页，如果登录表单自定义表单成功

Question

我是春天保安的新手。在角度上，我有一个自定义表单，它向这个控制器发送一个post：

@RestController
public class LoginController {
    @PostMapping("/login")
    public ResponseEntity<String> login(@RequestBody User user) {
        if (user.getUsername().equals("linda") && user.getPassword().equals("pass")) {
            return ResponseEntity.ok("Access granted");
        }
        return ResponseEntity.badRequest().body("Access denied");
    }
}

如果登录成功，用户应该可以访问页面/welcome，否则该页面将被禁止。

这就是我尝试过的：

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class Config {
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(10);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers("/welcome").hasAnyRole("ADMIN")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin(form -> form.loginPage("/login").permitAll());
        return http.build();
    }

    @Bean
    public InMemoryUserDetailsManager userDetailsManager() {
        var linda = User.builder()
                .username("linda")
                .password(passwordEncoder().encode("pass"))
                .roles("ADMIN")
                .build();
        return new InMemoryUserDetailsManager(linda);
    }
}

当我调用/login时，我得到了不允许的状态405 -方法。

​

​

可能我什么都做错了。如何才能正确地做到这一点？

Answer 1

在您的登录端点中应该更新两件事：

1. @PostMapping("login")应该是@PostMapping("/login")
2. 您应该将包含用户名和密码的类定义为字段，并将端点参数更新为以下内容： public ResponseEntity<String> login(@RequestBody CustomUser customUser) { 或者您可以如下所示使用它：public ResponseEntity<String> login(@RequestParam(value = "username") String username, @RequestParam(value = "password") String password) {

更新:

Following your update, i've resimulate your scenario and the configuration is wrong as you've already mentioned.

配置应该如下所示，不需要创建登录端点：

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder(10);
}

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.csrf().disable().authorizeRequests().antMatchers("/login", "/loginFailed").permitAll()
            .antMatchers("/welcome").hasAnyRole("ADMIN").anyRequest()
            .authenticated().and()
            .formLogin(form -> form.loginPage("/login")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .defaultSuccessUrl("/welcome")
                    .failureUrl("/loginFailed"));
    return http.build();
}

@Bean
public InMemoryUserDetailsManager userDetailsManager() {
    UserDetails linda = User.builder().username("linda")
            .password(passwordEncoder().encode("pass")).roles("ADMIN")
            .build();
    return new InMemoryUserDetailsManager(linda);
}

但是，用户名和密码应该按照"UsernamePasswordAuthenticationFilter“中的默认配置在查询param中提交。您可以通过实现自定义UsernamePasswordAuthenticationFilter来更改默认行为。(检查这)

​

​

端点：

@GetMapping("/welcome")
public ResponseEntity<String> welcome(Authentication authentication) {
    return ResponseEntity.ok("Weclome [" + authentication.getName() + "]");
}

@GetMapping("/loginFailed")
public ResponseEntity<String> login() {
    return ResponseEntity.ok("Failed to login");
}

希望它能帮上忙