微信公眾號:一一小知
問題或建議,請公眾號留言;
SpringSecurity本身對于Login Parameter的登錄處理
本身自帶的請求頁面是這樣的:
登錄頁面
點擊login按鈕之后,requst如下,可以看到Content-Type的值是application/x-www-form-urlencoded,username、password、submit是作為Parameter參數做了請求。
完整的如下:
Request URL: http://localhost:8081/user/login
Request Method: POST
Status Code: 401
Remote Address: [::1]:8081
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=utf-8
Date: Wed, 23 Jan 2019 02:12:40 GMT
Expires: 0
Pragma: no-cache
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 38
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=A977E4AD3F578C5B8FA80BF2DC83C4FA
Host: localhost:8081
Origin: http://localhost:8081
Referer: http://localhost:8081/login
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
username: bianxh
password:
submit: Login
對應的username和password的接收和處理在WebSecurityConfigurerAdapter子實例中完成,如下:
package com.template.config;
//...
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
//...
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers(HttpMethod.OPTIONS).permitAll()
.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
@Override
public <O extends FilterSecurityInterceptor> O postProcess(O o) {
o.setSecurityMetadataSource(metadataSource);
o.setAccessDecisionManager(urlAccessDecisionManager); // url攔截
return o;
}
})
.and()
// .formLogin().loginPage("/login_p").loginProcessingUrl("/login")
// 定義響應的url
.formLogin().loginProcessingUrl("/user/login")
.usernameParameter("username").passwordParameter("password")
.permitAll()
.and()
.logout().permitAll()
.and().csrf().disable()
.exceptionHandling().accessDeniedHandler(deniedHandler);
}
//...
}
在Vue項目配置中模擬這樣的請求如下:
import request from '@/utils/request'
export function login(username, password) {
return request({
url: '/user/login',
method: 'post',
params: { username, password }
})
}
Request參數如下:
Request URL: http://localhost:8080/user/login?username=bryan&password=1984
Request Method: POST
Status Code: 403 Forbidden
Remote Address: 127.0.0.1:8080
Referrer Policy: no-referrer-when-downgrade
cache-control: no-cache, no-store, max-age=0, must-revalidate
connection: close
content-length: 0
date: Wed, 23 Jan 2019 05:01:03 GMT
expires: 0
pragma: no-cache
x-content-type-options: nosniff
x-frame-options: DENY
X-Powered-By: Express
x-xss-protection: 1; mode=block
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Length: 0
Cookie: JSESSIONID=DE7E824DB59383D63DA926C5DAA1048E
Host: localhost:8080
Origin: http://localhost:8080
Referer: http://localhost:8080/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
username=bryan&password=1984
換用JSON方式來登錄
SpringSecurity配置調整
spring security 是基于javax.servlet.Filter的,因此才能在spring mvc(DispatcherServlet基于Servlet)前起作用。
- UsernamePasswordAuthenticationFilter:實現Filter接口,負責攔截登錄處理的url,帳號和密碼會在這里獲取,然后封裝成
Authentication交給AuthenticationManager進行認證工作- Authentication:貫穿整個認證過程,封裝了認證的用戶名,密碼和權限角色等信息,接口有一個boolean isAuthenticated()方法來決定該
Authentication認證成功沒;- AuthenticationManager:認證管理器,但本身并不做認證工作,只是做個管理者的角色。例如默認實現
ProviderManager會持有一個AuthenticationProvider數組,把認證工作交給這些AuthenticationProvider,直到有一個AuthenticationProvider完成了認證工作。- AuthenticationProvider:認證提供者,默認實現,也是最常使用的是
DaoAuthenticationProvider。我們在配置時一般重寫一個UserDetailsService來從數據庫獲取正確的用戶名密碼,其實就是配置了DaoAuthenticationProvider的UserDetailsService屬性,DaoAuthenticationProvider會做帳號和密碼的比對,如果正常就返回給AuthenticationManager一個驗證成功的Authentication看
UsernamePasswordAuthenticationFilter源碼里的obtainUsername和obtainPassword方法只是簡單地調用request.getParameter方法,因此如果用json發送用戶名和密碼會導致DaoAuthenticationProvider檢查密碼時為空,拋出BadCredentialsException。
重寫UsernamePasswordAnthenticationFilter
package com.template.filter;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.template.bean.AuthenticationBean;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.InputStream;
public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
//attempt Authentication when Content-Type is json
if(request.getContentType().equals(MediaType.APPLICATION_JSON_UTF8_VALUE)
||request.getContentType().equals(MediaType.APPLICATION_JSON_VALUE)){
//use jackson to deserialize json
ObjectMapper mapper = new ObjectMapper();
UsernamePasswordAuthenticationToken authRequest = null;
try (InputStream is = request.getInputStream()){
AuthenticationBean authenticationBean = mapper.readValue(is,AuthenticationBean.class);
authRequest = new UsernamePasswordAuthenticationToken(
authenticationBean.getUsername(), authenticationBean.getPassword());
}catch (IOException e) {
e.printStackTrace();
authRequest = new UsernamePasswordAuthenticationToken(
"", "");
}finally {
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
}
//transmit it to UsernamePasswordAuthenticationFilter
else {
return super.attemptAuthentication(request, response);
}
}
}
WebSecurityConfigurerAdapter配置
把這個CustomAuthenticationFilter加到spring security的眾多filter里面.
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
.antMatcher("/**").authorizeRequests()
.antMatchers("/", "/login**").permitAll()
.anyRequest().authenticated()
//這里必須要寫formLogin(),不然原有的UsernamePasswordAuthenticationFilter不會出現,也就無法配置我們重新的UsernamePasswordAuthenticationFilter
.and().formLogin().loginPage("/")
.and().csrf().disable();
//用重寫的Filter替換掉原有的UsernamePasswordAuthenticationFilter
http.addFilterAt(customAuthenticationFilter(),
UsernamePasswordAuthenticationFilter.class);
}
//注冊自定義的UsernamePasswordAuthenticationFilter
@Bean
CustomAuthenticationFilter customAuthenticationFilter() throws Exception {
CustomAuthenticationFilter filter = new CustomAuthenticationFilter();
filter.setAuthenticationSuccessHandler(new SuccessHandler());
filter.setAuthenticationFailureHandler(new FailureHandler());
filter.setFilterProcessesUrl("/login/self");
//這句很關鍵,重用WebSecurityConfigurerAdapter配置的AuthenticationManager,不然要自己組裝AuthenticationManager
filter.setAuthenticationManager(authenticationManagerBean());
return filter;
}
封裝AuthenticationBean類,用lombok簡化代碼
package com.template.bean;
import lombok.Getter;
import lombok.Setter;
@Getter
@Setter
public class AuthenticationBean {
private String username;
private String password;
}
Vue的配置
request配置
import request from '@/utils/request'
export function login(username, password) {
return request({
url: '/user/login',
method: 'post',
// 封裝JSON
data: {
username,
password
}
})
}
效果
登錄成功
在瀏覽器Network中查看Response
Network中查看Response
由于我們前后端分類,前端使用的是8080端口,后端使用的是8081端口。所以需要配置一下vue.config.js,允許跨域。
module.exports = {
devServer: {
proxy: {
'/': {
target: 'http://localhost:8081',
changeOrigin: true,
pathRewrite: {
'^/': ''
}
}
}
}
}
后話
Request.java可以debug htpp request請求,包位置和關鍵method如下:
package org.apache.catalina.connector;
/**
* Wrapper object for the Coyote request.
*
* @author Remy Maucherat
* @author Craig R. McClanahan
*/
public class Request implements org.apache.catalina.servlet4preview.http.HttpServletRequest {
/**
* Parse request parameters.
*/
protected void parseParameters() {
//...
}
}
參考網址
- Spring Security配置JSON登錄
- Spring Security and JSON Authentication
- 在客戶端側代碼中使用環境變量
- 跨域資源共享 CORS 詳解
- CORS support in Spring Framework
- [HTTP請求中的form data和request payload的區別]
-
未驗證:Spring Security攔截器引起Java CORS跨域失敗的問題
<a id="jump_1"></a>
