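Spring Security Config: the HttpSecurity security configurer FormLoginConfigurer

Overview

Introduction

As a SecurityConfigurer that configures HttpSecurity, FormLoginConfigurer has the following configuration tasks:

  • Configures the following security Filter

    • UsernamePasswordAuthenticationFilter
  • Creates the following shared object

    • AuthenticationEntryPoint

FormLoginConfigurer uses the following shared objects: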

  • AuthenticationManager
  • RememberMeServices
  • SessionAuthenticationStrategy
  • DefaultLoginPageGeneratingFilter

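FormLoginConfigurer lets the user configure the following:

  • Set the login page URL: #loginPage

    Default: /login
    If this method is not called and WebSecurityConfigurerAdapter is used, a default login page is generated at the default login URL /login.
    If this method is used to specify a login page URL different from the default, or WebSecurityConfigurerAdapter is not used, the user must also provide their own login page implementation at the specified login page URL.
    In general, the login page you implement must provide a login form that meets the following conditions:

    1. It must issue an HTTP POST request;
    2. It must submit to the login processing URL, that is, the one set by #createLoginProcessingUrlMatcher;
    3. The username field must use the name set by #usernameParameter;
    4. The password field must use the name set by #passwordParameter;
  • Set the login processing URL: #createLoginProcessingUrlMatcher

  • Set the URL to forward to after a successful login: #successForwardUrl

  • Set the URL to forward to after a failed login: #failureForwardUrl

  • Set the name of the username field in the login page: #usernameParameter

    Default: username

  • Set the name of the password field in the login page: #passwordParameter

    Default: password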

Inheritance hierarchy

[Figure: FormLoginConfigurer inheritance diagram]

Usage

	// HttpSecurity code snippet
	public FormLoginConfigurer<HttpSecurity> formLogin() throws Exception {
		return getOrApply(new FormLoginConfigurer<>());
	}
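
A configuration that exercises the options listed above, as an added example that is not part of the original article or of Spring Security itself. The class name, the URLs (/signin, /signin/process, /home, /signin/error) and the field names (user, pass) are hypothetical, and it assumes the WebSecurityConfigurerAdapter style of Spring Security 5.1.x.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: class name, URLs and field names are hypothetical.
@Configuration
@EnableWebSecurity
public class FormLoginExampleConfig extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http
			.authorizeRequests()
				.anyRequest().authenticated()
				.and()
			.formLogin()
				// A custom page makes isCustomLoginPage() true, so initDefaultLoginFilter()
				// leaves DefaultLoginPageGeneratingFilter alone: the application itself
				// must serve a login form at /signin.
				.loginPage("/signin")
				// createLoginProcessingUrlMatcher wraps this URL in an
				// AntPathRequestMatcher restricted to "POST", so a GET to
				// /signin/process is never treated as a login attempt.
				.loginProcessingUrl("/signin/process")
				// The form served at /signin must use exactly these field names.
				.usernameParameter("user")
				.passwordParameter("pass")
				// Server-side forwards (not redirects) after authentication.
				.successForwardUrl("/home")
				.failureForwardUrl("/signin/error")
				// Allow unauthenticated access to the login page and processing URL.
				.permitAll();
	}
}

// Contract for the form served at /signin (HTML shown as a comment):
//   <form method="post" action="/signin/process">
//     <input type="text" name="user"/>
//     <input type="password" name="pass"/>
//     <!-- CSRF protection is on by default: include the CSRF token as a hidden field -->
//   </form>
```

Because successForwardUrl and failureForwardUrl forward the original request instead of redirecting, the handlers mapped to /home and /signin/error receive it as a POST and must accept that method.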

Source code

Source code version: Spring Security Config 5.1.4.RELEASE

package org.springframework.security.config.annotation.web.configurers;

// imports omitted


public final class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extends
		AbstractAuthenticationFilterConfigurer<H, FormLoginConfigurer<H>, 
		UsernamePasswordAuthenticationFilter> {

	/**
	 * Creates a new instance
	 * @see HttpSecurity#formLogin()
	 */
	public FormLoginConfigurer() {
		super(new UsernamePasswordAuthenticationFilter(), null);
		usernameParameter("username");
		passwordParameter("password");
	}


	@Override
	public FormLoginConfigurer<H> loginPage(String loginPage) {
		return super.loginPage(loginPage);
	}

	/**
	 * The HTTP parameter to look for the username when performing authentication. Default
	 * is "username".
	 *
	 * @param usernameParameter the HTTP parameter to look for the username when
	 * performing authentication
	 * @return the FormLoginConfigurer for additional customization
	 */
	public FormLoginConfigurer<H> usernameParameter(String usernameParameter) {
		getAuthenticationFilter().setUsernameParameter(usernameParameter);
		return this;
	}

	/**
	 * The HTTP parameter to look for the password when performing authentication. Default
	 * is "password".
	 *
	 * @param passwordParameter the HTTP parameter to look for the password when
	 * performing authentication
	 * @return the FormLoginConfigurer for additional customization
	 */
	public FormLoginConfigurer<H> passwordParameter(String passwordParameter) {
		getAuthenticationFilter().setPasswordParameter(passwordParameter);
		return this;
	}

	/**
	 * Forward Authentication Failure Handler
	 *
	 * @param forwardUrl the target URL in case of failure
	 * @return the FormLoginConfigurer for additional customization
	 */
	public FormLoginConfigurer<H> failureForwardUrl(String forwardUrl) {
		failureHandler(new ForwardAuthenticationFailureHandler(forwardUrl));
		return this;
	}

	/**
	 * Forward Authentication Success Handler
	 *
	 * @param forwardUrl the target URL in case of success
	 * @return the FormLoginConfigurer for additional customization
	 */
	public FormLoginConfigurer<H> successForwardUrl(String forwardUrl) {
		successHandler(new ForwardAuthenticationSuccessHandler(forwardUrl));
		return this;
	}

	@Override
	public void init(H http) throws Exception {
		super.init(http);
		initDefaultLoginFilter(http);
	}

	/*
	 * 
	 *
	 * @see org.springframework.security.config.annotation.web.configurers.
	 * AbstractAuthenticationFilterConfigurer
	 * #createLoginProcessingUrlMatcher(java.lang.String)
	 */
	@Override
	protected RequestMatcher createLoginProcessingUrlMatcher(String loginProcessingUrl) {
		return new AntPathRequestMatcher(loginProcessingUrl, "POST");
	}

	/**
	 * Gets the HTTP parameter that is used to submit the username.
	 *
	 * @return the HTTP parameter that is used to submit the username
	 */
	private String getUsernameParameter() {
		return getAuthenticationFilter().getUsernameParameter();
	}

	/**
	 * Gets the HTTP parameter that is used to submit the password.
	 *
	 * @return the HTTP parameter that is used to submit the password
	 */
	private String getPasswordParameter() {
		return getAuthenticationFilter().getPasswordParameter();
	}

	/**
	 * If available, initializes the DefaultLoginPageGeneratingFilter shared
	 * object.
	 *
	 * @param http the HttpSecurityBuilder to use
	 */
	private void initDefaultLoginFilter(H http) {
		DefaultLoginPageGeneratingFilter loginPageGeneratingFilter = http
				.getSharedObject(DefaultLoginPageGeneratingFilter.class);
		if (loginPageGeneratingFilter != null && !isCustomLoginPage()) {
			loginPageGeneratingFilter.setFormLoginEnabled(true);
			loginPageGeneratingFilter.setUsernameParameter(getUsernameParameter());
			loginPageGeneratingFilter.setPasswordParameter(getPasswordParameter());
			loginPageGeneratingFilter.setLoginPageUrl(getLoginPage());
			loginPageGeneratingFilter.setFailureUrl(getFailureUrl());
			loginPageGeneratingFilter.setAuthenticationUrl(getLoginProcessingUrl());
		}
	}
}
