This project uses the Spring Security framework to handle authentication.
The following is a record of how the framework was used.
Framework setup
Maven configuration
The main step is to import three packages:
<!-- Spring Security related -->
<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-core -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>4.2.2.RELEASE</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-web -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>4.2.2.RELEASE</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.2.2.RELEASE</version>
</dependency>
web.xml configuration
This mainly configures the Spring Security filter chain:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Next comes the Spring Security configuration file.
We start with the simplest configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">
    <security:http pattern="/**" auto-config="true">
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <security:form-login />
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="myName" authorities="ROLE_USER" password="123456"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
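If the back end is configured correctly, requests to the running application are intercepted by Spring Security and redirected to a login page. This login page is generated automatically by Spring Security.
In the configuration file, the username and password are set inside <security:authentication-manager></security:authentication-manager>. Enter username myName and password 123456 to log in and continue to the application's pages.
Custom login page
The page the framework generates for us naturally does not meet our needs, so we need to define our own login page.
Configuration file
Modify the <security:http> tag: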
<security:http pattern="/**" auto-config="true">
    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <security:form-login login-page="/html/myLogin.html" login-processing-url="/myLogin" always-use-default-target="true"
                         username-parameter="name" password-parameter="password"
                         default-target-url="/html/home.html"
                         authentication-failure-url="/html/login_failure.html"/>
    <security:csrf disabled="true"/>
</security:http>
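login-page: specifies the login page
login-processing-url: specifies the URI the login data is submitted to, i.e. the URI that performs the authentication
default-target-url: the page to go to after a successful login
authentication-failure-url: the page to go to after a failed login
always-use-default-target: makes the user go to the target URL by default; a user who is not logged in is forced back to the login page.
username-parameter / password-parameter: specify the names of the fields that carry the username and password at login.
As for csrf, I couldn't get it to work, so I simply disabled it. If it is not disabled, login involves an extra CSRF verification step.
After configuring the <security:http> tag, if we run the application directly, we find the page being redirected endlessly. We defined a custom login page, but Spring Security intercepts and redirects that page as well, so arriving at the login page triggers another interception and redirect, and the request falls into an infinite loop. So we need to tell the framework that this page does not need to be intercepted.
Add to the configuration file: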
<security:http pattern="/html/myLogin.html" security="none"/>
<security:http pattern="/html/login_failure.html" security="none"/>
So the complete configuration file should be:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">
    <security:http pattern="/html/myLogin.html" security="none"/>
    <security:http pattern="/html/login_failure.html" security="none"/>
    <security:http pattern="/**" auto-config="true">
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <security:form-login login-page="/html/myLogin.html"
                             login-processing-url="/myLogin"
                             always-use-default-target="true"
                             username-parameter="name" password-parameter="password"
                             default-target-url="/html/home.html"
                             authentication-failure-forward-url="/html/login_failure.html" />
        <security:csrf disabled="true"/>
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="myName" authorities="ROLE_USER" password="123456"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
The login HTML
Here the login is mainly done by submitting a form:
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>User</title>
    <script type="text/javascript" src="/js/jquery.min.js"></script>
</head>
<body>
<div>
    <!-- POST: Spring Security only processes login submissions sent with POST, and the password stays out of the URL -->
    <form name='f'
          action='/myLogin'
          method='POST'>
        <table class="formtable">
            <tr>
                <td class="title">Enter name:</td>
                <td><input class="control" type='text' name='name' id="name"></td>
            </tr>
            <tr>
                <td class="title">Enter password:</td>
                <td><input class="control" type='password' name='password' id="password"/></td>
            </tr>
            <tr>
                <td colspan='2'><input name="submit" type="submit"
                                       value="Log in" /></td>
            </tr>
        </table>
    </form>
</div>
</body>
</html>
Run the application now and our custom login page is displayed.