How to process a form login using Spring Security / Spring MVC

Problem description

Simple question, I just need a pointer in the right direction:

I have a simple Spring MVC/Spring Security webapp. Initially I set up Spring Security so that the default login page shows and authenticates properly (I implemented the UserDetailsService with the DaoAuthenticationProvider to do this).

Next step: replace the default spring login page with my login page and post the credentials.

But what do I do with the submitted login credentials? I assume I post the form to a controller, verify the credentials, but I'm not clear what the right step is after that. E.g.:

  • Am I calling a method on the AuthenticationManager?
  • Do I need to define a bean for this?
  • Is there an interface/service I need to implement, e.g. something like AuthenticationEntryPoint?

I've hit the docs 3 times over and don't quite follow them. I know this is dirt simple, so I just need to hear how the process should flow.

Recommended answer

Spring Security reference documentation outlines the basic processing flow in 5.4 Authentication in a Web Application. There is point #6:

Next the server will decide whether or not the presented credentials are valid. If they're valid, the next step will happen. If they're invalid, usually your browser will be asked to try again (so you return to step two above).

...

Spring Security has distinct classes responsible for most of the steps described above. The main participants (in the order that they are used) are the ExceptionTranslationFilter, an AuthenticationEntryPoint and an "authentication mechanism", which is responsible for calling the AuthenticationManager which we saw in the previous section.

I have to admit, the documentation here is a bit confusing so I will give you some more pointers - the "authentication mechanism" mentioned here is the thing you are after, it is responsible for processing the credentials that the browser is sending.

As the details of attaching the credentials to HTTP request(s) vary greatly among different authentication methods (form data vs. plain headers vs. digest headers), there is no common "authentication mechanism" - instead, each method implements its own mechanism and in the case of web-based authentication, it is typically a special filter that you have to configure in web.xml.

In your case, you are most probably interested in UsernamePasswordAuthenticationFilter - this is used for processing basic form-based login information. The contract between your custom login form and the filter is the URL (where form is posted) + username and password field names:

The login form just needs to contain the j_username and j_password input fields and post to the URL that the filter monitors (/j_spring_security_check by default).
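
The wiring the answer describes, as an added example that is not part of the original answer: a Spring Security 3.x namespace configuration (the version whose defaults are the j_username / j_password / /j_spring_security_check names above) that points the entry point at a custom login page and lets UsernamePasswordAuthenticationFilter, rather than an MVC controller, validate the posted credentials. The /login URL, the /** secured pattern and the myUserDetailsService bean id are assumptions.

```xml
<!-- Added example (not from the original answer): Spring Security 3.x namespace
     configuration wiring a custom login page to UsernamePasswordAuthenticationFilter.
     The bean id "myUserDetailsService" and the /login and /** URL patterns are assumptions. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http use-expressions="true">
    <!-- The login page itself must be reachable anonymously; otherwise the
         AuthenticationEntryPoint redirects unauthenticated users to it in a loop. -->
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**"    access="isAuthenticated()" />

    <!-- login-page: the MVC controller that only renders the form (GET /login).
         The form POSTs j_username and j_password to /j_spring_security_check;
         the filter, not the controller, checks the credentials and, on failure,
         sends the browser back to the login page (step two of the reference flow). -->
    <form-login login-page="/login"
                authentication-failure-url="/login?error=1"
                default-target-url="/" />
    <logout logout-success-url="/login" />
  </http>

  <!-- DaoAuthenticationProvider backed by the UserDetailsService implementation
       from the question, registered under the assumed bean id. -->
  <authentication-manager>
    <authentication-provider user-service-ref="myUserDetailsService" />
  </authentication-manager>

</beans:beans>
```

The login view then needs only `<form action="j_spring_security_check" method="post">` with inputs named `j_username` and `j_password`; the controller mapped to /login does nothing beyond returning that view.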
