Spring boot整合Spring Security实现验证码登陆

验证码登陆在日常使用软件中是很常见的,甚至可以说超过了密码登陆。

如何通过Spring Security框架实现验证码登陆,并且登陆成功之后也同样返回和密码登陆类似的token?

  • 先看一张Spring Security拦截请求的流程图

 可以发现Spring Security默认有用户名密码登陆拦截器,查看 UsernamePasswordAuthenticationFilter 实现了 AbstractAuthenticationProcessingFilter类 。根据UsernamePasswordAuthenticationFilter的设计模式可以在Spring security的基础上拓展自己的拦截器,实现相应的功能。

  • 新增一个 SmsCodeAuthenticationToken 实体类,需要继承IrhAuthenticationToken,而IrhAuthenticationToken继承了 AbstractAuthenticationToken 用来封装验证码登陆时需要的信息,并且自定义一个AuthenticationToken的父类的作用就是用来在管理在具有多种登陆方式的系统中,能记录最核心的两个信息,一个是用户身份,一个是登陆口令;并且在后期能直接向上转型而不报错。
package top.imuster.auth.config;

import org.springframework.security.core.GrantedAuthority;

import java.util.Collection;

/**
 * @ClassName: SmsCodeAuthenticationToken
 * @Description: 验证码登录验证信息封装类
 * @author: hmr
 * @date: 2020/4/30 13:59
 */
public class SmsCodeAuthenticationToken extends IrhAuthenticationToken {
    public SmsCodeAuthenticationToken(Object principal, Object credentials) {
        super(principal, credentials);
    }

    public SmsCodeAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
        super(principal, credentials, authorities);
    }
}
package top.imuster.auth.config;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;

import java.util.Collection;

/**
 * @Author hmr
 * @Description 自定义AbstractAuthenticationToken
 * @Date: 2020/5/1 13:51
 * @param irh平台的认证实体类   可以通过继承该类来实现不同的登录逻辑
 * @reture:
 **/
public class IrhAuthenticationToken extends AbstractAuthenticationToken {

    private static final long serialVersionUID = 110L;

    //用户信息
    protected final Object principal;

    //密码或者邮箱验证码
    protected Object credentials;

    /**
     * This constructor can be safely used by any code that wishes to create a
     * <code>UsernamePasswordAuthenticationToken</code>, as the {@link
     * #isAuthenticated()} will return <code>false</code>.
     *
     */
    public IrhAuthenticationToken(Object principal, Object credentials) {
        super(null);
        this.principal = principal;
        this.credentials = credentials;
        this.setAuthenticated(false);
    }

    /**
     * This constructor should only be used by <code>AuthenticationManager</code> or <code>AuthenticationProvider</code>
     * implementations that are satisfied with producing a trusted (i.e. {@link #isAuthenticated()} = <code>true</code>)
     * token token.
     *
     * @param principal
     * @param credentials
     * @param authorities
     */
    public IrhAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.credentials = credentials;
        super.setAuthenticated(true);
    }


    @Override
    public Object getCredentials() {
        return this.credentials;
    }

    @Override
    public Object getPrincipal() {
        return this.principal;
    }


    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        if(isAuthenticated) {
            throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
        } else {
            super.setAuthenticated(false);
        }
    }

    public void eraseCredentials() {
        super.eraseCredentials();
        this.credentials = null;
    }
}

  • 继承AbstractAuthenticationProcessingFilter之后就可以将自定义的Filter假如到过滤器链中。所以自定义一个 SmsAuthenticationFilter 类并且继承 AbstractAuthenticationProcessingFilter 类,并且该Filter中只校验输入参数是否正确,如果不完整,则抛出 AuthenticationServiceException异常,如果抛出自定义异常,会被Security框架处理。用原生异常可以设置异常信息,直接返回给前端。
package top.imuster.auth.component.login;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import top.imuster.auth.config.SecurityConstants;
import top.imuster.auth.config.SmsCodeAuthenticationToken;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * @ClassName: SmsCodeAuthenticationFilter
 * @Description: 自定义拦截器,拦截登录请求中的登录类型
 * @author: hmr
 * @date: 2020/4/30 12:16
 */
public class SmsCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    private static final Logger log = LoggerFactory.getLogger(SmsCodeAuthenticationFilter.class);

    private static final String POST = "post";

    private boolean postOnly = true;

    public SmsCodeAuthenticationFilter(){
        super(new AntPathRequestMatcher("/emailCodeLogin", "POST"));
    }

    @Autowired
    AuthenticationManager authenticationManager;

    @Override
    @Autowired
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        super.setAuthenticationManager(authenticationManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        if(postOnly && !POST.equalsIgnoreCase(httpServletRequest.getMethod())){
            throw new AuthenticationServiceException("不允许{}这种的请求方式: " + httpServletRequest.getMethod());
        }
        //邮箱地址
        String loginName = obtainParameter(httpServletRequest, SecurityConstants.LOGIN_PARAM_NAME);
        //验证码
        String credentials = obtainParameter(httpServletRequest, SecurityConstants.EMAIL_VERIFY_CODE);
        loginName = loginName.trim();

        if(StringUtils.isBlank(loginName)) throw new AuthenticationServiceException("登录名不能为空");
        if(StringUtils.isBlank(credentials)) throw new AuthenticationServiceException("验证码不能为空");

        SmsCodeAuthenticationToken authenticationToken = new SmsCodeAuthenticationToken(loginName, credentials);  //将输入的信息封装成一个SmsCodeAuthenicationToken对象,并向后传递
        setDetails(httpServletRequest, authenticationToken);
        return authenticationManager.authenticate(authenticationToken);
    }

    private void setDetails(HttpServletRequest request,
                            SmsCodeAuthenticationToken authRequest) {
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
    }

    /**
     * @Author hmr
     * @Description 从request中获得参数
     * @Date: 2020/4/30 12:22
     * @param request
     * @reture: java.lang.String
     **/
    protected String obtainParameter(HttpServletRequest request, String type){
        return request.getParameter(type);
    }
}
  • 设置了Filter拦截到登陆请求之后,还需要一个具体的校验验证码是否正确的类  SmsAuthenticationProvider,该类才是具体的业务代码
package top.imuster.auth.component.login;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import top.imuster.auth.config.SmsCodeAuthenticationToken;
import top.imuster.common.core.utils.RedisUtil;

/**
 * @ClassName: IrhAuthenticationProvider
 * @Description: IrhAuthenticationProvider
 * @author: hmr
 * @date: 2020/4/30 14:36
 */
public class SmsAuthenticationProvider implements AuthenticationProvider {
    private final Logger log = LoggerFactory.getLogger(this.getClass());

    @Autowired
    RedisTemplate redisTemplate;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        SmsCodeAuthenticationToken authenticationToken = (SmsCodeAuthenticationToken) authentication;     //先将authentication强转成SmsCodeAuthenticationToken
        //登录名
        String loginName = authenticationToken.getPrincipal() == null?"NONE_PROVIDED":authentication.getName(); 
        //验证码
        String verify = (String)authenticationToken.getCredentials();
        String redisCode = (String)redisTemplate.opsForValue().get(RedisUtil.getConsumerLoginByEmail(loginName));   //从redis中获得申请到的验证码
        if(StringUtils.isEmpty(redisCode) || !verify.equalsIgnoreCase(redisCode)){
            throw new AuthenticationServiceException("验证码失效或者错误");
        }
        return authentication;
    }

    @Override
    public boolean supports(Class<?> aClass) {
        return (SmsCodeAuthenticationToken.class.isAssignableFrom(aClass));
    }

}

 并且在一个继承了 WebSecurityConfigurerAdapter的类中将Filter和Provide声明成Bean

package top.imuster.auth.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import top.imuster.auth.component.login.*;
import top.imuster.auth.service.Impl.UsernameUserDetailsServiceImpl;

import java.util.Arrays;

@Configuration
@EnableWebSecurity
@Order(2147483636)
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public SmsCodeAuthenticationFilter smsCodeAuthenticationFilter(){
    SmsCodeAuthenticationFilter smsCodeAuthenticationFilter = new SmsCodeAuthenticationFilter();
try {
smsCodeAuthenticationFilter.setAuthenticationManager(this.authenticationManager());
} catch (Exception e) {
e.printStackTrace();
}
smsCodeAuthenticationFilter.setAuthenticationSuccessHandler(irhAuthenticationSuccessHandler());
smsCodeAuthenticationFilter.setAuthenticationFailureHandler(irhAuthenticationFailHandler());
return smsCodeAuthenticationFilter;
}
@Bean
public SmsAuthenticationProvider smsAuthenticationProvider(){
SmsAuthenticationProvider provider = new SmsAuthenticationProvider();
// 设置userDetailsService
// 禁止隐藏用户未找到异常
return provider;
}


@Bean
@Override
public AuthenticationManager authenticationManager() throws Exception {
ProviderManager authenticationManager = new ProviderManager(Arrays.asList(smsAuthenticationProvider()));
return authenticationManager;
}

}

 

说明:Filter是用来拦截Request请求,并且从request请求中将指定的信息提取出来,判断一些必要信息是否存在,不对信息进行校验,校验信息合法之后将其封装到token中,向后传递给provide如;provider则

将filter中得到的信息进行校验,在provider中,主要要注意的就是需要重写 supports(Class<?> aClass) 方法,该方法的作用就是假如在系统中有多个filter,并且向后传递了多个不同的token,那么对应的token只能传递到对应的provider中,所以该方法返回到是一个boolean类型,用来给Spring Security决策是否需要进入该provider。

  • 获取验证码
    /**
     * @Author hmr
     * @Description 发送email验证码
     * @Date: 2020/4/30 10:12
     * @param email  接受code的邮箱
     * @param type   1-注册  2-登录  3-忘记密码
     * @reture: top.imuster.common.base.wrapper.Message<java.lang.String>
     **/
    @ApiOperation(value = "发送email验证码",httpMethod = "GET")
    @Idempotent(submitTotal = 5, timeTotal = 30, timeUnit = TimeUnit.MINUTES)
    @GetMapping("/sendCode/{type}/{email}")
    public Message<String> getCode(@ApiParam("邮箱地址") @PathVariable("email") String email, @PathVariable("type") Integer type) throws Exception {
        if(type != 1 && type != 2 && type != 3 && type != 4){
            return Message.createByError("参数异常,请刷新后重试");
        }
        userLoginService.getCode(email, type);
        return Message.createBySuccess();
    }

具体代码我已经开源到GitHub上,仓库地址为https://github.com/HMingR/irh,该项目中还有利用Spring security实现微信小程序登陆,用户名密码登陆等。

posted @ 2020-09-04 18:12  HMingR  阅读(860)  评论(0编辑  收藏  举报