7. Spring Boot + Spring Security 短信功能（验证）

1.SmsAuthenticationFilter用于验证短信登陆信息，并且把信息封装到SmsAuthenticationToken！
2.将生成的SmsAuthenticationToken发送到AuthenticationManager中，AutenticationManager会从所有的Token中 选取一个进行验证比对
3.SmsAuthenticationProvider调用UserDetailsService进行具体的Token逻辑验证比对

• SmsCodeAuthenticationFilter继承AbstractAuthenticationProcessingFilter，并且改成自己自己的Filter
  package com.imooc.security.core.authentication.moblie;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class SmsCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

public static final String IMOOC_FROM_mobile_KEY = "mobile";

private String mobileParmeter = IMOOC_FROM_mobile_KEY;
private boolean postOnly = true;

// ~ Constructors
// ===================================================================================================

public SmsCodeAuthenticationFilter() {
	super(new AntPathRequestMatcher("/authentication/mobile", "POST"));
}

// ~ Methods
// ========================================================================================================

public Authentication attemptAuthentication(HttpServletRequest request,
		HttpServletResponse response) throws AuthenticationException {
	if (postOnly && !request.getMethod().equals("POST")) {
		throw new AuthenticationServiceException(
				"Authentication method not supported: " + request.getMethod());
	}

	String mobile = obtainmobile(request);
	

	if (mobile == null) {
		mobile = "";
	}

	mobile = mobile.trim();

	SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile);

	// Allow subclasses to set the "details" property
	setDetails(request, authRequest);

	return this.getAuthenticationManager().authenticate(authRequest);
}


/**
 * 获取前端传入的手机号
 */
protected String obtainmobile(HttpServletRequest request) {
	return request.getParameter(mobileParmeter);
}

/**
 * 将请求的ip sessionID 等设置到验证请求里面去 
 *
 * @param request that an authentication request is being created for
 * @param authRequest the authentication request object that should have its details
 * set
 */
protected void setDetails(HttpServletRequest request,
		SmsCodeAuthenticationToken authRequest) {
	authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}



/**
 * Defines whether only HTTP POST requests will be allowed by this filter. If set to
 * true, and an authentication request is received which is not a POST request, an
 * exception will be raised immediately and authentication will not be attempted. The
 * <tt>unsuccessfulAuthentication()</tt> method will be called as if handling a failed
 * authentication.
 * <p>
 * Defaults to <tt>true</tt> but may be overridden by subclasses.
 */
public void setPostOnly(boolean postOnly) {
	this.postOnly = postOnly;
}

}

• SmsCodeAuthenticationProvider继承AuthenticationProvider

package com.imooc.security.core.authentication.moblie;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

/**
 * @author cjj
 * @date 2019年1月29日
 * @email 729165621@qq.com
 * @blog blog.csdn.net/qq_29451823
 */
public class SmsCodeAuthenticationProvider implements AuthenticationProvider{
	
	private UserDetailsService userDetailsService;
	
	/**
	 * 进行身份认证的逻辑
	 */
	@Override
	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
		
		SmsCodeAuthenticationToken authenticationToken = (SmsCodeAuthenticationToken)authentication;
		
		UserDetails user = userDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal());
		
		if(user == null) {
			throw new InternalAuthenticationServiceException("无法获取用户信息");
		}
		//token 认证 
		SmsCodeAuthenticationToken authenticationResult = new SmsCodeAuthenticationToken(user,user.getAuthorities());
		authenticationResult.setDetails(authenticationToken.getDetails());
		return authenticationResult;
	}
	/**
	 * 在AuthenticationManageer里面挑选一个Provider 来处理传进来的token
	 */
	@Override
	public boolean supports(Class<?> authentication) {
		// 判断传入的authentication是不是SmsCodeAuthenticationToken这种类型的
		return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);
	}
	public UserDetailsService getUserDetailsService() {
		return userDetailsService;
	}
	public void setUserDetailsService(UserDetailsService userDetailsService) {
		this.userDetailsService = userDetailsService;
	}
	
	

}

• SmsCodeAuthenticationToken

package com.imooc.security.core.authentication.moblie;

import java.util.Collection;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityCoreVersion;

/**
 * 封装用户信息(登陆前或者登陆后)
 * @author cjj
 * @date 2019年1月29日
 * @email 729165621@qq.com
 * @blog blog.csdn.net/qq_29451823
 */
public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken{
	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

	// ~ Instance fields
	// ================================================================================================

	private final Object principal;
	// ~ Constructors
	// ===================================================================================================

	/**
	 * This constructor can be safely used by any code that wishes to create a
	 * <code>UsernamePasswordAuthenticationToken</code>, as the {@link #isAuthenticated()}
	 * will return <code>false</code>.
	 *
	 */
	public SmsCodeAuthenticationToken(String mobile) {
		super(null);
		this.principal = mobile;
		
		setAuthenticated(false);//是否认证
	}

	/**
	 * This constructor should only be used by <code>AuthenticationManager</code> or
	 * <code>AuthenticationProvider</code> implementations that are satisfied with
	 * producing a trusted (i.e. {@link #isAuthenticated()} = <code>true</code>)
	 * authentication token.
	 *
	 * @param principal
	 * @param credentials
	 * @param authorities
	 */
	public SmsCodeAuthenticationToken(Object principal, 
			Collection<? extends GrantedAuthority> authorities) {
		super(authorities);
		this.principal = principal;
		super.setAuthenticated(true); // must use super, as we override
	}

	// ~ Methods
	// ========================================================================================================


	public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
		if (isAuthenticated) {
			throw new IllegalArgumentException(
					"Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
		}

		super.setAuthenticated(false);
	}
	
	public Object getPrincipal() {
		return this.principal;
	}
	
	@Override
	public Object getCredentials() {
	
		return null;
	}
	
	@Override
	public void eraseCredentials() {
		super.eraseCredentials();
	}
}

• SmsCodeAuthenticationSecurityConfig进行文件配置

package com.imooc.security.core.authentication.moblie;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;

/**
 * 短信验证码的安全配置
 * @author cjj
 * @date 2019年1月29日
 * @email 729165621@qq.com
 * @blog blog.csdn.net/qq_29451823
 */
@Component("smsCodeAuthenticationSecurityConfig")
public class SmsCodeAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>{
	
	@Autowired
	private AuthenticationSuccessHandler imoocAuthenticationSuccessHandler;
	
	@Autowired
	private AuthenticationFailureHandler imoocAuthenticationFailureHandler;
	
	@Autowired
	private UserDetailsService userDetailsService;
	 
	@Override
	public void configure(HttpSecurity http) throws Exception {
		SmsCodeAuthenticationFilter smsCodeAuthenticationFilter = new SmsCodeAuthenticationFilter();
		smsCodeAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
		smsCodeAuthenticationFilter.setAuthenticationSuccessHandler(imoocAuthenticationSuccessHandler);
		smsCodeAuthenticationFilter.setAuthenticationFailureHandler(imoocAuthenticationFailureHandler);
		
		SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider();
		smsCodeAuthenticationProvider.setUserDetailsService(userDetailsService);
		
		http.authenticationProvider(smsCodeAuthenticationProvider)
			.addFilterAfter(smsCodeAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
	}
}
 

• 然后在BrowserSecurityConfig里面加入SmsCodeAuthenticationSecurityConfig配置文件

package com.imooc.security.browser;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

import com.imooc.security.core.authentication.moblie.SmsCodeAuthenticationSecurityConfig;
import com.imooc.security.core.properties.SecurityProperties;
import com.imooc.security.core.validate.code.SmsCodeFilter;
import com.imooc.security.core.validate.code.ValidateCodeFilter;

/**
 * 
 * @author cjj
 * @date 2018年9月26日
 * @email 729165621@qq.com
 * @blog blog.csdn.net/qq_29451823
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter{
	
	@Autowired
	private SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig;
	
	@Autowired
	private SecurityProperties securityProperties;
	
	@Autowired
	private AuthenticationSuccessHandler imoccAuthenticationSuccessHandler;
	
	@Autowired
	private AuthenticationFailureHandler imoccAuthenticationFailUrlHandler;
	
	@Autowired
	private DataSource dataSource;
	
	@Autowired
	private UserDetailsService userDetailsService;
	
	@Bean
	public PersistentTokenRepository persistentTokenRepository() {
		JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl();
		tokenRepositoryImpl.setDataSource(dataSource);
		//tokenRepositoryImpl.setCreateTableOnStartup(true);//自动创建用户信息表
		return tokenRepositoryImpl;
		
	}
	/**
	 * 处理密码加密解密
	 * @return
	 */
	@Bean
	public PasswordEncoder passwordEncode() {
		//PasswordEncoder的一个实现类
		return new BCryptPasswordEncoder();
	}
	
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		
		ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
		validateCodeFilter.setAuthenticationFailureHandler(imoccAuthenticationFailUrlHandler);
		validateCodeFilter.setSecurityProperties(securityProperties);
		validateCodeFilter.afterPropertiesSet();
		
		SmsCodeFilter smsCodeFilter = new SmsCodeFilter();
		smsCodeFilter.setAuthenticationFailureHandler(imoccAuthenticationFailUrlHandler);
		smsCodeFilter.setSecurityProperties(securityProperties);
		smsCodeFilter.afterPropertiesSet();
		
		http.addFilterBefore(smsCodeFilter,UsernamePasswordAuthenticationFilter.class)//smsCodeFilter过滤器加载到用户名密码过滤器校验的前面
			.addFilterBefore(validateCodeFilter,UsernamePasswordAuthenticationFilter.class)//validatecodeFilter过滤器加载到用户名密码过滤器校验的前面
		    .formLogin()//表单认证
			.loginPage("/authentication/require")//添加自定义登陆界面
			.loginProcessingUrl("/authentication/from")//这个URL用UsernamePasswordAuthenticationFilter来处理
			.successHandler(imoccAuthenticationSuccessHandler)
			.failureHandler(imoccAuthenticationFailUrlHandler)
			.and()
		//配置记住我
			.rememberMe()
			.tokenRepository(persistentTokenRepository())
			.tokenValiditySeconds(securityProperties.getBrowser().getRemeberMeSeconds())
			.userDetailsService(userDetailsService)
		//http.httpBasic()//弹出框认证
			.and()
			.authorizeRequests()//对请求做一个授权
			.antMatchers("/authentication/require"
					,securityProperties.getBrowser().getLoginPage()
					,"/code/*").permitAll()//访问这个页面的时候不需要授权
			.anyRequest()//任何请求
			.authenticated()//身份认证
			.and()
			.csrf().disable()//关闭跨站请求伪造
			.apply(smsCodeAuthenticationSecurityConfig);
	}
}

• 效果展示

不输入短信验证码直接登陆

输入错误的短信验证码

发送短信验证码后，后台会受到一个6位数字的短信验证码（这儿是手动随机模拟生成），然后输入正确的短信验证码，这儿是设置将Token信息发送到前台页面

如果重复页面验证，就是返回登陆页面，再登陆一次

注解：整体代码有一个重复的地方，需要重构。