SpringSecurity實現短信驗證碼登錄驗證

原創 taojin12 2020-06-23 17:52

文章目錄


在這裏插入圖片描述
SpringSecurity進行用戶登錄認證時,通過UsernamePasswordAuthenticationFilter獲取用戶信息,獲取一個UsernamePasswordAuthenticationToken,將該token設置給AuthenticationManager進行管理,選擇不同的Provider進行認證處理,在Provider中通過UserDetaitlsService獲取用戶信息進行認證,生成新的認證信息。

在短信驗證時,我們只要按照登錄驗證的步驟進行重新寫一個自己的過濾器、token類、provider即可。

1、自己實現一個SmsAuthenticationToken類

/**
 *  短信驗證碼token
 *
 *  仿照UsernamePasswordAuthenticationToken
 */
public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {
    private static final long serialVersionUID = 520L;
    /**
     *  該屬性沒登錄前放手機號,登錄後的放用戶信息
     */
    private final Object principal;


    public SmsCodeAuthenticationToken(String mobile) {
        super((Collection)null);
        this.principal = mobile;
        this.setAuthenticated(false);
    }

    public SmsCodeAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        super.setAuthenticated(true);
    }

    @Override
    public Object getCredentials() {
        return null;
    }

    @Override
    public Object getPrincipal() {
        return this.principal;
    }

    @Override
    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        if (isAuthenticated) {
            throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
        } else {
            super.setAuthenticated(false);
        }
    }

    @Override
    public void eraseCredentials() {
        super.eraseCredentials();
    }
}

2、自己實現一個SmsCodeAuthenticationFilter,驗證用戶

/**
 *  仿照UsernamePasswordAuthenticationFilter
 */
public class SmsCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    public static final String IMOOC_FROM_MOBILE_KEY = "mobile";
    private String mobileParameter = "username";
    private boolean postOnly = true;

    public SmsCodeAuthenticationFilter() {
        super(new AntPathRequestMatcher("/authentication/mobile", "POST"));
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (this.postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        } else {
            String mobile = this.obtainMobile(request);
            if (mobile == null) {
                mobile = "";
            }



            mobile = mobile.trim();
            // 生成token
            SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile);
            this.setDetails(request, authRequest);
            // 調用 AuthenticationManager
            return this.getAuthenticationManager().authenticate(authRequest);
        }
    }

    /**
     *  獲取手機號
     * @param request
     * @return
     */
    @Nullable
    protected String obtainMobile(HttpServletRequest request) {
        return request.getParameter(this.mobileParameter);
    }

    protected void setDetails(HttpServletRequest request, SmsCodeAuthenticationToken authRequest) {
        authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
    }

    public void setUsernameParameter(String mobileParameter) {
        Assert.hasText(mobileParameter, "Username parameter must not be empty or null");
        this.mobileParameter = mobileParameter;
    }



    public void setPostOnly(boolean postOnly) {
        this.postOnly = postOnly;
    }

    public final String getMobileParameter() {
        return this.mobileParameter;
    }

}

3、自己實現一個SmsCodeAuthenticationProvider

public class SmsCodeAuthenticationProvider implements AuthenticationProvider {

    private UserDetailsService userDetailsService;
    /**
     *   進行身份認證的邏輯
     * @param authentication
     * @return
     * @throws AuthenticationException
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        SmsCodeAuthenticationToken authenticationToken = (SmsCodeAuthenticationToken)authentication;
        UserDetails user = userDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal());
        if (user == null) {
            throw new InternalAuthenticationServiceException("無法獲取用戶信息");
        }
        SmsCodeAuthenticationToken authenticationResult = new SmsCodeAuthenticationToken(user, user.getAuthorities());
        authenticationResult.setDetails(authenticationToken.getDetails());
        return authenticationResult;
    }

    /**
     *  根據該方法判斷 AuthenticationManager選擇哪個 Provider進行認證處理
     * @param authentication
     * @return
     */
    @Override
    public boolean supports(Class<?> authentication) {
        return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

4、驗證碼驗證過濾器

/**
 *  繼承一個過濾器,實現驗證碼驗證
 */
public class SmsCodeFilter extends OncePerRequestFilter implements InitializingBean {

    private AuthenticationFailureHandler authenticationFailureHandler;

    private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();

    private Set<String> urls = new HashSet<>();

    private SecurityProperties securityProperties;

    private AntPathMatcher pathMatcher = new AntPathMatcher();

    /**
     *  初始化設置
     *   將配置文件中的值讀取,存在urls中
     * @throws ServletException
     */
    @Override
    public void afterPropertiesSet() throws ServletException {
       super.afterPropertiesSet();
       String[] configUrls = StringUtils.split(securityProperties.getCode().getSms().getUrl(),",");
       // 添加配置的url
        for (String configUrl : configUrls) {
            urls.add(configUrl);
        }
        // 添加攔截的url
        urls.add("authentication/mobile");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        /**
         *  如果是登錄請求,並且是post請求就執行驗證
         *
         */
        boolean action = false;
        for (String url : urls) {
            if (pathMatcher.match(url, request.getRequestURI())) {
                action = true;
            }
        }
        if (action) {
            try {
                validate(new ServletWebRequest(request));
            } catch (ValidateCodeException e) {
                authenticationFailureHandler.onAuthenticationFailure(request,response,e);
                return ;
            }
        }
//        if (StringUtils.equals("authentication/from", request.getRequestURI())
//            && StringUtils.equalsIgnoreCase(request.getMethod(),"post")){
//
//            try {
//                validate(new ServletWebRequest(request));
//            } catch (ValidateCodeException e) {
//                authenticationFailureHandler.onAuthenticationFailure(request,response,e);
//                return ;
//            }
//        }
        filterChain.doFilter(request, response);
    }

    private void validate(ServletWebRequest request) throws ServletRequestBindingException {
        // 讀取session
        ValidateCode codeInSession = (ValidateCode) sessionStrategy.getAttribute(request,
                ValidateCodeController.SESSION_KEY);
       // 獲取驗證碼的值
        String codeInRequest = ServletRequestUtils.getStringParameter(request.getRequest(),"smsCode");

        if (StringUtils.isEmpty(codeInRequest)) {
            throw new ValidateCodeException("驗證碼的值不能爲空");
        }
        if (codeInSession == null) {
            throw  new ValidateCodeException("驗證碼不存在");
        }
        if (codeInSession.isExpried()) {
            sessionStrategy.removeAttribute(request, ValidateCodeController.SESSION_KEY);
            throw  new ValidateCodeException("驗證碼已過期");
        }
        if (!StringUtils.equals(codeInSession.getCode(),codeInRequest)) {
            throw  new ValidateCodeException("驗證碼不匹配");
        }

        sessionStrategy.removeAttribute(request,ValidateCodeController.SESSION_KEY);
    }

    public AuthenticationFailureHandler getAuthenticationFailureHandler() {
        return authenticationFailureHandler;
    }

    public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        this.authenticationFailureHandler = authenticationFailureHandler;
    }

    public SessionStrategy getSessionStrategy() {
        return sessionStrategy;
    }

    public void setSessionStrategy(SessionStrategy sessionStrategy) {
        this.sessionStrategy = sessionStrategy;
    }

    public Set<String> getUrls() {
        return urls;
    }

    public void setUrls(Set<String> urls) {
        this.urls = urls;
    }

    public SecurityProperties getSecurityProperties() {
        return securityProperties;
    }

    public void setSecurityProperties(SecurityProperties securityProperties) {
        this.securityProperties = securityProperties;
    }
}

5、將SmsCodeAuthenticationFitler和SmsCodeAuthenticationProvider進行配置

將短信驗證碼登錄驗證的filter和provider,進行單獨配置。一般在項目中,短信驗證碼會是一個公共項目組件。

/**
 *  配置SmsCodeAuthenticationFilter
 *   和SmsCodeAuthenticationProvider
 */
@Component
public class SmsCodeAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {

    @Autowired
    private AuthenticationFailureHandler authenticationFailureHandler;

    @Autowired
    private AuthenticationSuccessHandler authenticationSuccessHandler;

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    public void configure(HttpSecurity http) throws Exception {
       SmsCodeAuthenticationFilter smsCodeAuthenticationFilter = new SmsCodeAuthenticationFilter();
       smsCodeAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
       smsCodeAuthenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler);
       smsCodeAuthenticationFilter.setAuthenticationFailureHandler(authenticationFailureHandler);

       SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider();
        smsCodeAuthenticationProvider.setUserDetailsService(userDetailsService);

        http.authenticationProvider(smsCodeAuthenticationProvider)
                .addFilterAfter(smsCodeAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }
}

6、驗證碼的驗證進行配置

/**
 * 覆蓋springboot對security的默認配置
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private SecurityProperties securityProperties;

    /**
     * 注入登錄成功操作類
     */
    @Autowired
    private AuthenticationSuccessHandler imoocAutheticationSuccessHandler;
    /**
     * 注入登錄失敗的處理器
     */
    @Autowired
    private AuthenticationFailureHandler imoocAuthenticationFailuredHandler;

    @Autowired
    private DataSource dataSource;

    @Autowired
    private UserDetailsService userDetailsService;
    /**
    *  將短信驗證的單獨配置引入進來,通過HttpSecurity 的apply()方法進行配置
    */
    @Autowired
    private SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig;

    /**
     * 用戶密碼加密類配置
     *
     * @return
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        // 這裏可以返回自己實現的加密類
        return new BCryptPasswordEncoder();
    }

    /**
     *  記住我的配置
     * @return
     */
    @Bean
    public PersistentTokenRepository persistentTokenRepository () {
        JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
        tokenRepository.setDataSource(dataSource);
        // 啓動的時候創建表
//        tokenRepository.setCreateTableOnStartup(true);
        return tokenRepository;
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 驗證碼過濾器配置
        ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
        // 設置失敗處理器
        validateCodeFilter.setAuthenticationFailureHandler(imoocAuthenticationFailuredHandler);
        validateCodeFilter.setSecurityProperties(securityProperties);
        validateCodeFilter.afterPropertiesSet();

        // 短信驗證碼過濾器配置
        SmsCodeFilter smsCodeFilter = new SmsCodeFilter();
        // 設置失敗處理器
        smsCodeFilter.setAuthenticationFailureHandler(imoocAuthenticationFailuredHandler);
        smsCodeFilter.setSecurityProperties(securityProperties);
        smsCodeFilter.afterPropertiesSet();

        http.addFilterBefore(smsCodeFilter, UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)
                .formLogin() // 表單登錄  http.httpBasic() httpbasic登錄
//                .loginPage("/imooc-signIn.html")  // 配置登錄頁面
                .loginPage("/authentication/require")
                .loginProcessingUrl("/authentication/from") // 配置登錄請求
                .successHandler(imoocAutheticationSuccessHandler) // 登錄成功處理器
                .failureHandler(imoocAuthenticationFailuredHandler)
                .and()
                .rememberMe()  // 配置記住我
                .tokenRepository(persistentTokenRepository())
                .tokenValiditySeconds(securityProperties.getBrowser().getRememberMeSeconds())
                 .userDetailsService(userDetailsService)
                .and()
                .authorizeRequests()  // 請求驗證
//                .antMatchers("/imooc-signIn.html").permitAll()// 匹配不需要身份認證的路徑
                .antMatchers("/authentication/require",
                        securityProperties.getBrowser().getLoginPage(),
                        "/code/*").permitAll()
                .anyRequest() // 任何請求
                .authenticated() // 都需要身份認證
                .and()
                .csrf().disable()
                .apply(smsCodeAuthenticationSecurityConfig); // 關閉僞造跨站請求防護功能
    }
}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

1. SpringSecurity 快速入門與簡單使用

Spring 官網對 SpringSecurity 的簡介 Spring Security is a powerful and highly customizable authentication and access-cont

Earth_Programer 2020-07-03 16:58:10

Spring Security自定義登錄驗證(不使用userDetailsService)

一:功能說明 實現了自定義登錄驗證(AuthenticationProvider)   二:具體代碼 1.自定義AuthenticationProvider /** * @author LEI * Created by LEI on

云海梦尘 2020-07-03 16:11:01

BCrypt初體驗之加密與驗證

版權聲明:本文爲 小異常 原創文章,非商用自由轉載-保持署名-註明出處,謝謝! 本文網址:https://blog.csdn.net/sun8112133/article/details/107057062 BCryp

小异常 2020-07-02 20:33:30

關於There is no PasswordEncoder mapped for the id null的報錯

版權聲明:本文爲 小異常 原創文章,非商用自由轉載-保持署名-註明出處,謝謝! 本文網址:https://blog.csdn.net/sun8112133/article/details/107056906 最近在做 Sp

小异常 2020-07-02 20:33:29

前後分離之後SpringBoot+SpringSecurity放行Swagger訪問後,security跨域配置失效的問題

問題背景: 項目用的swagger生成的接口文檔,同時也有security權限驗證,爲了方便後端自己測試,所以接口測試直接訪問swagger; 但是security如果沒有放行swagger的話,本地是訪問不到swagger的,同時前端要

额JS稀饭 2020-07-01 04:30:46

Spring Security學習之第(一)章

SpringSecurity是一個非常好得權限控制框架,和shiro有異曲同工之處。 我得SpringSecurity第一個程序: 一丶建一個微服務工程導入核心依賴 <!-- https://mvnrepository.com/a

明知路难偏偏行 2020-06-28 03:54:38

前後端分離 SpringBoot整合SpringSecurity權限控制(動態攔截url)

前後端分離 SpringBoot整合SpringSecurity權限控制(動態攔截url) Spring Security是一個功能強大且可高度自定義的身份驗證和訪問控制框架。它是保護基於Spring的應用程序的事實上的標準。

玄月 ⁡⁢ 2020-06-27 20:06:20

SpringSecurity入門3---過濾器實現圖形驗證碼

代碼地址 思路 後端生成驗證碼保存在Session中(Redis也可以),當前端輸入驗證碼進行登錄時,在校驗用戶名密碼之前校驗驗證碼是否正確,不正確就拋出異常,由失敗處理器進行處理 實現 使用Kaptcha進行驗證碼以及圖片的生成

Anntly 2020-06-24 09:44:21

SpringSecurity入門2---基於數據庫的登錄

代碼地址 在上文中實現了基於內存的登錄,書接上文,這次我們用基於數據庫的方式實現登錄 使用SpringSecurity默認提供的 創建數據庫即對應的表,在application.properties配置好數據源 DROP TA

Anntly 2020-06-24 09:44:21

SpringSecurity入門1---基於內存的登錄

代碼地址 開啓SpringBoot項目登錄校驗 在SpringBoot項目中引入SpringSecurity的依賴之後,項目就會默認開始基於HttpBasic的校驗,用戶默認爲user,密碼在項目啓動的時候會在控制檯中進行打印,隨

Anntly 2020-06-24 09:44:21

SpringSecurity入門4---自定義登錄認證實現圖形驗證碼

代碼地址 在上文中基於過濾器實現了圖形驗證碼的操作,這次我們深入研究一下自定義登錄認證,並基於自定義登錄認證來完成圖形驗證碼的驗證操作。 Authentication 在SpringSecurity中將用戶權限、其他系統和設備等包

Anntly 2020-06-24 09:44:21

SpringSecurity入門6---註銷登錄

代碼地址 實現 SpringSecurity爲我們實現了註銷的邏輯,修改配置即可實現註銷 @Override protected void configure(HttpSecurity http) throws Excep

Anntly 2020-06-24 09:44:21

SpringSecurity入門5---自動登錄(RememberMe)

代碼地址 實現方式 SpringSecurity提供了兩種令牌 散列算法加密用戶必要的登錄信息並生成令牌 數據庫等持久性數據存儲機制用的持久化令牌 散列加密方式 使用方式很簡單,修改配置文件,加入RememberMe即可 pr

Anntly 2020-06-24 09:44:21

詳細介紹OAuth2.0及實現和SpringSecurity的整合應用

一、OAuth2.0介紹 GitHub地址案例代碼地址 1.概念說明   先說OAuth,OAuth是Open Authorization的簡寫。   OAuth協議爲用戶資源的授權提供了一個安全的、開放而又簡易的標準。與以往的授

波波烤鸭 2020-06-23 11:23:31

漫步SpringSecurity---小短文搞懂分佈式中的單點登錄、JWT與RSA是個啥?

基本上每一個系統都會有一個認證功能,這個認證功能其實就是我們平時所做的登錄。用戶通過輸入自己的用戶名和密碼,我們後臺查詢數據庫,如果輸入都正確,那麼就給你登錄進入系統,同時後端保存下session信息。反之如果用戶名或密碼不正確則

这Leslie_Lau 2020-06-23 10:36:31