You might be wondering where the login form came from when you were prompted to log in, since we made no mention of any HTML files or JSPs. In fact, since we didn’t explicitly set a URL for the login page, Spring Security generates one automatically, based on the features that are enabled and using standard values for the URL which processes the submitted login, the default target URL the user will be sent to after logging in and so on. However, the namespace offers plenty of support to allow you to customize these options. For example, if you want to supply your own login page, you could use:

<http>
    <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page='/login.jsp'/>
</http>

Also note that we’ve added an extra intercept-url element to say that any requests for the login page should be available to anonymous users [3: see the chapter on anonymous authentication and also the AuthenticatedVoter class for more details on how the value IS_AUTHENTICATED_ANONYMOUSLY is processed]. Otherwise the request would be matched by the pattern /** and it wouldn’t be possible to access the login page itself! This is a common configuration error and will result in an infinite loop in the application. Spring Security will emit a warning in the log if your login page appears to be secured. It is also possible to have all requests matching a particular pattern bypass the security filter chain completely, by defining a separate http element for the pattern like this:

<http pattern="/css/**" security="none"/>
<http pattern="/login.jsp*" security="none"/>

<http use-expressions="false">
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page='/login.jsp'/>
</http>

From Spring Security 3.1 it is now possible to use multiple http elements to define separate security filter chain configurations for different request patterns. If the pattern attribute is omitted from an http element, it matches all requests. Creating an unsecured pattern is a simple example of this syntax, where the pattern is mapped to an empty filter chain [4]. We’ll look at this new syntax in more detail in the chapter on the Security Filter Chain.

It’s important to realise that these unsecured requests will be completely oblivious to any Spring Security web-related configuration or additional attributes such as requires-channel, so you will not be able to access information on the current user or call secured methods during the request. Use access='IS_AUTHENTICATED_ANONYMOUSLY' as an alternative if you still want the security filter chain to be applied.
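As an added illustration (not code from the Spring Security reference or from this post), the following Python script models the first-match-wins evaluation of ordered intercept-url rules and of multiple http elements, and shows why the login page must either be granted IS_AUTHENTICATED_ANONYMOUSLY ahead of the /** rule or be mapped to a chain with security="none". The Ant-style matcher and the chain model are simplified assumptions, not Spring's AntPathMatcher or FilterChainProxy.

```python
import re

# Simplified Ant-style matcher covering '**', '*' and '?' (an assumption that
# suffices for the patterns on this page; not Spring's AntPathMatcher).
def ant_match(pattern, path):
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] in "*?":
            out, i = out + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.fullmatch(out, path) is not None

# An <http> element is modelled as (pattern, rules); rules are ordered
# (pattern, access) pairs and an empty rule list stands for security="none".
def select_chain(chains, path):
    # The first <http> whose pattern matches wins; no pattern matches everything.
    for pattern, rules in chains:
        if pattern is None or ant_match(pattern, path):
            return rules
    return None

def first_matching_access(rules, path):
    # intercept-url rules are tried in declaration order; the first match wins.
    for pattern, access in rules:
        if ant_match(pattern, path):
            return access
    return None

def login_page_reachable(chains, login_page):
    # security="none" (or no matching chain) bypasses the filters entirely.
    # Otherwise anonymous access must be granted explicitly, or an unauthenticated
    # user is redirected from the login page to the login page: the loop the text warns about.
    rules = select_chain(chains, login_page)
    if not rules:
        return True
    return first_matching_access(rules, login_page) == "IS_AUTHENTICATED_ANONYMOUSLY"

# Constructed configurations mirroring the snippets above.
BROKEN = [(None, [("/**", "ROLE_USER")])]
FIXED_ANONYMOUS = [(None, [("/login.jsp*", "IS_AUTHENTICATED_ANONYMOUSLY"),
                           ("/**", "ROLE_USER")])]
FIXED_NONE = [("/css/**", []), ("/login.jsp*", []), (None, [("/**", "ROLE_USER")])]
# Declaring the catch-all rule first silently shadows the anonymous rule.
SHADOWED = [(None, [("/**", "ROLE_USER"),
                    ("/login.jsp*", "IS_AUTHENTICATED_ANONYMOUSLY")])]
```

Running login_page_reachable over a configuration before deploying it catches both the missing anonymous rule and the rule-ordering mistake that the log warning would otherwise report at runtime.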
If you want to use basic authentication instead of form login, then change the configuration to
<http use-expressions="false">
    <intercept-url pattern="/**" access="ROLE_USER" />
    <http-basic />
</http>

Basic authentication will then take precedence and will be used to prompt for a login when a user attempts to access a protected resource. Form login is still available in this configuration if you wish to use it, for example through a login form embedded in another web page.

Setting a Default Post-Login Destination

If a form login isn’t prompted by an attempt to access a protected resource, the default-target-url option comes into play. This is the URL the user will be taken to after successfully logging in, and defaults to "/". You can also configure things so that the user always ends up at this page (regardless of whether the login was "on-demand" or they explicitly chose to log in) by setting the always-use-default-target attribute to "true". This is useful if your application always requires that the user starts at a "home" page, for example:


<http pattern="/login.htm*" security="none"/>
<http use-expressions="false">
    <intercept-url pattern='/**' access='ROLE_USER' />
    <form-login login-page='/login.htm' default-target-url='/home.htm'
        always-use-default-target='true' />
</http>

For even more control over the destination, you can use the authentication-success-handler-ref attribute as an alternative to default-target-url. The referenced bean should be an instance of AuthenticationSuccessHandler. You’ll find more on this in the Core Filters chapter and also in the namespace appendix, as well as information on how to customize the flow when authentication fails.

6.2.4 Logout Handling

The logout element adds support for logging out by navigating to a particular URL. The default logout URL is /logout, but you can set it to something else using the logout-url attribute. More information on other available attributes may be found in the namespace appendix.

6.2.5 Using other Authentication Providers

In practice you will need a more scalable source of user information than a few names added to the application context file. Most likely you will want to store your user information in something like a database or an LDAP server. LDAP namespace configuration is dealt with in the LDAP chapter, so we won’t cover it here. If you have a custom implementation of Spring Security’s UserDetailsService, called "myUserDetailsService" in your application context, then you can authenticate against this using


<authentication-manager>
    <authentication-provider user-service-ref='myUserDetailsService'/>
</authentication-manager>

If you want to use a database, then you can use

<authentication-manager>
    <authentication-provider>
        <jdbc-user-service data-source-ref="securityDataSource"/>
    </authentication-provider>
</authentication-manager>

Where "securityDataSource" is the name of a DataSource bean in the application context, pointing at a database containing the standard Spring Security user data tables. Alternatively, you could configure a Spring Security JdbcDaoImpl bean and point at that using the user-service-ref attribute:


<authentication-manager>
    <authentication-provider user-service-ref='myUserDetailsService'/>
</authentication-manager>

<beans:bean id="myUserDetailsService"
    class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <beans:property name="dataSource" ref="dataSource"/>
</beans:bean>

You can also use standard AuthenticationProvider beans as follows:


<authentication-manager>
    <authentication-provider ref='myAuthenticationProvider'/>
</authentication-manager>

where myAuthenticationProvider is the name of a bean in your application context which implements AuthenticationProvider. You can use multiple authentication-provider elements, in which case the providers will be queried in the order they are declared. See Section 6.6, “The Authentication Manager and the Namespace” for more information on how the Spring Security AuthenticationManager is configured using the namespace.


Adding a Password Encoder

Passwords should always be encoded using a secure hashing algorithm designed for the purpose (not a standard algorithm like SHA or MD5). This is supported by the <password-encoder> element. With bcrypt encoded passwords, the original authentication provider configuration would look like this:

<beans:bean name="bcryptEncoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<authentication-manager>
    <authentication-provider>
        <password-encoder ref="bcryptEncoder"/>
        <user-service>
            <user name="jimi" password="d7e6351eaa13189a5a3641bab846c8e8c69ba39f"
                authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="bob" password="4e7421b1b8765d8f9406d87e7cc6aa784c4ab97f"
                authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

bcrypt is a good choice for most cases, unless you have a legacy system which forces you to use a different algorithm. If you are using a simple hashing algorithm or, even worse, storing plain text passwords, then you should consider migrating to a more secure option like bcrypt.

