文章出處
login.css
login.jsp
HelloController
spring-security.xml
文章列表
以下內容參考了 http://www.mkyong.com/spring-security/spring-security-form-login-example/
接上回,在前面的Hello World示例中,Spring Security為我們自動生成了默認登錄頁,對于大多數項目而言,如此簡單的登錄頁并不能滿足實際需求,接下來,我們看看如何自定義登錄頁
一、項目結構
與前一個示例相比較,只是多了一個css樣式以及登錄頁login.jsp,這二個文件具體的內容如下:
1 @CHARSET "UTF-8"; 2 3 .error { 4 padding: 15px; 5 margin-bottom: 20px; 6 border: 1px solid transparent; 7 border-radius: 4px; 8 color: #a94442; 9 background-color: #f2dede; 10 border-color: #ebccd1; 11 } 12 13 .msg { 14 padding: 15px; 15 margin-bottom: 20px; 16 border: 1px solid transparent; 17 border-radius: 4px; 18 color: #31708f; 19 background-color: #d9edf7; 20 border-color: #bce8f1; 21 } 22 23 #login-box { 24 width: 300px; 25 padding: 20px; 26 margin: 100px auto; 27 background: #fff; 28 -webkit-border-radius: 2px; 29 -moz-border-radius: 2px; 30 border: 1px solid #000; 31 }
1 <%@ page language="java" contentType="text/html; charset=UTF-8" 2 pageEncoding="UTF-8"%> 3 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> 4 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 5 <html> 6 <head> 7 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> 8 <title>Login Page</title> 9 <link rel="Stylesheet" type="text/css" href="${pageContext.request.contextPath}/resources/css/login.css" /> 10 </head> 11 <body onload='document.loginForm.username.focus();'> 12 <h1>Spring Security Custom Login Form (XML)</h1> 13 14 <div id="login-box"> 15 <h3>Login with Username and Password</h3> 16 <c:if test="${not empty error}"> 17 <div class="error">${error}</div> 18 </c:if> 19 <c:if test="${not empty msg}"> 20 <div class="msg">${msg}</div> 21 </c:if> 22 <form name='loginForm' 23 action="<c:url value='j_spring_security_check' />" method='POST'> 24 <table> 25 <tr> 26 <td>User:</td> 27 <td><input type='text' name='username' value=''></td> 28 </tr> 29 <tr> 30 <td>Password:</td> 31 <td><input type='password' name='password' /></td> 32 </tr> 33 <tr> 34 <td colspan='2'><input name="submit" type="submit" 35 value="submit" /></td> 36 </tr> 37 </table> 38 <input type="hidden" name="${_csrf.parameterName}" 39 value="${_csrf.token}" /> 40 </form> 41 </div> 42 </body> 43 </html>
有幾個地方解釋一下:
第9行,css靜態資源的引用方式,如果對Spring MVC不熟悉的人,可借此示例學習一下
15-20行,用了一個if標簽來判斷登錄驗證是否有錯,如果驗證失敗,則顯示錯誤信息,其中error,msg這二個變量,是從Controller里返回的信息(后面馬上會講到)
23行form表單的action地址留意一下,這個不能改,這是Spring Security的約定
38-39行的隱藏域_csrf,這是用來防止跨站提交攻擊的,如果看不懂,可暫時無視。
二、Controller
1 package com.cnblogs.yjmyzz; 2 3 import org.springframework.stereotype.Controller; 4 import org.springframework.web.bind.annotation.RequestMapping; 5 import org.springframework.web.bind.annotation.RequestMethod; 6 import org.springframework.web.bind.annotation.RequestParam; 7 import org.springframework.web.servlet.ModelAndView; 8 9 @Controller 10 public class HelloController { 11 12 @RequestMapping(value = { "/", "/welcome" }, method = RequestMethod.GET) 13 public ModelAndView welcome() { 14 15 ModelAndView model = new ModelAndView(); 16 model.addObject("title", "Spring Security Custom Login Form"); 17 model.addObject("message", "This is welcome page!"); 18 model.setViewName("hello"); 19 return model; 20 21 } 22 23 @RequestMapping(value = "/admin", method = RequestMethod.GET) 24 public ModelAndView admin() { 25 26 ModelAndView model = new ModelAndView(); 27 model.addObject("title", "Spring Security Custom Login Form"); 28 model.addObject("message", "This is protected page!"); 29 model.setViewName("admin"); 30 31 return model; 32 33 } 34 35 //新增加的Action方法,映射到 36 // 1. /login 登錄頁面的常規顯示 37 // 2. /login?error 登錄驗證失敗的展示 38 // 3. /login?logout 注銷登錄的處理 39 @RequestMapping(value = "/login", method = RequestMethod.GET) 40 public ModelAndView login( 41 @RequestParam(value = "error", required = false) String error, 42 @RequestParam(value = "logout", required = false) String logout) { 43 44 ModelAndView model = new ModelAndView(); 45 if (error != null) { 46 model.addObject("error", "Invalid username and password!"); 47 } 48 49 if (logout != null) { 50 model.addObject("msg", "You've been logged out successfully."); 51 } 52 model.setViewName("login"); 53 54 return model; 55 56 } 57 58 }
增加了一個login方法,映射到登錄的三種情況(常規顯示,出錯展示,注銷登錄)
三、spring-security.xml
1 <beans:beans xmlns="http://www.springframework.org/schema/security" 2 xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 3 xsi:schemaLocation="http://www.springframework.org/schema/beans 4 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 5 http://www.springframework.org/schema/security 6 http://www.springframework.org/schema/security/spring-security-3.2.xsd"> 7 8 <http auto-config="true"> 9 <intercept-url pattern="/admin" access="ROLE_USER" /> 10 <form-login login-page="/login" default-target-url="/welcome" 11 authentication-failure-url="/login?error" username-parameter="username" 12 password-parameter="password" /> 13 <logout logout-success-url="/login?logout" /> 14 <!-- enable csrf protection --> 15 <csrf /> 16 </http> 17 18 <authentication-manager> 19 <authentication-provider> 20 <user-service> 21 <user name="yjmyzz" password="123456" authorities="ROLE_USER" /> 22 </user-service> 23 </authentication-provider> 24 </authentication-manager> 25 26 </beans:beans>
注意8-16行的變化,一看即懂,就不多做解釋了
運行效果:
登錄頁正常顯示的截圖
登錄失敗的截圖
有興趣的還可以看下對應的html源代碼
防跨站提交攻擊的_csrf隱藏域,會生成一個隨機的類似guid字符串來做校驗,以確定本次http post確實是從本頁面發起的,這跟asp.net里mac ViewState的思路一致。
最后附示例源代碼下載:SpringSecurity-CustomLoginForm-XML(0717).zip
文章列表
全站熱搜
留言列表
