Spring Security custom login and logout [interview + work]
I. Configuration under the Spring Boot framework
A: Login configuration (configured in the configure() method of your WebSecurityConfigurerAdapter implementation)
B: Login-success configuration
By default, because the RequestCache holds the URL that was requested before login, the user is automatically redirected to that page after a successful login; if you need to run logic of your own after a successful login, you must customize the login-success handling:
A. Default success handler: SavedRequestAwareAuthenticationSuccessHandler
B. Custom handling:
Implement the AuthenticationSuccessHandler interface and override its onAuthenticationSuccess() method;
To make the custom success handler take effect, call successHandler(your handler implementation object) in the configure() method of your WebSecurityConfigurerAdapter implementation
C: Login-failure configuration
By default, the user is redirected back to the login page after a failed login; if you need to run logic of your own after a failed login, you must customize the login-failure handling:
A. Default failure handler: SimpleUrlAuthenticationFailureHandler
B. Custom handling:
Implement the AuthenticationFailureHandler interface and override its onAuthenticationFailure() method;
To make the custom failure handler take effect, call failureHandler(your handler implementation object) in the configure() method of your WebSecurityConfigurerAdapter implementation
D: Logout configuration example (configured in the configure() method of your WebSecurityConfigurerAdapter implementation)
II. Configuration under the Spring MVC framework
A: Basic login configuration flow:
a. First create a dedicated XML configuration file for Spring Security [referred to here as l]
(Note: the configuration file must import the Spring Security namespace)
b. In l, define which requests require which authorities to pass authentication;
c. In l, define the AuthenticationManager that performs the authentication;
d. In l, register l as Spring's initial configuration file via <context-param>, so that Spring loads this file;
e. In l, define a filter that intercepts the requests to be handed to Spring Security (note: this filter must be declared before any other request-intercepting filters)
B: Custom login page, login success and login failure (on top of the configuration above)
1. Custom login page
When the security attribute of the http element is set to none, the filter chain for the matching pattern is empty;
2. Login success --- specified via authentication-success-handler-ref
authentication-success-handler-ref references an AuthenticationSuccessHandler implementation
3. Login failure --- specified via authentication-failure-handler-ref
authentication-failure-handler-ref references an AuthenticationFailureHandler implementation
Logging a user out from the back end with Spring Boot and Spring Security
Recently I have been developing an OAuth2-based authentication server, and one requirement is that when a user logs out of the client application, the login state on the authentication server must be ended as well. Searching online, basically every solution uses SessionRegistry.
1. First configure WebSecurityConfigurerAdapter
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;

@Configuration
@EnableWebSecurity
public class CustomWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Registry that tracks every authenticated session so they can be looked up (and expired) later
    @Bean
    public SessionRegistry getSessionRegistry() {
        SessionRegistry sessionRegistry = new SessionRegistryImpl();
        return sessionRegistry;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/user/**").hasRole("USER");
        http.formLogin().loginPage("/login").defaultSuccessUrl("/user");
        http.logout().logoutUrl("/logout").logoutSuccessUrl("/login");
        http
            .sessionManagement()
            .invalidSessionUrl("/login")
            // -1 = unlimited concurrent sessions; enabling concurrency control installs ConcurrentSessionFilter
            .maximumSessions(-1)
            .sessionRegistry(getSessionRegistry());
    }
}
2. The logout class
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LogoutDemo {
    @Autowired
    SessionRegistry sessionRegistry;
    @Autowired
    private CustomUserDetailsService service;

    @RequestMapping(value = "/logout_demo")
    public void logout() {
        // The registry keys sessions by principal, so the UserDetails loaded here must
        // compare equal to the one stored at login (User compares by username)
        UserDetails user = service.loadUserByUsername("admin");
        List<SessionInformation> allSessions = sessionRegistry.getAllSessions(user, false);
        if (allSessions != null) {
            for (int i = 0; i < allSessions.size(); i++) {
                SessionInformation sessionInformation = allSessions.get(i);
                // Mark the session expired; ConcurrentSessionFilter acts on this flag on the next request
                sessionInformation.expireNow();
            }
        }
    }
}
3. The resulting error
However, this implementation has a problem: after the Java back end has logged the user out, the next time the user visits from the browser the page shows an error message consisting of a single sentence.
The error comes from the doFilter method of ConcurrentSessionFilter and reads as follows:
This session has been expired (possibly due to multiple concurrent logins being attempted as the same user).
When the user then refreshes the browser, they are redirected to the login page. This is definitely a problem: it seriously hurts the user experience, and for my authentication service it is outright fatal.
After the user refreshes the browser and logs in, the browser is redirected to defaultSuccessUrl instead of back to the client application's page.
4. Error analysis
Let's analyze the cause of the error. Below is part of the ConcurrentSessionFilter source:
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    // false: do not create a session if the request has none
    HttpSession session = request.getSession(false);

    if (session != null) {
        SessionInformation info = sessionRegistry.getSessionInformation(session
                .getId());

        if (info != null) {
            if (info.isExpired()) {
                // Expired - abort processing
                doLogout(request, response);

                // Null unless an expiredUrl / expired-session strategy was configured
                String targetUrl = determineExpiredUrl(request, info);

                if (targetUrl != null) {
                    redirectStrategy.sendRedirect(request, response, targetUrl);

                    return;
                }
                else {
                    // No target URL: write the one-line message seen in the browser
                    response.getWriter().print(
                            "This session has been expired (possibly due to multiple concurrent "
                                    + "logins being attempted as the same user).");
                    response.flushBuffer();
                }

                return;
            }
            else {
                // Non-expired - update last request date/time
                sessionRegistry.refreshLastRequest(info.getSessionId());
            }
        }
    }

    chain.doFilter(request, response);
}
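As an added example (not the page's code and not Spring Security's own), assuming the same WebSecurityConfigurerAdapter API the page uses and the /logout_demo endpoint from the page: the branch above redirects only when determineExpiredUrl() returns a target, so configuring expiredUrl turns a back-end expireNow() into a redirect to the login page instead of the one-line error body, and the endpoint that expires other users' sessions is restricted to ADMIN instead of being reachable anonymously.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;

// Hypothetical class name; illustrates the expiredUrl mitigation, not the page's original config
@Configuration
@EnableWebSecurity
public class ExpiredSessionAwareConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/user/**").hasRole("USER")
                // the back-end logout endpoint must not be callable by anonymous users
                .antMatchers("/logout_demo").hasRole("ADMIN")
                .anyRequest().authenticated();
        http.formLogin().loginPage("/login").permitAll().defaultSuccessUrl("/user");
        http.logout().logoutUrl("/logout").logoutSuccessUrl("/login");
        http.sessionManagement()
                .invalidSessionUrl("/login")
                .maximumSessions(-1)
                .sessionRegistry(sessionRegistry())
                // determineExpiredUrl() now returns this URL, so ConcurrentSessionFilter
                // redirects instead of printing "This session has been expired ..."
                .expiredUrl("/login?expired");
    }

    /** Expire every registered session of the principal; returns how many were expired. */
    public static int expireSessions(SessionRegistry registry, Object principal) {
        int count = 0;
        // principal must compare equal to the one stored at login (User compares by username)
        for (SessionInformation info : registry.getAllSessions(principal, false)) {
            info.expireNow();
            count++;
        }
        return count;
    }
}
```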
Logging the user out from the back end triggers this error, whereas a normal session expiry does not; a normal session expiry causes
The getSession(boolean create) method of HttpServletRequest is documented as follows:
Returns the current HttpSession associated with this request or, if there is no current session and create is true, returns a new session.
If create is false and the request has no valid HttpSession, this method returns null.
To make sure the session is properly maintained, you must call this method before the response is committed. If the