Spring Security Form Login |
您所在的位置:网站首页 › spring security custom-filter › Spring Security Form Login |
|
1. Introduction
This tutorial will focus on Login with Spring Security. We're going to build on top of the previous Spring MVC example, as that's a necessary part of setting up the web application along with the login mechanism. Further reading: Spring Security - Redirect to the Previous URL After Login A short example of redirection after login in Spring Security Read more → Two Login Pages with Spring Security A quick and practical guide to configuring Spring Security with two separate login pages. Read more → Spring Security Form Login A Spring Login Example - How to Set Up a simple Login Form, a Basic Security XML Configuration and some more Advanced Configuration Techniques. Read more → 2. The Maven DependenciesWhen working with Spring Boot, the spring-boot-starter-security starter will automatically include all dependencies, such as spring-security-core, spring-security-web, and spring-security-config among others: org.springframework.boot spring-boot-starter-security 2.3.3.RELEASEIf we don't use Spring Boot, please see the Spring Security with Maven article, which describes how to add all required dependencies. Both standard spring-security-web and spring-security-config will be required. 3. Spring Security Java ConfigurationLet's start by creating a Spring Security configuration class that creates a SecurityFilterChain bean. By adding @EnableWebSecurity, we get Spring Security and MVC integration support: @Configuration @EnableWebSecurity public class SecSecurityConfig { @Bean public InMemoryUserDetailsManager userDetailsService() { // InMemoryUserDetailsManager (see below) } @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // http builder configurations for authorize requests and form login (see below) } }In this example, we used in-memory authentication and defined three users. Next we'll go through the elements we used to create the form login configuration. Let's start by building our Authentication Manager. 3.1. InMemoryUserDetailsManagerThe Authentication Provider is backed by a simple, in-memory implementation, InMemoryUserDetailsManager. This is useful for rapid prototyping when a full persistence mechanism is not yet necessary: @Bean public InMemoryUserDetailsManager userDetailsService() { UserDetails user1 = User.withUsername("user1") .password(passwordEncoder().encode("user1Pass")) .roles("USER") .build(); UserDetails user2 = User.withUsername("user2") .password(passwordEncoder().encode("user2Pass")) .roles("USER") .build(); UserDetails admin = User.withUsername("admin") .password(passwordEncoder().encode("adminPass")) .roles("ADMIN") .build(); return new InMemoryUserDetailsManager(user1, user2, admin); }Here we'll configure three users with the username, password, and role hard-coded. Starting with Spring 5, we also have to define a password encoder. In our example, we'll use the BCryptPasswordEncoder: @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }Next let's configure the HttpSecurity. 3.2. Configuration to Authorize RequestsWe'll start by doing the necessary configurations to Authorize Requests. Here we're allowing anonymous access on /login so that users can authenticate. We'll restrict /admin to ADMIN roles and securing everything else: @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.csrf() .disable() .authorizeRequests() .antMatchers("/admin/**") .hasRole("ADMIN") .antMatchers("/anonymous*") .anonymous() .antMatchers("/login*") .permitAll() .anyRequest() .authenticated() .and() // ... }Note that the order of the antMatchers() elements is significant; the more specific rules need to come first, followed by the more general ones. 3.3. Configuration for Form LoginNext we'll extend the above configuration for form login and logout: @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http // ... .and() .formLogin() .loginPage("/login.html") .loginProcessingUrl("/perform_login") .defaultSuccessUrl("/homepage.html", true) .failureUrl("/login.html?error=true") .failureHandler(authenticationFailureHandler()) .and() .logout() .logoutUrl("/perform_logout") .deleteCookies("JSESSIONID") .logoutSuccessHandler(logoutSuccessHandler()); return http.build(); } loginPage() – the custom login page loginProcessingUrl() – the URL to submit the username and password to defaultSuccessUrl() – the landing page after a successful login failureUrl() – the landing page after an unsuccessful login logoutUrl() – the custom logout 4. Add Spring Security to the Web ApplicationTo use the above-defined Spring Security configuration, we need to attach it to the web application. We'll use the WebApplicationInitializer, so we don't need to provide any web.xml: public class AppInitializer implements WebApplicationInitializer { @Override public void onStartup(ServletContext sc) { AnnotationConfigWebApplicationContext root = new AnnotationConfigWebApplicationContext(); root.register(SecSecurityConfig.class); sc.addListener(new ContextLoaderListener(root)); sc.addFilter("securityFilter", new DelegatingFilterProxy("springSecurityFilterChain")) .addMappingForUrlPatterns(null, false, "/*"); } }Note that this initializer isn't necessary if we're using a Spring Boot application. For more details on how the security configuration is loaded in Spring Boot, have a look at our article on Spring Boot security auto-configuration. 5. The Spring Security XML ConfigurationLet's also have a look at the corresponding XML configuration. The overall project is using Java configuration, so we need to import the XML configuration file via a Java @Configuration class: @Configuration @ImportResource({ "classpath:webSecurityConfig.xml" }) public class SecSecurityConfig { public SecSecurityConfig() { super(); } }And the Spring Security XML Configuration, webSecurityConfig.xml: 6. The web.xmlBefore the introduction of Spring 4, we used to configure Spring Security in the web.xml; only an additional filter added to the standard Spring MVC web.xml: Spring Secured Application springSecurityFilterChain org.springframework.web.filter.DelegatingFilterProxy springSecurityFilterChain /*The filter – DelegatingFilterProxy – simply delegates to a Spring-managed bean – the FilterChainProxy – which itself is able to benefit from full Spring bean life-cycle management and such. 7. The Login FormThe login form page is going to be registered with Spring MVC using the straightforward mechanism to map views names to URLs. Furthermore, there is no need for an explicit controller in between: registry.addViewController("/login.html");This, of course, corresponds to the login.jsp: Login User: Password:The Spring Login form has the following relevant artifacts: login – the URL where the form is POSTed to trigger the authentication process username – the username password – the password 8. Further Configuring Spring LoginWe briefly discussed a few configurations of the login mechanism when we introduced the Spring Security Configuration above. Now let's go into some greater detail. One reason to override most of the defaults in Spring Security is to hide that the application is secured with Spring Security. We also want to minimize the information a potential attacker knows about the application. Fully configured, the login element looks like this: @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.formLogin() .loginPage("/login.html") .loginProcessingUrl("/perform_login") .defaultSuccessUrl("/homepage.html",true) .failureUrl("/login.html?error=true") return http.build(); }Or the corresponding XML configuration: 8.1. The Login PageNext we'll configure a custom login page using the loginPage() method: http.formLogin() .loginPage("/login.html")Similarly, we can use the XML configuration: login-page='/login.html'If we don't specify this, Spring Security will generate a very basic Login Form at the /login URL. 8.2. The POST URL for LoginThe default URL where the Spring Login will POST to trigger the authentication process is /login, which used to be /j_spring_security_check before Spring Security 4. We can use the loginProcessingUrl method to override this URL: http.formLogin() .loginProcessingUrl("/perform_login")We can also use the XML configuration: login-processing-url="/perform_login"By overriding this default URL, we're concealing that the application is actually secured with Spring Security. This information should not be available externally. 8.3. The Landing Page on SuccessAfter successfully logging in, we will be redirected to a page that by default is the root of the web application. We can override this via the defaultSuccessUrl() method: http.formLogin() .defaultSuccessUrl("/homepage.html")Or with XML configuration: default-target-url="/homepage.html"If the always-use-default-target attribute is set to true, then the user is always redirected to this page. If that attribute is set to false, then the user will be redirected to the previous page they wanted to visit before being prompted to authenticate. 8.4. The Landing Page on FailureSimilar to the Login Page, the Login Failure Page is autogenerated by Spring Security at /login?error by default. To override this, we can use the failureUrl() method: http.formLogin() .failureUrl("/login.html?error=true")Or with XML: authentication-failure-url="/login.html?error=true" 9. ConclusionIn this Spring Login Example, we configured a simple authentication process. We also discussed the Spring Security Login Form, the Security Configuration, and some of the more advanced customizations available. The implementation of this article can be found in the GitHub project – this is an Eclipse-based project, so it should be easy to import and run as it is. When the project runs locally, the sample HTML can be accessed at: http://localhost:8080/spring-security-mvc-login/login.html |
| CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3 |