013 个性化用户认证流程

一：任务

1.任务

　　自定义登录页面

　　自定义登录成功处理

　　自定义登录失败处理

二：自定义登录页面

1.说明

　　在security中，默认的登录处理是

　　

2.BrowserSecurityConfig

　　这里从新定义登录的页面，与登录方法

package com.cao.security.browser;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
 * 覆盖掉security原有的配置
 * @author dell
 *
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter{
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //表单登陆的一个安全认证环境
        http.formLogin()
            .loginPage("/index.html")
            .loginProcessingUrl("/authentication/form")
//        http.httpBasic()
            .and()
            .authorizeRequests()    //请求授权
            .antMatchers("/index.html").permitAll()  //这个url不需要认证
            .anyRequest()            //任何请求
            .authenticated()         //都需要认证
            .and()
            .csrf().disable();      //去掉csrf的防护
        
    }
    
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

3.index.htnl

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>登录</title>
</head>
<body>
    <h2>标准登录页面</h2>
    <h3>表单登录</h3>
    <form action="/authentication/form" method="post">
        <table>
            <tr>
                <td>用户名</td>
                <td><input type="text" name="username"></td>
            </tr>
            <tr>
                <td>密码</td>
                <td><input type="password" name="password"></td>
            </tr>
            <tr>
                <td colspan="2"><button type="submit">登录</button></td>
            </tr>
        </table>
    </form>
</body>
</html>

4.登录界面

　　

三：优化

1.问题

　　现在的处理是接收到html请求，然后直接跳转到了html登录页面

　　因为，这里优化一下比较好，做到统一处理。

　　现在的优化方法如下：

　　

2.先修改配置类

　　这里说明，进入的显示控制类，然后由控制类进行决定走哪里

　　这里还包含了自定义的url不进过认证，这里的程序先粘贴过来了。

package com.cao.security.browser;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import com.cao.security.core.properties.SecurityProperties;
/**
 * 覆盖掉security原有的配置
 * @author dell
 *
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter{
    @Autowired
    private SecurityProperties securityProperties;
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //表单登陆的一个安全认证环境
        http.formLogin()
            .loginPage("/authentication/require")
            .loginProcessingUrl("/authentication/form")
//        http.httpBasic()
            .and()
            .authorizeRequests()    //请求授权
            .antMatchers("/authentication/require",
                    securityProperties.getBrowser().getLoginPage()).permitAll()  //这个url不需要认证，包含自定义的登录页
            .anyRequest()            //任何请求
            .authenticated()         //都需要认证
            .and()
            .csrf().disable();      //去掉csrf的防护
        
    }
    
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

3.控制类

　　这里直接读取的是可以自定义的页面，后续会添加如何引入的。

/**
 * 
 */
package com.cao.security.browser;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

import com.cao.security.browser.support.SimpleResponse;
import com.cao.security.core.properties.SecurityProperties;

/**
 * @author dell
 *
 */
@RestController
public class BrowserSecurityController {
    private Logger logger=LoggerFactory.getLogger(getClass());
    //拿到引气身份跳转的请求
    //因为在跳转之前，security会将请求缓存到session中
    private RequestCache requestCache=new HttpSessionRequestCache();
    
    //跳转
    private RedirectStrategy redirectStrategy=new DefaultRedirectStrategy();
    
    //方便读取自定义登录页的配置项
    @Autowired
    private SecurityProperties securityProperties;

    /**
     * 当需要身份认证的时候，跳转到这里
     * @param request
     * @param response
     * @return
     * @throws Exception 
     */
    @RequestMapping("/authentication/require")
    @ResponseStatus(code=HttpStatus.UNAUTHORIZED)
    public SimpleResponse requiredAuthentication(HttpServletRequest request,HttpServletResponse response) throws Exception {
        SavedRequest saveRequest=requestCache.getRequest(request, response);
        if(saveRequest!=null) {
            String target=saveRequest.getRedirectUrl();
            logger.info("引发跳转的请求："+target);
            if(StringUtils.endsWithIgnoreCase(target, ".html")) {
                //跳转到一个自定义的登录页
                redirectStrategy.sendRedirect(request, response, securityProperties.getBrowser().getLoginPage());
            }
        }
        return new SimpleResponse("访问的服务需要身份认证，请引导到登录页");
    }
}

 　　返回值，需要一个类。SimpleResponse.java

package com.cao.security.browser.support;

public class SimpleResponse {
    public SimpleResponse(Object content) {
        this.content=content;
    }
    
    private Object content;

    public Object getContent() {
        return content;
    }

    public void setContent(Object content) {
        this.content = content;
    }
    
}

4.系统配置封装

　　方便统一管理用户的配置项。

　　

5.新建SecurityProperties

　　这里是最外层的一层包装

　　同时。这里需要放入在core的项目下。

　　

　　首先，这里会读取的是jun.security开头的配置项，同时会把配置项的第三个字段读取到同browser相同的类中。所以，后续还要写browser的类。

package com.cao.security.core.properties;

import org.springframework.boot.context.properties.ConfigurationProperties;

@ConfigurationProperties(prefix="jun.security")
public class SecurityProperties {
    private BrowserProperties browser=new BrowserProperties();

    public BrowserProperties getBrowser() {
        return browser;
    }

    public void setBrowser(BrowserProperties browser) {
        this.browser = browser;
    }

    
}

6.BrowserProperties.java

　　这里要读取的是配置项的第四个字段，这里需要的是不能乱写。

　　loginPage这里有一个默认值，如果用户没有给，就使用初始化的值。

package com.cao.security.core.properties;

public class BrowserProperties {

    private String loginPage="/index.html";

    public String getLoginPage() {
        return loginPage;
    }

    public void setLoginPage(String loginPage) {
        this.loginPage = loginPage;
    }
    
}

7.SecurityConfig.java

　　这里是的配置项的类生效，这里的类写最外层的即可。

package com.cao.security.core.properties;

import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Configuration;

@Configuration
//让SecurityProperties读取器生效
@EnableConfigurationProperties(SecurityProperties.class)
public class SecurityCoreConfig {

}

8.自定义的配置项

　　这里写在demo项目中。

##JDBC
spring.datasource.driver-class-name = com.mysql.jdbc.Driver
spring.datasource.url= jdbc:mysql://127.0.0.1:3308/test?useUnicode=yes&characterEncoding=UTF-8&useSSL=false
spring.datasource.username = root
spring.datasource.password = 123456

##session store type
spring.session.store-type=none

##server port
#server.port=8060

##security login
#security.basic.enabled = false

jun.security.browser.loginPage=/newIndex.html

9.效果

　　访问：http://localhost:8080/user/

　　

　　访问：newIndex.html

　　

　　访问：http://localhost:8080/index.html

　　

四：登录成功后的处理

1.修改初始化的配置

　　主要是说明登录成功后使用自定义的类

package com.cao.security.browser;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import com.cao.security.browser.authentication.BrowserAuthenticationSucceswsHandler;
import com.cao.security.core.properties.SecurityProperties;
/**
 * @Description 覆盖掉security原有的配置
 * @author dell
 *
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter{
    //获取自定义的登录页面
    @Autowired
    private SecurityProperties securityProperties;
    
    //使用自己的登录成功后的处理类
    @Autowired
    private AuthenticationSuccessHandler browserAuthenticationSucceswsHandler;
    
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //表单登陆的一个安全认证环境
        http.formLogin()
            .loginPage("/authentication/require")
            .loginProcessingUrl("/authentication/form")
            .successHandler(browserAuthenticationSucceswsHandler)
//        http.httpBasic()
            .and()
            .authorizeRequests()    //请求授权
            .antMatchers("/authentication/require",
                    securityProperties.getBrowser().getLoginPage()).permitAll()  //这个url不需要认证，包含自定义的登录页
            .anyRequest()            //任何请求
            .authenticated()         //都需要认证
            .and()
            .csrf().disable();      //去掉csrf的防护
        
    }
    
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

2.登录成功处理类

package com.cao.security.browser.authentication;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

import com.fasterxml.jackson.databind.ObjectMapper;

@Component(value="browserAuthenticationSucceswsHandler")
public class BrowserAuthenticationSucceswsHandler implements AuthenticationSuccessHandler {
    private Logger logger=LoggerFactory.getLogger(getClass());
    
    @Autowired
    private ObjectMapper objectMapper;

    /**
     * @Description 登录成功会被调用
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        //Authentication 封装了认证信息
        logger.info("登录成功");
        response.setContentType("application/json;charset=UTF-8");
        //将authentication转为json字符串
        response.getWriter().write(objectMapper.writeValueAsString(authentication));
    }

}

3.效果

　　登录成功后的authentication的json格式如下：

　　

五：登录失败后的处理

1.修改初始化的配置

package com.cao.security.browser;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import com.cao.security.browser.authentication.BrowserAuthenticationFailHandler;
import com.cao.security.browser.authentication.BrowserAuthenticationSucceswsHandler;
import com.cao.security.core.properties.SecurityProperties;
/**
 * @Description 覆盖掉security原有的配置
 * @author dell
 *
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter{
    //获取自定义的登录页面
    @Autowired
    private SecurityProperties securityProperties;
    
    //使用自己的登录成功后的处理类
    @Autowired
    private AuthenticationSuccessHandler browserAuthenticationSucceswsHandler;
    
    //使用自己的登录失败后的处理类
    @Autowired
    private BrowserAuthenticationFailHandler browserAuthenticationFailHandler;
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //表单登陆的一个安全认证环境
        http.formLogin()
            .loginPage("/authentication/require")
            .loginProcessingUrl("/authentication/form")
            .successHandler(browserAuthenticationSucceswsHandler)
            .failureHandler(browserAuthenticationFailHandler)
//        http.httpBasic()
            .and()
            .authorizeRequests()    //请求授权
            .antMatchers("/authentication/require",
                    securityProperties.getBrowser().getLoginPage()).permitAll()  //这个url不需要认证，包含自定义的登录页
            .anyRequest()            //任何请求
            .authenticated()         //都需要认证
            .and()
            .csrf().disable();      //去掉csrf的防护
        
    }
    
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

2.失败控制类

package com.cao.security.browser.authentication;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;

import com.fasterxml.jackson.databind.ObjectMapper;
/**
 * @Description 登录失败后的处理
 * @author dell
 *
 */
@Component(value="browserAuthenticationFailHandler")
public class BrowserAuthenticationFailHandler implements AuthenticationFailureHandler {
    private Logger logger=LoggerFactory.getLogger(getClass());
    
    @Autowired
    private ObjectMapper objectMapper;

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        //这里不会有Authentication
        logger.info("登录失败");
        response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().write(objectMapper.writeValueAsString(exception));

    }

}

3.效果

　　

六：优化

1.问题

　　返回的只是json格式的信息

　　因为有时候，前端是模板语言的形式

　　所以，要继续优化，让返回的可以是js0n，也可以是返回的跳转。

2.定义一个枚举

　　包含redirect，json

package com.cao.security.core.properties;

public enum LoginType {
    REDIRECT,
    JSON;
}

3.读取器

　　添加一个字段

package com.cao.security.core.properties;

public class BrowserProperties {

    private String loginPage="/index.html";
    
    private LoginType loginType=LoginType.JSON;

    public String getLoginPage() {
        return loginPage;
    }

    public void setLoginPage(String loginPage) {
        this.loginPage = loginPage;
    }

    public LoginType getLoginType() {
        return loginType;
    }

    public void setLoginType(LoginType loginType) {
        this.loginType = loginType;
    }
    
}

4.成功处理处理器

　　注意继承的类

package com.cao.security.browser.authentication;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

import com.cao.security.core.properties.LoginType;
import com.cao.security.core.properties.SecurityProperties;
import com.fasterxml.jackson.databind.ObjectMapper;
/**
 * @Description 登录成功后的处理
 * @author dell
 *
 */
@Component(value="browserAuthenticationSucceswsHandler")
public class BrowserAuthenticationSucceswsHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    private Logger logger=LoggerFactory.getLogger(getClass());
    
    @Autowired
    private ObjectMapper objectMapper;
    
    @Autowired
    private SecurityProperties securityProperties;

    /**
     * @Description 登录成功会被调用
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        //Authentication 封装了认证信息
        logger.info("登录成功");
        
        if(LoginType.JSON.equals(securityProperties.getBrowser().getLoginType())) {
            response.setContentType("application/json;charset=UTF-8");
            //将authentication转为json字符串
            response.getWriter().write(objectMapper.writeValueAsString(authentication));
        }else {
            //跳转
            super.onAuthenticationSuccess(request, response, authentication);
        }
        
        
    }

}

5.失败处理处理器

　　注意继承的类

package com.cao.security.browser.authentication;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

import com.cao.security.core.properties.LoginType;
import com.cao.security.core.properties.SecurityProperties;
import com.fasterxml.jackson.databind.ObjectMapper;
/**
 * @Description 登录失败后的处理
 * @author dell
 *
 */
@Component(value="browserAuthenticationFailHandler")
public class BrowserAuthenticationFailHandler extends SimpleUrlAuthenticationFailureHandler {
    private Logger logger=LoggerFactory.getLogger(getClass());
    
    @Autowired
    private ObjectMapper objectMapper;
    
    @Autowired
    private SecurityProperties securityProperties;

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        //这里不会有Authentication
        logger.info("登录失败");
        if(LoginType.JSON.equals(securityProperties.getBrowser().getLoginType())) {
            response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
            response.setContentType("application/json;charset=UTF-8");
            response.getWriter().write(objectMapper.writeValueAsString(exception));
        }else {
            //跳转
            super.onAuthenticationFailure(request, response, exception);
        }
    }

}

6.效果

　　随意输入一个xxxxxx.html

　　就可以跳转到了index.html登录页、