微信公眾號(hào)：一一小知
問題或建議，請(qǐng)公眾號(hào)留言;

SpringSecurity本身對(duì)于Login Parameter的登錄處理

本身自帶的請(qǐng)求頁面是這樣的：

登錄頁面

點(diǎn)擊login按鈕之后逮刨，requst如下夕土，可以看到Content-Type的值是application/x-www-form-urlencoded，username大磺、password、submit是作為Parameter參數(shù)做了請(qǐng)求探膊。

完整的如下：

Request URL: http://localhost:8081/user/login
Request Method: POST
Status Code: 401 
Remote Address: [::1]:8081
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=utf-8
Date: Wed, 23 Jan 2019 02:12:40 GMT
Expires: 0
Pragma: no-cache
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 38
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=A977E4AD3F578C5B8FA80BF2DC83C4FA
Host: localhost:8081
Origin: http://localhost:8081
Referer: http://localhost:8081/login
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
username: bianxh
password: 
submit: Login

對(duì)應(yīng)的username和password的接收和處理在WebSecurityConfigurerAdapter子實(shí)例中完成杠愧，如下：

package com.template.config;
//...
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    //...
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers(HttpMethod.OPTIONS).permitAll()
                .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
                    @Override
                    public <O extends FilterSecurityInterceptor> O postProcess(O o) {
                        o.setSecurityMetadataSource(metadataSource);
                        o.setAccessDecisionManager(urlAccessDecisionManager); // url攔截
                        return o;
                    }
                })
                .and()
//                .formLogin().loginPage("/login_p").loginProcessingUrl("/login")
                // 定義響應(yīng)的url
                .formLogin().loginProcessingUrl("/user/login") 
                .usernameParameter("username").passwordParameter("password")
                .permitAll()
                .and()
                .logout().permitAll()
                .and().csrf().disable()
                .exceptionHandling().accessDeniedHandler(deniedHandler);
    }
    //...
}

在Vue項(xiàng)目配置中模擬這樣的請(qǐng)求如下：

import request from '@/utils/request'

export function login(username, password) {
  return request({
    url: '/user/login',
    method: 'post',
    params: { username, password }
  })
}

Request參數(shù)如下：

Request URL: http://localhost:8080/user/login?username=bryan&password=1984
Request Method: POST
Status Code: 403 Forbidden
Remote Address: 127.0.0.1:8080
Referrer Policy: no-referrer-when-downgrade
cache-control: no-cache, no-store, max-age=0, must-revalidate
connection: close
content-length: 0
date: Wed, 23 Jan 2019 05:01:03 GMT
expires: 0
pragma: no-cache
x-content-type-options: nosniff
x-frame-options: DENY
X-Powered-By: Express
x-xss-protection: 1; mode=block
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Length: 0
Cookie: JSESSIONID=DE7E824DB59383D63DA926C5DAA1048E
Host: localhost:8080
Origin: http://localhost:8080
Referer: http://localhost:8080/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
username=bryan&password=1984

換用JSON方式來登錄

SpringSecurity配置調(diào)整

spring security 是基于javax.servlet.Filter的，因此才能在spring mvc（DispatcherServlet基于Servlet）前起作用逞壁。

• UsernamePasswordAuthenticationFilter:實(shí)現(xiàn)Filter接口流济，負(fù)責(zé)攔截登錄處理的url，帳號(hào)和密碼會(huì)在這里獲取腌闯，然后封裝成Authentication交給AuthenticationManager進(jìn)行認(rèn)證工作
• Authentication:貫穿整個(gè)認(rèn)證過程绳瘟，封裝了認(rèn)證的用戶名，密碼和權(quán)限角色等信息姿骏，接口有一個(gè)boolean isAuthenticated()方法來決定該Authentication認(rèn)證成功沒;
• AuthenticationManager:認(rèn)證管理器稽荧，但本身并不做認(rèn)證工作，只是做個(gè)管理者的角色工腋。例如默認(rèn)實(shí)現(xiàn)ProviderManager會(huì)持有一個(gè)AuthenticationProvider數(shù)組姨丈，把認(rèn)證工作交給這些AuthenticationProvider，直到有一個(gè)AuthenticationProvider完成了認(rèn)證工作擅腰。
• AuthenticationProvider:認(rèn)證提供者蟋恬，默認(rèn)實(shí)現(xiàn)，也是最常使用的是DaoAuthenticationProvider趁冈。我們?cè)谂渲脮r(shí)一般重寫一個(gè)UserDetailsService來從數(shù)據(jù)庫獲取正確的用戶名密碼歼争，其實(shí)就是配置了DaoAuthenticationProvider的UserDetailsService屬性拜马，DaoAuthenticationProvider會(huì)做帳號(hào)和密碼的比對(duì)，如果正常就返回給AuthenticationManager一個(gè)驗(yàn)證成功的Authentication

看UsernamePasswordAuthenticationFilter源碼里的obtainUsername和obtainPassword方法只是簡(jiǎn)單地調(diào)用request.getParameter方法沐绒，因此如果用json發(fā)送用戶名和密碼會(huì)導(dǎo)致DaoAuthenticationProvider檢查密碼時(shí)為空俩莽，拋出BadCredentialsException。

重寫UsernamePasswordAnthenticationFilter

package com.template.filter;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.template.bean.AuthenticationBean;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.InputStream;

public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        //attempt Authentication when Content-Type is json
        if(request.getContentType().equals(MediaType.APPLICATION_JSON_UTF8_VALUE)
                ||request.getContentType().equals(MediaType.APPLICATION_JSON_VALUE)){

            //use jackson to deserialize json
            ObjectMapper mapper = new ObjectMapper();
            UsernamePasswordAuthenticationToken authRequest = null;
            try (InputStream is = request.getInputStream()){
                AuthenticationBean authenticationBean = mapper.readValue(is,AuthenticationBean.class);
                authRequest = new UsernamePasswordAuthenticationToken(
                        authenticationBean.getUsername(), authenticationBean.getPassword());
            }catch (IOException e) {
                e.printStackTrace();
                authRequest = new UsernamePasswordAuthenticationToken(
                        "", "");
            }finally {
                setDetails(request, authRequest);
                return this.getAuthenticationManager().authenticate(authRequest);
            }
        }

        //transmit it to UsernamePasswordAuthenticationFilter
        else {
            return super.attemptAuthentication(request, response);
        }
    }
}

WebSecurityConfigurerAdapter配置

把這個(gè)CustomAuthenticationFilter加到spring security的眾多filter里面.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .cors().and()
            .antMatcher("/**").authorizeRequests()
            .antMatchers("/", "/login**").permitAll()
            .anyRequest().authenticated()
            //這里必須要寫formLogin()乔遮，不然原有的UsernamePasswordAuthenticationFilter不會(huì)出現(xiàn)扮超，也就無法配置我們重新的UsernamePasswordAuthenticationFilter
            .and().formLogin().loginPage("/")
            .and().csrf().disable();

    //用重寫的Filter替換掉原有的UsernamePasswordAuthenticationFilter
    http.addFilterAt(customAuthenticationFilter(),
    UsernamePasswordAuthenticationFilter.class);
}

//注冊(cè)自定義的UsernamePasswordAuthenticationFilter
@Bean
CustomAuthenticationFilter customAuthenticationFilter() throws Exception {
    CustomAuthenticationFilter filter = new CustomAuthenticationFilter();
    filter.setAuthenticationSuccessHandler(new SuccessHandler());
    filter.setAuthenticationFailureHandler(new FailureHandler());
    filter.setFilterProcessesUrl("/login/self");

    //這句很關(guān)鍵，重用WebSecurityConfigurerAdapter配置的AuthenticationManager蹋肮，不然要自己組裝AuthenticationManager
    filter.setAuthenticationManager(authenticationManagerBean());
    return filter;
}

封裝AuthenticationBean類出刷，用lombok簡(jiǎn)化代碼

package com.template.bean;

import lombok.Getter;
import lombok.Setter;

@Getter
@Setter
public class AuthenticationBean {
    private String username;
    private String password;
}

Vue的配置

request配置

import request from '@/utils/request'

export function login(username, password) {
  return request({
    url: '/user/login',
    method: 'post',
    // 封裝JSON
    data: {
      username,
      password
    }
  })
}

效果

登錄成功

在瀏覽器Network中查看Response

Network中查看Response

由于我們前后端分類，前端使用的是8080端口坯辩，后端使用的是8081端口馁龟。所以需要配置一下vue.config.js,允許跨域。

module.exports = {
  devServer: {
    proxy: {
      '/': {
        target: 'http://localhost:8081',
        changeOrigin: true,
        pathRewrite: {
          '^/': ''
        }
      }
    }
  }  
}

后話

Request.java可以debug htpp request請(qǐng)求漆魔，包位置和關(guān)鍵method如下：

package org.apache.catalina.connector;
/**
 * Wrapper object for the Coyote request.
 *
 * @author Remy Maucherat
 * @author Craig R. McClanahan
 */
public class Request implements org.apache.catalina.servlet4preview.http.HttpServletRequest {
    /**
     * Parse request parameters.
     */
    protected void parseParameters() {
        //...
    }
}

參考網(wǎng)址

• Spring Security配置JSON登錄
• Spring Security and JSON Authentication
• 在客戶端側(cè)代碼中使用環(huán)境變量
• 跨域資源共享 CORS 詳解
• CORS support in Spring Framework
• [HTTP請(qǐng)求中的form data和request payload的區(qū)別]
• 未驗(yàn)證：Spring Security攔截器引起Java CORS跨域失敗的問題

<a id="jump_1"></a>