update

imooc-security-authorize/src/main/java/com/imooc/security/rbac/authorize/RbacAuthorizeConfigProvider.java

@@ -27,6 +27,7 @@ public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.Expression
 		config
 		.antMatchers(HttpMethod.GET, "/fonts/**").permitAll()
 		.antMatchers(HttpMethod.GET, 
+				"**/*.html",
 				"/admin/me",
 				"/resource").authenticated()
 		.anyRequest()

imooc-security-browser/src/main/java/com/imooc/security/browser/BrowserSecurityBeanConfig.java

@@ -17,6 +17,9 @@
 import com.imooc.security.core.properties.SecurityProperties;
 
 /**
+ * 浏览器环境下扩展点配置，配置在这里的bean，业务系统都可以通过声明同类型或同名的bean来覆盖安全
+ * 模块默认的配置。
+ * 
  * @author zhailiang
  *
  */
@@ -26,18 +29,31 @@ public class BrowserSecurityBeanConfig {
 	@Autowired
 	private SecurityProperties securityProperties;
 
+	/**
+	 * session失效时的处理策略配置
+	 * @return
+	 */
 	@Bean
 	@ConditionalOnMissingBean(InvalidSessionStrategy.class)
 	public InvalidSessionStrategy invalidSessionStrategy(){
 		return new ImoocInvalidSessionStrategy(securityProperties.getBrowser().getSession().getSessionInvalidUrl());
 	}
 
+	/**
+	 * 并发登录导致前一个session失效时的处理策略配置
+	 * @return
+	 */
 	@Bean
 	@ConditionalOnMissingBean(SessionInformationExpiredStrategy.class)
 	public SessionInformationExpiredStrategy sessionInformationExpiredStrategy(){
 		return new ImoocExpiredSessionStrategy(securityProperties.getBrowser().getSession().getSessionInvalidUrl());
 	}
 
+	/**
+	 * 退出时的处理策略配置
+	 * 
+	 * @return
+	 */
 	@Bean
 	@ConditionalOnMissingBean(LogoutSuccessHandler.class)
 	public LogoutSuccessHandler logoutSuccessHandler(){

imooc-security-browser/src/main/java/com/imooc/security/browser/BrowserSecurityConfig.java

@@ -9,6 +9,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
@@ -17,18 +18,20 @@
 import org.springframework.security.web.session.SessionInformationExpiredStrategy;
 import org.springframework.social.security.SpringSocialConfigurer;
 
-import com.imooc.security.core.authentication.AbstractChannelSecurityConfig;
+import com.imooc.security.core.authentication.FormLoginSecurityConfig;
 import com.imooc.security.core.authentication.mobile.SmsCodeAuthenticationSecurityConfig;
 import com.imooc.security.core.authorize.AuthorizeConfigManager;
 import com.imooc.security.core.properties.SecurityProperties;
 import com.imooc.security.core.validate.code.ValidateCodeSecurityConfig;
 
 /**
+ * 浏览器环境下安全配置主类
+ * 
  * @author zhailiang
  *
  */
 @Configuration
-public class BrowserSecurityConfig extends AbstractChannelSecurityConfig {
+public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {
 
 	@Autowired
 	private SecurityProperties securityProperties;
@@ -60,10 +63,13 @@ public class BrowserSecurityConfig extends AbstractChannelSecurityConfig {
 	@Autowired
 	private AuthorizeConfigManager authorizeConfigManager;
 
+	@Autowired
+	private FormLoginSecurityConfig formLoginSecurityConfig;
+
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 
-		applyPasswordAuthenticationConfig(http);
+		formLoginSecurityConfig.configure(http);
 
 		http.apply(validateCodeSecurityConfig)
 				.and()

imooc-security-browser/src/main/java/com/imooc/security/browser/BrowserSecurityController.java

@@ -32,6 +32,8 @@
 import com.imooc.security.core.support.SocialUserInfo;
 
 /**
+ * 浏览器环境下与安全相关的服务
+ * 
  * @author zhailiang
  *
  */
@@ -76,6 +78,12 @@ public SimpleResponse requireAuthentication(HttpServletRequest request, HttpServ
 		return new SimpleResponse("访问的服务需要身份认证，请引导用户到登录页");
 	}
 
+	/**
+	 * 用户第一次社交登录时，会引导用户进行用户注册或绑定，此服务用于在注册或绑定页面获取社交网站用户信息
+	 * 
+	 * @param request
+	 * @return
+	 */
 	@GetMapping("/social/user")
 	public SocialUserInfo getSocialUserInfo(HttpServletRequest request) {
 		SocialUserInfo userInfo = new SocialUserInfo();

imooc-security-browser/src/main/java/com/imooc/security/browser/authentication/ImoocAuthenctiationFailureHandler.java

@@ -23,6 +23,8 @@
 import com.imooc.security.core.support.SimpleResponse;
 
 /**
+ * 浏览器环境下登录失败的处理器
+ * 
  * @author zhailiang
  *
  */
@@ -36,7 +38,6 @@ public class ImoocAuthenctiationFailureHandler extends SimpleUrlAuthenticationFa
 
 	@Autowired
 	private SecurityProperties securityProperties;
-
 
 	/* (non-Javadoc)
 	 * @see org.springframework.security.web.authentication.AuthenticationFailureHandler#onAuthenticationFailure(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.springframework.security.core.AuthenticationException)

imooc-security-browser/src/main/java/com/imooc/security/browser/authentication/ImoocAuthenticationSuccessHandler.java

@@ -9,11 +9,14 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
+import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.stereotype.Component;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -22,8 +25,9 @@
 import com.imooc.security.core.support.SimpleResponse;
 
 /**
+ * 浏览器环境下登录成功的处理器
+ * 
  * @author zhailiang
- *
  */
 @Component("imoocAuthenticationSuccessHandler")
 public class ImoocAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
@@ -36,6 +40,8 @@ public class ImoocAuthenticationSuccessHandler extends SavedRequestAwareAuthenti
 	@Autowired
 	private SecurityProperties securityProperties;
 
+	private RequestCache requestCache = new HttpSessionRequestCache();
+
 	/*
 	 * (non-Javadoc)
 	 * 
@@ -54,6 +60,13 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
 			response.setContentType("application/json;charset=UTF-8");
 			response.getWriter().write(objectMapper.writeValueAsString(new SimpleResponse("FORM")));
 		} else {
+			//如果设置了imooc.security.browser.singInSuccessUrl，总是跳到设置的地址上
+			//如果没设置，则尝试跳转到登录之前访问的地址上，如果登录前访问地址为空，则跳到网站根路径上
+			if(StringUtils.isNotBlank(securityProperties.getBrowser().getSingInSuccessUrl())){
+				requestCache.removeRequest(request, response);
+				setAlwaysUseDefaultTargetUrl(true);
+				setDefaultTargetUrl(securityProperties.getBrowser().getSingInSuccessUrl());
+			}
 			super.onAuthenticationSuccess(request, response, authentication);
 		}
 

imooc-security-browser/src/main/java/com/imooc/security/browser/authorize/BrowserAuthorizeConfigProvider.java

@@ -12,6 +12,8 @@
 import com.imooc.security.core.authorize.AuthorizeConfigProvider;
 
 /**
+ * 浏览器环境默认的授权配置，对常见的静态资源，如js,css，图片等不验证身份
+ * 
  * @author zhailiang
  *
  */
@@ -25,7 +27,6 @@ public class BrowserAuthorizeConfigProvider implements AuthorizeConfigProvider {
 	@Override
 	public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
 		config.antMatchers(HttpMethod.GET, 
-			"/**/*.html",
 			"/**/*.js",
 			"/**/*.css",
 			"/**/*.jpg",

imooc-security-browser/src/main/java/com/imooc/security/browser/logout/ImoocLogoutSuccessHandler.java

@@ -19,6 +19,9 @@
 import com.imooc.security.core.support.SimpleResponse;
 
 /**
+ * 默认的退出成功处理器，如果设置了imooc.security.browser.signOutUrl，则跳到配置的地址上，
+ * 如果没配置，则返回json格式的响应。
+ * 
  * @author zhailiang
  *
  */

imooc-security-browser/src/main/java/com/imooc/security/browser/session/AbstractSessionStrategy.java

@@ -21,6 +21,8 @@
 import com.imooc.security.core.support.SimpleResponse;
 
 /**
+ * 抽象的session失效处理器
+ * 
  * @author zhailiang
  *
  */

imooc-security-browser/src/main/java/com/imooc/security/browser/session/ImoocExpiredSessionStrategy.java

@@ -11,6 +11,8 @@
 import org.springframework.security.web.session.SessionInformationExpiredStrategy;
 
 /**
+ * 并发登录导致session失效时，默认的处理策略
+ * 
  * @author zhailiang
  *
  */

imooc-security-browser/src/main/java/com/imooc/security/browser/session/ImoocInvalidSessionStrategy.java

@@ -12,6 +12,8 @@
 import org.springframework.security.web.session.InvalidSessionStrategy;
 
 /**
+ * 默认的session失效处理策略
+ * 
  * @author zhailiang
  *
  */

imooc-security-browser/src/main/java/com/imooc/security/browser/validate/code/impl/SessionValidateCodeRepository.java

@@ -13,6 +13,8 @@
 import com.imooc.security.core.validate.code.ValidateCodeType;
 
 /**
+ * 基于session的验证码存取器
+ * 
  * @author zhailiang
  *
  */

imooc-security-browser/src/main/resources/resources/imooc-session-invalid.html

@@ -7,5 +7,9 @@
 <body>
 	<h2>安全模块默认的session失效提示页面</h2>
 	<h3>请通过imooc.security.browser.session.sessionInvalidUrl配置自己的页面URL</h3>
+	<h3>此页面将在5秒后跳转到登录页</h3>
+	<script type="text/javascript">
+		setInterval(function(){window.location.href = "/imooc-signIn.html"}, 5000);
+	</script>
 </body>
 </html>

imooc-security-core/src/main/java/com/imooc/security/core/authentication/AbstractChannelSecurityConfig.java → imooc-security-core/src/main/java/com/imooc/security/core/authentication/FormLoginSecurityConfig.java

@@ -5,25 +5,26 @@
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.springframework.stereotype.Component;
 
 import com.imooc.security.core.properties.SecurityConstants;
 
 /**
  * @author zhailiang
  *
  */
-public class AbstractChannelSecurityConfig extends WebSecurityConfigurerAdapter {
+@Component
+public class FormLoginSecurityConfig {
 
 	@Autowired
 	protected AuthenticationSuccessHandler imoocAuthenticationSuccessHandler;
 
 	@Autowired
 	protected AuthenticationFailureHandler imoocAuthenticationFailureHandler;
 
-	protected void applyPasswordAuthenticationConfig(HttpSecurity http) throws Exception {
+	public void configure(HttpSecurity http) throws Exception {
 		http.formLogin()
 			.loginPage(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL)
 			.loginProcessingUrl(SecurityConstants.DEFAULT_LOGIN_PROCESSING_URL_FORM)

imooc-security-core/src/main/java/com/imooc/security/core/properties/BrowserProperties.java

@@ -11,15 +11,20 @@ public class BrowserProperties {
 
 	private SessionProperties session = new SessionProperties();
 
-	private String signUpUrl = "/imooc-signUp.html";
+	private String loginPage = SecurityConstants.DEFAULT_LOGIN_PAGE_URL;
+
+	private int rememberMeSeconds = 3600;
 
 	private String signOutUrl;
 
-	private String loginPage = SecurityConstants.DEFAULT_LOGIN_PAGE_URL;
+	private String signUpUrl = "/imooc-signUp.html";
 
 	private LoginResponseType loginType = LoginResponseType.JSON;
+	/**
+	 * 登录成功后跳转的地址，如果设置了此属性，则登录成功后总是会跳到这个地址上。
+	 */
+	private String singInSuccessUrl;
 
-	private int rememberMeSeconds = 3600;
 
 	public String getLoginPage() {
 		return loginPage;
@@ -68,5 +73,13 @@ public String getSignOutUrl() {
 	public void setSignOutUrl(String signOutUrl) {
 		this.signOutUrl = signOutUrl;
 	}
+
+	public String getSingInSuccessUrl() {
+		return singInSuccessUrl;
+	}
+
+	public void setSingInSuccessUrl(String singInSuccessUrl) {
+		this.singInSuccessUrl = singInSuccessUrl;
+	}
 
 }

imooc-security-demo/src/main/resources/application.properties

@@ -33,6 +33,7 @@ server.port = 8080
 imooc.security.browser.loginType = REDIRECT
 
 imooc.security.browser.signOutUrl = /demo-logout.html
+imooc.security.browser.singInSuccessUrl = /manage.html
 
 #imooc.security.code.image.length = 6
 #imooc.security.code.image.width = 100