Implementing authentication with Spring Boot is a daily routine. Even with Basic authentication, though, you may still need to run processing after a successful authentication, lock the account after repeated failures, reset the failure count, or write log output.
For an ordinary formLogin or oauth2Login the answer is to implement a successHandler or failureHandler...
I am posting this because there was not much information in Japanese.
Dependencies: Spring Boot 2.0.4.RELEASE, using Lombok.
Implement Basic authentication in the security configuration, and register a class that implements the RememberMeServices interface as a shared object.
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.web.authentication.RememberMeServices;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    MyRememberMeServices myRememberMeServices;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // By replacing the RememberMeServices here, processing can be run before and after Basic authentication.
        http.setSharedObject(RememberMeServices.class, myRememberMeServices);
        http.httpBasic()
            .and()
            .authorizeRequests()
                .anyRequest()
                .authenticated()
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // No need to manage sessions with cookies
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(NoOpPasswordEncoder.getInstance()) // Required since Spring Security 5?
            .withUser("LLENN")
            .password("p-chan")
            .roles("GGO_USER");
    }
}
```
The RememberMeServices interface is where the success and failure processing is implemented.
```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.stereotype.Service;
import lombok.extern.slf4j.Slf4j;

@Slf4j
@Service
public class MyRememberMeServices implements RememberMeServices {
    @Override
    public Authentication autoLogin(HttpServletRequest request, HttpServletResponse response) {
        return null; // no cookie-based auto login for Basic authentication
    }

    @Override
    public void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) {
        log.info("login:{}", successfulAuthentication.getName());
    }

    @Override
    public void loginFail(HttpServletRequest request, HttpServletResponse response) {
        // Get the user name used for authentication: decode "Basic base64(user:password)" from the request header.
        String base64Credentials = request.getHeader("authorization").substring("Basic".length()).trim();
        String credentialString = new String(Base64.getDecoder().decode(base64Credentials), StandardCharsets.UTF_8);
        String username = credentialString.split(":", 2)[0]; // limit 2 in case the password contains ':'
        log.error("login fail:{}", username);
    }
}
```
In the above implementation only a log is written, but since the class is a `@Service`, you can inject whatever component you like.
However, be aware that **loginSuccess and loginFail are called after the Basic authentication process**.
When login fails there is no Authentication object carrying the credentials.
Therefore, at the time of loginFail, the user name used for authentication cannot be obtained from Authentication::getName;
it has to be taken from the header information of the HttpServletRequest instead.
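As an added example (not the post's or the linked repository's code), here is a RememberMeServices that does the lockout bookkeeping mentioned at the start: it counts failures per user using the name parsed from the Authorization header, resets the counter on success, and exposes the lock state. The class name, the threshold of 5 and the `isLocked` method are my assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.stereotype.Service;
import lombok.extern.slf4j.Slf4j;

@Slf4j
@Service
public class LockoutRememberMeServices implements RememberMeServices { // hypothetical class name
    private static final int MAX_FAILURES = 5; // assumed threshold
    private final ConcurrentHashMap<String, AtomicInteger> failures = new ConcurrentHashMap<>();

    public boolean isLocked(String username) { // assumed API, consulted by your UserDetailsService
        return failures.getOrDefault(username, new AtomicInteger()).get() >= MAX_FAILURES;
    }

    @Override
    public Authentication autoLogin(HttpServletRequest request, HttpServletResponse response) {
        return null; // Basic authentication has no cookie-based auto login
    }

    @Override
    public void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication auth) {
        failures.remove(auth.getName()); // reset the failure count
        log.info("login: {}", auth.getName());
    }

    @Override
    public void loginFail(HttpServletRequest request, HttpServletResponse response) {
        // No Authentication object exists here, so recover the user name from the header.
        usernameFromBasicHeader(request).ifPresent(user -> {
            int n = failures.computeIfAbsent(user, k -> new AtomicInteger()).incrementAndGet();
            log.warn("login fail: {} ({}/{})", user, n, MAX_FAILURES);
            if (n >= MAX_FAILURES) log.error("user locked: {}", user);
        });
    }

    static Optional<String> usernameFromBasicHeader(HttpServletRequest request) { // tolerates missing/malformed header
        String header = request.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();
        try {
            String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            return Optional.of(decoded.split(":", 2)[0]); // limit 2: the password may itself contain ':'
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid base64
        }
    }
}
```

Registering it with `http.setSharedObject(RememberMeServices.class, ...)` as in the configuration above is enough to receive the callbacks; actually refusing a locked user still has to happen elsewhere, for example by having your UserDetailsService consult `isLocked` and return a user with `accountNonLocked = false`.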
That's all.
I uploaded the source to GitHub; please refer to it if it helps. https://github.com/amanoese/spring-basic-auth-example
Replacing the RememberMeServices used by Basic authentication works, but what if the original implementation was doing something important? When I looked at the source, I found the following code.
NullRememberMeServices
```java
package org.springframework.security.web.authentication;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;

public class NullRememberMeServices implements RememberMeServices {
    public NullRememberMeServices() {
    }

    public Authentication autoLogin(HttpServletRequest request, HttpServletResponse response) {
        return null;
    }

    public void loginFail(HttpServletRequest request, HttpServletResponse response) {
    }

    public void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) {
    }
}
```
It looks like a class prepared to be replaced. As far as I followed the implementation, I was puzzled because I couldn't find the place where autoLogin is called...
Spring is difficult.