Spring Security实现用户认证二:前后端分离时自定义返回Json内容
- 1 前后端分离
- 2 准备工作
- 依赖
- WebSecurityConfig配置类
- 2 自定义登录页面
- 2.1 Spring Security的默认登录页面
- 2.2 自定义配置formLogin
- 3 自定义登录成功处理器
- 4 自定义登录失败处理器
- 5 自定义登出处理器
- 6 自定义回话过期处理器
- 7 定义认证失败接入点
1 前后端分离
在现在大多数web开发中,采用的开发模式均是前后端分离类型的。往往后端给前端返回的数据格式为json类型:
{
"code":"200",
"message":"success",
"data":"登录成功"
}
2 准备工作
依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity6</artifactId>
</dependency>
<dependency>
<groupId>com.alibaba.fastjson2</groupId>
<artifactId>fastjson2</artifactId>
</dependency>
WebSecurityConfig配置类
import com.alibaba.fastjson2.JSON;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
//为存储在内存中的基于用户名/密码的认证提供支持。
@Bean
public UserDetailsService userDetailsService() {
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withDefaultPasswordEncoder().username("root").password("root").roles("USER").build());
return manager;
}
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
// ResultData<String> result = ResultData.success("登录成功");
Map<String, Object> result = new HashMap<>();
result.put("code", "200");
result.put("message", "登录成功");
result.put("data", "");
//将结果转换成字符串
String json = JSON.toJSONString(result);
//返回json数据
response.setContentType("application/json;charset=UTF-8");
response.getWriter().println(json);
}
}
2 自定义登录页面
2.1 Spring Security的默认登录页面
.httpBasic(withDefaults())
.formLogin(withDefaults()):
2.2 自定义配置formLogin
注释掉原来的formLogin和httpBasic。
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeRequests(authorize ->
authorize
.anyRequest()
.authenticated()
);
// .formLogin(withDefaults())
// .httpBasic(withDefaults());
http.formLogin(login ->
login.loginPage("/login").permitAll() // 一定加上这个,不然会一直重定向,导致报错
);
return http.build();
}
在resources下创建目录templates,用来存放thymeleaf写的页面,在这个目录下面创建login.html页面
<html xmlns:th="https://www.thymeleaf.org">
<head>
<title>login</title>
</head>
<body>
<h1>Login</h1>
<div th:if="${param.error}">错误的用户名或密码.
</div>
<form th:action="@{/login}" method="post">
<div>
<input type="text" name="username" placeholder="请输入用户名">
</div>
<div>
<input type="password" name="password" placeholder="请输入密码">
</div>
<input type="submit" value="登录">
</form>
</body>
</html>
创建LoginController :
@GetMapping("/login")
public String login(){
return "login";
}
效果如下:
3 自定义登录成功处理器
定义MyAuthenticationSuccessHandler
import com.alibaba.fastjson2.JSON;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
Map<String, Object> result = new HashMap<>();
result.put("code", "200");
result.put("message", "登录成功");
result.put("data", "");
//将结果转换成字符串
String json = JSON.toJSONString(result);
//返回json数据
response.setContentType("application/json;charset=UTF-8");
response.getWriter().println(json);
}
}
添加配置
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// ...
http.formLogin(login -> {
login.loginPage("/login").permitAll();
login.successHandler(new MyAuthenticationSuccessHandler());
});
return http.build();
}
效果
4 自定义登录失败处理器
定义MyAuthenticationFailureHandler
import com.alibaba.fastjson2.JSON;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
Map<String, Object> result = new HashMap<>();
result.put("code", "401");
result.put("message", "登录失败");
result.put("data", "");
//将结果转换成字符串
String json = JSON.toJSONString(result);
//返回json数据
response.setContentType("application/json;charset=UTF-8");
response.getWriter().println(json);
}
}
添加配置
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// ...
http.formLogin(login -> {
login.loginPage("/login").permitAll();
login.successHandler(new MyAuthenticationSuccessHandler());
login.failureHandler(new MyAuthenticationFailureHandler());
});
return http.build();
}
效果
5 自定义登出处理器
定义MyLogoutSuccessHandler
import com.alibaba.fastjson2.JSON;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
public class MyLogoutSuccessHandler implements LogoutSuccessHandler {
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
Map<String, Object> result = new HashMap<>();
result.put("code", "200");
result.put("message", "登出成功");
//将结果转换成字符串
String json = JSON.toJSONString(result);
//返回json数据
response.setContentType("application/json;charset=UTF-8");
response.getWriter().println(json);
}
}
添加配置
为了能够正确登出,需要将csrf配置关闭,否则只接受post请求登出。
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// ...
http.logout(logout -> {
logout.logoutSuccessHandler(new MyLogoutSuccessHandler());
});
http.csrf(csrf->csrf.disable());
return http.build();
}
效果
6 自定义回话过期处理器
这个当会话过期或者超出登录数量时。
定义MyLogoutSuccessHandler
import com.alibaba.fastjson2.JSON;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
public class MyLogoutSuccessHandler implements LogoutSuccessHandler {
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
Map<String, Object> result = new HashMap<>();
result.put("code", "200");
result.put("message", "登出成功");
//将结果转换成字符串
String json = JSON.toJSONString(result);
//返回json数据
response.setContentType("application/json;charset=UTF-8");
response.getWriter().println(json);
}
}
添加配置
将最大的session数限制为1,则只允许一个session在线。expiredSessionStrategy指定过期策略。
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// ...
http.sessionManagement(session ->{
session.maximumSessions(1).expiredSessionStrategy(new MySessionInformationExpiredStrategy());
});
return http.build();
}
先登录一个浏览器,在登录另一个浏览器,在刷新第一个浏览器。
效果
7 定义认证失败接入点
创建:MyAuthenticationEntryPoint 实现 AuthenticationEntryPoint接口
import com.alibaba.fastjson2.JSON;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
String localizedMessage = authException.getLocalizedMessage();
Map<String, Object> result = new HashMap<>();
result.put("code", "500");
result.put("message", localizedMessage);
String jsonString = JSON.toJSONString(result);
response.setContentType("application/json;charset=UTF-8");
response.getWriter().println(jsonString);
}
}
配置WebSecurityConfig:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// ...
http.exceptionHandling(exception ->{
exception.authenticationEntryPoint(new MyAuthenticationEntryPoint());
});
return http.build();
}
在我们没有登录时。直接访问主页,会发生异常。
效果
![回文数[简单]](https://img-blog.csdnimg.cn/direct/ef7c33904a7c4607878be6503d1b088e.png)
