Use of spring security

[Transfer from: http://haohaoxuexi.iteye.com/blog/2154714]

About Login

Directory

1.1 Form-login Element Introduction

1.1.1 Using a custom login page

1.1.2 Specify the page after login

1.1.3 Specify a page after a failed login

1.2 Http-basic

1.1 Form-login Element Introduction

The Form-login element under the HTTP element is used to define the form login information. Spring security generates a default login page for us when none of our properties are specified. If you do not want to use the default login page, we can specify our own login page.

1.1.1 Using a custom login page

The custom login page is specified by the Login-page property. Referring to Login-page we have to mention several other attributes.

• Username-parameter: Indicates which parameter is used by the user name at logon and the default is "J_username".
• Password-parameter: Indicates which parameter is used by the password at logon and the default is "J_password".
• Login-processing-url: Indicates the address submitted at login, default is "/j-spring-security-check". This is just the submission address that spring security uses to mark the login page, and the real sign-in request does not need to be handled by the user.

Therefore, we can enable spring security to jump to our custom login page when a user is required to log in by defining the following.

<security:http auto-config="true">

<security:form-login login-page="/login.jsp"

Login-processing-url= "/login.do " username-parameter="username "

password-parameter="password" />

<!--means that anonymous users can access

<security:intercept-url pattern="/login.jsp"access="is_authenticated_anonymously"/>

<security:intercept-url pattern="/**" access="Role_user" />

</security:http>

It is important to note that we previously configured all requests to require Role_user permissions, which means that our custom "/login.jsp" also requires this permission, thus forming a dead loop. The solution is that we need to release the "/login.jsp". This effect can be achieved by specifying the access permission for "/login.jsp" to "is_authenticated_anonymously" or "role_anonymous". In addition, we can achieve the same effect by specifying the security of an HTTP element as none. Such as:

<security:http security="None" pattern="/login.jsp" />

<security:http auto-config="true">

<security:form-login login-page="/login.jsp"

Login-processing-url= "/login.do " username-parameter="username "

password-parameter="password" />

<security:intercept-url pattern="/**" access="Role_user" />

</security:http>

The difference between them is that the former will enter a series of filter for security control defined by spring security, which does not. When specifying the security attribute of an HTTP element to none, the filter chain representing its corresponding pattern is empty. Starting with 3.1, Spring security allows us to define multiple HTTP elements to accommodate a filter chain that cannot be used for different pattern requests. When the pattern attribute is specified, the corresponding HTTP element definition will function for all requests.

Depending on the configuration above, the contents of our custom login page should look like this:

<form action="login.do " method="POST">

<table>

<tr>

<td> User name:</td>

<td><input type="text" name="username"/></td>

</tr>

<tr>

<td> Password:</td>

<td><input type="password" name="password"/></td>

</tr>

<tr>

<TD colspan="2" align="center">

<input type="Submit" value=" login "/>

<input type=" reset" value= "Reset"/>

</td>

</tr>

</table>

</form>

1.1.2 Specify the page after login

through Default-target-url Specify

By default, we return to the previously restricted page when the login is successful. But if the user is a direct request login page, login success should jump to where? By default it jumps to the root path of the current app, which is the Welcome page. By specifying the Default-target-url attribute of the form-login element, we can let the user jump to the specified page after logging in directly. If you want to let the user directly request the login page, or through spring security to boot, after the login to jump to the specified page, We can achieve this effect by specifying the Always-use-default-target property of the Form-login element to true.

through Authentication-success-handler-ref Specify

The authentication-success-handler-ref corresponds to a reference to a Authencticationsuccesshandler implementation class. If AUTHENTICATION-SUCCESS-HANDLER-REF is specified, the Onauthenticationsuccess method of the specified Authenticationsuccesshandler is called when the login authentication succeeds. We need to process the authentication successfully in the body of the method, and then return to the corresponding authentication Success page. After using Authentication-success-handler-ref, the process of successful authentication is handled by the specified authenticationsuccesshandler. The previous default-target-url and the like are not working.

The following is a custom implementation class for a authenticationsuccesshandler.

Public class Authenticationsuccesshandlerimpl implements

Authenticationsuccesshandler {

Public void onauthenticationsuccess (httpservletrequest request,

HttpServletResponse response, authentication authentication)

throws IOException, Servletexception {

Response.sendredirect (Request.getcontextpath ());

}

}

The corresponding configuration using the Authentication-success-handler-ref property is this:

<security:http auto-config="true">

<security:form-login login-page="/login.jsp"

Login-processing-url= "/login.do " username-parameter="username "

password-parameter="Password"

authentication-success-handler-ref="authsuccess"/>

<!--means that anonymous users can access

<security:intercept-url pattern="/login.jsp"

access="is_authenticated_anonymously" />

<security:intercept-url pattern="/**" access="Role_user" />

</security:http>

<!--certification after successful processing class--

<bean id="authsuccess" class="Com.xxx.AuthenticationSuccessHandlerImpl"/>

1.1.3 Specify a page after a failed login

In addition to the ability to specify the page and corresponding Authenticationsuccesshandler after the login authentication is successful, Form-login also allows us to specify the page after authentication failure and the processor Authenticationfailurehandler after the failed authentication.

through Authentication-failure-url Specify

The login page is returned by default when the login fails, and we can also specify the page after the failed login through the authentication-failure-url of the form-login element. It is important to note that the login failure page is the same as the login page and needs to be configured to be accessible without logging in, otherwise the request failed after the login failed page will be redirected to the login page by spring security.

<security:http auto-config="true">

<security:form-login login-page="/login.jsp"

Login-processing-url= "/login.do " username-parameter="username "

password-parameter="Password"

Authentication-failure-url="/login_failure.jsp"

/>

<!--means that anonymous users can access

<security:intercept-url pattern="/login*.jsp*"

access="is_authenticated_anonymously" />

<security:intercept-url pattern="/**" access="Role_user" />

</security:http>

through Authentication-failure-handler-ref Specify

Similar to Authentication-success-handler-ref, The authentication-failure-handler-ref corresponds to a Authenticationfailurehandler implementation class that handles authentication failures. This property is specified, and Spring security calls the Onauthenticationfailure method of the specified Authenticationfailurehandler after authentication fails to process the authentication failure. The Authentication-failure-url property will no longer function at this time.

1.2 Http-basic

Previously described are based on form-login form login, in fact, spring Security also support pop Windows certification. This effect can be achieved by defining the http-basic element under the HTTP element.

<security:http auto-config="true">

<security:http-basic/>

<security:intercept-url pattern="/**" access="Role_user" />

</security:http>

At this point, if we visit a resource protected by spring Security, a window will pop up asking us to sign in for authentication. The effect is as follows:

Of course, our form login is also available at this point, but spring security does not automatically jump to the login page when we access the included resources. This requires us to request the login page to log in.

It is important to note that Form-login will have a higher priority when we define both the Http-basic and form-login elements. That is, when authentication is required, Spring Security will guide us to the login page instead of a popup window.

(Note: This article is written based on spring Security3.1.6)

Use of spring security