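Posted by admin on 2020-03-29T15:24:07
Category: SpringBoot
Tags: spring, boot, Spring Security
Note: this article assumes basic knowledge of Spring Security.
While building a custom login page, clicking the login button redirected back to the login page instead of to the login success page. Only after searching Baidu and reading the official source did I learn that Spring Security's default login URL is /login and that it only intercepts POST requests. So the request that navigates to your own login page has to be mapped as a GET request, and then the error does not occur.
Spring Security official source, UsernamePasswordAuthenticationFilter.java: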
    public UsernamePasswordAuthenticationFilter() {
        super(new AntPathRequestMatcher("/login", "POST"));
    }
As the source shows, the default login URL is /login and the method is POST.
Next, look at the request that navigates to the login page.
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;

    @Controller
    public class LoginController {

        private static final Logger logger = LoggerFactory.getLogger(LoginController.class);

        // Serves the login page on GET only, so it never collides with POST /login,
        // which UsernamePasswordAuthenticationFilter handles
        @RequestMapping(value = "/customLogin", method = RequestMethod.GET)
        public String gotoLogin() {
            logger.debug("请求登录页面...");
            return "login";
        }
    }
Next, modify WebSecurityConfig.java (this class must extend WebSecurityConfigurerAdapter).
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    // Declare this as a configuration class
    @Configuration
    // Enable Spring Security's web security support
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Configure the login page
            http.authorizeRequests()
                    // authorizeRequests() needs at least one mapping, otherwise startup fails
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                    .loginPage("/customLogin") // the login page
                    .loginProcessingUrl("/login") // login URL; must match the action of the form
                // CSRF protection is switched off here; the form below sends no CSRF token
                .and().csrf().disable();
        }

        @Override
        public void configure(WebSecurity web) {
            // Paths that skip the security filter chain entirely; lets static resources through
            web.ignoring().antMatchers(
                    "/"
                    , "/static/**"
                    , "/html/**"
                    , "/login.html"
                    , "/index.html"
                    , "/about.html"
                    , "/customLogin");
        }
    }
Now look at the form in login.html. The form's action must match the loginProcessingUrl set in WebSecurityConfig, otherwise login will not work.
    <form class="form-signin" method="post" action="/login">
        <h2 class="form-signin-heading">登录</h2>
        <label for="username" class="sr-only">用户名</label>
        <input type="text" style="height: 46px;line-height: 46px;margin-bottom: 16px;" id="username" name="username" class="form-control" placeholder="请输入用户名" required autofocus>
        <label for="password" class="sr-only">密码</label>
        <input type="password" style="height: 46px;line-height: 46px;" id="password" name="password" class="form-control" placeholder="请输入密码" required>
        <div class="checkbox">
            <label>
                <input type="checkbox" value="remember-me"> 记住密码
            </label>
        </div>
        <button class="btn btn-lg btn-primary btn-block" type="submit">登录</button>
    </form>
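
A variant of the configuration above that keeps CSRF protection enabled and narrows the ignored paths, as an added example that is not part of the original post. The class name HardenedWebSecurityConfig is hypothetical, and it assumes the "login" view is a Thymeleaf template, so that writing the form as th:action="@{/login}" inserts the hidden _csrf field.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical replacement for WebSecurityConfig (added example, not the post's code)
@Configuration
@EnableWebSecurity
public class HardenedWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Public pages stay inside the filter chain, so security headers
                // and the SecurityContext still apply to them
                .antMatchers("/", "/index.html", "/about.html").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/customLogin")    // GET, served by LoginController
                .loginProcessingUrl("/login") // POST, must match the form action
                // permitAll() opens the login page, the processing URL and the
                // failure redirect to anonymous users
                .permitAll();
        // No csrf().disable(): CSRF protection stays at its default (enabled),
        // so POST /login is rejected unless the form carries the _csrf token.
        // Assumption: the view is a Thymeleaf template whose form uses
        // th:action="@{/login}", which adds the hidden _csrf input.
    }

    @Override
    public void configure(WebSecurity web) {
        // Only truly static content bypasses the filter chain
        web.ignoring().antMatchers("/static/**", "/html/**");
    }
}
```

With this variant the plain action="/login" form shown above gets a 403 on submit until the token field is present.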