How to handle form login with Spring Security / Spring MVC

Problem description:

Simple question, I just need a pointer in the right direction:

I have a simple Spring MVC/Spring Security webapp. Initially I set up Spring Security so that the default login page shows and authenticates properly (I implemented the UserDetailsService with the DaoAuthenticationProvider to do this).

Next step: replace the default Spring login page with my login page and post the credentials.

But what do I do with the submitted login credentials? I assume I post the form to a controller, verify the credentials, but I'm not clear what the right step is after that. E.g.:

  • Do I call a method on the AuthenticationManager?

  • Do I need to define a bean for this?

  • Do I need to implement an interface/service like AuthenticationEntryPoint?

I've hit the docs 3 times over and don't quite follow them. I know this is dirt simple, so I just need to hear how the process should flow.

Spring Security reference documentation outlines the basic processing flow in 5.4 Authentication in a Web Application. There is point #6:

Next the server will decide whether or not the presented credentials are valid. If they're valid, the next step will happen. If they're invalid, usually your browser will be asked to try again (so you return to step two above).

...

Spring Security has distinct classes responsible for most of the steps described above. The main participants (in the order that they are used) are the ExceptionTranslationFilter, an AuthenticationEntryPoint and an "authentication mechanism", which is responsible for calling the AuthenticationManager which we saw in the previous section.

I have to admit, the documentation here is a bit confusing so I will give you some more pointers - the "authentication mechanism" mentioned here is the thing you are after, it is responsible for processing the credentials that the browser is sending.

As the details of attaching the credentials to HTTP request(s) vary greatly among different authentication methods (form data vs. plain headers vs. digest headers), there is no common "authentication mechanism" - instead, each method implements its own mechanism and in the case of web-based authentication, it is typically a special filter that you have to configure in web.xml.

In your case, you are most probably interested in UsernamePasswordAuthenticationFilter - this is used for processing basic form-based login information. The contract between your custom login form and the filter is the URL (where the form is posted) + the username and password field names:

The login form only needs to contain j_username and j_password input fields and post to the URL the filter is monitoring (by default /j_spring_security_check).
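The contract described in the answer, written out as an added example (not code from the question, the answer or the Spring project): the Spring Security namespace configuration that registers UsernamePasswordAuthenticationFilter via `<form-login>`, and the matching login form. The bean id `myUserDetailsService`, the file names, the `/login` controller mapping and the `/myapp` context path are assumptions; the `username-parameter` and `password-parameter` attributes assume Spring Security 3.1 or later (on 3.0 the field names are fixed to `j_username` and `j_password`, so simply omit those two attributes).

```xml
<!-- security-config.xml (assumed file name): Spring Security 3.x namespace configuration -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

  <http use-expressions="true">
    <!-- Order matters: the first matching pattern wins. The login page must be
         reachable anonymously, otherwise unauthenticated users are redirected
         to it in a loop. -->
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <!-- form-login registers UsernamePasswordAuthenticationFilter. The filter
         intercepts POSTs to login-processing-url, reads the two named request
         parameters and hands them to the AuthenticationManager. Your own
         controller never sees the password; it only renders the form at /login. -->
    <form-login login-page="/login"
                login-processing-url="/j_spring_security_check"
                username-parameter="j_username"
                password-parameter="j_password"
                authentication-failure-url="/login?error=1"
                default-target-url="/" />
    <logout logout-url="/j_spring_security_logout" logout-success-url="/login" />
  </http>

  <!-- The UserDetailsService you already implemented, wired into the
       DaoAuthenticationProvider behind the AuthenticationManager (bean id assumed). -->
  <authentication-manager>
    <authentication-provider user-service-ref="myUserDetailsService" />
  </authentication-manager>
</beans:beans>

<!-- login.jsp (assumed file name), returned by the controller mapped to /login.
     The only contract with the filter is the action URL and the two field names;
     the context path is resolved so the action hits /myapp/j_spring_security_check. -->
<form method="post" action="${pageContext.request.contextPath}/j_spring_security_check">
  <label>Username <input type="text" name="j_username" autocomplete="username" /></label>
  <label>Password <input type="password" name="j_password" autocomplete="current-password" /></label>
  <button type="submit">Log in</button>
</form>
```

With this in place there is no controller method to write for the credentials at all: a failed attempt lands on `/login?error=1` (which is where the view can show a generic "invalid credentials" message without saying whether the username or the password was wrong), and a successful one is redirected to the page the user originally requested, or to `default-target-url` when there was none.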