1:场景
在用户登录时,只要对浏览网页有点基础的人都知道,打开浏览器控制台,可以在请求抓包块中可以获取到post请求的头部信息,而我们用户登录的账号密码恰恰就保存在这里,加入没有加密的话,别人可以爬取到用户的信息,一点都不安全,所以纠结问题,我们在请求中对账号密码全部加密传后台解密,这样这个问题就解决了,思路就是这么个逻辑,而具体怎么实现就是我们接下来要讲的问题;如下
2:技术点
采用springsecurity实现用户认证和授权,RAS非对称加密对数据进行加密
3:技术描述
RAS简称非对称加密,安全系数算是非常高的,他采用了钥匙对对数据加密,首先后台生成一对钥匙(公钥 , 私钥),公钥是可以给用户的,也可以给多个人,它只负责对数据加密,而私钥不能够泄漏,他能对对应的公钥解密.而公钥解密只有这一钟方式,所以只要你对应公钥的私钥不泄漏,别人就获取不到你对应的加密方式了.
springsecuritysecurity认证方式要纠结源码,所以先不再本文中讲解,后期会出一篇对应的文章讲解怎么自定义用户认证以及动态授权,从源码的角度来讲
4:话不多说,上代码
RSAUtils:封装了RSA生成规则已经解密方式,调用即可
public class RSAUtils {
/** */
/**
* 加密算法RSA
*/
public static final String KEY_ALGORITHM = "RSA";
/** */
/**
* 签名算法
*/
public static final String SIGNATURE_ALGORITHM = "MD5withRSA";
/** */
/**
* 获取公钥的key
*/
private static final String PUBLIC_KEY = "RSAPublicKey";
/** */
/**
* 获取私钥的key
*/
private static final String PRIVATE_KEY = "RSAPrivateKey";
/** */
/**
* RSA最大加密明文大小
*/
private static final int MAX_ENCRYPT_BLOCK = 117;
/** */
/**
* RSA最大解密密文大小
*/
private static final int MAX_DECRYPT_BLOCK = 128;
/** */
/**
* RSA 位数 如果采用2048 上面最大加密和最大解密则须填写: 245 256
*/
private static final int INITIALIZE_LENGTH = 1024;
/** */
/**
* <p>
* 生成密钥对(公钥和私钥)
* </p>
*
* @return
* @throws Exception
*/
public static Map<String, Object> genKeyPair() throws Exception {
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance(KEY_ALGORITHM);
keyPairGen.initialize(INITIALIZE_LENGTH);
KeyPair keyPair = keyPairGen.generateKeyPair();
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
Map<String, Object> keyMap = new HashMap<String, Object>(2);
keyMap.put(PUBLIC_KEY, publicKey);
keyMap.put(PRIVATE_KEY, privateKey);
return keyMap;
}
/** */
/**
* <p>
* 用私钥对信息生成数字签名
* </p>
*
* @param data
* 已加密数据
* @param privateKey
* 私钥(BASE64编码)
*
* @return
* @throws Exception
*/
public static String sign(byte[] data, String privateKey) throws Exception {
byte[] keyBytes = Base64.decodeBase64(privateKey);
PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
PrivateKey privateK = keyFactory.generatePrivate(pkcs8KeySpec);
Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
signature.initSign(privateK);
signature.update(data);
return Base64.encodeBase64String(signature.sign());
}
/** */
/**
* <p>
* 校验数字签名
* </p>
*
* @param data
* 已加密数据
* @param publicKey
* 公钥(BASE64编码)
* @param sign
* 数字签名
*
* @return
* @throws Exception
*
*/
public static boolean verify(byte[] data, String publicKey, String sign) throws Exception {
byte[] keyBytes = Base64.decodeBase64(publicKey);
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
PublicKey publicK = keyFactory.generatePublic(keySpec);
Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
signature.initVerify(publicK);
signature.update(data);
return signature.verify(Base64.decodeBase64(sign));
}
/** */
/**
* <P>
* 私钥解密
* </p>
*
* @param encryptedData
* 已加密数据
* @param privateKey
* 私钥(BASE64编码)
* @return
* @throws Exception
*/
public static byte[] decryptByPrivateKey(byte[] encryptedData, String privateKey) throws Exception {
byte[] keyBytes = Base64.decodeBase64(privateKey);
PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
Key privateK = keyFactory.generatePrivate(pkcs8KeySpec);
Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
cipher.init(Cipher.DECRYPT_MODE, privateK);
int inputLen = encryptedData.length;
ByteArrayOutputStream out = new ByteArrayOutputStream();
int offSet = 0;
byte[] cache;
int i = 0;
// 对数据分段解密
while (inputLen - offSet > 0) {
if (inputLen - offSet > MAX_DECRYPT_BLOCK) {
cache = cipher.doFinal(encryptedData, offSet, MAX_DECRYPT_BLOCK);
} else {
cache = cipher.doFinal(encryptedData, offSet, inputLen - offSet);
}
out.write(cache, 0, cache.length);
i++;
offSet = i * MAX_DECRYPT_BLOCK;
}
byte[] decryptedData = out.toByteArray();
out.close();
return decryptedData;
}
/** */
/**
* <p>
* 公钥解密
* </p>
*
* @param encryptedData
* 已加密数据
* @param publicKey
* 公钥(BASE64编码)
* @return
* @throws Exception
*/
public static byte[] decryptByPublicKey(byte[] encryptedData, String publicKey) throws Exception {
byte[] keyBytes = Base64.decodeBase64(publicKey);
X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
Key publicK = keyFactory.generatePublic(x509KeySpec);
Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
cipher.init(Cipher.DECRYPT_MODE, publicK);
int inputLen = encryptedData.length;
ByteArrayOutputStream out = new ByteArrayOutputStream();
int offSet = 0;
byte[] cache;
int i = 0;
// 对数据分段解密
while (inputLen - offSet > 0) {
if (inputLen - offSet > MAX_DECRYPT_BLOCK) {
cache = cipher.doFinal(encryptedData, offSet, MAX_DECRYPT_BLOCK);
} else {
cache = cipher.doFinal(encryptedData, offSet, inputLen - offSet);
}
out.write(cache, 0, cache.length);
i++;
offSet = i * MAX_DECRYPT_BLOCK;
}
byte[] decryptedData = out.toByteArray();
out.close();
return decryptedData;
}
/** */
/**
* <p>
* 公钥加密
* </p>
*
* @param data
* 源数据
* @param publicKey
* 公钥(BASE64编码)
* @return
* @throws Exception
*/
public static byte[] encryptByPublicKey(byte[] data, String publicKey) throws Exception {
byte[] keyBytes = Base64.decodeBase64(publicKey);
X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
Key publicK = keyFactory.generatePublic(x509KeySpec);
// 对数据加密
Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
cipher.init(Cipher.ENCRYPT_MODE, publicK);
int inputLen = data.length;
ByteArrayOutputStream out = new ByteArrayOutputStream();
int offSet = 0;
byte[] cache;
int i = 0;
// 对数据分段加密
while (inputLen - offSet > 0) {
if (inputLen - offSet > MAX_ENCRYPT_BLOCK) {
cache = cipher.doFinal(data, offSet, MAX_ENCRYPT_BLOCK);
} else {
cache = cipher.doFinal(data, offSet, inputLen - offSet);
}
out.write(cache, 0, cache.length);
i++;
offSet = i * MAX_ENCRYPT_BLOCK;
}
byte[] encryptedData = out.toByteArray();
out.close();
return encryptedData;
}
/** */
/**
* <p>
* 私钥加密
* </p>
*
* @param data
* 源数据
* @param privateKey
* 私钥(BASE64编码)
* @return
* @throws Exception
*/
public static byte[] encryptByPrivateKey(byte[] data, String privateKey) throws Exception {
byte[] keyBytes = Base64.decodeBase64(privateKey);
PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
Key privateK = keyFactory.generatePrivate(pkcs8KeySpec);
Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
cipher.init(Cipher.ENCRYPT_MODE, privateK);
int inputLen = data.length;
ByteArrayOutputStream out = new ByteArrayOutputStream();
int offSet = 0;
byte[] cache;
int i = 0;
// 对数据分段加密
while (inputLen - offSet > 0) {
if (inputLen - offSet > MAX_ENCRYPT_BLOCK) {
cache = cipher.doFinal(data, offSet, MAX_ENCRYPT_BLOCK);
} else {
cache = cipher.doFinal(data, offSet, inputLen - offSet);
}
out.write(cache, 0, cache.length);
i++;
offSet = i * MAX_ENCRYPT_BLOCK;
}
byte[] encryptedData = out.toByteArray();
out.close();
return encryptedData;
}
/** */
/**
* <p>
* 获取私钥
* </p>
*
* @param keyMap
* 密钥对
* @return
* @throws Exception
*/
public static String getPrivateKey(Map<String, Object> keyMap) throws Exception {
Key key = (Key) keyMap.get(PRIVATE_KEY);
return Base64.encodeBase64String(key.getEncoded());
}
/** */
/**
* <p>
* 获取公钥
* </p>
*
* @param keyMap
* 密钥对
* @return
* @throws Exception
*/
public static String getPublicKey(Map<String, Object> keyMap) throws Exception {
Key key = (Key) keyMap.get(PUBLIC_KEY);
return Base64.encodeBase64String(key.getEncoded());
}
/**
* java端公钥加密
*/
public static String encryptedDataOnJava(String data, String PUBLICKEY) {
try {
data = Base64.encodeBase64String(encryptByPublicKey(data.getBytes(), PUBLICKEY));
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return data;
}
/**
* java端私钥解密
*/
public static String decryptDataOnJava(String data, String PRIVATEKEY) {
String temp = "";
try {
byte[] rs = Base64.decodeBase64(data);
temp = new String(RSAUtils.decryptByPrivateKey(rs, PRIVATEKEY),"UTF-8");
} catch (Exception e) {
e.printStackTrace();
}
return temp;
}
public static void main(String[] args) throws Exception{
//生成密钥对(公钥和私钥)
Map<String, Object> msd = genKeyPair();
//获取私钥
String ss = getPrivateKey(msd);
//获取公钥
String gs =getPublicKey(msd);
//java端公钥加密
String gsmm = encryptedDataOnJava("wangtao",gs);
//java端私钥解密
String ssmm = decryptDataOnJava("gsmm",ss);
//
//
}
}
1:在跳转登录页的时候把后端生成的publickey传输给前端进行保存,在登录时重新传输给后端进行解密
,因为在springsecurity不设置自定义登录页的情况下,会跳转到自带的登录页,且自带的登录页不能修改,所以我们需要在springsecurity配置中指定自定义的登录页
@Override
protected void configure(HttpSecurity http) throws Exception {
//.addFilterBefore(new SmsCodeFilter(), UsernamePasswordAuthenticationFilter.class)
/// http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
http
.apply(smsCodeAuthenticationSecurityConfig).and() //把短信验证的自定义filter加入到httpsecurity
.authorizeRequests()
.mvcMatchers("/favicon.ico", "/signIn", "/signUp", "/security_check", "/404","/403", "/captcha/**", "/user/me","/captcha/sms","/sms/login").permitAll()
.mvcMatchers("/oauth/signUp").permitAll()
.mvcMatchers("**/management/**").hasAnyAuthority(RoleEnum.ROLE_SUPER.name())
.mvcMatchers("/oauth/register").permitAll()
.anyRequest().authenticated()
.and()
.csrf().disable()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/signIn")
.and().headers().frameOptions().disable()
.and()
.formLogin()
.authenticationDetailsSource(authenticationDetailsSource)
.failureHandler(customAuthenticationFailureHandler)
.successHandler(customAuthenticationSuccessHandler)
//设置signIn路径为登录页
.loginPage("/signIn").loginProcessingUrl("/security_check").permitAll();
http.exceptionHandling().accessDeniedHandler(customAccessDeniedHandler);
}
@GetMapping("/signIn")
public String signIn(@RequestParam(value = "error", required = false) String error,
Model model, HttpServletRequest request) {
if (StringUtils.isNotEmpty(error)) {
model.addAttribute("error", error);
}
try{
//生成密钥对(公钥和私钥)
Map<String, Object> msd = RSAUtils.genKeyPair();
//获取私钥
String privatekey = RSAUtils.getPrivateKey(msd);
//获取公钥
String publickey =RSAUtils.getPublicKey(msd);
//把密钥对存入缓存
//RedisUtil redis = new RedisUtil();
//RedisUtil.set(publickey,privatekey);
if(!RedisUtil.exists("oauthserver_ras_publickey_"+publickey)){
RedisUtil.set("oauthserver_ras_publickey_"+publickey,privatekey);
}
//request.getSession().setAttribute(publickey,privatekey);
//传输公钥给前端用户
model.addAttribute("publickey", publickey);
}catch (Exception e){e.printStackTrace();}
return "signIn";
}
2:前端页面获取到publickey,用js的一个插件(jsencrypt)来进行加密,
<script th:src="@{/assets/jsencrypt.min.js}"
src="../static/assets/jsencrypt.min.js"></script>
var encrypt = new JSEncrypt();
encrypt.setPublicKey($("#publickey").val());
var password = $("#password").val();
var username = $("#username").val();
$("#password").val(encrypt.encrypt(""+password));
/*$("#username").val(encrypt.encrypt(""+username));*/
且加密后的效果如下
3:输入用户名密码.点击登录,springsecurity是调用UsernamePasswordAuthenticationFilter这个过滤器进行处理
public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
private String usernameParameter = "username";
private String passwordParameter = "password";
private boolean postOnly = true;
public UsernamePasswordAuthenticationFilter() {
super(new AntPathRequestMatcher("/login", "POST"));
}
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
if (this.postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
} else {
String username = this.obtainUsername(request);
String password = this.obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
//封装用户名和密码,已经其他信息,到后续认证的时候会获取这个对象
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
this.setDetails(request, authRequest);
//重点 调用AuthenticationManager来处理所有符合的privoer
return this.getAuthenticationManager().authenticate(authRequest);
}
}
}
public class ProviderManager implements AuthenticationManager, MessageSourceAware, InitializingBean {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
AuthenticationException parentException = null;
Authentication result = null;
Authentication parentResult = null;
boolean debug = logger.isDebugEnabled();
//获取Provider
Iterator var8 = this.getProviders().iterator();
while(var8.hasNext()) {
AuthenticationProvider provider = (AuthenticationProvider)var8.next();
if (provider.supports(toTest)) {
if (debug) {
logger.debug("Authentication attempt using " + provider.getClass().getName());
}
try {
result = provider.authenticate(authentication);
if (result != null) {
this.copyDetails(authentication, result);
break;
}
} catch (AccountStatusException var13) {
this.prepareException(var13, authentication);
throw var13;
} catch (InternalAuthenticationServiceException var14) {
this.prepareException(var14, authentication);
throw var14;
} catch (AuthenticationException var15) {
lastException = var15;
}
}
}
if (result == null && this.parent != null) {
try {
result = parentResult = this.parent.authenticate(authentication);
} catch (ProviderNotFoundException var11) {
} catch (AuthenticationException var12) {
parentException = var12;
lastException = var12;
}
}
if (result != null) {
if (this.eraseCredentialsAfterAuthentication && result instanceof CredentialsContainer) {
((CredentialsContainer)result).eraseCredentials();
}
if (parentResult == null) {
this.eventPublisher.publishAuthenticationSuccess(result);
}
return result;
} else {
if (lastException == null) {
lastException = new ProviderNotFoundException(this.messages.getMessage("ProviderManager.providerNotFound", new Object[]{toTest.getName()}, "No AuthenticationProvider found for {0}"));
}
if (parentException == null) {
this.prepareException((AuthenticationException)lastException, authentication);
}
throw lastException;
}
}
认证时,AuthenticationManager调用的Provider就是我们
1:我们请求到登录页面的时候生成对应的钥匙对,然后返回给前端,在springsecurity中,我们跳转到自定义的登录页,需要在WebSecurityConfigurerAdapter实现类中***configure(HttpSecurity http)***中设置对应的登录页,在登录页中根据后端传过来的公钥用JSEncrypt进行加密,传给后台。
2:前端发起登录验证请求会经过springsecurity拦截器,登录验证主要是经过usernamepasswordfilter,在这个拦截器依次调用的时候,在abstractprovide实现类中依次调用验证账号,验证密码方法中进行解密,在对比即可,解密用的即使上图的工具类,这是思路。