依赖:
<dependencies>
<!-- Security依赖,安全框架-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- JWT依赖-->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.0</version>
</dependency>
<!--SpringWeb依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!--简化实体工具类-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<!-- 验证码 kaptcha依赖 -->
<dependency>
<groupId>com.github.axet</groupId>
<artifactId>kaptcha</artifactId>
<version>0.0.9</version>
</dependency>
</dependencies>
验证码配置:
package com.example.security02.config;
import com.google.code.kaptcha.Producer;
import com.google.code.kaptcha.impl.DefaultKaptcha;
import com.google.code.kaptcha.util.Config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.Properties;
/**
* 验证码配置类
*
* @author zhoubin
* @since 1.0.0
*/
@Configuration
public class CaptchaConfig {
@Bean
public Producer kapthca(){
Properties properties=new Properties();
properties.setProperty("kaptcha.image.width", "150");
properties.setProperty("kaptcha.image.height", "50");
properties.setProperty("kaptcha.textproducer.char.string", "0123456789");
properties.setProperty("kaptcha.textproducer.char.length", "4");
Config config = new Config(properties);
//验证码生成器
DefaultKaptcha defaultKaptcha=new DefaultKaptcha();
defaultKaptcha.setConfig(config);
return defaultKaptcha;
}
}
security配置:
package com.example.security02.config;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import java.util.HashMap;
import java.util.Map;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public UserDetailsService userDetailsService() {
InMemoryUserDetailsManager userDetailsManager = new InMemoryUserDetailsManager();
userDetailsManager.createUser(User.withUsername("aaa").password("{noop}123").roles("admin").build()); // {noop} 明文意思
return userDetailsManager;
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService());
}
// 自定义 filter 交给工厂管理
@Bean
public LoginFilter loginFilter() throws Exception {
LoginFilter loginFilter = new LoginFilter();
loginFilter.setFilterProcessesUrl("/doLogin"); // 指定认证 URL
loginFilter.setUsernameParameter("uname"); // 指定接受 json 用户名 key
loginFilter.setPasswordParameter("passwd");// 指定接受 json 密码 key
loginFilter.setKapychaParameter("kaptcha");
loginFilter.setAuthenticationManager(authenticationManager());
// 认证成功处理
loginFilter.setAuthenticationSuccessHandler((req, resp, authentication) -> {
Map<String, Object> result = new HashMap<>();
result.put("msg", "登录成功");
result.put("用户信息", (User) authentication.getPrincipal());
// 状态码
resp.setStatus(HttpStatus.OK.value());
// JSON格式响应
resp.setContentType("application/json;charset=UTF-8");
String s = new ObjectMapper().writeValueAsString(result);
resp.getWriter().println(s);
});
// 认证失败处理
loginFilter.setAuthenticationFailureHandler((req, resp, ex) -> {
Map<String, Object> result = new HashMap<>();
result.put("msg", "登录失败" + ex.getMessage());
result.put("status", 500);
// 状态码
resp.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
// JSON格式响应
resp.setContentType("application/json;charset=UTF-8");
// 状态码
resp.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
// 打印到页面
String s = new ObjectMapper().writeValueAsString(result);
resp.getWriter().println(s);
});
return loginFilter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.mvcMatchers("/vc.jpg").permitAll()
.mvcMatchers("/test").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.exceptionHandling()
.authenticationEntryPoint((request, response, authExc) -> {
response.setContentType("application/json;charset=UTF-8");
// response.setContentType(MediaType.APPLICATION_JSON_VALUE);
// 状态码
response.setStatus(HttpStatus.UNAUTHORIZED.value());
response.getWriter().println("请认证之后进行处理!" + response);
})
.and()
.logout()
.and().csrf().disable()
;
// At 用来某个 filter 替换过滤器中哪个 filter
// before 放在过滤器中哪个 filter 之前
// after 放在过滤器中哪个 filter 之后
http.addFilterAt(loginFilter(), UsernamePasswordAuthenticationFilter.class);
}
// 作用: 用来将自定义(本地) AuthenticationManager 在工厂中暴漏,可以在任何位置注入
@Bean
@Override
public AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
}
验证码接口:
package com.example.security02.controller;
import com.google.code.kaptcha.Producer;
import com.google.code.kaptcha.impl.DefaultKaptcha;
import org.apache.tomcat.util.codec.binary.Base64;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.util.FastByteArrayOutputStream;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.imageio.ImageIO;
import javax.servlet.http.HttpSession;
import java.awt.image.BufferedImage;
import java.io.IOException;
@RestController
//@Controller
public class UsersController {
private final Producer defaultKaptcha;
@Autowired
public UsersController(Producer defaultKaptcha) {
this.defaultKaptcha = defaultKaptcha;
}
@RequestMapping("vc.jpg")
public String verifyCode(HttpSession httpSession) throws IOException {
// 1.生成验证码
String verifyCode = defaultKaptcha.createText();
// 2.保存到 session 中
httpSession.setAttribute("kaptcha", verifyCode);
// 3.生成图片
BufferedImage bi = defaultKaptcha.createImage(verifyCode);
// 图片转成内存中的byte数组
FastByteArrayOutputStream fos = new FastByteArrayOutputStream();
// 把图片以jpg格式输出到fos这里就是内存中,字节流
ImageIO.write(bi, "jpg", fos);
// 4. 返回 base64
return Base64.encodeBase64String(fos.toByteArray());
}
}
自定义filer:
package com.example.security02.config;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.SneakyThrows;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.util.ObjectUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Map;
/**
* 自定义前后端分离认证 Filter
*/
public class LoginFilter extends UsernamePasswordAuthenticationFilter {
public static final String FORM_KAPYCHA_KEY = "kapycha";
private String kapychaParameter = FORM_KAPYCHA_KEY;
public String getKapychaParameter() {
return kapychaParameter;
}
public void setKapychaParameter(String kapychaParameter) {
this.kapychaParameter = kapychaParameter;
}
@SneakyThrows
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
// 1.判断是否是 post 方式请求
if (!request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
}
// 2.从 json 数据中获取用户输入用户名和密码进行认证
try {
// 获取请求数据
Map userInfo = new ObjectMapper().readValue(request.getInputStream(), Map.class);
String username = (String) userInfo.get(getUsernameParameter());
String password = (String) userInfo.get(getPasswordParameter());
String kapycha = (String) userInfo.get(getKapychaParameter());
System.out.println("用户名:" + username + "密码:" + password + "验证码:" + kapycha);
String sessionCode = (String) request.getSession().getAttribute("kaptcha");
if (!ObjectUtils.isEmpty(kapycha) && !ObjectUtils.isEmpty(sessionCode) && kapycha.equalsIgnoreCase(sessionCode)) {
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
this.setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
} catch (Exception e) {
e.printStackTrace();
}
throw new KaptchaNotMatchException("验证码不匹配!");
}
}
自定义异常:
package com.example.security02.config;
import org.springframework.security.core.AuthenticationException;
public class KaptchaNotMatchException extends AuthenticationException {
public KaptchaNotMatchException(String msg, Throwable cause) {
super(msg, cause);
}
public KaptchaNotMatchException(String msg) {
super(msg);
}
}