1.增加图片验证代码
// 图片验证码信息
public class ImageCode {
// 图片
private BufferedImage image;
// 随机数
private String code;
// 过期时间
private LocalDateTime expireTime;
public ImageCode() {}
public ImageCode(BufferedImage image, String code, LocalDateTime expireTime) {
this.image = image;
this.code = code;
this.expireTime = expireTime;
}
// expireIn 过多久图形验证码 过期
public ImageCode(BufferedImage image, String code, int expireIn) {
this.image = image;
this.code = code;
this.expireTime = LocalDateTime.now().plusSeconds(expireIn);
}
// 验证是否过期
public boolean isExpire () {
return LocalDateTime.now().isAfter(expireTime);
}
public BufferedImage getImage() {
return image;
}
public void setImage(BufferedImage image) {
this.image = image;
}
public String getCode() {
return code;
}
public void setCode(String code) {
this.code = code;
}
public LocalDateTime getExpireTime() {
return expireTime;
}
public void setExpireTime(LocalDateTime expireTime) {
this.expireTime = expireTime;
}
}
2.编写 imageController 用来给前端提供图片验证码,并且把图片信息写入session
// 生成校验码的请求处理器
@RestController
public class imageController {
public static final String SESSION_KEY = "SESSION_KEY_IMAGE_CODE";
private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();
@GetMapping("/code/image")
public void createCode (HttpServletRequest request, HttpServletResponse response) throws IOException {
ImageCode imageCode = createImage(request);
sessionStrategy.setAttribute(new ServletWebRequest(request), SESSION_KEY, imageCode);
ImageIO.write(imageCode.getImage(), "JPEG", response.getOutputStream());
}
private ImageCode createImage(HttpServletRequest request) {
int width = 67;
int height = 23;
BufferedImage image = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
Graphics g = image.getGraphics();
Random random = new Random();
g.setColor(getRandColor(200, 250));
g.fillRect(0, 0, width, height);
g.setFont(new Font("Times New Roman", Font.ITALIC, 20));
g.setColor(getRandColor(160, 200));
for (int i = 0; i < 155; i++) {
int x = random.nextInt(width);
int y = random.nextInt(height);
int xl = random.nextInt(12);
int yl = random.nextInt(12);
g.drawLine(x, y, x + xl, y + yl);
}
String sRand = "";
for (int i = 0; i < 4; i++) {
String rand = String.valueOf(random.nextInt(10));
sRand += rand;
g.setColor(new Color(20 + random.nextInt(110), 20 + random.nextInt(110), 20 + random.nextInt(110)));
g.drawString(rand, 13 * i + 6, 16);
}
g.dispose();
// 有效期
return new ImageCode(image, sRand, 60);
}
/**
* 生成随机背景条纹
*
* @param fc
* @param bc
* @return
*/
private Color getRandColor(int fc, int bc) {
Random random = new Random();
if (fc > 255) {
fc = 255;
}
if (bc > 255) {
bc = 255;
}
int r = fc + random.nextInt(bc - fc);
int g = fc + random.nextInt(bc - fc);
int b = fc + random.nextInt(bc - fc);
return new Color(r, g, b);
}
}
3.前端代码增加验证码输入框
<form action="/login/form" method="post">
<table>
<tr>
<td>用户名:</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>密码:</td>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td>图形验证码:</td>
<td>
<input type="text" name="imageCode">
<img src="/code/image">
</td>
</tr>
<tr>
<td colspan="2"><button type="submit">登录</button></td>
</tr>
</table>
</form>
4.增加验证码过滤器
// OncePerRequestFilter : 保证过滤器只被调用一次
public class ValidateCodeFilter extends OncePerRequestFilter {
private AuthenticationFailureHandler authenctiationFailureHandler;
private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();
// 过滤 逻辑
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
// 是一个登陆请求
if (StringUtils.equals("/login/form", request.getRequestURI())
&& StringUtils.equalsIgnoreCase(request.getMethod(), "POST")) {
try {
validate(new ServletWebRequest(request));
} catch (ValidateCodeException e) {
// 有异常就返回自定义失败处理器
authenctiationFailureHandler.onAuthenticationFailure(request, response, e);
return;
}
}
// 不是一个登录请求,不做校验 直接通过
filterChain.doFilter(request, response);
}
private void validate(ServletWebRequest request) throws ServletRequestBindingException {
ImageCode codeInSession = (ImageCode) sessionStrategy.getAttribute(request, imageController.SESSION_KEY);
String codeInRequest = ServletRequestUtils.getStringParameter(request.getRequest(), "imageCode");
if (StringUtils.isBlank(codeInRequest)) {
throw new ValidateCodeException("验证码不能为空!");
}
if (codeInSession == null) {
throw new ValidateCodeException("验证码不存在");
}
if (codeInSession.isExpire()) {
sessionStrategy.removeAttribute(request, imageController.SESSION_KEY);
throw new ValidateCodeException("验证码已过期");
}
if (!StringUtils.equals(codeInSession.getCode(), codeInRequest)) {
throw new ValidateCodeException("验证码不匹配");
}
sessionStrategy.removeAttribute(request, imageController.SESSION_KEY);
}
public AuthenticationFailureHandler getAuthenctiationFailureHandler() {
return authenctiationFailureHandler;
}
public void setAuthenctiationFailureHandler(AuthenticationFailureHandler authenctiationFailureHandler) {
this.authenctiationFailureHandler = authenctiationFailureHandler;
}
}
AuthenticationException 自定义一个异常处理
/**
* @author zhailiang
*
*/
public class ValidateCodeException extends AuthenticationException {
/**
*
*/
private static final long serialVersionUID = -7285211528095468156L;
public ValidateCodeException(String msg) {
super(msg);
}
}
5.修改Security 配置文件WebSecurityConfigurerAdapter增加前置过滤器
http.addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)
@Configuration
public class MySecurityConfigurer extends WebSecurityConfigurerAdapter {
@Autowired
AuthenticationSuccessHandler MyAuthenticationSuccessHandler;
@Autowired
AuthenticationFailureHandler MyAuthenticationFailureHandler;
@Bean
PasswordEncoder passwordEncoder()
{
// return NoOpPasswordEncoder.getInstance();
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
validateCodeFilter.setAuthenctiationFailureHandler(MyAuthenticationFailureHandler);
//把 图片验证码 过滤器加到 UsernamePasswordAuthenticationFilter 前面
http.addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)
//formlogin登录
.formLogin()
//自定义的登录页面
.loginPage("/login.html")
//让form表单的用户名和密码走 系统认证
.loginProcessingUrl("/login/form")
.successHandler(MyAuthenticationSuccessHandler)
.failureHandler(MyAuthenticationFailureHandler)
.and()
//任何请求都进行拦截
.authorizeRequests()
//不需要身份认证的项目。匹配器
.antMatchers("/code/image","/login.html").permitAll()
//所有的请求
.anyRequest()
//都要身份认证
.authenticated()
.and()
//跨站请求关掉
.csrf().disable();
}
}
7.前台演示