本篇文章为你整理了Form Login :: Spring Security()的详细内容,包含有 Form Login :: Spring Security,希望能帮助你了解 Form Login :: Spring Security。
Form LoginSpring Security provides support for username and password being provided through an HTML form.This section provides details on how form based authentication works within Spring Security.
This section examines how form-based login works within Spring Security.First, we see how the user is redirected to the login form:
Figure 1. Redirecting to the Login PageThe preceding figure builds off our SecurityFilterChain diagram.
First, a user makes an unauthenticated request to the resource (/private) for which it is not authorized.
Spring Security s FilterSecurityInterceptor indicates that the unauthenticated request is Denied by throwing an AccessDeniedException.
The browser requests the login page to which it was redirected.
When the username and password are submitted, the UsernamePasswordAuthenticationFilter authenticates the username and password.
The UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter, so the following diagram should look pretty similar:
When the user submits their username and password, the UsernamePasswordAuthenticationFilter creates a UsernamePasswordAuthenticationToken, which is a type of Authentication, by extracting the username and password from the HttpServletRequest instance.
Next, the UsernamePasswordAuthenticationToken is passed into the AuthenticationManager instance to be authenticated.
The details of what AuthenticationManager looks like depend on how the user information is stored.
RememberMeServices.loginFail is invoked.
If remember me is not configured, this is a no-op.
See the RememberMeServices interface in the Javadoc.
If authentication is successful, then Success.
RememberMeServices.loginSuccess is invoked.
If remember me is not configured, this is a no-op.
See the RememberMeServices interface in the Javadoc.
The AuthenticationSuccessHandler is invoked. Typically, this is a SimpleUrlAuthenticationSuccessHandler, which redirects to a request saved by ExceptionTranslationFilter when we redirect to the login page.
By default, Spring Security form login is enabled.
However, as soon as any servlet-based configuration is provided, form based login must be explicitly provided.
The following example shows a minimal, explicit Java configuration:
In the preceding configuration, Spring Security renders a default login page.
Most production applications require a custom login form.
intercept-url pattern="/login" access="permitAll" /
form-login login-page="/login" /
/http
When the login page is specified in the Spring Security configuration, you are responsible for rendering the page.
The following Thymeleaf template produces an HTML login form that complies with a login page of /login.:
!DOCTYPE html
html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
head
title Please Log In /title
/head
body
h1 Please Log In /h1
div th:if="${param.error}"
Invalid username and password. /div
div th:if="${param.logout}"
You have been logged out. /div
form th:action="@{/login}" method="post"
div
input type="text" name="username" placeholder="Username"/
/div
div
input type="password" name="password" placeholder="Password"/
/div
input type="submit" value="Log in" /
/form
/body
/html
If the HTTP parameter named error is found, it indicates the user failed to provide a valid username or password.
If the HTTP parameter named logout is found, it indicates the user has logged out successfully.
Many users do not need much more than to customize the login page.
However, if needed, you can customize everything shown earlier with additional configuration.
If you use Spring MVC, you need a controller that maps GET /login to the login template we created.
The following example shows a minimal LoginController:
以上就是Form Login :: Spring Security()的详细内容,想要了解更多 Form Login :: Spring Security的内容,请持续关注盛行IT软件开发工作室。
郑重声明:本文由网友发布,不代表盛行IT的观点,版权归原作者所有,仅为传播更多信息之目的,如有侵权请联系,我们将第一时间修改或删除,多谢。