Spring Security — registration
I am using this template for registration: https://github.com/hellokoding/registration-login-spring-xml-maven-jsp-mysql
Controller:
    @RequestMapping(value = "/register", method = POST)
    public String registration(@ModelAttribute("userForm") User userForm) {
        userService.add(userForm);
        securityService.autologin(userForm.getUsername(), userForm.getPassword());
        return "redirect:/notes/";
    }
The autologin method:
    @Override
    public void autologin(final String username, final String password) {
        UserDetails userDetails = userDetailsService.loadUserByUsername(username);
        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
                new UsernamePasswordAuthenticationToken(userDetails, password, userDetails.getAuthorities());
        authenticationManager.authenticate(usernamePasswordAuthenticationToken);
        if (usernamePasswordAuthenticationToken.isAuthenticated()) {
            SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
        }
    }
The loadUserByUsername method:
    @Override
    @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(final String username) throws UsernameNotFoundException {
        User user = userRepository.findByName(username);
        // The UserDetailsService contract forbids returning null: signal an unknown user explicitly.
        if (user == null) {
            throw new UsernameNotFoundException(username);
        }
        // Map each stored role name to a Spring Security authority.
        Set<GrantedAuthority> grantedAuthorities = user.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority(role.getName()))
                .collect(Collectors.toSet());
        return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), grantedAuthorities);
    }
The http configuration:
    <http auto-config="true" >
        <intercept-url pattern="/notes**" access="authenticated" />
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/auth**" access="permitAll" />
        <intercept-url pattern="/accessDenied" access="permitAll" />
        <access-denied-handler error-page="/accessDenied" />
        <logout logout-success-url="/auth/login?logout" />
        <form-login
            default-target-url="/notes/"
            login-page="/auth/login"
            login-processing-url="/j_spring_security_check"
            username-parameter="username"
            password-parameter="password"
        />
        <remember-me data-source-ref="dataSource" />
        <session-management session-fixation-protection="newSession" >
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </session-management>
    </http>
But when I create an account, after the "registration" page I end up on the "login" page, and the user is added to the database. But I should get redirect:/notes/.
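The authenticate(Authentication auth) method of AuthenticationManager returns a newly created Authentication object, rather than modifying the one you passed as a parameter.
In fact, the autologin() method is doing what it is supposed to do. I would try it like this: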
    public void autologin(final String username, final String password) {
        // Unauthenticated request token: principal and credentials only.
        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
                new UsernamePasswordAuthenticationToken(username, password);
        Authentication authResult = authenticationManager.authenticate(usernamePasswordAuthenticationToken);
        if (authResult.isAuthenticated()) {
            // Store the object returned by the manager, not the request token.
            SecurityContextHolder.getContext().setAuthentication(authResult);
        }
    }
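When you call AuthenticationManager.authenticate(Authentication auth), the AuthenticationManager itself will try the authentication process against every AuthenticationProvider that matches the Authentication class, and the provider itself has to call UserDetailsService.loadUserByUsername(String username).
So calling the UserDetailsService first, bypassing the AuthenticationManager / AuthenticationProvider structure, and then trying to authenticate the Authentication object you created in your service from the UserDetails against the Manager / Provider / UserDetailsService is a bit awkward.
Please try my "autologin" snippet (instead of your own) and see if it works.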
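The difference between the request token and the object returned by authenticate(), as an added example that is not part of the original question or answer. The class name AutologinDemo and the hard-coded "alice" / "s3cret" provider are constructed stand-ins for the project's real provider; it assumes spring-security-core on the classpath.

```java
import java.util.Collections;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class AutologinDemo {
    // Constructed stand-in for the real provider: one hard-coded sample account.
    static final AuthenticationProvider PROVIDER = new AuthenticationProvider() {
        @Override
        public Authentication authenticate(Authentication request) {
            if (!"alice".equals(request.getName()) || !"s3cret".equals(request.getCredentials())) {
                throw new BadCredentialsException("Bad credentials");
            }
            // A provider answers with a NEW, trusted token (three-argument constructor).
            return new UsernamePasswordAuthenticationToken(request.getName(),
                    request.getCredentials(), AuthorityUtils.createAuthorityList("ROLE_USER"));
        }

        @Override
        public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    };
    static final AuthenticationManager MANAGER =
            new ProviderManager(Collections.singletonList(PROVIDER));

    // Returns true only when the manager accepted the credentials.
    static boolean autologin(String username, String password) {
        // Two-argument constructor: an unauthenticated request, isAuthenticated() is false.
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication result = MANAGER.authenticate(request);
            // Store the manager's result; the request token was never verified.
            SecurityContextHolder.getContext().setAuthentication(result);
            return result.isAuthenticated();
        } catch (AuthenticationException e) {
            // Rejected credentials must not leave any identity in the context.
            SecurityContextHolder.clearContext();
            return false;
        }
    }

    public static void main(String[] args) {
        Authentication request = new UsernamePasswordAuthenticationToken("alice", "s3cret");
        System.out.println("request token trusted: " + request.isAuthenticated());
        System.out.println("manager result trusted: " + MANAGER.authenticate(request).isAuthenticated());
        System.out.println("wrong password logs in: " + autologin("alice", "wrong"));
    }
}
```

A token built with the three-argument constructor, as in the question's autologin, reports isAuthenticated() as true before any check has run, so testing that flag on the request token proves nothing about the credentials.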