While following a course on imooc (慕课网), I found that a loginPage has to be configured, but it was not clear to me why.

    public void configure(HttpSecurity http) throws Exception {
        http.formLogin()
            .loginPage("/authentication/require") // a controller handles this URL
            .loginProcessingUrl(SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_FORM) // URL that the form on the login page submits to
            .successHandler(imoocAuthenticationSuccessHandler)
            .failureHandler(imoocAuthenticationFailureHandler);
    }

Taken literally, it is the page used to log in, but that is clearly not the case here: a login page is normally an HTML page or something similar.
- Make any request from the browser
- Analyse the process

    org.springframework.security.web.authentication.AnonymousAuthenticationFilter#doFilter
    -> org.springframework.security.web.session.SessionManagementFilter#doFilter
    -> org.springframework.security.web.access.ExceptionTranslationFilter#doFilter
    -> org.springframework.security.web.access.intercept.FilterSecurityInterceptor#invoke

The invoke method calls
org.springframework.security.access.intercept.AbstractSecurityInterceptor#beforeInvocation
and this step throws the exception:

    try {
        this.accessDecisionManager.decide(authenticated, object, attributes);
    }
    catch (AccessDeniedException accessDeniedException) {
        publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated,
                accessDeniedException));
        throw accessDeniedException;
    }

The exception is then processed in the ExceptionTranslationFilter:

    if (ase != null) {
        handleSpringSecurityException(request, response, chain, ase);
    }

If the exception is an AccessDeniedException and the user is anonymous:

    private void handleSpringSecurityException(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain, RuntimeException exception)
            throws IOException, ServletException {
        if (exception instanceof AuthenticationException) {
            sendStartAuthentication(request, response, chain,
                    (AuthenticationException) exception);
        }
        else if (exception instanceof AccessDeniedException) {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (authenticationTrustResolver.isAnonymous(authentication)
                    || authenticationTrustResolver.isRememberMe(authentication)) {
                // Anonymous or remember-me user: start the authentication process
                sendStartAuthentication(
                        request,
                        response,
                        chain,
                        new InsufficientAuthenticationException(
                                "Full authentication is required to access this resource"));
            }
            // ... (remainder of the method omitted)
        }
    }

Stepping into sendStartAuthentication:

    SecurityContextHolder.getContext().setAuthentication(null);
    requestCache.saveRequest(request, response);
    logger.debug("Calling Authentication entry point.");
    authenticationEntryPoint.commence(request, response, reason);

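In the commence method:
1. redirectUrl = buildRedirectUrlToLoginPage(request, response, authException)
2. redirectStrategy.sendRedirect(request, response, redirectUrl);
In step 1 above, the login form URL is obtained. This is the URL configured with loginPage(...), here /authentication/require, so the unauthenticated request is redirected to it.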
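
To make the role of that URL concrete, here is an added example (not from the course or the original post) of a controller that could sit behind loginPage("/authentication/require"). It reads the request that sendStartAuthentication saved and either redirects to an HTML form or answers 401; the class name, the /signIn.html path and the ".html" heuristic are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

// Added example: hypothetical controller behind loginPage("/authentication/require").
@Controller
public class AuthenticationRequireController {

    // Assumption: the HTML login form lives at this fixed path.
    private static final String LOGIN_FORM_PAGE = "/signIn.html";

    // Session-backed cache, the default store used by requestCache.saveRequest(...).
    private final RequestCache requestCache = new HttpSessionRequestCache();
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @RequestMapping("/authentication/require")
    public void requireAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws IOException {
        SavedRequest saved = requestCache.getRequest(request, response);
        if (saved != null && isHtmlPageRequest(saved.getRedirectUrl())) {
            // Browser navigation: redirect to the login form. The target is a
            // constant and is never derived from the saved URL.
            redirectStrategy.sendRedirect(request, response, LOGIN_FORM_PAGE);
            return;
        }
        // API or AJAX call: answer 401 with a small JSON body instead of HTML.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().write("{\"error\":\"authentication required\"}");
    }

    // Assumption: requests whose path ends in ".html" are page navigations.
    static boolean isHtmlPageRequest(String url) {
        if (url == null) {
            return false;
        }
        int query = url.indexOf('?');
        String path = query >= 0 ? url.substring(0, query) : url;
        return path.toLowerCase(Locale.ROOT).endsWith(".html");
    }
}
```

Both /authentication/require and the form page have to be reachable anonymously (for example with permitAll()), otherwise the entry point redirects to itself in a loop.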