failureForwardUrl and failureUrl
2022-04-23 09:50:00 【Engage in money self-discipline】
Similarities
Both settings decide which page is shown after authentication fails.
Differences
- failureForwardUrl performs a forward; failureUrl performs a redirect.
- With failureForwardUrl the exception information is stored in the request; with failureUrl the authentication failure exception information is stored in the session.
failureForwardUrl
Because this is form authentication, start from the formLogin() method and look inside. Underneath, authentication is performed by the attemptAuthentication method of the UsernamePasswordAuthenticationFilter filter, so set a breakpoint in attemptAuthentication and debug from there. You will find that execution enters the ForwardAuthenticationFailureHandler handler.

    package com.example.config;

    import com.example.handler.MyAuthenticationSuccessHandler;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Note: permitted resources must be declared first, authenticated ones after them
            http.authorizeRequests()
                    .mvcMatchers("/index").permitAll() // permit all requests to index
                    .mvcMatchers("/loginHtml").permitAll() // permit the loginHtml request
                    .anyRequest().authenticated() // every other request requires authentication
                    .and()
                    .formLogin() // the requests that require authentication use form authentication
                    // Once the login page is customized with loginPage, you must also tell Spring Security which URL processes the login request
                    .loginPage("/loginHtml") // use a custom login page instead of Spring Security's default one; the login URL must then be specified
                    // The doLogin request itself does not exist; we only tell Spring Security that whenever the front end sends a doLogin request,
                    // it should capture the username and password
                    .loginProcessingUrl("/doLogin") // URL that processes the login request
                    .usernameParameter("uname") // name attribute of the username text box; if not specified, it must be username
                    .passwordParameter("passwd") // name attribute of the password box; if not specified, it must be password
                    // .successForwardUrl("/index") // forward after successful authentication; a forward is a server-internal jump, the address bar does not change, and it always goes to the specified request
                    // .defaultSuccessUrl("/index") // redirect after successful authentication; the address changes, and it goes to the last saved request
                    .successHandler(new MyAuthenticationSuccessHandler()) // handler called on successful authentication; the solution for separated front end and back end
                    .failureForwardUrl("/loginHtml") // forward after authentication fails
                    // .failureUrl("/login.html") // redirect after authentication fails
                    .and()
                    .csrf().disable(); // disable CSRF (cross-site request forgery) protection
        }
    }
Notes
If failureForwardUrl is set to /login.html, the exception information cannot be retrieved. When the browser sends the doLogin request to the server with wrong credentials, the server issues a /login.html request. That page does exist, but it is not permitted in our configuration, so the response comes back with a 302 status code.
mvcMatchers only applies to back-end endpoints, that is, controllers. For resources such as html, js and img that are served without going through a controller, it has no effect.

Setting failureUrl to /login.html behaves the same way.
    <!DOCTYPE html>
    <html xmlns:th="http://www.thymeleaf.org/" lang="en">
    <head>
        <meta charset="UTF-8">
        <title>User login</title>
    </head>
    <body>
    <h2 th:text="${#request.getAttribute('SPRING_SECURITY_LAST_EXCEPTION')}">
    </h2>
    <h1>User login</h1>
    <form th:action="@{/doLogin}" method="post">
        Username: <input type="text" name="uname"> <br>
        Password: <input type="password" name="passwd"><br>
        <input type="submit" value="Sign in">
    </form>
    </body>
    </html>

failureUrl
Because this is form authentication, start from the formLogin() method and look inside. Underneath, authentication is performed by the attemptAuthentication method of the UsernamePasswordAuthenticationFilter filter, so set a breakpoint in attemptAuthentication and debug from there. You will find that execution enters the SimpleUrlAuthenticationFailureHandler handler.

    package com.example.config;

    import com.example.handler.MyAuthenticationSuccessHandler;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Note: permitted resources must be declared first, authenticated ones after them
            http.authorizeRequests()
                    .mvcMatchers("/index").permitAll() // permit all requests to index
                    .mvcMatchers("/loginHtml").permitAll() // permit the loginHtml request
                    .anyRequest().authenticated() // every other request requires authentication
                    .and()
                    .formLogin() // the requests that require authentication use form authentication
                    // Once the login page is customized with loginPage, you must also tell Spring Security which URL processes the login request
                    .loginPage("/loginHtml") // use a custom login page instead of Spring Security's default one; the login URL must then be specified
                    // The doLogin request itself does not exist; we only tell Spring Security that whenever the front end sends a doLogin request,
                    // it should capture the username and password
                    .loginProcessingUrl("/doLogin") // URL that processes the login request
                    .usernameParameter("uname") // name attribute of the username text box; if not specified, it must be username
                    .passwordParameter("passwd") // name attribute of the password box; if not specified, it must be password
                    // .successForwardUrl("/index") // forward after successful authentication; a forward is a server-internal jump, the address bar does not change, and it always goes to the specified request
                    // .defaultSuccessUrl("/index") // redirect after successful authentication; the address changes, and it goes to the last saved request
                    .successHandler(new MyAuthenticationSuccessHandler()) // handler called on successful authentication; the solution for separated front end and back end
                    // .failureForwardUrl("/login.html") // forward after authentication fails
                    .failureUrl("/login.html") // redirect after authentication fails
                    .and()
                    .csrf().disable(); // disable CSRF (cross-site request forgery) protection
        }
    }
    <!DOCTYPE html>
    <html xmlns:th="http://www.thymeleaf.org/" lang="en">
    <head>
        <meta charset="UTF-8">
        <title>User login</title>
    </head>
    <body>
    <h2 th:text="${#httpSession.getAttribute('SPRING_SECURITY_LAST_EXCEPTION')}">
    </h2>
    <h1>User login</h1>
    <form th:action="@{/doLogin}" method="post">
        Username: <input type="text" name="uname"> <br>
        Password: <input type="password" name="passwd"><br>
        <input type="submit" value="Sign in">
    </form>
    </body>
    </html>
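The two storage locations described above (request attribute for failureForwardUrl, session attribute for failureUrl) can be read in one place by the controller behind the login page. This is an added example, not code from the original article. The controller name, the "login" view name, the "loginError" model attribute and pointing failureUrl at /loginHtml are assumptions.

```java
package com.example.controller; // hypothetical package, not from the original article

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.WebAttributes;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LoginPageController { // hypothetical controller name

    // No HTTP method restriction: a forward after a failed POST /doLogin
    // arrives here as POST, while a redirect arrives as GET.
    @RequestMapping("/loginHtml")
    public String loginPage(HttpServletRequest request, Model model) {
        AuthenticationException ex = lastAuthenticationException(request);
        if (ex != null) {
            model.addAttribute("loginError", toUserMessage(ex)); // assumed attribute name
        }
        return "login"; // assumed Thymeleaf view name
    }

    // WebAttributes.AUTHENTICATION_EXCEPTION is "SPRING_SECURITY_LAST_EXCEPTION".
    static AuthenticationException lastAuthenticationException(HttpServletRequest request) {
        // failureForwardUrl: the exception is a request attribute.
        Object ex = request.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
        if (ex == null) {
            // failureUrl: the exception is in the session; do not create one just to look.
            HttpSession session = request.getSession(false);
            if (session != null) {
                ex = session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
                // Remove after reading so a stale error is not shown on the next visit.
                session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
            }
        }
        return (ex instanceof AuthenticationException) ? (AuthenticationException) ex : null;
    }

    // Map exception types to fixed text instead of rendering the exception object.
    static String toUserMessage(AuthenticationException ex) {
        if (ex instanceof LockedException) return "Account is locked.";
        if (ex instanceof DisabledException) return "Account is disabled.";
        return "Invalid username or password.";
    }
}
```

With this controller the template only needs `th:text="${loginError}"`, and the same page works for both the forward and the redirect configuration.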

Copyright notice
This article was written by [Engage in money self-discipline]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/04/202204230946224782.html