使用 Ajax 使用 Spring security 登录 [英] Login with Spring security using Ajax

问题描述

我正在尝试使用 Spring Security 在基于 Ajax 的登录系统上工作并且它工作正常，直到我遇到另一个需要配置 authentication-success-handler 的要求，以便我可以一旦用户通过 Spring 安全认证，做一些后处理.

I am trying to work on Ajax based login system using Spring Security and it was working fine, till I got with another requirement where I need to configure authentication-success-handler, so as I can do some post processing once user is authenticated by Spring security.

之前我没有使用 <form-login/> 来显示登录页面.我的登录部分是一个下拉列表，是整个应用程序常见的标题部分的一部分.

Earlier I was not using <form-login/> for showing Login page.My Login section is a drop down and part of header section which is common for entire application.

这就是我尝试配置 Spring 安全性的方式

This is how I am trying to configure Spring security

<http pattern="/customer/**" auto-config="true" use-expressions="true" authentication-manager-ref="customerAuthenticationManager">
<!--<http pattern="/customer/**" auto-config="true" use-expressions="true">-->
<intercept-url pattern="/customer/logon.html*" access="permitAll" />
<intercept-url pattern="/customer/denied.html" access="permitAll"/>
<intercept-url pattern="/customer" access="hasRole('AUTH_CUSTOMER')" />
<intercept-url pattern="/customer/" access="hasRole('AUTH_CUSTOMER')" />
<intercept-url pattern="/customer/*.html" access="hasRole('AUTH_CUSTOMER')" />
<intercept-url pattern="/customer/*/*.html" access="hasRole('AUTH_CUSTOMER')" />

<form-login login-processing-url="/customer/logon.html" login-page="/shop/home.html" 
authentication-success-handler-ref="webshopAuthenticationSuccessHandler" />

<logout invalidate-session="true" 
   logout-success-url="/customer/home.html" 
    logout-url="/customer/j_spring_security_logout" />
 <access-denied-handler error-page="/customer/denied.html"/>
    </http>

使用这些配置，当我使用正确的凭据点击登录按钮时，我会收到 HTTP 302 错误

With these configuration, when ever I am clicking on login button with correct credentials, i am getting HTTP 302 error

http://localhost:8080/shop/customer/logon.html 302 found

不确定我到底做错了什么?

Not sure what exactly I am doing wrong?

<form id="login" method="post" accept-charset="UTF-8">
    <input id="userName" type="text" name="userName" size="30" />
    <button type="submit" class="btn">Login</button>
</form>

Ajax 代码

 var data = $(this).serializeObject();
  $.ajax({
  'type': 'POST',
  'url': "<c:url value="/customer/logon.html"/>",
   'contentType': 'application/json',
    'data': JSON.stringify(data),
     'dataType': 'json',
....
}}:

登录部分

 Authentication authenticationToken = new UsernamePasswordAuthenticationToken(customer.getUserName(), customer.getPassword());
   try {
       Authentication authentication = customerAuthenticationManager.authenticate(authenticationToken);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        resp.setStatus(AjaxResponse.RESPONSE_STATUS_SUCCESS);
           } catch (AuthenticationException ex) {

            resp.setStatus(AjaxResponse.RESPONSE_STATUS_FAIURE);
   }

有任何输入吗?经过我所有的努力，我仍然得到 302 和上述配置，即使我的 logon.html 控制器也没有被调用.

Any inputs? With all my efforts, I am still getting 302 and with above configuration, even my logon.html controller is not getting called.

我的主要问题是当我使用

My main issue is when I am enabling Spring security using

<form-login login-processing-url="/customer/logon.html" login-page="/shop/home.html" 
    authentication-success-handler-ref="webshopAuthenticationSuccessHandler" />

我从 logon.html 得到 302 甚至 logon.html 控制器没有被触发(在它上面放置了调试器)

I am getting 302 from logon.html and even logon.html Controller is not being triggered (placed debugger on it)

推荐答案

首先你不需要控制器，spring security 会为你处理这一切.所以放下控制器.

First you don't need a controller, spring security handles all this for you. So drop the controller.

当前问题是由于您的基于 JSON 的帖子造成的.这是由处理登录的普通过滤器处理的，但它没有看到 j_username 和 j_password 字段，因此将(302)重定向到登录页面(在您的情况下 /shop/home.html) 要求这些字段.

The current problem is due to your JSON based post. This is handled by the normal filter which handles login, but it doesn't see a j_username and j_password field and as such will redirect (the 302) to the login page (in your case /shop/home.html) asking for those fields.

基本上，您将数据作为 JSON 发布，而它应该只是一个 ajaxified 表单发布.这允许您编写一个简单的 AuthenticationSuccessHandler，当一切正常时，它只返回 401 或 200 状态代码(可能还有正文).

Basically you are posting the data as JSON whereas it simply should be just an ajaxified form post. This allows you to write a simple AuthenticationSuccessHandler which simply returns a 401 or a 200 status-code (and maybe a body) when things are ok.

将您的 ajax 提交更改为这样的内容应该可以使事情正常进行.

Changing your ajax submit to something like this should make things work.

var data = $(this).serializeObject();
$.ajax({
    'type': $(this).action,
    'url': $(this).target,
    'data': data
}):

这应该创建一个 ajax 表单帖子.可能是您需要在周围的方法中调用 preventDefault() 来阻止表单实际发布.

This should create a ajax form post. Might be that you need a call to preventDefault() in the surrounding method to stop the form from actual posting.

这篇关于使用 Ajax 使用 Spring security 登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！