use*_*213 5 java spring spring-mvc spring-security
I ran into a problem configuring Spring Security for a single-page application.
So, the default configuration looks like this:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Application-provided user lookup, wired by bean name
    @Autowired
    @Qualifier("customUserDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/", "/list").permitAll()
            .antMatchers("/admin/**").access("hasRole('ADMIN')")
            // Redirect-based form login: success goes to "/", failure back to /login
            .and().formLogin().loginPage("/login").permitAll()
            .usernameParameter("ssoId").passwordParameter("password")
            .and().csrf()
            // Forward to an error page on insufficient privileges
            .and().exceptionHandling().accessDeniedPage("/Access_Denied");
    }

    @Bean(name = "authenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
```
According to the documentation of the Login() method, .loginPage("/login") is used to redirect to the login page. For a single page this configuration is not relevant. How should I configure Spring for a single-page application? I mean, how do I configure login and logout in the controller and in the configuration file?

Spring Lemon is a complete example of this, but let me summarize it below.

By default, when a user logs in successfully, Spring Security redirects them to the home page. On login failure, or after a successful logout, the user is redirected back to the login page. Likewise, when the user tries to access a URL for which they lack sufficient privileges, they are redirected to the login page.

As you said, this behavior is not suitable for a single-page application. Your API should send a 200 response along with the user data, or a 4xx response. This can be done by providing your own handlers, like this:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .formLogin()
            // ...
            .successHandler(/* your authentication success handler object */)
            .failureHandler(/* your authentication failure handler object */)
        .and()
        .logout()
            // ...
            .logoutSuccessHandler(/* your logout success handler object */)
        .and()
        .exceptionHandling()
            .authenticationEntryPoint(new Http403ForbiddenEntryPoint());
            // ...
}
```
You will find many examples on the Internet of how to write these handler classes. For example, in the spring-lemon project they are coded as follows.
```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

import com.fasterxml.jackson.databind.ObjectMapper;

// LemonService and AbstractUser are spring-lemon's own classes (imports omitted here)
@Component
public class AuthenticationSuccessHandler
        extends SimpleUrlAuthenticationSuccessHandler {

    @Autowired
    private ObjectMapper objectMapper;

    @Autowired
    private LemonService<?, ?> lemonService;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {

        // 200 with the current user serialized as JSON, instead of the default redirect
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);

        AbstractUser<?, ?> currentUser = lemonService.userForClient();
        response.getOutputStream().print(
                objectMapper.writeValueAsString(currentUser));

        // Drop the exception stored in the session by a previous failed attempt
        clearAuthenticationAttributes(request);
    }
}
```
In short, it returns a 200 response with the JSONified current user in the response body.

Authentication failure handler

In fact, there is no need to write a class for the authentication failure handler: SimpleUrlAuthenticationFailureHandler is provided by Spring and, when instantiated without any arguments, behaves as required.
```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

public class LemonLogoutSuccessHandler
        implements LogoutSuccessHandler {

    @Override
    public void onLogoutSuccess(HttpServletRequest request,
                                HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {

        // Just acknowledge the logout; no redirect to a login page
        response.setStatus(HttpServletResponse.SC_OK);
    }
}
```
For detailed examples, the LemonSecurityConfig class of Spring Lemon and the other classes in its security package may be helpful.
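As an added example (not code from the question or from Spring Lemon), here is a complete configuration along the lines of the answer above, built only from Spring Security's own classes and lambdas, so no separate handler classes are needed. It assumes Spring Security 5.x with WebSecurityConfigurerAdapter as in the question, Java 9+, and javax.servlet plus Jackson on the classpath; the URLs /api/login, /api/logout and /api/admin/**, the static paths and the class name SpaSecurityConfiguration are chosen for illustration, and the UserDetailsService wiring already shown in the question is omitted. Every outcome (success, bad credentials, not logged in, logged in but not authorized, logout) becomes a status code plus a small JSON body instead of a redirect, and CSRF protection stays enabled.

```java
// Added illustration, not the question's or Spring Lemon's code. Assumes Spring Security 5.x,
// Java 9+, javax.servlet and Jackson; all URLs below are made up for the example.
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

import com.fasterxml.jackson.databind.ObjectMapper;

@Configuration
@EnableWebSecurity
public class SpaSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private final ObjectMapper objectMapper = new ObjectMapper();

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/index.html", "/static/**").permitAll()
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            .formLogin()
                // The SPA POSTs ssoId/password here; there is no server-rendered login page,
                // so no loginPage(...) and therefore nothing to redirect to.
                .loginProcessingUrl("/api/login")
                .usernameParameter("ssoId").passwordParameter("password")
                // 200 + JSON about the principal instead of a redirect to "/"
                .successHandler((request, response, authentication) ->
                    writeJson(response, HttpServletResponse.SC_OK, principal(authentication)))
                // 401 + a deliberately generic message instead of a redirect to /login?error
                .failureHandler((request, response, exception) ->
                    writeJson(response, HttpServletResponse.SC_UNAUTHORIZED,
                        Map.of("error", "Bad credentials")))
            .and()
            .logout()
                .logoutUrl("/api/logout")
                // Plain 200 instead of a redirect to /login?logout (Spring's own class)
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK))
            .and()
            .exceptionHandling()
                // Anonymous request to a protected URL: 401, not a redirect to a login page
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                // Logged in but lacking the role: 403 JSON instead of forwarding to /Access_Denied
                .accessDeniedHandler((request, response, exception) ->
                    writeJson(response, HttpServletResponse.SC_FORBIDDEN,
                        Map.of("error", "Access denied")))
            .and()
            // CSRF stays on: the token is issued in a readable XSRF-TOKEN cookie so the SPA can
            // send it back in the X-XSRF-TOKEN header on POST/PUT/DELETE, including /api/login.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }

    /** Minimal, non-sensitive view of the logged-in user for the client. */
    private static Map<String, Object> principal(Authentication authentication) {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("username", authentication.getName());
        body.put("roles", authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList()));
        return body;
    }

    /** Shared by every handler above: set the status and write a small JSON body. */
    private void writeJson(HttpServletResponse response, int status, Map<String, ?> body)
            throws IOException {
        response.setStatus(status);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        objectMapper.writeValue(response.getOutputStream(), body);
    }
}
```

On the client side the SPA first loads a permitted resource such as /index.html, which makes the CsrfFilter issue the XSRF-TOKEN cookie; it then POSTs ssoId and password to /api/login with the cookie value copied into the X-XSRF-TOKEN header, and branches on the status code (200 with the user JSON, 401 otherwise) rather than on a Location header. /api/login needs no permitAll() rule because the form-login filter handles that POST before the authorization check runs. The 401 body is generic on purpose so that responses do not reveal whether the username exists.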