2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
This article explains the Spring Security formLogin login authentication mode through an example. The content is simple and clear, so follow along step by step.
I. The application scenario of formLogin
Previous articles in this column introduced Spring Security's HttpBasic mode. That mode is relatively simple: login authentication is carried in an HTTP header and there is no custom login page, so its usage scenarios are narrow.
In a complete application system, the pages related to login authentication are highly customized, polished, and offer a variety of login methods. This requires Spring Security to support our own custom login page, which is the formLogin login authentication mode introduced in this article.
Preparatory work
- Create a new Spring Boot web application and add the Spring Security starter.
- Prepare a login page, login.html. Its content is very simple: a form with user name and password input boxes and a submit button.
- Prepare a home page, index.html. After a successful login the user is taken to this page, which shows four hyperlinks: syslog (log management), sysuser (user management), biz1 (business 1) and biz2 (business 2).
- Route to each page through a controller and put some identifying text on the corresponding page; there is no need to write real business logic.
Requirements
We want the ordinary operating user, user, to be able to access biz1 (business 1) and biz2 (business 2), and administrator users to be able to access all resources, including syslog (log management) and sysuser (user management).
That covers the preparatory work and the requirements for introducing the formLogin mode; next we implement the core login verification logic. (The preparatory work is very simple, so please implement it yourself: create a new Spring Boot application, and write the login page, home page and four business pages as very simple HTML, with no real business logic or styling.)
II. Explanation
Three elements of the formLogin model:
- Login authentication logic
- Resource access control rules, such as resource permissions and role permissions
- User information
In a business system that uses a permission authentication framework, the login authentication logic is generally fixed, while resource access control rules and user information are loaded flexibly from a database or other storage. In this article, however, all user, resource and permission information is written in code configuration. The purpose is to introduce the formLogin authentication mode; how to load authorization information from the database is something I will also write up in combination with the RBAC permission model.
III. Basic configuration of formLogin mode
First, we extend WebSecurityConfigurerAdapter and override the configure(HttpSecurity http) method, which is used to configure the login authentication logic. Note the comments in the following code.
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // disable CSRF (cross-site request forgery) protection; later chapters explain this in detail
            .formLogin()
                .loginPage("/login.html") // when a user is not logged in, access to any resource is redirected to this path, i.e. the login page
                .loginProcessingUrl("/login") // the action address of the login form, i.e. the path that handles the authentication request
                // the name of the user name input in the login form is set with usernameParameter(...); if not modified it defaults to username
                .passwordParameter("pword") // the name of the password input in the form; if not modified it defaults to password
                .defaultSuccessUrl("/index") // the default redirect path after successful login authentication
            .and()
            .authorizeRequests()
                .antMatchers("/login.html", "/login").permitAll() // resource paths that can be accessed without login authentication
                .antMatchers("/biz1").hasAnyAuthority("biz1") // the access path of the resource comes first, followed by the resource name, also called the resource ID
                .antMatchers("/biz2").hasAnyAuthority("biz2")
                .antMatchers("/syslog").hasAnyAuthority("syslog")
                .antMatchers("/sysuser").hasAnyAuthority("sysuser")
                .anyRequest().authenticated();
    }
}
```
The code above has two parts:
The first part is the formLogin configuration section, which configures information related to the login authentication logic, such as the login page, the page shown after a successful login, and the path that processes the login request.
The second part is the authorizeRequests configuration section, which configures access to resources. For example, permitAll opens access to the login page, and "/biz1" (the business 1 page resource) can only be accessed by users who hold the resource ID "biz1".
At this point, if we use a browser to request any resource we do not have access to, we are redirected to the login.html page.
IV. Implementing the resource access restriction requirement
So far we have configured the login authentication logic and the resource access rules, but we do not have a concrete user yet, so let's configure one. Override the configure(AuthenticationManagerBuilder auth) method of WebSecurityConfigurerAdapter:
```java
// Imports needed in SecurityConfig for the two methods below
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Methods to add inside the SecurityConfig class
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
        .withUser("user")
        .password(passwordEncoder().encode("123456"))
        .authorities("biz1", "biz2")
        .and()
        .passwordEncoder(passwordEncoder()); // configure BCrypt password hashing
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
```
- inMemoryAuthentication stores the user's authentication and authorization information in memory.
- withUser("user"): the user name is user.
- password(passwordEncoder().encode("123456")): the password is 123456, encoded with BCrypt.
- authorities("biz1", "biz2"): the user user may access the resources whose resource IDs are biz1 (business 1) and biz2 (business 2).
In this way we meet the requirement stated at the beginning of the article that ordinary users can only access the biz1 (business 1) and biz2 (business 2) resources. Can you work out how to let administrator users access all the resources? It is the same recipe, so try it yourself!
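One way to check the rules configured so far is a MockMvc test, added here as an example and not taken from the original article. It assumes spring-security-test and JUnit 5 are on the test classpath, that the controllers from the preparatory work serve /biz1, /syslog and /sysuser, that the user name field keeps its default name username, and it uses a hypothetical class name and a hypothetical admin account.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

@SpringBootTest
@AutoConfigureMockMvc
class FormLoginRulesTest { // hypothetical test class, not part of the article
    @Autowired private MockMvc mvc;

    @Test // an anonymous request to a protected page is sent to the custom login page
    void anonymousIsRedirectedToLoginPage() throws Exception {
        mvc.perform(get("/biz1"))
           .andExpect(redirectedUrlPattern("**/login.html"));
    }

    @Test // assumes the default "username" field; the password field is "pword" as configured
    void userLogsInThroughLoginProcessingUrl() throws Exception {
        mvc.perform(formLogin("/login").user("user").password("pword", "123456"))
           .andExpect(authenticated().withUsername("user"))
           .andExpect(redirectedUrl("/index"));
    }

    @Test // a wrong password must not produce an authenticated session
    void wrongPasswordIsRejected() throws Exception {
        mvc.perform(formLogin("/login").user("user").password("pword", "wrong"))
           .andExpect(unauthenticated());
    }

    @Test // authorities biz1 and biz2 open /biz1 but not /syslog
    @WithMockUser(username = "user", authorities = {"biz1", "biz2"})
    void ordinaryUserIsLimitedToBusinessPages() throws Exception {
        mvc.perform(get("/biz1")).andExpect(status().isOk());
        mvc.perform(get("/syslog")).andExpect(status().isForbidden());
    }

    @Test // an account holding all four authorities reaches the management pages
    @WithMockUser(username = "admin", authorities = {"biz1", "biz2", "syslog", "sysuser"})
    void administratorReachesEveryPage() throws Exception {
        mvc.perform(get("/syslog")).andExpect(status().isOk());
        mvc.perform(get("/sysuser")).andExpect(status().isOk());
    }
}
```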
V. Static resource access
In real development, the login page login.html and the login processing path "/login" must be open unconditionally. In addition, static resources such as css and js files usually do not need permission checks, so we need to open access to them. The way to do this is to override the configure(WebSecurity web) method of the WebSecurityConfigurerAdapter class:
```java
// Additional import needed in SecurityConfig
import org.springframework.security.config.annotation.web.builders.WebSecurity;

// Method to add inside the SecurityConfig class
@Override
public void configure(WebSecurity web) {
    // Open the static resource paths in the project.
    // Paths listed here bypass the Spring Security filter chain entirely, so list only static assets.
    web.ignoring()
       .antMatchers("/config/**", "/css/**", "/fonts/**", "/img/**", "/js/**");
}
```
That concludes the example walkthrough of the Spring Security formLogin login authentication mode. How it is used in a specific project still needs to be verified in practice.