【Spring Security系列】Spring Security使用自定义认证实现图形验证码

前面使用过滤器的方式实现了带图形验证码的验证功能，属于Servlet层面，简单、易理解。其实，Spring Security还提供了一种更优雅的实现图形验证码的方式，即自定义认证。

1.认识AuthenticationProvider

在学习Spring Security的自定义认证之前，有必要了解Spring Security是如何灵活集成多种认证技术的。

我们所面对的系统中的用户，在Spring Security中被称为主体（principal）。主体包含了所有能够经过验证而获得系统访问权限的用户、设备或其他系统。主体的概念实际上来自 Java Security,Spring Security通过一层包装将其定义为一个Authentication。

public interface Authentication extends Principal, Serializable {
	/**
	 * 获取主体权限列表
	 */
	Collection<? extends GrantedAuthority> getAuthorities();

	/**
	 * 获取主体凭证，通常为用户密码
	 */
	Object getCredentials();

	/**
	 * 获取主体携带的详细信息
	 */
	Object getDetails();

	/**
	 * 获取主体，通常为一个用户名
	 */
	Object getPrincipal();

	/**
	 * 主体是否认证成功
	 */
	boolean isAuthenticated();

	void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException;
}

Authentication中包含主体权限列表、主体凭据、主体详细信息，以及主体是否验证成功等信息。由于大部分场景下身份验证都是基于用户名和密码进行的，所以Spring Security提供了一个 UsernamePasswordAuthenticationToken用于代指这一类证明（例如，用SSH KEY也可以登录，但它不属于用户名和密码登录这个范畴，如有必要，也可以自定义提供）。在前面使用的表单登录中，每一个登录用户都被包装为一UsernamePasswordAuthenticationToken，从而在Spring Security的各个AuthenticationProvider中流动。

AuthenticationProvider被Spring Security定义为一个验证过程。

public interface AuthenticationProvider {
	/**
	 * 验证过程，验证成功返回一个验证完成的Authentication
	 */
	Authentication authenticate(Authentication authentication) throws AuthenticationException;

	/**
	 * 是否支持当前的authentication类型
	 */
	boolean supports(Class<?> authentication);
}

一次完整的认证可以包含多个AuthenticationProvider，一般由ProviderManager管理。

public class ProviderManager implements AuthenticationManager, MessageSourceAware, InitializingBean {
	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
		Class<? extends Authentication> toTest = authentication.getClass();
		AuthenticationException lastException = null;
		AuthenticationException parentException = null;
		Authentication result = null;
		Authentication parentResult = null;
		boolean debug = logger.isDebugEnabled();

		for (AuthenticationProvider provider : getProviders()) {
			if (!provider.supports(toTest)) {
				continue;
			}

			if (debug) {
				logger.debug("Authentication attempt using "
						+ provider.getClass().getName());
			}

			try {
				result = provider.authenticate(authentication);

				if (result != null) {
					copyDetails(authentication, result);
					break;
				}
			}
			catch (AccountStatusException | InternalAuthenticationServiceException e) {
				prepareException(e, authentication);
				// SEC-546: Avoid polling additional providers if auth failure is due to
				// invalid account status
				throw e;
			} catch (AuthenticationException e) {
				lastException = e;
			}
		}

		if (result == null && parent != null) {
			// Allow the parent to try.
			try {
				result = parentResult = parent.authenticate(authentication);
			}
			catch (ProviderNotFoundException e) {
				// ignore as we will throw below if no other exception occurred prior to
				// calling parent and the parent
				// may throw ProviderNotFound even though a provider in the child already
				// handled the request
			}
			catch (AuthenticationException e) {
				lastException = parentException = e;
			}
		}

		if (result != null) {
			if (eraseCredentialsAfterAuthentication
					&& (result instanceof CredentialsContainer)) {
				// Authentication is complete. Remove credentials and other secret data
				// from authentication
				((CredentialsContainer) result).eraseCredentials();
			}

			// If the parent AuthenticationManager was attempted and successful than it will publish an AuthenticationSuccessEvent
			// This check prevents a duplicate AuthenticationSuccessEvent if the parent AuthenticationManager already published it
			if (parentResult == null) {
				eventPublisher.publishAuthenticationSuccess(result);
			}
			return result;
		}

		// Parent was null, or didn't authenticate (or throw an exception).

		if (lastException == null) {
			lastException = new ProviderNotFoundException(messages.getMessage(
					"ProviderManager.providerNotFound",
					new Object[] { toTest.getName() },
					"No AuthenticationProvider found for {0}"));
		}

		// If the parent AuthenticationManager was attempted and failed than it will publish an AbstractAuthenticationFailureEvent
		// This check prevents a duplicate AbstractAuthenticationFailureEvent if the parent AuthenticationManager already published it
		if (parentException == null) {
			prepareException(lastException, authentication);
		}

		throw lastException;
	}
}

2.自定义AuthenticationProvider

Spring Security提供了多种常见的认证技术，包括但不限于以下几种：

• HTTP层面的认证技术，包括HTTP基本认证和HTTP摘要认证两种。
• 基于LDAP的认证技术（Lightweight Directory Access Protocol，轻量目录访问协议）。
• 聚焦于证明用户身份的OpenID认证技术。
• 聚焦于授权的OAuth认证技术。
• 系统内维护的用户名和密码认证技术。

其中，使用最为广泛的是由系统维护的用户名和密码认证技术，通常会涉及数据库访问。为了更好地按需定制，Spring Security 并没有直接糅合整个认证过程，而是提供了一个抽象的AuthenticationProvider。

public abstract class AbstractUserDetailsAuthenticationProvider implements
		AuthenticationProvider, InitializingBean, MessageSourceAware {

	protected final Log logger = LogFactory.getLog(getClass());

	// ~ Instance fields
	// ================================================================================================

	protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
	private UserCache userCache = new NullUserCache();
	private boolean forcePrincipalAsString = false;
	protected boolean hideUserNotFoundExceptions = true;
	private UserDetailsChecker preAuthenticationChecks = new DefaultPreAuthenticationChecks();
	private UserDetailsChecker postAuthenticationChecks = new DefaultPostAuthenticationChecks();
	private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();

	// ~ Methods
	// ========================================================================================================

	/**
	 * Allows subclasses to perform any additional checks of a returned (or cached)
	 * <code>UserDetails</code> for a given authentication request. Generally a subclass
	 * will at least compare the {@link Authentication#getCredentials()} with a
	 * {@link UserDetails#getPassword()}. If custom logic is needed to compare additional
	 * properties of <code>UserDetails</code> and/or
	 * <code>UsernamePasswordAuthenticationToken</code>, these should also appear in this
	 * method.
	 *
	 * @param userDetails as retrieved from the
	 * {@link #retrieveUser(String, UsernamePasswordAuthenticationToken)} or
	 * <code>UserCache</code>
	 * @param authentication the current request that needs to be authenticated
	 *
	 * @throws AuthenticationException AuthenticationException if the credentials could
	 * not be validated (generally a <code>BadCredentialsException</code>, an
	 * <code>AuthenticationServiceException</code>)
	 */
	protected abstract void additionalAuthenticationChecks(UserDetails userDetails,
			UsernamePasswordAuthenticationToken authentication)
			throws AuthenticationException;

	public final void afterPropertiesSet() throws Exception {
		Assert.notNull(this.userCache, "A user cache must be set");
		Assert.notNull(this.messages, "A message source must be set");
		doAfterPropertiesSet();
	}

	public Authentication authenticate(Authentication authentication)
			throws AuthenticationException {
		Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
				() -> messages