java 如何使用 Spring Security 自定义登录页面?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/41787219/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to use Spring Security to custom login page?
提问by RKR
I am using Spring Security to my application and here is the security part which authenticates the user but the login page is given by Spring Security:
我在我的应用程序中使用 Spring Security,这里是对用户进行身份验证的安全部分,但登录页面由 Spring Security 提供:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.authorizeRequests()
.antMatchers("/home*").hasRole("USER")
.and()
.formLogin();
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user")
.password("password")
.roles("USER")
}
}
Instead of Spring's login page I want to use my login page which is below:
我想使用我的登录页面而不是 Spring 的登录页面,如下所示:
login.html:
login.html:
<html lang='en'>
<head>
<title>WebApp</title>
<meta charset='utf-8' />
<script src="https://code.jquery.com/jquery-1.11.3.min.js"></script>
<link rel="stylesheet" type="text/css" href="css/bootstrap.css" />
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.2/css/bootstrap.min.css" />
<link rel="stylesheet" href="css/login.css" />
</head>
<body>
<div class="login-page">
<img src='img/taxi_.jpg' style='width: 180px; margin-left: auto; margin-right: auto; display: block; padding-top: 20px; padding-bottom:20px;' />
<div class="heading">
<center>Dashboard</center>
</div>
<div class="form">
<form action ="home.html" class="register-form">
<input type="text" placeholder="name"/>
<input type="password" placeholder="password"/>
<input type="text" placeholder="email address"/>
<button>create</button>
<p class="message">Already registered? <a href="#">Sign In</a></p>
</form>
<form action="home.html" class="login-form">
<input type="text" placeholder="username"/>
<input type="password" placeholder="password"/>
<button id="button_login">login</button>
<p class="message">Not registered? <a href="#">Create an account</a></p>
</form>
</div>
</div>
</body>
</html>
How can I use my custom login page to be shown instead of Spring Security's login page?
如何使用我的自定义登录页面而不是 Spring Security 的登录页面显示?
采纳答案by dur
See Spring Security Reference:
请参阅Spring 安全参考:
While the automatically generated log in page is convenient to get up and running quickly, most applications will want to provide their own log in page. To do so we can update our configuration as seen below:
protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") 1 .permitAll(); 2 }1The updated configuration specifies the location of the log in page.
2We must grant all users (i.e. unauthenticated users) access to our log in page. The formLogin().permitAll() method allows granting access to all users for all URLs associated with form based log in.
虽然自动生成的登录页面便于快速启动和运行,但大多数应用程序都希望提供自己的登录页面。为此,我们可以更新我们的配置,如下所示:
protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") 1 .permitAll(); 2 }1更新后的配置指定了登录页面的位置。
2我们必须授予所有用户(即未经身份验证的用户)访问我们的登录页面的权限。formLogin().permitAll() 方法允许授予所有用户访问与基于表单的登录相关联的所有 URL 的权限。
Your modified code:
您修改后的代码:
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.authorizeRequests()
.antMatchers("/home*").hasRole("USER")
.and()
.formLogin()
.loginPage("/login.html")
.permitAll();
}
回答by LexSav
Just want to pinpoint a few moments that were not clarified here.
只是想指出这里没有澄清的一些时刻。
1) First of all, .loginPage("/login.html")won't do the trick (it didn't in my case anyway). What is in quotes here is an URL path that will be searched for in your controller. Here is the snippet from my security config file:
1)首先,.loginPage("/login.html")不会成功(无论如何在我的情况下没有)。此处引号中的内容是将在您的控制器中搜索的 URL 路径。这是我的安全配置文件中的片段:
.formLogin().loginPage("/login")
.loginProcessingUrl("/authentication").permitAll();
Here I wrote "/login". So now in your controller define that the /loginpath should point to your login.htmlpage.
我在这里写了"/login"。所以现在在你的控制器中定义/login路径应该指向你的login.html页面。
@GetMapping("/login")
public String login() {
return "login";
}
Only then it should redirect to the required view page. I usually place view pages under the /webapp/WEB-INF/viewfolder.
P.S. I hope you configured your ViewResolverbean right, cos otherwise it won't work :)
只有这样它才应该重定向到所需的视图页面。我通常将查看页面放在/webapp/WEB-INF/view文件夹下。
PS我希望你ViewResolver正确配置了你的bean,否则它将无法工作:)
2) And one more thing. I see you wanna use some CSS for the page. To enable CSS and other static resources for your custom login page, you should add this line
2)还有一件事。我看到你想为页面使用一些 CSS。要为您的自定义登录页面启用 CSS 和其他静态资源,您应该添加这一行
.antMatchers("/resources/**").permitAll()
.antMatchers("/resources/**").permitAll()
So, in the end it will be like that (very short and creepy version, but your custom login should work):
所以,最后它会是这样(非常简短和令人毛骨悚然的版本,但您的自定义登录应该可以工作):
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.loginProcessingUrl("/authentication").permitAll();
}
FYI, place your resources under /webapp/resources/. Also, you should configure your resource handler in your spring configuration file.
仅供参考,将您的资源放在/webapp/resources/. 此外,您应该在 spring 配置文件中配置资源处理程序。
My explanation is pretty lame, but hope someone will get it. Hope it works :)
我的解释很蹩脚,但希望有人能理解。希望它有效:)
Here is also a nice link to wrap your head around it:
这也是一个很好的链接,可以让您了解它:
回答by chaoluo
httpSecurity.authorizeRequests()
.antMatchers("/home*").hasRo??le("USER").and()
.formLogin()
.loginPage("/login.html")
.permitAll();
loginFormUrlmust be started with "/" or a absolute url. and make sure the request /login.htmlcan be handled right.
loginFormUrl必须以“/”或绝对网址开头。并确保/login.html可以正确处理请求。
BTW: if you didn't config the processing url, the processing url will be same with login page(/login.html) url with postmethod, but in your login page, the action url is /home.html, please config the processing url to '/home.html'
BTW:如果你没有配置处理url,处理url和login page( /login.html) url with postmethod 一样,但是在你的登录页面中,action url是/home.html,请将处理url配置为'/home.html'
.formLogin()
.loginProcessingUrl("/home.html")
.loginPage("/login.html")
.permitAll();
And CSRFis enabled by default, I can't find any CSRFtoken in your login form. you can disable csrf or request with token.
并且CSRF默认启用,我CSRF在您的登录表单中找不到任何令牌。您可以禁用 csrf 或使用令牌请求。
http.csrf().disable();
