Front-end/back-end separation
Previous posts covered a number of commonly used Spring Boot Security features; for the others, refer to the official documentation. A web-page login form is no longer the most common setup. The most popular pattern today is front-end/back-end separation: the front end is a stand-alone project that talks to the back end through asynchronous interfaces, and that includes login, authentication and authorization. In the older, non-separated model, what the user sees is controlled by the back end, which renders the page or issues redirects, so the front and back ends are tightly coupled. That model suits pure web applications,
but when the back end also serves an app, the app usually does not want an HTML page, only the data itself, so the page-returning interfaces no longer fit and the back end has to develop a separate set of interfaces for the app.
In the separated model, the back end returns only the data the front end needs and no longer renders HTML pages, so it has no control over the presentation. How the requested data is loaded and displayed is decided by each front end: a web page handles it one way, an app another, but the data they need is essentially the same, so a single back-end implementation can serve all of them. Coupling between front end and back end is therefore low.
In the separated model, each view the back end exposes is usually called an interface, or API, and the front end creates, reads, updates and deletes data through these interfaces.
Cross-origin problems after separation
Once the front and back ends are separated, the classic problem that appears is cross-origin requests. The browser's same-origin policy (same scheme, host and port) is a security restriction imposed on JavaScript: a page's scripts may not read responses from another origin. The theory behind cross-origin requests is left for the reader to look up. In Spring Security, solving it is simple and takes only a few lines of configuration.
A simple example
Let's write a simple example that implements asynchronous login with front-end/back-end separation. First add the dependencies:
Modify the Spring Boot default configuration file and add a default user:
Leave the startup class unchanged and add an interface:
Next comes the security configuration class. First configure login: with asynchronous login the back end no longer needs a login page address, only the login parameter names and the API address:
Then add the handler that runs after a successful login:
Finally add the CSRF configuration:
That completes the simplest configuration. Last, look at the login-success handler:
It returns a JSON login-success message.
Simple test
Start the project and run a simple test: call the hello interface directly from Postman:
Access fails and the HTML login page is returned; the handling of unauthenticated access will be made friendlier later. Now log in through the interface:
The login succeeds as normal, and Postman now holds one more cookie:
This is the same cookie a browser would hold; delete it and you are logged out again. Now call the hello interface and it works as expected:
Adding cross-origin support
Adding the cross-origin configuration is simple. First call the cors method in the security configuration:
Then open the Spring Boot official documentation and look at the cross-origin configuration:
As the documentation shows, global cross-origin configuration in Spring Boot is very simple; we write a bean in the same style:
With that, cross-origin access is configured.
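The following is an added example of such a global CORS bean; it is not the code from the original post or its repository. It assumes Spring Security 6 (Spring Boot 3.x), and the package name and the front-end origin `http://localhost:8081` are constructed sample values. Spring Security picks the bean up automatically once `http.cors(Customizer.withDefaults())` is called in the security configuration.

```java
// Added example, not the original post's code. Assumes Spring Security 6;
// package name and allowed origin are constructed sample values.
package com.example.demo;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class CorsConfig {

    // http.cors(Customizer.withDefaults()) in the SecurityFilterChain uses this bean
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // List the front-end origin(s) explicitly. "*" together with allowCredentials(true)
        // is rejected by Spring, and would otherwise let any site send the session cookie.
        config.setAllowedOrigins(List.of("http://localhost:8081"));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(List.of("Content-Type", "X-Requested-With"));
        // Required so the browser attaches the JSESSIONID cookie to cross-origin calls
        config.setAllowCredentials(true);
        // Cache the preflight (OPTIONS) answer for an hour
        config.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

Because the login in this setup is cookie-based, the browser only sends the cookie across origins when `allowCredentials` is true, and the spec then requires a concrete `Access-Control-Allow-Origin` value rather than `*`; keeping the origin list explicit is what stops an arbitrary site from calling the API with the user's session.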
Other handlers
Now look at the handler for failed logins (for example, a wrong username):
Register the login-failure handler in the configuration:
Test:
Next, the handler for logout:
Configure the handler for session timeout or unauthenticated access:
Test: call the hello interface without logging in:
The message is now much friendlier. Finally, the handler for insufficient permissions:
Register the insufficient-permissions handler in the configuration:
Then enable method-level permission annotations and put a permission requirement on the hello method:
In the configuration file, give the default user a role other than admin:
Restart the project, log in from Postman, then call the hello interface:
You are now told that permissions are insufficient, as returned by the handler.
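Below is an added example that pulls the whole flow of this post together: the asynchronous login configuration from the simple example (login-processing URL, parameter names, JSON success handler, CSRF setting) plus the four handlers from this section (login failure, logout, unauthenticated access, insufficient permissions) and the method-level permission on the hello interface. It is not the original post's code or the Gitee repository's code. It assumes Spring Boot 3.x with spring-boot-starter-web and spring-boot-starter-security (Spring Security 6 lambda DSL); the package, class names, messages and the user in the properties comment are constructed.

```java
// Added example, not the original post's code. Assumes Spring Boot 3.x / Spring Security 6.
// application.properties (constructed sample values, not from the post):
//   spring.security.user.name=admin
//   spring.security.user.password=admin123
//   spring.security.user.roles=USER      <- not ADMIN, so GET /hello returns the 403 JSON
package com.example.demo;

import java.io.IOException;
import java.util.Map;

import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity   // enables @PreAuthorize on controller methods
public class SecurityConfig {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // No login page: the front end POSTs username/password to /login
            .formLogin(form -> form
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .successHandler((req, res, auth) -> json(res, 200, "login success"))
                .failureHandler((req, res, ex) -> json(res, 401, "login failed: " + ex.getMessage())))
            .logout(logout -> logout
                .logoutUrl("/logout")
                .logoutSuccessHandler((req, res, auth) -> json(res, 200, "logout success")))
            .exceptionHandling(ex -> ex
                // Not logged in, or the session has timed out
                .authenticationEntryPoint((req, res, e) -> json(res, 401, "please log in first"))
                // Logged in, but the user lacks the required role
                .accessDeniedHandler((req, res, e) -> json(res, 403, "insufficient permissions")))
            .cors(Customizer.withDefaults())
            // Disabled only to keep the example small; see the note below
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Every handler answers with a small JSON body instead of an HTML page or a redirect
    static void json(HttpServletResponse response, int status, String msg) throws IOException {
        response.setStatus(status);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.setCharacterEncoding("UTF-8");
        MAPPER.writeValue(response.getWriter(), Map.of("code", status, "msg", msg));
    }
}

@RestController
class HelloController {
    // Method-level rule: a user holding only ROLE_USER gets the access-denied JSON above
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/hello")
    public Map<String, String> hello() {
        return Map.of("msg", "hello");
    }
}
```

With the properties above, an unauthenticated `GET /hello` yields the 401 JSON from the entry point, a wrong password on `POST /login` yields the 401 JSON from the failure handler, and a logged-in user with only `ROLE_USER` yields the 403 JSON from the access-denied handler, which is exactly the sequence tested in this post. One caveat on the last line of the chain: the session here is still cookie-based, so with CSRF disabled any site the user visits can make the browser send authenticated requests to this API. For a separated front end the usual fix is to keep CSRF on with `CookieCsrfTokenRepository.withHttpOnlyFalse()` and have the front end echo the `XSRF-TOKEN` cookie back in the `X-XSRF-TOKEN` header, or to replace the session cookie with a token the front end sends explicitly.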
Summary
The above is a simple example of login with front-end/back-end separation. Only a few basic features were used here, but the features covered earlier, such as loading users from the database, dynamic permissions, shared sessions and remember-me, can also be added to the separated login; their use is no different from the login-page version. Together they fully cover login and authorization for a separated front end and back end.
Code Address: https://gitee.com/blueses/spring-boot-security 12