Spring Security自定義表單登錄註釋示例

在本教程中,我們將以前的  Spring Security定製登錄表單(XML)項目 轉換爲一個純粹基於註解的項目。注意:由於在這一系列教程中使用的是Maven來創建工程,如果不瞭解 Mave 如何使用的,可以參考: http://www.yiibai.com/maven/create-a-maven-web-project-with-eclipse.html

需要用到的技術:

  1. Spring 3.2.8.RELEASE
  2. Spring Security 3.2.3.RELEASE
  3. Eclipse 4.2
  4. JDK 1.6
  5. Maven 3
  6. Tomcat 7 (Servlet 3.x)

注意
在這個例子中,上一個Spring Security hello world聲明示例 將被重用,增強這個以支持自定義登錄表單。

2. 工程目錄結構

我們來看看本教程的最終目錄結構。如下所示 - 
Spring

3. Spring Security配置

Spring Security通過註解配置,如下圖所示:

SecurityConfig.java

package com.yiibai.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
               .withUser("yiibai").password("123456").roles("USER");
}

//.csrf() is optional, enabled by default, if using WebSecurityConfigurerAdapter constructor
@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
    .antMatchers("/admin/\*\*").access("hasRole('ROLE\_USER')")
    .and()
        .formLogin().loginPage("/login").failureUrl("/login?error")
        .usernameParameter("username").passwordParameter("password")        
    .and()
        .logout().logoutSuccessUrl("/login?logout")
    .and()
        .csrf();         
}

}

Spring Security的XML文件相當於以下配置:

<authentication-manager>
  <authentication-provider>
    <user-service>
    <user name="yiibai" password="123456" authorities="ROLE\_USER" />
    </user-service>
  </authentication-provider>
</authentication-manager>

4. 自定義登錄表單

4.1 這個頁面用於顯示自定義登錄表單。如果CSRF保護被啓用,記得要在登錄和註銷表單中添加${_csrf.token}。

login.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>

Login Page

<h1>Spring Security Custom Login Form (Annotation)</h1>

<div id="login-box">

    <h2>Login with Username and Password</h2>

    <c:if test="${not empty error}">
        <div class="error">${error}</div>
    </c:if>
    <c:if test="${not empty msg}">
        <div class="msg">${msg}</div>
    </c:if>

    <form name='loginForm'
        action="<c:url value='j\_spring\_security\_check' />" method='POST'>

        <table>
        <tr>
            <td>User:</td>
            <td><input type='text' name='user' value=''></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type='password' name='pass' /></td>
        </tr>
        <tr>
                <td colspan='2'>
                            <input name="submit" type="submit" value="submit" />
                            </td>
        </tr>
       </table>

       <input type="hidden" 
                 name="${\_csrf.parameterName}" value="${\_csrf.token}" />
    </form>
</div>

4.2 這個頁面用來顯示歡迎信息,這是一個默認頁面。

hello.jsp

<%@page session="false"%>

Title : ${title}

Message : ${message}

4.3 這頁面有密碼保護,只有經過驗證的用戶才允許訪問。

admin.jsp + logout

<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>

Title : ${title}

Message : ${message}

<c:url value="/j\_spring\_security\_logout" var="logoutUrl" />

    <!-- csrt support -->
<form action="${logoutUrl}" method="post" id="logoutForm">
    <input type="hidden" 
        name="${\_csrf.parameterName}"
        value="${\_csrf.token}" />
</form>

<script>
    function formSubmit() {
        document.getElementById("logoutForm").submit();
    }
</script>

<c:if test="${pageContext.request.userPrincipal.name != null}">
    <h2>
        Welcome : ${pageContext.request.userPrincipal.name} | <a
            href="javascript:formSubmit()"> Logout</a>
    </h2>
</c:if>

5. Spring MVC控制器

一個簡單的控制器,如下所示:

HelloController.java

package com.yiibai.web.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class HelloController {

@RequestMapping(value = { "/", "/welcome\*\*" }, method = RequestMethod.GET)
public ModelAndView welcomePage() {

    ModelAndView model = new ModelAndView();
    model.addObject("title", "Spring Security Custom Login Form");
    model.addObject("message", "This is welcome page!");
    model.setViewName("hello");
    return model;

}

@RequestMapping(value = "/admin\*\*", method = RequestMethod.GET)
public ModelAndView adminPage() {

    ModelAndView model = new ModelAndView();
    model.addObject("title", "Spring Security Custom Login Form");
    model.addObject("message", "This is protected page!");
    model.setViewName("admin");

    return model;

}

//Spring Security see this :
@RequestMapping(value = "/login", method = RequestMethod.GET)
public ModelAndView login(
    @RequestParam(value = "error", required = false) String error,
    @RequestParam(value = "logout", required = false) String logout) {

    ModelAndView model = new ModelAndView();
    if (error != null) {
        model.addObject("error", "Invalid username and password!");
    }

    if (logout != null) {
        model.addObject("msg", "You've been logged out successfully.");
    }
    model.setViewName("login");

    return model;

}

}

6. 初始化類

下面是初始化類,使這個項目是純粹基於註解。

6.1 初始化類啓用Spring Security配置。

SpringSecurityInitializer.java

package com.yiibai.config.core;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {

}

6.2 初始化類啓用Spring MVC。

SpringMvcInitializer.java

package com.yiibai.config.core;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
import com.yiibai.config.AppConfig;

public class SpringMvcInitializer
extends AbstractAnnotationConfigDispatcherServletInitializer {

@Override
protected Class<?>\[\] getRootConfigClasses() {
    return new Class\[\] { AppConfig.class };
}

@Override
protected Class<?>\[\] getServletConfigClasses() {
    return null;
}

@Override
protected String\[\] getServletMappings() {
    return new String\[\] { "/" };
}

}

AppConfig.java

package com.yiibai.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;

@EnableWebMvc
@Configuration
@ComponentScan({ "com.yiibai.web.*" })
@Import({ SecurityConfig.class })
public class AppConfig {

@Bean
public InternalResourceViewResolver viewResolver() {
    InternalResourceViewResolver viewResolver
                       = new InternalResourceViewResolver();
    viewResolver.setViewClass(JstlView.class);
    viewResolver.setPrefix("/WEB-INF/pages/");
    viewResolver.setSuffix(".jsp");
    return viewResolver;
}

}

7. 示例

7.1. 打開歡迎頁面 – http://localhost:8080/spsecurity-custom-login-form-annotation/welcome 
Spring

7.2 嘗試訪問 http://localhost:8080/spsecurity-custom-login-form-annotation/admin 頁面,它將會顯示自定義登錄表單。如下圖中所示:
Spring

7.3. 如果用戶名和密碼不正確,將顯示頁面: http://localhost:8080/spsecurity-custom-login-form-annotation/login?error
Spring

7.4. 如果用戶名和密碼都正確,Spring將請求重定向到原來請求的URL並顯示該網頁內容。
Spring

7.5. 嘗試註銷,它會重定向到  http://localhost:8080/spsecurity-custom-login-form-annotation/login?logout 頁面,如下所示:
Spring

下載源代碼

下載代碼 –  spsecurity-custom-login-form-annotation.zip (19 KB)

參考

  1. Spring Security Hello World註釋實例
  2. 創建一個自定義登錄表單
  3. Spring Security 3.2.0.RC1 Highlights: CSRF Protection
  4. Wikipedia : Cross-site request forgery