Spring Security(十三):5.2 HttpSecurity

时间:2021-04-02 14:00:09

Thus far our WebSecurityConfig only contains information about how to authenticate our users. How does Spring Security know that we want to require all users to be authenticated? How does Spring Security know we want to support form based authentication? The reason for this is that the WebSecurityConfigurerAdapterprovides a default configuration in the configure(HttpSecurity http) method that looks like:

到目前为止,我们的WebSecurityConfig仅包含有关如何验证用户身份的信息。 Spring Security如何知道我们要求所有用户进行身份验证? Spring Security如何知道我们想要支持基于表单的身份验证?原因是WebSecurityConfigurerAdapter在configure(HttpSecurity http)方法中提供了一个默认配置,如下所示:
 
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.httpBasic();
}

The default configuration above:

上面的默认配置:
  • Ensures that any request to our application requires the user to be authenticated
  • 确保对我们的应用程序的任何请求都要求用户进行身份验证
  • Allows users to authenticate with form based login
  • 允许用户使用基于表单的登录进行身份验证
  • Allows users to authenticate with HTTP Basic authentication
  • 允许用户使用HTTP基本身份验证进行身份验证

You will notice that this configuration is quite similar the XML Namespace configuration:

您会注意到此配置与XML命名空间配置非常相似:
 
<http>
<intercept-url pattern="/**" access="authenticated"/>
<form-login />
<http-basic />
</http>

The Java Configuration equivalent of closing an XML tag is expressed using the and() method which allows us to continue configuring the parent. If you read the code it also makes sense. I want to configure authorized requests and configure form login and configure HTTP Basic authentication.

使用and()方法表示关闭XML标记的Java配置,这允许我们继续配置父标记。如果您阅读代码,它也是有道理的。我想配置授权请求并配置表单登录并配置HTTP基本身份验证。
 
However, Java Configuration has different defaults URLs and parameters. Keep this in mind when creating custom login pages. The result is that our URLs are more RESTful. Additionally, it is not quite so obvious we are using Spring Security which helps to prevent information leaks. For example:
 
但是,Java Configuration具有不同的默认URL和参数。创建自定义登录页面时请记住这一点。结果是我们的URL更加RESTful。此外,我们使用Spring Security有助于防止信息泄露,这一点并不十分明显。例如:
 

5.3 Java Configuration and Form Login (Java配置和表单登录)

You might be wondering where the login form came from when you were prompted to log in, since we made no mention of any HTML files or JSPs. Since Spring Security’s default configuration does not explicitly set a URL for the login page, Spring Security generates one automatically, based on the features that are enabled and using standard values for the URL which processes the submitted login, the default target URL the user will be sent to after logging in and so on.

当您被提示登录时,您可能想知道登录表单的来源,因为我们没有提及任何HTML文件或JSP。由于Spring Security的默认配置未明确设置登录页面的URL,因此Spring Security会根据启用的功能自动生成一个URL,并使用处理提交的登录的URL的标准值,用户将使用的默认目标URL登录后发送给等等。
 
While the automatically generated log in page is convenient to get up and running quickly, most applications will want to provide their own log in page. To do so we can update our configuration as seen below:
 
虽然自动生成的登录页面便于快速启动和运行,但大多数应用程序都希望提供自己的登录页面。为此,我们可以更新我们的配置,如下所示:
 
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login") 1
.permitAll(); 2
}
 
 1、The updated configuration specifies the location of the log in page.
更新的配置指定登录页面的位置。
 
 2、We must grant all users (i.e. unauthenticated users) access to our log in page. The formLogin().permitAll() method allows granting access to all users for all URLs associated with form based log in.
我们必须授予所有用户(即未经身份验证的用户)访问我们的登录页面的权限。 formLogin()。permitAll()方法允许为与基于表单的登录相关联的所有URL授予对所有用户的访问权限。
 
An example log in page implemented with JSPs for our current configuration can be seen below:
使用JSP为我们当前配置实现的示例登录页面如下所示:
 

The login page below represents our current configuration. We could easily update our configuration if some of the defaults do not meet our needs.

下面的登录页面代表我们当前的配置。如果某些默认设置不符合我们的需求,我们可以轻松更新配置。
 
<c:url value="/login" var="loginUrl"/>
<form action="${loginUrl}" method="post"> 1
<c:if test="${param.error != null}"> 2
<p>
Invalid username and password.
</p>
</c:if>
<c:if test="${param.logout != null}"> 3
<p>
You have been logged out.
</p>
</c:if>
<p>
<label for="username">Username</label>
<input type="text" id="username" name="username"/> 4
</p>
<p>
<label for="password">Password</label>
<input type="password" id="password" name="password"/> 5
</p>
<input type="hidden" 6
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
<button type="submit" class="btn">Log in</button>
</form>

1、A POST to the /login URL will attempt to authenticate the user 

对/ login URL的POST将尝试对用户进行身份验证

2、If the query parameter error exists, authentication was attempted and failed

如果存在查询参数错误,则尝试进行身份验证并失败
3、If the query parameter logout exists, the user was successfully logged out
如果存在查询参数注销,则表示用户已成功注销
 4、The username must be present as the HTTP parameter named username
用户名必须作为名为username的HTTP参数出现
 5、The password must be present as the HTTP parameter named password
密码必须作为名为password的HTTP参数出现
 6、We must Section 18.4.3, “Include the CSRF Token” To learn more read the Chapter 18, Cross Site Request Forgery (CSRF) section of the reference
我们必须在第18.4.3节“包含CSRF令牌”中了解更多信息,请参阅第18章,跨站点请求伪造(CSRF)部分的参考