基于Spring-Security自定义登陆错误提示信息
作者:doinbb 发布时间:2021-09-20 17:33:40
标签:Spring,Security,登陆,错误
实现效果如图所示:
首先公布实现代码:
一. 自定义实现
import.org.springframework.security.core.userdetails.UserDetailsService类
并且抛出BadCredentialsException异常,否则页面无法获取到错误信息。
@Slf4j
@Service
public class MyUserDetailsServiceImpl implements UserDetailsService {
@Autowired
private PasswordEncoder passwordEncoder;
@Autowired
private UserService userService;
@Autowired
private PermissionService permissionService;
private String passwordParameter = "password";
@Override
public UserDetails loadUserByUsername(String username) throws AuthenticationException {
HttpServletRequest request = ContextHolderUtils.getRequest();
String password = request.getParameter(passwordParameter);
log.error("password = {}", password);
SysUser sysUser = userService.getByUsername(username);
if (null == sysUser) {
log.error("用户{}不存在", username);
throw new BadCredentialsException("帐号不存在,请重新输入");
}
// 自定义业务逻辑校验
if ("userli".equals(sysUser.getUsername())) {
throw new BadCredentialsException("您的帐号有违规记录,无法登录!");
}
// 自定义密码验证
if (!password.equals(sysUser.getPassword())){
throw new BadCredentialsException("密码错误,请重新输入");
}
List<SysPermission> permissionList = permissionService.findByUserId(sysUser.getId());
List<SimpleGrantedAuthority> authorityList = new ArrayList<>();
if (!CollectionUtils.isEmpty(permissionList)) {
for (SysPermission sysPermission : permissionList) {
authorityList.add(new SimpleGrantedAuthority(sysPermission.getCode()));
}
}
User myUser = new User(sysUser.getUsername(), passwordEncoder.encode(sysUser.getPassword()), authorityList);
log.info("登录成功!用户: {}", myUser);
return myUser;
}
}
二. 实现自定义登陆页面
前提是,你们已经解决了自定义登陆页面配置的问题,这里不做讨论。
通过 thymeleaf 表达式获取错误信息(我们选择thymeleaf模板引擎)
<p style="color: red" th:if="${param.error}" th:text="${session.SPRING_SECURITY_LAST_EXCEPTION.message}"></p>
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>XX相亲网</title>
<meta name="description" content="Ela Admin - HTML5 Admin Template">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body class="mui-content">
<div id="d1">
<div class="first">
<img class="hosp" th:src="@{/images/dashboard/hospital.png}"/>
<div class="hospital">XX相亲网</div>
</div>
<div class="sufee-login d-flex align-content-center flex-wrap">
<div class="container">
<div class="login-content">
<div class="login-logo">
<h1 style="color: #385978;font-size: 24px">XX相亲网</h1>
<h1 style="color: #385978;font-size: 24px">登录</h1>
</div>
<div class="login-form">
<form th:action="@{/login}" method="post">
<div class="form-group">
<input type="text" class="form-control" name="username" placeholder="请输入帐号">
</div>
<div class="form-group">
<input type="password" class="form-control" name="password" placeholder="请输入密码">
</div>
<div>
<button type="submit" class="button-style">
<span class="in">登录</span>
</button>
</div>
<p style="color: red" th:if="${param.error}"
th:text="${session.SPRING_SECURITY_LAST_EXCEPTION.message}">
</p>
</form>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
Spring-Security登陆表单提交过程
当用户从登录页提交账号密码的时候,首先由
org.springframework.security.web.authentication包下的UsernamePasswordAuthenticationFilter类attemptAuthentication()
方法来处理登陆逻辑。
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
String username = obtainUsername(request);
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
1. 该类内部默认的登录请求url是"/login",并且只允许POST方式的请求。
2. obtainUsername()方法参数名为"username"和"password"从HttpServletRequest中获取用户名和密码(由此可以找到突破口,我们可以在自定义实现的loadUserByUsername方法中获取到提交的账号和密码,进而检查正则性)。
3. 通过构造方法UsernamePasswordAuthenticationToken,将用户名和密码分别赋值给principal和credentials。
public UsernamePasswordAuthenticationToken(Object principal, Object credentials) {
super((Collection)null);
this.principal = principal;
this.credentials = credentials;
this.setAuthenticated(false);
}
super(null)调用的是父类的构造方法,传入的是权限集合,因为目前还没有认证通过,所以不知道有什么权限信息,这里设置为null,然后将用户名和密码分别赋值给principal和credentials,同样因为此时还未进行身份认证,所以setAuthenticated(false)。
到此为止,用户提交的表单信息已加载完成,继续往下则是校验表单提交的账号和密码是否正确。
那么异常一下是如何传递给前端的呢
前面提到用户登录验证的过滤器是UsernamePasswordAuthenticationFilter,它继承自AbstractAuthenticationProcessingFilter。
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
if (!requiresAuthentication(request, response)) {
chain.doFilter(request, response);
return;
}
if (logger.isDebugEnabled()) {
logger.debug("Request is to process authentication");
}
Authentication authResult;
try {
authResult = attemptAuthentication(request, response);
if (authResult == null) {
// return immediately as subclass has indicated that it hasn't completed
// authentication
return;
}
sessionStrategy.onAuthentication(authResult, request, response);
}
catch (InternalAuthenticationServiceException failed) {
logger.error(
"An internal error occurred while trying to authenticate the user.",
failed);
unsuccessfulAuthentication(request, response, failed);
return;
}
catch (AuthenticationException failed) {
// Authentication failed
unsuccessfulAuthentication(request, response, failed);
return;
}
// Authentication success
if (continueChainBeforeSuccessfulAuthentication) {
chain.doFilter(request, response);
}
successfulAuthentication(request, response, chain, authResult);
}
从代码片段中看到Spring将异常捕获后交给了unsuccessfulAuthentication这个方法来处理。
unsuccessfulAuthentication又交给了failureHandler(AuthenticationFailureHandler)来处理,然后追踪failureHandler
protected void unsuccessfulAuthentication(HttpServletRequest request,
HttpServletResponse response, AuthenticationException failed)
throws IOException, ServletException {
SecurityContextHolder.clearContext();
if (logger.isDebugEnabled()) {
logger.debug("Authentication request failed: " + failed.toString(), failed);
logger.debug("Updated SecurityContextHolder to contain null Authentication");
logger.debug("Delegating to authentication failure handler " + failureHandler);
}
rememberMeServices.loginFail(request, response);
failureHandler.onAuthenticationFailure(request, response, failed);
}
Ctrl + 左键 追踪failureHandler引用的类是,SimpleUrlAuthenticationFailureHandler。
private AuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
找到SimpleUrlAuthenticationFailureHandler类中的,onAuthenticationFailure()方法。
public void onAuthenticationFailure(HttpServletRequest request,
HttpServletResponse response, AuthenticationException exception)
throws IOException, ServletException {
if (defaultFailureUrl == null) {
logger.debug("No failure URL set, sending 401 Unauthorized error");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
"Authentication Failed: " + exception.getMessage());
}
else {
saveException(request, exception);
if (forwardToDestination) {
logger.debug("Forwarding to " + defaultFailureUrl);
request.getRequestDispatcher(defaultFailureUrl)
.forward(request, response);
}
else {
logger.debug("Redirecting to " + defaultFailureUrl);
redirectStrategy.sendRedirect(request, response, defaultFailureUrl);
}
}
}
追踪到saveException(request, exception)的内部实现。
protected final void saveException(HttpServletRequest request,
AuthenticationException exception) {
if (forwardToDestination) {
request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
}
else {
HttpSession session = request.getSession(false);
if (session != null || allowSessionCreation) {
request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION,
exception);
}
}
}
此处的
request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
就是存储到session中的错误信息,key就是
public static final String AUTHENTICATION_EXCEPTION =
"SPRING_SECURITY_LAST_EXCEPTION";
因此我们通过thymeleaf模板引擎的表达式可获得session的信息。
获取方式
<p style="color: red" th:if="${param.error}"
th:text="${session.SPRING_SECURITY_LAST_EXCEPTION.message}">
</p>
需要注意:saveException保存的是Session对象所以需要使用${SPRING_SECURITY_LAST_EXCEPTION.message}获取。
来源:https://blog.csdn.net/doinbb/article/details/98729818
0
投稿猜你喜欢
- /// <summary> /// 字符串转16进制字节数组 /// </summary> /// <para
- createCoroutine 和 startCoroutine协程到底是怎么创建和启动的?本篇文章带你揭晓。在Continuation.k
- 最近因为fastjson安全漏洞,升级jar包时,踩了一些坑。新版本FastJsonHttpMessageConverter初始化,默认设置
传输层安全性协议(英语:Transport Layer Security,缩写作 TLS),及其前身安全套接层(Secure Sockets- <profiles> <profile> <
- 前言标签(Label)控件是最常用的控件,在任何Windows应用程序中都可以中都可以看到标签控件。标签控件用于显示用户不能编辑的文件或图像
- 本文实例讲述了Java基于Tcp协议的socket编程方法,分享给大家供大家参考。具体分析如下:以下是一对一的通信编程实现,后续会继续学习一
- 本文实例为大家分享了Android实现计步器功能的具体代码,供大家参考,具体内容如下计步器的原理是通过手机的前后摆动模拟步伐节奏检测。我们本
- 前言这是上周在开发 C# 中使用 Proxy 代理时开发的一些思考和实践。主要需求是这样的,用户可以配置每次请求是否需要代理,用户可以配置
- SpringBoot集成Mybatis+xml格式的sql配置文件最近一直在研究SpringBoot技术,由于项目需要,必须使用Mybati
- 常规调用方式:(这个肯定会弹出cmd窗口)Runtime.getRuntime().exec("cmd.exe &nbs
- 原理和listview一样 ,都是重写Android原生控件Activitypackage com.example.refreshgridv
- 一般来说在Android里要实现树形菜单,都是用ExpandableList(也有高手自己继承ListView或者LinearLayout来
- SlidingDrawer效果想必大家也见到过,它就是1.5模拟器上进入应用程序列表的效果。下面是截图一、简介 SlidingDr
- 一、线程间等待与唤醒机制wait()和notify()是Object类的方法,用于线程的等待与唤醒,必须搭配synchronized 锁来使
- 1、StatefulWidget的背后flutter开发过程中,我们经常会用到两个组件StatelessWidget和StatefulWid
- 可能开发安卓的人大多数都用过很多下拉刷新的开源组件,但是今天用了官方v4支持包的SwipeRefreshLayout觉得效果也蛮不错的,特拿
- RestTemplate第一次请求响应速度较慢问题使用RestTemplate请求微信的接口发现第一次请求需要8秒左右的时间,查阅了JDK资
- 这篇文章主要介绍了如何基于Java实现对象List排序,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋
- 一、为什么按值调用和按引用调用?方法或函数可以通过两种方式调用。一种是按值调用,另一种是按引用调用,这两种方式通常根据作为输入或参数传递给它
