spring - Spring 4.0 + Security 3.2 + j_spring_security_check 的 JavaConfiguration

标签 spring spring-mvc spring-security spring-java-config

  1. 创建登录页面

    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="ISO-8859-1">
        <title>Test</title>
        <script src="static/js/jquery-1.10.2.min.js"></script>
        <script src="static/js/app-controller.js"></script>
    </head>
    <body>
        <div>Login</div>
        <form name="f" action="<c:url value="/j_spring_security_check"/>" method="POST">
            <label for="password">Username</label>&nbsp;<input type="text" id="j_username" name="j_username"><br/>
            <label for="password">Password</label>&nbsp;<input type="password" id="j_password" name="j_password"><br/>
            <input type="submit" value="Validate">&nbsp;<input name="reset" type="reset">
            <input type="hidden" id="${_csrf.parameterName}" name="${_csrf.parameterName}" value="${_csrf.token}"/>
        </form>
        <hr/>
        <c:if test="${param.error != null}">
            <div>
                Failed to login.
                <c:if test="${SPRING_SECURITY_LAST_EXCEPTION != null}">
                  Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
                </c:if>
            </div>
        </c:if>
        <hr/>
        <input type="button" value="Echo" id="echo" name="echo" onclick="AppController.echo();">
        <div id="echoContainer"></div>

    </body>
</html>

  2. 声明一个 WebSecurityConfigurer 这里是我缺少 j_username 和 j_password 的地方

    @Configuration
@EnableWebSecurity
@ComponentScan(basePackages = {"com.sample.init.security"})
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Inject
    private AuthenticationProvider authenticationProvider;

    @Inject
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(
                        "/resources/**", 
                        "/static/**", 
                        "/j_spring_security_check", 
                        "/AppController/echo.html").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .usernameParameter("j_username") /* BY DEFAULT IS username!!! */
                .passwordParameter("j_password") /* BY DEFAULT IS password!!! */
                .loginProcessingUrl("/j_spring_security_check")
                .loginPage("/")
                .defaultSuccessUrl("/page")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
                .antMatchers("/static/**");
    }

}

  3. 声明一个 WebMvcConfigurer

    @EnableWebMvc
@Configuration
@ComponentScan(basePackages = {
        "com.app.controller",        
        "com.app.service",
        "com.app.dao"
})
public class WebMvcConfigurer extends WebMvcConfigurerAdapter {

    @Bean
    public ViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setPrefix("/WEB-INF/view/");
        viewResolver.setSuffix(".jsp");
        return viewResolver;
    }

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
      registry.addViewController("/page").setViewName("page");
    }

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("static/**").addResourceLocations("static/");
    }

}

  4. 声明一个安全初始化器

    public class SecurityWebAppInitializer 
    extends AbstractSecurityWebApplicationInitializer { }

  5. 声明一个应用初始化器

    public class Initializer extends AbstractAnnotationConfigDispatcherServletInitializer  {

    @Override
    protected Class<?>[] getRootConfigClasses() {       
        return new Class<?>[]{WebSecurityConfigurer.class};
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class<?>[]{WebMvcConfigurer.class, DataSourceConfigurer.class};
    }

    @Override
    protected String[] getServletMappings() {
        return new String[]{"/"};
    }

}

  6. 实现您的自定义身份验证提供程序

    @Component
@ComponentScan(basePackages = {"com.app.service"})
public class CustomAuthenticationProvider implements AuthenticationProvider {

    private static final Logger LOG = LoggerFactory.getLogger(CustomAuthenticationProvider.class);

    @Inject
    private AppService service;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {

        //Thread.dumpStack();
        String username = authentication.getName();
        String password = authentication.getCredentials().toString();

        String message = String.format("Username: '%s' Password: '%s'", username, password);
        UserBean userBean = service.validate(username, password);       
        LOG.debug(message);
        if (userBean != null) {
            List<GrantedAuthority> grantedAuths = new ArrayList<>();
            grantedAuths.add(new SimpleGrantedAuthority("USER"));
            return new UsernamePasswordAuthenticationToken(userBean, authentication, grantedAuths); 
        } else {
            String error = String.format("Invalid credentials [%s]", message);
            throw new BadCredentialsException(error);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }

}

我正在跳过 EchoController、AppService、AppDao 和 UserBean。

谢谢。

最佳答案

在 3.2 版本中,post 参数已从 j_username 更改为 username 并将 j_password 更改为 password。登录 url 也从/j_spring_security_check 更改为/login。

请参阅此链接了解为何实现此更改:http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#jc-httpsecurity .这些是变化:

  • GET/login 呈现登录页面而不是/spring_security_login

  • POST/login 对用户进行身份验证,而不是/j_spring_security_check

  • username参数默认为username而不是j_username

  • password参数默认为password而不是j_password

以下是登录表单的示例:http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#jc-form

关于spring - Spring 4.0 + Security 3.2 + j_spring_security_check 的 JavaConfiguration,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/20704656/

上一篇:java - spring jndi NamingException : Name [spring. liveBeansView.mbeanDomain] 未绑定(bind)在此上下文中

下一篇:java - 如何在 Spring 启动服务器时启动守护进程

相关文章:

spring - 在 Tomcat 上使用 spring 部署 Quartz Scheduler 时出现 NullPointerException

mysql - 为什么在 Spring 应用程序中 mySQL 表上的 Null 列设置为 yes

java - Spring MVC @Sessionattributes 在多个浏览器选项卡中出现问题

spring-mvc - 没有可用于当前线程的实际事务的 EntityManager - 无法可靠地处理 'persist' 调用

java - 如何在所有模板中显示当前登录用户的信息,包括 Spring Security 应用程序中由 WebMvcConfigurerAdapter 管理的 View

java - Spring MVC - 不支持请求方法post

java - 未调用自定义参数解析器

java - 使用 JMockit 模拟 Autowiring 的接口(interface)实现

authentication - 将 Tomcat NTLM 与 Spring Security 结合使用

Spring Security 3.2 CSRF 禁用特定 URL

©2024 IT工具网  联系我们