A detailed explanation of how to use Spring Security for automatic login authentication

The previous post, on configuring a web project built with Spring MVC and using Spring Security for permission control, described how to configure a website system based on the Spring MVC and Spring Security frameworks. This post continues with how to use Spring Security for login authentication. The key steps of login authentication with Spring Security are:

1. Create three tables in the database: users, authorities and persistent_logins. Fields may be added to the definitions but none may be left out, and the names must be exactly as specified.

2. In the Spring Security configuration file, configure the login redirect page, the login processing page and the password encryption.

3. In the front-end JSP page, the login fields must match those in the back-end users table, generally username and password.

4. The registration page must be written by yourself, and so must the registration handling.

1、 Create data table

To use Spring Security for login verification, we need to create the corresponding tables in the database, and their fields must match the fields built into Spring Security. Three tables are needed. The first is the users table, which holds the user name, password and user status. The second is the authorities table, which records the user's role and makes role-based control convenient, for example ROLE_USER or ROLE_ADMIN (the admin page may require ROLE_ADMIN, so a user who has only ROLE_USER cannot reach the management page). The last is the persistent_logins table, which records login state and is mainly used to support the "remember me" function. The creation statements of the three tables are as follows:

Remember that the three tables must contain at least the fields above, so that Spring Security can recognize them. We can still add extra fields, such as uid in users.

2、 Configure permission control for spring security

Configuring Spring Security's access control means stating which pages require a logged-in user, which page is the login page, where to go after a successful login, and so on. Take the following configuration as an example. The JS files and other content in the resources folder do not need to be filtered, because they are static resources. The home page (/), the login page (/sign) and the registration page (/register) do not require the user to log in, but they still need to pass through the filter (because we may need some information about users who are not logged in). The two configuration methods are as follows. Finally, we use <form-login login-page="/sign" authentication-failure-url="/sign?login_error" default-target-url="/query"/>. This configuration says that the login page is "/sign": for every page that requires login, a user who is not logged in is redirected to this page. authentication-failure-url sets the page shown when login fails, and default-target-url sets the page the user is sent to after logging in successfully.

Note that <beans:bean name="bcryptencoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/> is defined here, which means the password is encrypted (hashed with BCrypt) when logging in. So when we write the registration page later, we must encrypt the password in the same way before saving it to the database.

3、 Create login / registration page

This part belongs to the front end. To use the authentication mechanism provided by Spring Security, the front-end form must submit the same fields that authentication expects, such as user name and password, so this is another place that needs care. The core code of the page is as follows (our page uses the Bootstrap front-end toolkit, so external styles and scripts such as Bootstrap and jQuery must be included for it to display properly, but they do not affect the function, and the core fields stay the same):

The code contains two tabs, one for login and one for registration. The main point is that the login tab must be consistent with Spring Security: the form must be processed by login, that is, action="login"; the id and name of the user name field must be username, and those of the password field must be password. In other words, the two parameters submitted for login verification are username and password, and the page that handles the request is login.

4、 Create the registration back end and define login processing

After the login and registration page is finished, you need to define the request handling, that is, the page navigation, and then write the back end for registration. Note that with Spring Security the registration handling has to be written by yourself in the back end. After the user submits the registration, we insert the user name and password into the database. Also note that, since password encryption was configured earlier, the password must be encrypted at registration before it is inserted into the database, otherwise it cannot be verified at login. When registering a user, we update both the users table and the authorities table. Into the former we insert the user name and password and set enabled = 1 (this field indicates whether the user is normal; if it is 0, the account is locked). The user's role (permission) is written to the authorities table. The key code for password encryption when registering a user is as follows:

The encryption code is as follows:

In this way, users can register. After registering, you can use the login function.
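The registration step described above, together with the three tables from section 1, as an added example that is not code from the original article. The class RegistrationService, its method names, the MySQL-style DDL, the ROLE_USER default and the 8 to 72 byte password policy are assumptions; the column names are the ones Spring Security's default JDBC queries expect.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.transaction.annotation.Transactional;

// Added example; RegistrationService and its method names are hypothetical.
public class RegistrationService {
    // Columns Spring Security's default JDBC queries expect (MySQL-style DDL, assumed).
    static final String[] SCHEMA = {
        "CREATE TABLE IF NOT EXISTS users (username VARCHAR(50) NOT NULL PRIMARY KEY,"
            + " password VARCHAR(100) NOT NULL, enabled BOOLEAN NOT NULL)",
        "CREATE TABLE IF NOT EXISTS authorities (username VARCHAR(50) NOT NULL,"
            + " authority VARCHAR(50) NOT NULL, UNIQUE (username, authority),"
            + " FOREIGN KEY (username) REFERENCES users(username))",
        "CREATE TABLE IF NOT EXISTS persistent_logins (username VARCHAR(64) NOT NULL,"
            + " series VARCHAR(64) PRIMARY KEY, token VARCHAR(64) NOT NULL,"
            + " last_used TIMESTAMP NOT NULL)"
    };

    private final JdbcTemplate jdbc;
    // Same encoder class as the bean in the security configuration, so login can verify the hash.
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    public RegistrationService(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    public void initSchema() {
        for (String ddl : SCHEMA) jdbc.execute(ddl);
    }

    // Needs Spring transaction management: both inserts commit together or not at all.
    @Transactional
    public void register(String username, String rawPassword) {
        if (username == null || username.isBlank() || username.length() > 50)
            throw new IllegalArgumentException("invalid username");
        // Length policy is an assumption; bcrypt itself ignores input beyond 72 bytes.
        int bytes = rawPassword == null ? 0 : rawPassword.getBytes(StandardCharsets.UTF_8).length;
        if (bytes < 8 || bytes > 72)
            throw new IllegalArgumentException("password must be 8 to 72 bytes");
        // encode() salts and hashes; the 60-character result is stored, never the raw value.
        String hash = encoder.encode(rawPassword);
        // A duplicate username violates the primary key (DataIntegrityViolationException).
        jdbc.update("INSERT INTO users (username, password, enabled) VALUES (?, ?, ?)",
                username, hash, true);
        jdbc.update("INSERT INTO authorities (username, authority) VALUES (?, ?)",
                username, "ROLE_USER");
    }
}
```

Because each BCrypt hash carries its own random salt, two users with the same password get different stored values, and login verification has to go through the encoder's matches() rather than a string comparison.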
