Spring Security自定義表單登錄註釋示例
在本教程中,我們將以前的 Spring Security定製登錄表單(XML)項目 轉換爲一個純粹基於註解的項目。注意:由於在這一系列教程中使用的是Maven來創建工程,如果不瞭解 Mave 如何使用的,可以參考: http://www.yiibai.com/maven/create-a-maven-web-project-with-eclipse.html
需要用到的技術:
- Spring 3.2.8.RELEASE
- Spring Security 3.2.3.RELEASE
- Eclipse 4.2
- JDK 1.6
- Maven 3
- Tomcat 7 (Servlet 3.x)
注意
在這個例子中,上一個Spring Security hello world聲明示例 將被重用,增強這個以支持自定義登錄表單。
2. 工程目錄結構
我們來看看本教程的最終目錄結構。如下所示 -
3. Spring Security配置
Spring Security通過註解配置,如下圖所示:
SecurityConfig.java
package com.yiibai.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("yiibai").password("123456").roles("USER");
}
//.csrf() is optional, enabled by default, if using WebSecurityConfigurerAdapter constructor
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin/\*\*").access("hasRole('ROLE\_USER')")
.and()
.formLogin().loginPage("/login").failureUrl("/login?error")
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login?logout")
.and()
.csrf();
}
}
Spring Security的XML文件相當於以下配置:
<authentication-manager>
<authentication-provider>
<user-service>
<user name="yiibai" password="123456" authorities="ROLE\_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
4. 自定義登錄表單
4.1 這個頁面用於顯示自定義登錄表單。如果CSRF保護被啓用,記得要在登錄和註銷表單中添加${_csrf.token}。
login.jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<h1>Spring Security Custom Login Form (Annotation)</h1>
<div id="login-box">
<h2>Login with Username and Password</h2>
<c:if test="${not empty error}">
<div class="error">${error}</div>
</c:if>
<c:if test="${not empty msg}">
<div class="msg">${msg}</div>
</c:if>
<form name='loginForm'
action="<c:url value='j\_spring\_security\_check' />" method='POST'>
<table>
<tr>
<td>User:</td>
<td><input type='text' name='user' value=''></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='pass' /></td>
</tr>
<tr>
<td colspan='2'>
<input name="submit" type="submit" value="submit" />
</td>
</tr>
</table>
<input type="hidden"
name="${\_csrf.parameterName}" value="${\_csrf.token}" />
</form>
</div>
4.2 這個頁面用來顯示歡迎信息,這是一個默認頁面。
hello.jsp
<%@page session="false"%>
Title : ${title}
Message : ${message}
4.3 這頁面有密碼保護,只有經過驗證的用戶才允許訪問。
admin.jsp + logout
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>
Title : ${title}
Message : ${message}
<c:url value="/j\_spring\_security\_logout" var="logoutUrl" />
<!-- csrt support -->
<form action="${logoutUrl}" method="post" id="logoutForm">
<input type="hidden"
name="${\_csrf.parameterName}"
value="${\_csrf.token}" />
</form>
<script>
function formSubmit() {
document.getElementById("logoutForm").submit();
}
</script>
<c:if test="${pageContext.request.userPrincipal.name != null}">
<h2>
Welcome : ${pageContext.request.userPrincipal.name} | <a
href="javascript:formSubmit()"> Logout</a>
</h2>
</c:if>
5. Spring MVC控制器
一個簡單的控制器,如下所示:
HelloController.java
package com.yiibai.web.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;
@Controller
public class HelloController {
@RequestMapping(value = { "/", "/welcome\*\*" }, method = RequestMethod.GET)
public ModelAndView welcomePage() {
ModelAndView model = new ModelAndView();
model.addObject("title", "Spring Security Custom Login Form");
model.addObject("message", "This is welcome page!");
model.setViewName("hello");
return model;
}
@RequestMapping(value = "/admin\*\*", method = RequestMethod.GET)
public ModelAndView adminPage() {
ModelAndView model = new ModelAndView();
model.addObject("title", "Spring Security Custom Login Form");
model.addObject("message", "This is protected page!");
model.setViewName("admin");
return model;
}
//Spring Security see this :
@RequestMapping(value = "/login", method = RequestMethod.GET)
public ModelAndView login(
@RequestParam(value = "error", required = false) String error,
@RequestParam(value = "logout", required = false) String logout) {
ModelAndView model = new ModelAndView();
if (error != null) {
model.addObject("error", "Invalid username and password!");
}
if (logout != null) {
model.addObject("msg", "You've been logged out successfully.");
}
model.setViewName("login");
return model;
}
}
6. 初始化類
下面是初始化類,使這個項目是純粹基於註解。
6.1 初始化類啓用Spring Security配置。
SpringSecurityInitializer.java
package com.yiibai.config.core;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}
6.2 初始化類啓用Spring MVC。
SpringMvcInitializer.java
package com.yiibai.config.core;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
import com.yiibai.config.AppConfig;
public class SpringMvcInitializer
extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>\[\] getRootConfigClasses() {
return new Class\[\] { AppConfig.class };
}
@Override
protected Class<?>\[\] getServletConfigClasses() {
return null;
}
@Override
protected String\[\] getServletMappings() {
return new String\[\] { "/" };
}
}
AppConfig.java
package com.yiibai.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;
@EnableWebMvc
@Configuration
@ComponentScan({ "com.yiibai.web.*" })
@Import({ SecurityConfig.class })
public class AppConfig {
@Bean
public InternalResourceViewResolver viewResolver() {
InternalResourceViewResolver viewResolver
= new InternalResourceViewResolver();
viewResolver.setViewClass(JstlView.class);
viewResolver.setPrefix("/WEB-INF/pages/");
viewResolver.setSuffix(".jsp");
return viewResolver;
}
}
7. 示例
7.1. 打開歡迎頁面 – http://localhost:8080/spsecurity-custom-login-form-annotation/welcome
7.2 嘗試訪問 http://localhost:8080/spsecurity-custom-login-form-annotation/admin 頁面,它將會顯示自定義登錄表單。如下圖中所示:
7.3. 如果用戶名和密碼不正確,將顯示頁面: http://localhost:8080/spsecurity-custom-login-form-annotation/login?error
7.4. 如果用戶名和密碼都正確,Spring將請求重定向到原來請求的URL並顯示該網頁內容。
7.5. 嘗試註銷,它會重定向到 http://localhost:8080/spsecurity-custom-login-form-annotation/login?logout 頁面,如下所示:
下載源代碼
下載代碼 – spsecurity-custom-login-form-annotation.zip (19 KB)
參考
- Spring Security Hello World註釋實例
- 創建一個自定義登錄表單
- Spring Security 3.2.0.RC1 Highlights: CSRF Protection
- Wikipedia : Cross-site request forgery