logo标签列表

Spring Security Ajax 登录

ajaxauthenticationspring-security
14

我在我的项目中实现了这个安全流程: Spring Security 3 - MVC Integration Tutorial (Part 2)

我的问题是,我需要将它转换为基于Ajax的登录。 为了让这个XML适合仅返回字符串/JSON给客户端,我需要做什么? 我明白问题可能出现在 form-login 标签中。

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security 
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- This is where we configure Spring-Security  -->
    <http auto-config="true" use-expressions="true" access-denied-page="/Management/auth/denied" >

        <intercept-url pattern="/Management/auth/login" access="permitAll"/>
        <intercept-url pattern="/Management/main/admin" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/Management/main/common" access="hasRole('ROLE_USER')"/>

        <form-login 
                login-page="/Management/auth/login" 
                authentication-failure-url="/Management/auth/login?error=true" 
                default-target-url="/Management/main/common"/>

        <logout 
                invalidate-session="true" 
                logout-success-url="/Management/auth/login" 
                logout-url="/Management/auth/logout"/>

    </http>

    <!-- Declare an authentication-manager to use a custom userDetailsService -->
    <authentication-manager>
            <authentication-provider user-service-ref="customUserDetailsService">
                    <password-encoder ref="passwordEncoder"/>
            </authentication-provider>
    </authentication-manager>

    <!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
    <beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>

    <!-- A custom service where Spring will retrieve users and their corresponding access levels  -->
    <beans:bean id="customUserDetailsService" class="com.affiliates.service.CustomUserDetailsService"/>

</beans:beans>
4个回答
22
这是一个旧帖子,但仍然在“spring security ajax login”搜索结果中排名前列,所以我想分享我的解决方案。它遵循Spring Security标准,并且设置相当简单,关键是在安全配置中有两个<http>元素,一个用于REST / Ajax,另一个用于应用程序的其余部分(常规HTML页面)。 <http>的出现顺序很重要,必须从更具体的URL到更通用的URL,就像<http>内部的<url-intercept>元素一样。 步骤1:设置两个独立的<http> 
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- a shared request cache is required for multiple http elements -->
    <beans:bean id="requestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache" />

    <!-- remove security from static resources to avoid going through the security filter chain -->
    <http pattern="/resources/**" security="none" />

    <!-- http config for REST services (AJAX interface) 
    =================================================== -->
    <http auto-config="true" use-expressions="true" pattern="/rest/**">
        <!-- login configuration 
            login-processing-url="/rest/security/login-processing" front-end AJAX requests for authentication POST to this URL
            login-page="/rest/security/login-page" means "authentication is required"
            authentication-failure-url="/rest/security/authentication-failure" means "authentication failed, bad credentials or other security exception"
            default-target-url="/rest/security/default-target" front-end AJAX requests are redirected here after success authentication
        -->
        <form-login 
            login-processing-url="/rest/security/login-processing" 
            login-page="/rest/security/login-page" 
            authentication-failure-url="/rest/security/authentication-failure" 
            default-target-url="/rest/security/default-target" 
            always-use-default-target="true" />
        <logout logout-url="/rest/security/logout-url" />

        <!-- REST services can be secured here, will respond with JSON instead of HTML -->
        <intercept-url pattern="/rest/calendar/**" access="hasRole('ROLE_USER')" />

        <!-- other REST intercept-urls go here -->

        <!-- end it with a catch all -->
        <intercept-url pattern="/rest/**" access="isAuthenticated()" />

        <!-- reference to the shared request cache -->
        <request-cache ref="requestCache"/>
    </http>

    <!-- http config for regular HTML pages
    =================================================== -->
    <http auto-config="true" use-expressions="true">
        <form-login 
            login-processing-url="/security/j_spring_security_check" 
            login-page="/login" 
            authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/security/j_spring_security_logout" />

        <intercept-url pattern="/calendar/**" access="hasRole('ROLE_USER')" />

        <!-- other intercept-urls go here -->

        <!-- in my app's case, the HTML config ends with permitting all users and requiring HTTPS
             it is always a good idea to send sensitive information like passwords over HTTPS -->
        <intercept-url pattern="/**" access="permitAll" requires-channel="https" />

        <!-- reference to the shared request cache -->
        <request-cache ref="requestCache"/>
    </http>

    <!-- authentication manager and other configuration go below -->
</beans:beans>

步骤2:REST身份验证控制器

import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

import flexjson.JSONSerializer;

@Controller
@RequestMapping(value = "/rest/security")
public class RestAuthenticationController {

    public HttpHeaders getJsonHeaders() {
        HttpHeaders headers = new HttpHeaders();
        headers.add("Content-Type", "application/json");
        return headers;
    }

    @RequestMapping(value="/login-page", method = RequestMethod.GET)
    public ResponseEntity<String> apiLoginPage() {
        return new ResponseEntity<String>(getJsonHeaders(), HttpStatus.UNAUTHORIZED);
    }

    @RequestMapping(value="/authentication-failure", method = RequestMethod.GET)
    public ResponseEntity<String> apiAuthenticationFailure() {
        // return HttpStatus.OK to let your front-end know the request completed (no 401, it will cause you to go back to login again, loops, not good)
        // include some message code to indicate unsuccessful login
        return new ResponseEntity<String>("{\"success\" : false, \"message\" : \"authentication-failure\"}", getJsonHeaders(), HttpStatus.OK);
    }

    @RequestMapping(value="/default-target", method = RequestMethod.GET)
    public ResponseEntity<String> apiDefaultTarget() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // exclude/include whatever fields you need
        String userJson = new JSONSerializer().exclude("*.class", "*.password").serialize(authentication);
        return new ResponseEntity<String>(userJson, getJsonHeaders(), HttpStatus.OK);
    }
}

第三步:提交AJAX表单并处理响应,需要使用jQuery的ajaxForm库。
<form action="/rest/security/login-processing" method="POST">
...
</form>

$('form').ajaxForm({
    success: function(response, statusText, xhr, $form)  {
        console.log(response);
        if(response == null || response.username == null) {
            alert("authentication failure");
        } else {
            // response is JSON version of the Spring's Authentication
            alert("authentication success");
        }
    },
    error: function(response, statusText, error, $form)  { 
        if(response != null && response.message == "authentication-failure") {
            alert("authentication failure");
        }
    }
});
你的解决方案看起来不错,但是'/rest/security/login-processing'的控制器方法在哪里定义的? - Michael De Keyser
@MichaelDeKeyser - 它映射到SpringSecurity提供的UsernamePasswordAuthenticationFilter,查看文档并搜索“UsernamePasswordAuthenticationFilter”和“login-processing-url”。http://docs.spring.io/autorepo/docs/spring-security/3.2.0.RELEASE/reference/htmlsingle/ - SergeyB
1
我尝试使用Spring Security的JavaConfig来完成这个任务,最终不得不放弃并使用XML来实现! - Boon
@Boon - 看看这个例子:https://dev59.com/5m445IYBdhLWcg3wWI2L#27300215 - SergeyB
5

Spring正在从基于XML的配置转向Java @Configuration类。以下是在上述帖子中解释的设置的@Configuration版本(Spring Security Ajax登录)。步骤2和3保持不变,将步骤1替换为此代码。顺序再次很重要,更具体的定义需要在更通用的定义之前加载,使用@Order(1)@Order(2)来控制。

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;

@Configuration
@EnableWebSecurity
public class WebMvcSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Bean(name = "requestCache")
    public RequestCache getRequestCache() {
        return new HttpSessionRequestCache();
    }

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

            @Autowired private RequestCache requestCache;

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .regexMatcher("/rest.*")
                    .authorizeRequests()
                        .antMatchers("/rest/calendar/**")
                            .hasAuthority("ROLE_USER")
                        .antMatchers("/rest/**")
                            .permitAll()
                        .and()
                   .headers()
                        .xssProtection()
                        .and()
                   .logout()
                       .logoutUrl("/rest/security/logout-url")
                       .and()
                    .requestCache()
                        .requestCache(requestCache)
                        .and()
                    .formLogin()
                        .loginProcessingUrl("/rest/security/login-processing")
                        .loginPage("/rest/security/login-page")
                        .failureUrl("/rest/security/authentication-failure")
                        .defaultSuccessUrl("/rest/security/default-target", false)
                        .and()
                    .httpBasic();
           }
    }

    @Configuration
    @Order(2)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Autowired private RequestCache requestCache;

       @Override
       protected void configure(HttpSecurity http) throws Exception {
           http
                .authorizeRequests()
                    .regexMatchers("/calendar/.*")
                        .hasAuthority("ROLE_USER")
                    .regexMatchers("/.*")
                        .permitAll()
                   .and()
               .logout()
                   .logoutUrl("/security/j_spring_security_logout")
                   .and()
                .requestCache()
                    .requestCache(requestCache)
                    .and()
                .formLogin()
                    .loginProcessingUrl("/security/j_spring_security_check")
                    .loginPage("/login")
                    .failureUrl("/login?login_error=t" )
                    .and()
                .httpBasic();
       }
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
                .antMatchers("/resources/**")
                .antMatchers("/sitemap.xml");
    }
}
5
1
您可以使用HttpServletRequest.login(username,password)进行登录,就像这样:
@Controller
@RequestMapping("/login")
public class AjaxLoginController {

    @RequestMapping(method = RequestMethod.POST)
    @ResponseBody
    public String performLogin(
        @RequestParam("username") String username,
        @RequestParam("password") String password,
        HttpServletRequest request, HttpServletResponse response) {
    try {
        request.login(username,password);
        return "{\"status\": true}";
    } catch (Exception e) {
        return "{\"status\": false, \"error\": \"Bad Credentials\"}";
    }
}
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接