Spring Security(十三):5.2 HttpSecurity
Thus far our WebSecurityConfig only contains information about how to authenticate our users. How does Spring Security know that we want to require all users to be authenticated? How does Spring Security know we want to support form based authentication? The reason for this is that the WebSecurityConfigurerAdapterprovides a default configuration in the configure(HttpSecurity http) method that looks like:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.httpBasic();
}
The default configuration above:
- Ensures that any request to our application requires the user to be authenticated
- 确保对我们的应用程序的任何请求都要求用户进行身份验证
- Allows users to authenticate with form based login
- 允许用户使用基于表单的登录进行身份验证
- Allows users to authenticate with HTTP Basic authentication
- 允许用户使用HTTP基本身份验证进行身份验证
You will notice that this configuration is quite similar the XML Namespace configuration:
<http>
<intercept-url pattern="/**" access="authenticated"/>
<form-login />
<http-basic />
</http>
The Java Configuration equivalent of closing an XML tag is expressed using the and() method which allows us to continue configuring the parent. If you read the code it also makes sense. I want to configure authorized requests and configure form login and configure HTTP Basic authentication.
5.3 Java Configuration and Form Login (Java配置和表单登录)
You might be wondering where the login form came from when you were prompted to log in, since we made no mention of any HTML files or JSPs. Since Spring Security’s default configuration does not explicitly set a URL for the login page, Spring Security generates one automatically, based on the features that are enabled and using standard values for the URL which processes the submitted login, the default target URL the user will be sent to after logging in and so on.
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login") 1
.permitAll(); 2
}
formLogin().permitAll() method allows granting access to all users for all URLs associated with form based log in.The login page below represents our current configuration. We could easily update our configuration if some of the defaults do not meet our needs.
<c:url value="/login" var="loginUrl"/>
<form action="${loginUrl}" method="post"> 1
<c:if test="${param.error != null}"> 2
<p>
Invalid username and password.
</p>
</c:if>
<c:if test="${param.logout != null}"> 3
<p>
You have been logged out.
</p>
</c:if>
<p>
<label for="username">Username</label>
<input type="text" id="username" name="username"/> 4
</p>
<p>
<label for="password">Password</label>
<input type="password" id="password" name="password"/> 5
</p>
<input type="hidden" 6
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
<button type="submit" class="btn">Log in</button>
</form>
1、A POST to the /login URL will attempt to authenticate the user
2、If the query parameter error exists, authentication was attempted and failed
logout exists, the user was successfully logged outSpring Security(十三):5.2 HttpSecurity的更多相关文章
- Spring Security框架下实现两周内自动登录"记住我"功能
本文是Spring Security系列中的一篇.在上一篇文章中,我们通过实现UserDetailsService和UserDetails接口,实现了动态的从数据库加载用户.角色.权限相关信息,从而实 ...
- oauth2 Spring Security
oauth2四种授权方式小结 http://www.ruanyifeng.com/blog/2019/04/oauth-grant-types.html 密码模式(resource owner pas ...
- spring security之httpSecurity使用示例
如果在HttpSecurity中配置需要authenticate(),则如果没有登陆,或没有相关权限,则会无法访问 2017-01-02 23:39:32.027 DEBUG 10396 --- [n ...
- spring security之httpSecurity 专题
37.5.2 Resolving the CsrfToken Spring Security provides CsrfTokenArgumentResolver which can automati ...
- SpringBoot第二十三篇:安全性之Spring Security
作者:追梦1819 原文:https://www.cnblogs.com/yanfei1819/p/11350255.html 版权声明:本文为博主原创文章,转载请附上博文链接! 引言 系统的安全 ...
- spring security 继承 WebSecurityConfigurerAdapter 的重写方法configure() 参数 HttpSecurity 常用方法及说明
HttpSecurity 常用方法及说明 方法 说明 openidLogin() 用于基于 OpenId 的验证 headers() 将安全标头添加到响应 cors() 配置跨域资源共享( CORS ...
- Spring Security(三十三):10.3 Password Encoding
Spring Security’s PasswordEncoder interface is used to support the use of passwords which are encode ...
- Spring Security(二十三):6.5 The Default AccessDecisionManager(默认接入策略管理)
This section assumes you have some knowledge of the underlying architecture for access-control withi ...
- 使用Spring MVC测试Spring Security Oauth2 API
不是因为看到希望了才去坚持,而坚持了才知道没有希望. 前言 在Spring Security源码分析十一:Spring Security OAuth2整合JWT和Spring Boot 2.0 整合 ...
随机推荐
- JS对url进行编码和解码(三种方式区别)
Javascript语言用于编码的函数,一共有三个,最古老的一个就是escape().虽然这个函数现在已经不提倡使用了,但是由于历史原因,很多地方还在使用它,所以有必要先从它讲起. escape 和 ...
- leetcode-977. 有序数组的平方
leetcode-977. 有序数组的平方 (来自 120周赛) 题意 给定一个按非递减顺序排序的整数数组 A,返回每个数字的平方组成的新数组,要求也按非递减顺序排序. 示例 1: 输入:[-4,-1 ...
- 杨学明老师推出全新课程--《敏捷开发&IPD和敏捷开发结合的实践》
课时:13小时(2天) 敏捷开发&IPD和敏捷开发结合的实践 讲 师:杨学明 [课程背景] 集成产品开发(IPD).集成能力成熟度模型(CMMI).敏捷开发(Agile Developmen ...
- JavaScript中的原型链和继承
理解原型链 在 JavaScript 的世界中,函数是一等公民. 上面这句话在很多地方都看到过.用我自己的话来理解就是:函数既当爹又当妈."当爹"是因为我们用函数去处理各种&quo ...
- 应用生命周期终极 DevOps 工具包
[编者按]本文作者为 Kevin Goldberg,主要介绍了在开发.运营应用的完整生命周期当中,可能用到的 DevOps 工具大集合.文章系 OneAPM 工程师编译整理. DevOps工具包中合适 ...
- MySQL线程处于Waiting for table flush的分析
最近遇到一个案例,很多查询被阻塞没有返回结果,使用show processlist查看,发现不少MySQL线程处于Waiting for table flush状态,查询语句一直被阻塞,只能通过K ...
- OSWatcher使用过程中小问题解决方法
本文介绍一下在使用OSWatcher过程当中遇到的两个问题的解决方法.如有更好的方法,敬请留言. 1:OSWatcher在配置文件里面设置了参数OSW_COMPRESSION为gzip后,OSWatc ...
- Mysql----修改MySQL5.7的root的密码
在开始服务的情况之下 进入mysql 更改密码:update mysql.user set authentication_string=password('新的密码') where user='r ...
- Process 0:0:0 (0x1ffc) Worker 0x00000001E580A1A0 appears to be non-yielding on Scheduler 3. Thread creation time: 13153975602106.
现场报错如下: Process 0:0:0 (0x1ffc) Worker 0x00000001E580A1A0 appears to be non-yielding on Scheduler 3. ...
- python数据类型分类以及运算类型
一.python数据类型 目录: 1.数字(整数.小数) 2.字符串(单引号.双引号.三引号) 3.元组 #元素确定之后不能修改 4.列表 #元素可以修改 5.集合 #不讲顺序,得到的结果没有重复元 ...