Tekken


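1. Login

  • Create a SecurityConfig configuration class that extends WebSecurityConfigurerAdapter and overrides the configure method

  • http.formLogin() enables form login

  • http.formLogin().loginPage("/authentication/require") sets the URL a request is redirected to by default when it requires authentication, that is, the login page

  • http.formLogin().loginProcessingUrl("/authentication/form") sets the URL that processes username/password login requests, that is, the action URL of the login form

  • At login you need to tell whether the request is an HTML (browser) request or an app-style request. When Spring Security decides that a request requires authentication, it caches that request in the RequestCache; when the redirect reaches the login-page controller, take the request out of the RequestCache, read its type, and decide whether to return a page or JSON

private RequestCache requestCache = new HttpSessionRequestCache();
  • Put the HTML page URL in the yml file and map the yml to a properties class; give the url field in that class a default value, which is used when the configuration file does not set it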

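2. Login success handling

  • By default, after a successful login Spring Security goes to the URL that was requested before logging in. For example, if the user asked for the user list, they are redirected to the user list page once logged in. When the front end logs in through AJAX, a redirect after login is not appropriate
  • Create a class that extends SavedRequestAwareAuthenticationSuccessHandler and override onAuthenticationSuccess to handle the logic that runs after a successful login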
@Component("imoocAuthenticationSuccessHandler")
public class ImoocAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
	private Logger logger = LoggerFactory.getLogger(getClass());
	@Autowired
	private ObjectMapper objectMapper;
	@Autowired
	private SecurityProperties securityProperties;
	@Override
	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) throws IOException, ServletException {
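		logger.info("登录成功");
		if (LoginResponseType.JSON.equals(securityProperties.getBrowser().getLoginType())) {
			// JSON mode (AJAX/app clients): write the Authentication as JSON instead of redirecting.
			// This sends the principal, authorities and details to the client.
			response.setContentType("application/json;charset=UTF-8");
			response.getWriter().write(objectMapper.writeValueAsString(authentication));
		} else {
			// Redirect mode: the parent class redirects to the originally requested URL.
			super.onAuthenticationSuccess(request, response, authentication);
		}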
	}
}
  • http.formLogin().successHandler() registers the handler that runs after a successful login
public class AbstractChannelSecurityConfig extends WebSecurityConfigurerAdapter {

	@Autowired
	protected AuthenticationSuccessHandler imoocAuthenticationSuccessHandler;
	
	@Autowired
	protected AuthenticationFailureHandler imoocAuthenticationFailureHandler;
	
	protected void applyPasswordAuthenticationConfig(HttpSecurity http) throws Exception {
		http.formLogin()
			.loginPage(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL)
			.loginProcessingUrl(SecurityConstants.DEFAULT_LOGIN_PROCESSING_URL_FORM)
			.successHandler(imoocAuthenticationSuccessHandler)
			.failureHandler(imoocAuthenticationFailureHandler);
	}
	
}

3. Login failure handling

  • Login failure is handled in much the same way as login success
  • failureHandler(imoocAuthenticationFailureHandler); registers the handler that runs when login fails
@Component("imoocAuthenctiationFailureHandler")
public class ImoocAuthenctiationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
	private Logger logger = LoggerFactory.getLogger(getClass());
	@Autowired
	private ObjectMapper objectMapper;
	@Autowired
	private SecurityProperties securityProperties;

	@Override
	public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
			AuthenticationException exception) throws IOException, ServletException {
		logger.info("登录失败");
		if (LoginResponseType.JSON.equals(securityProperties.getBrowser().getLoginType())) {
			// JSON mode: return HTTP 500 with the exception message wrapped in SimpleResponse.
			response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
			response.setContentType("application/json;charset=UTF-8");
			response.getWriter().write(objectMapper.writeValueAsString(new SimpleResponse(exception.getMessage())));
		}else{
			// Redirect mode: default failure handling of the parent class.
			super.onAuthenticationFailure(request, response, exception);
		}
	}
}

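4. Sharing user information

  • The SecurityContext filter checks whether the session holds user information; if it does, the filter puts it on the current thread. When the request ends, the SecurityContext filter checks whether the thread holds a context; if it does, the filter puts it into the session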

posted on 2020-01-07 17:13  Tekken250