Spring Boot+Spring Security+Ajax 实现自定义登录

796 阅读5分钟

Spring Boot+Spring Security+Ajax 实现自定义登录

自定义的用户需要实现UserDetails接口,Security这个框架不关心你的应用时怎么存储用户和权限信息的。只要取出来的时候把它包装成一个UserDetails对象就OK。:

User.class:


package com.example.demo.model;


import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;


@Setter
@Getter
@AllArgsConstructor
@NoArgsConstructor
@Slf4j
public class User implements UserDetails{
    private Integer id;

    private String username;

    private String password;

    private List<Role> roles;

    // private String role;

    // private String status;

    // private boolean checkLockIsOrNot=true;

    public User(String username,String password){
        this.username = username;
        this.password = password;
    }



    //不涉及用户角色,直接赋予管理员角色
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> auths = new ArrayList<>();
        auths.add(new SimpleGrantedAuthority("ROLE_ADMIN");
        return auths;
    }


    //账户是否过期
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    //账户是否锁定
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    //密码是否过期
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    //是否可用
    @Override
    public boolean isEnabled() {
        return true;
    }
}

UserDetailsService接口用来加载用户信息,然后在loadUserByUsername方法中,构造一个User对象返回,这里实现这个接口来定义自己的Service

MyUserDetailService.class:

package com.example.demo.service;

import com.example.demo.exception.ValidateCodeException;
import com.example.demo.mapper.LockUserMapper;
import com.example.demo.model.LockUser;
import com.example.demo.model.User;
import com.example.demo.model.UserLoginAttempts;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.social.connect.web.HttpSessionSessionStrategy;
import org.springframework.social.connect.web.SessionStrategy;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

import javax.servlet.http.HttpServletRequest;
import java.util.ArrayList;
import java.util.List;

/**
 * Created by linziyu on 2019/2/9.
 *
 *
 */

@Component("MyUserDetailService")
@Slf4j
public class MyUserDetailService implements UserDetailsService{



    @Autowired
    private UserService userService;

    // @Autowired
    // private LockUserMapper lockUserMapper;

    // private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();



    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        // List<GrantedAuthority> grantedAuthorityList = new ArrayList<>();
        // grantedAuthorityList.add(new GrantedAuthority() {
        //     @Override
        //     public String getAuthority() {
        //         return "admin";
        //     }
        // });
        User user = userService.findByUserName(s);//数据库查询 看用户是否存在
        // ServletRequestAttributes servletRequestAttributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        // HttpServletRequest request = servletRequestAttributes.getRequest();
        // request.setAttribute("username",s);

        if (user == null){
            throw new ValidateCodeException("用户不存在");
        }

//         LockUser lockUser = lockUserMapper.findLockUserById(user.getId());
//         log.info("{}",lockUser);
//         if ( lockUser != null) {
// //            throw new LockedException("LOCK");
//             user.setCheckLockIsOrNot(false);
//         }
        return user;

    }
}



Spring Security的核心配置类:

因为只聚焦登录验证这个操作,其它功能就先注释掉了。

BrowerSecurityConfig.class:


package com.example.demo.config;

import com.example.demo.filter.ValidateCodeFilter;
import com.example.demo.handle.UserAuthenticationAccessDeniedHandler;
import com.example.demo.handle.UserLoginAuthenticationFailureHandler;
import com.example.demo.handle.UserLoginAuthenticationSuccessHandler;
import com.example.demo.handle.UserLogoutSuccessHandler;
import com.example.demo.service.MyUserDetailService;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

import javax.annotation.Resource;
import javax.sql.DataSource;

/**
 * Created by linziyu on 2019/2/8.
 *
 *Spirng Security 核心配置类
 *
 */
@Configuration//标识为配置类
@EnableWebSecurity//启动Spring Security的安全管理
// @EnableGlobalMethodSecurity(securedEnabled = true)
// @Slf4j
public class BrowerSecurityConfig extends WebSecurityConfigurerAdapter {


    private final static BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // @Resource(name = "dataSource")
    // DataSource dataSource;

    @Bean
    public PasswordEncoder passwordEncoder(){//密码加密类
        return  new BCryptPasswordEncoder();
    }

    @Bean
    public MyUserDetailService myUserDetailService(){
        return new MyUserDetailService();
    }

//     @Bean
//     public PersistentTokenRepository persistentTokenRepository() {
//         JdbcTokenRepositoryImpl jdbcTokenRepository = new JdbcTokenRepositoryImpl();
//         // 配置数据源
//         jdbcTokenRepository.setDataSource(dataSource);
//         // 第一次启动的时候自动建表(可以不用这句话,自己手动建表,源码中有语句的)
// //         jdbcTokenRepository.setCreateTableOnStartup(true);
//         return jdbcTokenRepository;
//     }



    @Autowired
    private UserLoginAuthenticationFailureHandler userLoginAuthenticationFailureHandler;//验证失败的处理类

    @Autowired
    private UserLoginAuthenticationSuccessHandler userLoginAuthenticationSuccessHandler;//验证成功的处理类

    // @Autowired
    // private UserLogoutSuccessHandler userLogoutSuccessHandler;

    // @Autowired
    // private UserAuthenticationAccessDeniedHandler userAuthenticationAccessDeniedHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
        // http
        //         .headers().frameOptions().sameOrigin();//设置弹出层

        // http
        //       .authorizeRequests()
        //         .and()
        //         .rememberMe()
        //  .tokenRepository(persistentTokenRepository())
        // .userDetailsService(myUserDetailService());;

        http
                .authorizeRequests()
                // .antMatchers("/admin/**","/setUserAdmin","/setUser","/deleteUserById")
                // .access("hasRole('ROLE_ADMIN')")//只有管理员才能访问
                .antMatchers("/home","/static/**","/getAllUser","/register_page",
                        "/register","/checkNameIsExistOrNot","/code/image")//静态资源等不需要验证
                .permitAll()//不需要身份认证
                .anyRequest().authenticated();//其他路径必须验证身份

        http   
                .formLogin()
                .loginPage("/login_page")//登录页面,加载登录的html页面
                .loginProcessingUrl("/login")//发送Ajax请求的路径
                .usernameParameter("username")//请求验证参数
                .passwordParameter("password")//请求验证参数
                .failureHandler(userLoginAuthenticationFailureHandler)//验证失败处理
                .successHandler(userLoginAuthenticationSuccessHandler)//验证成功处理
                .permitAll();//登录页面无需设置验证

               //  .and()
               //  .rememberMe()
               // .tokenRepository(persistentTokenRepository())
               //  // 失效时间
               //  .tokenValiditySeconds(3600)
               //  .userDetailsService(myUserDetailService());



        // http
        //         .logout()
        //         .logoutSuccessHandler(userLogoutSuccessHandler)//登出处理
        //         .permitAll()
        //         .and()
        //         .csrf().disable()
        //         .exceptionHandling().accessDeniedHandler(userAuthenticationAccessDeniedHandler);//无权限时的处理




    }



    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(myUserDetailService()).passwordEncoder(new PasswordEncoder() {
            @Override
            public String encode(CharSequence charSequence) {
                return ENCODER.encode(charSequence);
            }

            //密码匹配,看输入的密码经过加密与数据库中存放的是否一样
            @Override
            public boolean matches(CharSequence charSequence, String s) {
                return ENCODER.matches(charSequence,s);
            }
        });
    }

}

定义认证成功和失败时候的处理:

UserLoginAuthenticationSuccessHandler.class:

package com.example.demo.handle;

import com.example.demo.common.JsonData;
import com.google.gson.Gson;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

/**
 * Created by linziyu on 2019/2/9.
 *
 * 用户认证成功处理类
 */

@Component("UserLoginAuthenticationSuccessHandler")
@Slf4j
public class UserLoginAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {


    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        JsonData jsonData = new JsonData(200,"认证OK");
        String json = new Gson().toJson(jsonData);
        response.setContentType("application/json;charset=utf-8");
        PrintWriter out = response.getWriter();

        out.write(json);
        out.flush();
        out.close();
    }
}


UserLoginAuthenticationFailureHandler.class:


package com.example.demo.handle;

import com.example.demo.common.DateUtil;
import com.example.demo.common.JsonData;
import com.example.demo.model.User;
import com.example.demo.model.UserLoginAttempts;
import com.example.demo.service.UserService;
import com.google.gson.Gson;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

/**
 * Created by linziyu on 2019/2/9.
 *
 * 用户认证失败处理类
 */

@Component("UserLoginAuthenticationFailureHandler")
@Slf4j
public class UserLoginAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Resource
    private UserService userService;

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception) throws IOException, ServletException {
        // log.info("{}","认证失败");


        // log.info("{}",exception.getMessage());

        // String username = (String) request.getAttribute("username");


        JsonData jsonData = null;
        if (exception.getMessage().equals("用户不存在")){
            jsonData = new JsonData(402,"用户不存在");
        }


        if(exception.getMessage().equals("Bad credentials")){
            jsonData = new JsonData(403,"密码错误");
            // String user_name =userService.findByUserNameAttemps(username);
            // if (user_name == null){
            //     String time = DateUtil.getTimeToString();
            //     UserLoginAttempts userLoginAttempts = new UserLoginAttempts(username,1,time);
            //     userService.saveAttempts(userLoginAttempts);
            // }


            // if(userService.getAttempts(username) == 1){
            //     String time = DateUtil.getTimeToString();
            //     userService.setAttempts(username,time);
            //     jsonData = new JsonData(403,"密码错误,你还有2次机会进行登录操作");
            // }
            // else if(userService.getAttempts(username) == 3){
            //     User user = userService.findByUserName(username);
            //     userService.LockUser(user.getId());
            //     jsonData = new JsonData(403,"最后一次尝试登陆失败,你已经被冻结了");
            // }
            // else if (userService.getAttempts(username) ==2 ){
            //     String time = DateUtil.getTimeToString();
            //     userService.setAttempts(username,time);
            //     jsonData = new JsonData(403,"密码错误,你还有1次机会进行登录操作");
            // }


        }


        // if (exception.getMessage().equals("User account is locked")){
        //     jsonData = new JsonData(100,"LOCK");
        // }

        String json = new Gson().toJson(jsonData);//包装成Json 发送的前台
        response.setContentType("application/json;charset=utf-8");
        PrintWriter out = response.getWriter();

        out.write(json);
        out.flush();
        out.close();



    }
}

前台页面使用的是LayUI

登录页面:

用户不存在:

密码错误:

核心在login.js:


/**
 * Created by linziyu on 2019/2/9.
 */

// 登录处理
layui.use(['form','layer','jquery'], function () {


    var form = layui.form;
    var $ = layui.jquery;

    form.on('submit(login)',function (data) {
            var username = $('#username').val();
            var password = $('#password').val();
            var remember = $('input:checkbox:checked').val();
            var imageCode = $('#imgcode').val();
        $.ajax({

            url:"/login",//请求路径
            data:{
                "username": username,//字段和html页面的要对应  id和name一致
                "password": password,//字段和html页面的要对应
                // "remember-me":remember,
                // "imageCode": imageCode
            },
            dataType:"json",
            type:'post',
            async:false,
            success:function (data) {
                if (data.code == 402){
                    layer.alert("用户名不存在",function () {
                        window.location.href = "/login_page"
                    });
                }
                if (data.code == 403){
                    layer.alert(data.msg,function () {
                        window.location.href = "/login_page"
                    });

                }
                // if (data.code == 100){
                //     layer.alert("该用户已经被冻结,请联系管理员进行解冻",function () {
                //         window.location.href = "/login_page"
                //     });
                // }
                if(data.code == 200){
                    window.location.href = "/";
                }
                // if (data.code == 101){
                //     layer.alert(data.msg,function () {
                //         window.location.href = "/login_page"
                //     });
                // }


            }
        });

    })

});



关于Ajax请求路径为什么是”/login“可以看源码UsernamePasswordAuthenticationFilter.class这是Spring Security Filter 中的第一个进行执行的Filter可以看到在第26行有默认的设置


//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//

package org.springframework.security.web.authentication;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.Assert;

public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
    private String usernameParameter = "username";
    private String passwordParameter = "password";
    private boolean postOnly = true;

    public UsernamePasswordAuthenticationFilter() {
        super(new AntPathRequestMatcher("/login", "POST"));
    }

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if(this.postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        } else {
            String username = this.obtainUsername(request);
            String password = this.obtainPassword(request);
            if(username == null) {
                username = "";
            }

            if(password == null) {
                password = "";
            }

            username = username.trim();
            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
            this.setDetails(request, authRequest);
            return this.getAuthenticationManager().authenticate(authRequest);
        }
    }

    protected String obtainPassword(HttpServletRequest request) {
        return request.getParameter(this.passwordParameter);
    }

    protected String obtainUsername(HttpServletRequest request) {
        return request.getParameter(this.usernameParameter);
    }

    protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
        authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
    }

    public void setUsernameParameter(String usernameParameter) {
        Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
        this.usernameParameter = usernameParameter;
    }

    public void setPasswordParameter(String passwordParameter) {
        Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
        this.passwordParameter = passwordParameter;
    }

    public void setPostOnly(boolean postOnly) {
        this.postOnly = postOnly;
    }

    public final String getUsernameParameter() {
        return this.usernameParameter;
    }

    public final String getPasswordParameter() {
        return this.passwordParameter;
    }
}

数据库操作就不啰嗦了,用的是Mybatis+Mysql组合,无非是CRUD了。

具体demo在我的github: github.com/LinZiYU1996…