Spring Boot Security learning (03): adding a custom login page for web login

Time:2020-1-13

Custom login page

Whether we used the default configuration or a custom configuration class, the previous articles relied on the login page that ships with Spring Security. The built-in login page is well designed in this version, but in real development we usually use our own. Here is a very simple login page:

This page contains only the user name and password fields and a form that submits them, nothing else. Note in particular: although the page imports the Thymeleaf template namespace, it does not use any Thymeleaf tag attributes, only native HTML tags. Next, define the path to the login page:

The login page is added.

Modify configuration class

It is easy to add a custom login page in the configuration class. Define the login page link:

After the configuration is completed, start the project and visit the login page. You can see the following error:

The browser reports too many redirects. In the authorization configuration, every path is redirected to the login page when the user is not logged in. Now that the login path is itself a custom path, it keeps redirecting to itself. The login path must be configured to be accessible without authorization. This is simple: you only need to add a `permitAll()` call:

Now restart the project: the login page can be accessed normally, and the account can be entered normally!

CSRF configuration

After the page and configuration class are modified as above, you enter the account to log in, but the login never succeeds and you are always sent back to the login page. What is the reason? As mentioned above, the page uses native HTML tags and does not use the attributes of the Thymeleaf template. In this native case, the login fails because Spring Security turns on CSRF protection by default, so the request must include the CSRF token. The official documentation describes embedding a hidden input in the form to carry the token. The principle is that the hidden input uses the expression provided by Spring Security, namely `${_csrf.token}`; while the page is rendered on the server, the expression is resolved to the token value. In this way the form embeds the token that Spring Security requires, and the login request is no longer rejected for lacking a CSRF token. The method is as follows:

At this point the login succeeds. In Spring Boot 2.1.x there is a second, better solution, which is to use the form tag attribute of the Thymeleaf template:

When the form tag uses the `th:action` attribute, a hidden input tag is added to the form by default. The effect is similar to that of the first solution. If you look at the source code, you can see:

Another solution is to turn off CSRF protection, which solves this problem in almost any scenario. (The solutions above may not be able to resolve the token value in some rendering templates, but you can obtain the token value in the back-end program and render it into the form through a variable of your own, which also works.) The specific method is to disable it in the configuration. My project is built with Spring Boot, so the configuration is written directly in the configuration class and CSRF is disabled with `.csrf().disable()`. However, this scheme exposes the application to CSRF attacks, and it is not recommended in a production environment. If the system is isolated from the outside world, it is also possible to do so. Most of the production environments adopt this scheme.

The above three solutions can solve the problem of unsuccessful login.

Configure the default page after successful login

Now, after a successful login, Spring Security jumps to a path by default. This path is the login link with /login removed. This default jump can also be configured:

Then change the default page to the /home path:

Now, after a successful login, the jump goes to /home:

Configure logout

In addition to login, Spring Security has its own logout, that is, the function for exiting the system. The default path is /logout. We can add a logout operation to the home page:

After logging out, you land on the login page by default, and the browser path should indicate that you have just exited the system, so the path displayed should be /login?logout. But since this path is not authorized, it redirects to the login page again and the displayed path is /login, so we also need to authorize logout:

Now the normal exit path is displayed:

Code address: https://gitee.com/blueses/spring-boot-security 03
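
The configuration steps described on this page, gathered into one class as an added example (not the code from the author's repository). It assumes Spring Boot 2.1.x with Spring Security, Spring MVC and Thymeleaf; the class names `WebSecurityConfig` and `PageController` and the view names `login` and `home` are hypothetical.

```java
// Added example; class and view names are hypothetical.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Every path requires a logged-in user...
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/home")
                // ...except the login page itself; without permitAll() the
                // redirect to /login is itself redirected to /login, forever.
                .permitAll()
                .and()
            .logout()
                // Opens /logout and the /login?logout success URL.
                .permitAll();
        // CSRF protection stays at its default (enabled): no .csrf().disable().
        // The login form must post the token, either via th:action or with:
        //   <input type="hidden" th:name="${_csrf.parameterName}"
        //          th:value="${_csrf.token}"/>
        // With CSRF enabled, /logout is only honoured as a POST, so the logout
        // control on the home page has to be a form carrying the same token.
    }
}

// Serves the Thymeleaf views templates/login.html and templates/home.html.
@Controller
class PageController {
    @GetMapping("/login")
    public String login() { return "login"; }

    @GetMapping("/home")
    public String home() { return "home"; }
}
```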