stackoom
  简体   繁体   中英

Spring Security for single user

 原文  2016-04-21 02:57:13       java/ spring/ spring-security/ spring-boot/ thymeleaf

Question

I have a web application in which a specific url '/newPost' should only be accessible to one user, the admin. When trying to navigate to '/newPost', the user should be redirected to a login page where he must verify his identity as admin.

This all works, except for when the user fills out the login form, the form gets posted to '/login' everytime. I am currently at a loss as to why it is posting to '/login' instead of the path I redirect to using thyme leafs: th:action="@{/newPost}"

TLDR; I keep getting redirected to /login after submitting login form. I am using Spring boot, Spring security, and thymeleaf.

Controller: 

/*Keeps getting called*/
@RequestMapping(value="/login", method=RequestMethod.GET)
public String login(Model model)
{   
    model.addAttribute("lc", new LoginCredentials());
    System.out.println("Login controller");
    return "login";
}

/*RequestMapping I want to be called*/
@RequestMapping(value="/newPost", method = RequestMethod.GET)
public String isLoggedIn(@ModelAttribute LoginCredentials lc, Model model)
{
    if(lc.isAdmin())
    {
        System.out.println("lc is admin");
        model.addAttribute("bp",new BlogPost());
        return "newPost";
    } else
    {
        System.out.println("lc is not admin");
        return "login";
    }
}

Login Form: 

 <form class="form-signin" th:action="@{/newPost}" th:object="${lc}" method = "post">
    <h2 class="form-signin-heading">Please sign in</h2>
    <label for="inputEmail" class="sr-only">Username</label>
    <input type="text" id="username" class="form-control" th:field="*{inputUsername}" placeholder="Username" required="required" autofocus="autofocus" />
    <label for="inputPassword" class="sr-only">Password</label>
    <input type="password" id="password" th:field="*{inputPsswd}" class="form-control" placeholder="Password" required ="required" />

    <button class="btn btn-lg btn-primary btn-block" type="submit" style="background-color:#F6358A;">Sign in</button>
  </form>

Security Configuration: 

    httpSecurity
    .authorizeRequests()
      .antMatchers("/","/videos","/BlogPost","/index","/aboutUs").permitAll()
      .anyRequest().authenticated()
      .and()
    .formLogin()
      .loginPage("/login")
      .permitAll();

2 answers

solution1
 0  2016-04-21 03:51:01

What's your login page jsp name? Is that "login.jsp"?

You login method return is "login", that means it will return to login.jsp.

User return "/newPost" instead.

solution2
 0 ACCPTED  2016-04-23 02:30:44

My above question was a mess. This was my first time trying to work with Java Spring and my question shows. I hope this explanation helps a future user.

Firstly:

The action should not be different from /login. I was essentially causing an infinite loop of logins because I was sending the user to /newPost by submitted the login form, but they could not access the /newPost until they provided the correct credentials. Spring dutifully redirected the user to /login in order to provide the correct credentials, repeating the process.

This: 

th:action="@{/newPost}"

should be: 

 th:action="@{/login}"

with a corresponding RequestMapping like so: 

@RequestMapping(value="/login", method=RequestMethod.POST)
public String loginPost(Model model)
{   
 //do foo
}

Secondly:

I attempted to do Spring Security's job for it. 

 if(lc.isAdmin())
{
    System.out.println("lc is admin");
    model.addAttribute("bp",new BlogPost());
    return "newPost";
} else
{
    System.out.println("lc is not admin");
    return "login";
}

Since I only needed security for a single user, I should have configured an AuthenticationManagerBuilder object in my security configuration like so: 

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
{
  try 
  {
    auth 
        .inMemoryAuthentication()
          .withUser("admin")
            .password("password")
            .roles("ADMIN");
  } catch (Exception e) {
    e.printStackTrace();
  }
}

Since I changed Springs global configuration, I should not pass in an object to login.html. The new form should use input fields like so: 

 <form class="form-signin" th:action="@{/login}" method = "post">
    <h2 class="form-signin-heading">Please sign in</h2>
    <label for="inputEmail" class="sr-only">Username</label>
    <input type="text" id="username" name="username" class="form-control" placeholder="Username" required="required" autofocus="autofocus" />
    <label for="inputPassword" class="sr-only">Password</label>
    <input type="password" id="password"  name="password" class="form-control" placeholder="Password" required ="required" />

    <button class="btn btn-lg btn-primary btn-block" type="submit" style="background-color:#F6358A;">Sign in</button>
  </form>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring security single sign on Spring Security User Information Spring security not authenticate the user Spring security guest user Spring Security Authentication By User Spring security not authorizing user How can i add multiple user roles to single pathMatcher/Route in Spring WebFlux Security(Reactive Spring Security) Config? Register user to repository Spring Security Spring Security user authentication not working User account is disabled - Spring Security
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM