**
* 用户在系统中的角色列表,将根据角色对用户操作权限进行限制
*/
private List<String> roles = new ArrayList<>();
/**
* 设置密码
* @param password
*/
public void setPassword(String password) {
this.password = PASSWORD_ENCODER.encode(password);
}
/**
* 权限集合
*/
private Collection<? extends GrantedAuthority> authorities = null;
/**
* 账户是否未过期
*/
private boolean accountNonExpired = true;
/**
* 账户是否未锁定
*/
private boolean accountNonLocked= true;
/**
* 用户凭证是否没过期,即密码是否未过期
*/
private boolean credentialsNonExpired= true;
/**
* 用户是否可用
*/
private boolean enabled= true;
}
PasswordEncoder是一个密码加密接口,而BCryptPasswordEncoder是Spring Security提供的一个实现方法,我们也可以自己实现PasswordEncoder。不过Spring Security实现的BCryptPasswordEncoder已经足够强大,它对相同的密码进行加密后可以生成不同的结果。
此外,我们在com.zy.example.config下创建一个bean配置类,配置加密方式:
package com.zy.example.config;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* @Author: zy
* @Description: 定义一些bean
* @Date: 2020-2-9
*/
@Configuration
public class BeanConfig {
/**
* 密码加密
* @return
*/
@Bean
public static PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
接着创建类CustomUserDetailService实现UserDetailService接口:
package com.zy.example.service; import com.zy.example.entity.User; import org.springframework.context.annotation.Configuration; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Service; /** * @Author: zy * @Description: 自定义用户信息Service配置类 * @Date: 2020-2-9 */ @Service public class CustomUserDetailsService implements UserDetailsService { /** * 点击登录时会调用该函数、并传入登录名 根据用户名查询数据库获取用户信息 * @param username:登录用户名 * @return: 返回用户信息 * @throws UsernameNotFoundException */ @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { //模拟一个用户 替代数据库获取逻辑 User user = new User(); user.setUsername(username); user.setPassword("123456"); // 输出加密后的密码 System.out.println(user.getPassword()); return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), user.isEnabled(), user.isAccountNonExpired(), user.isCredentialsNonExpired(), user.isAccountNonLocked(), AuthorityUtils.commaSeparatedStringToAuthorityList("admin")); } }
这里我们使用了org.springframework.security.core.userdetails.User类包含7个参数的构造器,其还包含一个三个参数的构造器User(String username, String password,Collection<? extends GrantedAuthority> authorities),由于权限参数不能为空,所以这里先使用AuthorityUtils.commaSeparatedStringToAuthorityList方法模拟一个admin的权限,该方法可以将逗号分隔的字符串转换为权限集合。
这时候重启项目,访问http://localhost:8080/login,便可以使用任意用户名以及123456作为密码登录系统。我们多次进行登录操作,可以看到控制台输出的加密后的密码如下:
$2a$10$QWhO2OtA6/o0c6P2/KIwzOIlS5xGpPHrYxbeVc8AvAf0LfmZaLCfq
$2a$10$3A6L/hDeb9OeM/5KzUMfHufwZtqTuV5gyi2vHN6N2w8U7TrA9GQa2
$2a$10$gWzh2cqGqYg4qzH8lmYlUeHWc8epTyh6.gMyVdW4xZDJLNU4s1pnW
可以看到,BCryptPasswordEncoder对相同的密码生成的结果每次都是不一样的。
二、替换默认表单页面
默认的登录页面过于简陋,我们可以自己定义一个登录页面。
1、使用Freemarker模板引擎渲染Web视图
pom文件引入依赖包:
<!-- 引入freemarker的依赖包 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-freemarker</artifactId>
</dependency>
在src/main/resources/创建一个templates文件夹,并创建login.ftl文件:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
<style type="text/css">
* {
margin: 0px;
}
#content {
margin: 150px auto;
width: 100%;
height: 460px;
border: 1px transparent solid;
background-color: #21D4FD;
background-image: linear-gradient(243deg, #21D4FD 0%, #B721FF 100%);
background-image: -webkit-linear-gradient(243deg, #21D4FD 0%, #B721FF 100%);
background-image: -moz-linear-gradient(243deg, #21D4FD 0%, #B721FF 100%);
background-image: -o-linear-gradient(243deg, #21D4FD 0%, #B721FF 100%);
}
#box {
margin: 50px auto;
width: 30%;
height: 360px;
background-color: #fff;
text-align: center;
border-radius: 15px;
border: 2px #fff solid;
box-shadow: 10px 10px 5px #000000;
}
.title {
line-height: 58px;
margin-top: 20px;
font-size: 36px;
color: #000;
height: 58px;
}
#box:hover {
border: 2px #fff solid;
}
.input {
margin-top: 20px;
}
input {
margin-top: 5px;
outline-style: none;
border: 1px solid #ccc;
border-radius: 3px;
padding: 13px 14px;
width: 70%;
font-size: 14px;
font-weight: 700;
font-family: "Microsoft soft";
}
button {
margin-top: 20px;
border: none;
color: #000;
padding: 15px 32px;
text-align: center;
text-decoration: none;
display: inline-block;
font-size: 16px;
border-radius: 15px;
background-color: #CCCCCC;
}
button:hover{
background-color: #B721FF;
color: #fff;
}
</style>
</head>
<body>
<div id="content">
<div id="box">
<div class="title">Login</div>
<div class="input">
<form name="f" action="/login" method="post">
<input type="text" id="username" name="username" value="" placeholder="用户名" />
<br>
<input type="password" id="password" name="password" placeholder="密码" />
<br>
<input type="submit" value="登录" onclick="getuser()"/>
</form>
</div>
</div>
</div>
<script type="text/javascript">
function getuser() {
var username = document.getElementById("username").value;
var password = document.getElementById("password").value;
var password1 = document.getElementById("password1").value;
testing(username, password,password1)
//alert("username:"+username+"\n"+"password:"+password);
}
function testing(username, password, password1) {
var tmp = username && password;
if (tmp == "") {
alert("请填写完整信息");
return 0;
}
if (username.length < 6 || username.length > 16) {
alert("用户名长度为:6-16位")
return 0;
}
if (password<6)
{
alert("密码长度错误");
}
}
</script>
</body>
</html>
在src/main/resources下新建freemarker配置文件application.yml:
spring:
## Freemarker 配置
freemarker:
##模版存放路径(默认为 classpath:/templates/)
template-loader-path: classpath:/templates/
##是否生成缓存,生成环境建议开启(默认为true)
cache: false
##编码
charset: UTF-8
check-template-location: true
##content-type类型(默认为text/html)
content-type: text/html
## 设定所有request的属性在merge到模板的时候,是否要都添加到model中(默认为false)
expose-request-attributes: false
##设定所有HttpSession的属性在merge到模板的时候,是否要都添加到model中.(默认为false)
expose-session-attributes: false
##RequestContext属性的名称(默认为-)
request-context-attribute: request
##模板后缀(默认为.ftl)
suffix: .ftl
2、LoginController
在com.zy.example.controller包下创建LoginController.java:
package com.zy.example.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
/**
* @Author: zy
* @Description: 登陆页面
* @Date: 2020-2-9
*/
@Controller
public class LoginController {
/**
* 自定义登录页面
* @return
*/
@RequestMapping("/login")
public String login(){
return "/login";
}
}
3、修改BrowserSecurityConfig配置
要怎么做才能让Spring Security跳转到我们自己定义的登录页面呢?很简单,只需要在类BrowserSecurityConfig的configure中添加一些配置:
/**
* 配置拦截请求资源
* @param http:HTTP请求安全处理
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests() // 授权配置
.anyRequest() // 任何请求
.authenticated() //都需要身份认证
.and()
.formLogin() // 或者httpBasic()
.loginPage("/login") // 指定登录页的路径
.loginProcessingUrl("/login") // 指定自定义form表单请求的路径
// 必须允许所有用户访问我们的登录页(例如未验证的用户,否则验证流程就会进入死循环)
// 这个formLogin().permitAll()方法允许所有用户基于表单登录访问/login这个page。
.permitAll()
.and()
.logout()
.permitAll()
.and()
//默认都会产生一个hiden标签 里面有安全相关的验证 防止请求伪造 这边我们暂时不需要 可禁用掉
.csrf().disable();
面代码中.loginPage("/login")指定了跳转到登录页面的请求URL,.loginProcessingUrl("/login")对应登录页面form表单的action="/login",如果两者不一样,UsernamePasswordAuthenticationFilter过滤器将不会生效,.permitAll()表示跳转到登录页面的请求不被拦截,否则会进入无限循环。
这时候启动系统,访问http://localhost:8080/hello,会看到页面已经被重定向到了http://localhost:8080/login:
输入admin、123456,跳转到/hello页面:
三、处理登录成功和失败
Spring Security有一套默认的处理登录成功和失败的方法:当用户登录成功时,页面会跳转到引发登录的页面,比如在未登录的情况下访问http://localhost:8080/hello,页面会跳转到登录页,登录成功后再跳转回来;登录失败时则是跳转到Spring Security默认的错误提示页面。下面我们通过一些自定义配置来替换这套默认的处理机制。
1、自定义登录成功逻辑
要改变默认的处理成功逻辑很简单,只需要实现org.springframework.security.web.authentication.AuthenticationSuccessHandler接口的onAuthenticationSuccess方法即可:
首先添加jackson依赖:
<!-- 对象json转换 -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.8.3</version>
</dependency>
创建包com.zy.example.handler,在包下创建CustomAuthenticationSucessHandler.java:
package com.zy.example.handler;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Service;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @Author: zy
* @Description: 自定义登录成功逻辑
* @Date: 2020-2-9
*/
@Service
public class CustomAuthenticationSucessHandler implements AuthenticationSuccessHandler {
@Autowired
private ObjectMapper mapper;
/**
* 登录成功
* @param request:请求
* @param response:响应
* @param authentication:Authentication参数既包含了认证请求的一些信息,比如IP,请求的SessionId等,
* 也包含了用户信息
* @throws IOException
* @throws ServletException
*/
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
response.setContentType("application/json;charset=utf-8");
response.getWriter().write(mapper.writeValueAsString(authentication));
}
}
其中Authentication参数既包含了认证请求的一些信息,比如IP,请求的SessionId等,也包含了用户信息,即前面提到的User对象。通过上面这个配置,用户登录成功后页面将打印出Authentication对象的信息。
此外我们注入了mapper对象,该对象用于将Authentication对象json序列化,注入前需要手动配置。我们在bean配置类配置它:
/**
* 对象Json序列化
* @return
*/
@Bean
public ObjectMapper mapper() {
return new ObjectMapper();
}
为了使CustomAuthenticationSucessHandler生效,我们还的在BrowserSecurityConfig的configure中配置:
@Autowired private AuthenticationSuccessHandler authenticationSucessHandler /** * 配置拦截请求资源 * @param http:HTTP请求安全处理 * @throws Exception */ @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() // 授权配置 .anyRequest() // 任何请求 .authenticated() //都需要身份认证 .and() .formLogin() // 或者httpBasic() .loginPage("/login") // 指定登录页的路径 .loginProcessingUrl("/login") // 指定自定义form表单请求的路径 .successHandler(authenticationSucessHandler) // 处理登录成功 // 必须允许所有用户访问我们的登录页(例如未验证的用户,否则验证流程就会进入死循环) // 这个formLogin().permitAll()方法允许所有用户基于表单登录访问/login这个page。 .permitAll() .and() .logout() .permitAll() .and() //默认都会产生一个hiden标签 里面有安全相关的验证 防止请求伪造 这边我们暂时不需要 可禁用掉 .csrf().disable(); }
我们将CustomAuthenticationSucessHandler注入进来,并通过successHandler方法进行配置。
这时候重启项目登录后页面将会输出如下JSON信息:
{
"authorities": [{
"authority": "admin"
}],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": "8C6774C31B224228BCC19CE5F44DA432"
},
"authenticated": true,
"principal": {
"password": null,
"username": "admin",
"authorities": [{
"authority": "admin"
}],
"accountNonExpired": true,
"accountNonLocked": true,
"credentialsNonExpired": true,
"enabled": true
},
"credentials": null,
"name": "admin"
}
像password,credentials这些敏感信息,Spring Security已经将其屏蔽。
除此之外,我们也可以在登录成功后做页面的跳转,修改CustomAuthenticationSucessHandler:
package com.zy.example.handler;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.stereotype.Service;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @Author: zy
* @Description: 自定义登录成功逻辑
* @Date: 2020-2-9
*/
@Service
public class CustomAuthenticationSucessHandler implements AuthenticationSuccessHandler {
private RequestCache requestCache = new HttpSessionRequestCache();
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
@Autowired
private ObjectMapper mapper;
/**
* 登录成功
* @param request:请求
* @param response:响应
* @param authentication:Authentication参数既包含了认证请求的一些信息,比如IP,请求的SessionId等,
* 也包含了用户信息
* @throws IOException
* @throws ServletException
*/
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
SavedRequest savedRequest = requestCache.getRequest(request, response);
redirectStrategy.sendRedirect(request, response, savedRequest.getRedirectUrl());
}
}
其中HttpSessionRequestCache为Spring Security提供的用于缓存请求的对象,通过调用它的getRequest方法可以获取到本次请求的HTTP信息。DefaultRedirectStrategy的sendRedirect为Spring Security提供的用于处理重定向的方法。
通过上面配置,登录成功后页面将跳转回引发跳转的页面。如果想指定跳转的页面,比如跳转到/index,可以将savedRequest.getRedirectUrl()修改为/index,修改TestController类,添加如下方法:
@GetMapping("index")
public Object index(){
return SecurityContextHolder.getContext().getAuthentication();
}
登录成功后,便可以使用SecurityContextHolder.getContext().getAuthentication()获取到Authentication对象信息。除了通过这种方式获取Authentication对象信息外,也可以使用下面这种方式:
@GetMapping("index")
public Object index(Authentication authentication) {
return authentication;
}
重启项目,登录成功后,页面将跳转到http://localhost:8080/index:
{
"authorities": [{
"authority": "admin"
}],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": "8C6774C31B224228BCC19CE5F44DA432"
},
"authenticated": true,
"principal": {
"password": null,
"username": "admin",
"authorities": [{
"authority": "admin"
}],
"accountNonExpired": true,
"accountNonLocked": true,
"credentialsNonExpired": true,
"enabled": true
},
"credentials": null,
"name": "admin"
}
2、自定义登录失败逻辑
和自定义登录成功处理逻辑类似,自定义登录失败处理逻辑需要实现org.springframework.security.web.authentication.AuthenticationFailureHandler的onAuthenticationFailure方法::
@Service
public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException {
}
}
onAuthenticationFailure方法的AuthenticationException参数是一个抽象类,Spring Security根据登录失败的原因封装了许多对应的实现类,查看AuthenticationException的Hierarchy:
不同的失败原因对应不同的异常,比如用户名或密码错误对应的是BadCredentialsException,用户不存在对应的是UsernameNotFoundException,用户被锁定对应的是LockedException等。
假如我们需要在登录失败的时候返回失败信息,可以这样处理:
package com.zy.example.handler;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Service;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @Author: zy
* @Description: 自定义登录失败逻辑
* @Date: 2020-2-9
*/
@Service
public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Autowired
private ObjectMapper mapper;
/**
* 登录失败 返回错误状态码
* @param request
* @param response
* @param exception
* @throws IOException
* @throws ServletException
*/
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
response.setContentType("application/json;charset=utf-8");
response.getWriter().write(mapper.writeValueAsString(exception.getMessage()));
}
}
状态码定义为500(HttpStatus.INTERNAL_SERVER_ERROR.value()),即系统内部异常。
同样的,我们需要在BrowserSecurityConfig的configure中配置它:
@Autowired
private AuthenticationFailureHandler authenticationFailureHandler;
/**
* 配置拦截请求资源
* @param http:HTTP请求安全处理
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests() // 授权配置
.anyRequest() // 任何请求
.authenticated() //都需要身份认证
.and()
.formLogin() // 或者httpBasic()
.loginPage("/login") // 指定登录页的路径
.loginProcessingUrl("/login") // 指定自定义form表单请求的路径
.successHandler(authenticationSucessHandler) // 处理登录成功
.failureHandler(authenticationFailureHandler) // 处理登录失败
// 必须允许所有用户访问我们的登录页(例如未验证的用户,否则验证流程就会进入死循环)
// 这个formLogin().permitAll()方法允许所有用户基于表单登录访问/login这个page。
.permitAll()
.and()
.logout()
.permitAll()
.and()
//默认都会产生一个hiden标签 里面有安全相关的验证 防止请求伪造 这边我们暂时不需要 可禁用掉
.csrf().disable();
}
重启项目,当输入错误的密码时,页面输出如下:
四、修改错误页面
当我们登录一个不存在页面时,http://localhost:8080/user,将会抛出404错误,如何修改这些默认错误页面呢:
1、创建ErrorPageConfig配置类
在包com.zy.example.config下创建类ErrorPageConfig:
package com.zy.example.config;
import org.springframework.boot.web.server.ErrorPage;
import org.springframework.boot.web.server.ErrorPageRegistrar;
import org.springframework.boot.web.server.ErrorPageRegistry;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
/**
* @Author: zy
* @Description: spring boot 错误页面配置
* @Date: 2020-2-8
*/
@Configuration
public class ErrorPageConfig implements ErrorPageRegistrar {
@Override
public void registerErrorPages(ErrorPageRegistry registry) {
ErrorPage errorPage400 = new ErrorPage(HttpStatus.BAD_REQUEST,"/error/400");
ErrorPage errorPage401 = new ErrorPage(HttpStatus.UNAUTHORIZED,"/error/401");
ErrorPage errorPage403 = new ErrorPage(HttpStatus.FORBIDDEN,"/error/403");
ErrorPage errorPage404 = new ErrorPage(HttpStatus.NOT_FOUND,"/error/404");
ErrorPage errorPage415 = new ErrorPage(HttpStatus.UNSUPPORTED_MEDIA_TYPE,"/error/415");
ErrorPage errorPage500 = new ErrorPage(HttpStatus.INTERNAL_SERVER_ERROR,"/error/500");
registry.addErrorPages(errorPage400,errorPage401,errorPage403,errorPage404,errorPage415,errorPage500);
}
}
2、Controller
在com.zy.example.controller下创建类ErrorController:
package com.zy.example.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
/**
* @Author: zy
* @Description: spring boot 错误页面配置
* @Date: 2020-2-8
*/
@Controller
@RequestMapping("/error")
public class ErrorController {
@RequestMapping("/403")
public String error403(){
return "/error/403";
}
@RequestMapping("/404")
public String error404(){
return "/error/404";
}
}
3、新增ftl文件
在src/java/resource/templates/error新建错误页面:
403页面:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>403</title>
<style>
html, body {
padding: 0;
margin: 0;
height: 100%;
}
.box {
width: 100%;
height: 100%;
background-color: wheat;
text-align: center; /*文本水平居中*/
line-height: 600px; /*文本垂直居中*/
}
</style>
</head>
<body>
<div class="box">
<h1 style="display: inline">Sorry, this page is Authorised by </h1>
<h1 style="display: inline"><a href="/login">zy</a></h1>
<h1 style="display: inline"> only.</h1>
</div>
</body>
</html>
404页面:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>404</title>
<style>
html, body {
padding: 0;
margin: 0;
height: 100%;
}
.box {
width: 100%;
height: 100%;
background-color: wheat;
text-align: center; /*文本水平居中*/
padding-top: 15%;
}
</style>
</head>
<body>
<div class="box">
<h1>404 您进入了无人区...</h1>
<span id="counter"></span>秒后 <a href="/login">返回登录首页</a>
</div>
<script>
var $counter = document.getElementById('counter');
function countDown(secs)
{
$counter.innerText=secs;
if(--secs>0)
{
setTimeout("countDown("+secs+")",1000);
}
if(secs==0)
{
location.href = '/login';
}
}
countDown(5);
</script>
</body>
</html>
四、代码下载
参考文章:
[1] Spring Security自定义用户认证
