(十一)、SpringBoot+Security 短信验证登录和图形验证登录共存

最新推荐文章于 2024-06-06 09:22:33 发布
最新推荐文章于 2024-06-06 09:22:33 发布
阅读量1.7k 收藏 1
点赞数
分类专栏: SpringBoot 文章标签: security springboot 验证码
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/zekeTao/article/details/79635996
版权

可以前往第一篇博客查看目录结构 --> 这里

一、在core模块下创建authentication.mobile包

二、参考UsernamePasswordAuthenticationToken自定义一个SmsCodeAuthenticationToken

package com.zeke.core.authentication.mobile;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityCoreVersion;

import java.util.Collection;

public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {

    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

    // ~ Instance fields
    // ================================================================================================

    private final Object principal;

    // ~ Constructors
    // ===================================================================================================

    /**
     * This constructor can be safely used by any code that wishes to create a
     * <code>UsernamePasswordAuthenticationToken</code>, as the {@link #isAuthenticated()}
     * will return <code>false</code>.
     *
     */
    public SmsCodeAuthenticationToken(Object principal) {
        super(null);
        this.principal = principal;
        setAuthenticated(false);
    }

    /**
     * This constructor should only be used by <code>AuthenticationManager</code> or
     * <code>AuthenticationProvider</code> implementations that are satisfied with
     * producing a trusted (i.e. {@link #isAuthenticated()} = <code>true</code>)
     * authentication token.
     *
     * @param principal
     * @param authorities
     */
    public SmsCodeAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        super.setAuthenticated(true); // must use super, as we override
    }

    // ~ Methods
    // ========================================================================================================

    public Object getCredentials() {
        return null;
    }

    public Object getPrincipal() {
        return this.principal;
    }

    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        if (isAuthenticated) {
            throw new IllegalArgumentException(
                    "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
        }

        super.setAuthenticated(false);
    }

    @Override
    public void eraseCredentials() {
        super.eraseCredentials();
    }
}

三、参考UsernamePasswordAuthenticationFilter自定义一个SmsCodeAuthenticationFilter

package com.zeke.core.authentication.mobile;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.Assert;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SmsCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    // ~ Static fields/initializers
    // =====================================================================================

    public static final String ZEKE_FORM_MOBILE_KEY = "mobile";

    private String mobileParameter = ZEKE_FORM_MOBILE_KEY;
    private boolean postOnly = true;

    // ~ Constructors
    // ===================================================================================================

    public SmsCodeAuthenticationFilter() {
        super(new AntPathRequestMatcher("/authentication/mobile", "POST"));
    }

    // ~ Methods
    // ========================================================================================================

    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response) throws AuthenticationException {
        if (postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }

        String mobile = obtainMobile(request);

        if (mobile == null) {
            mobile = "";
        }

        mobile = mobile.trim();

        SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile);

        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);

        return this.getAuthenticationManager().authenticate(authRequest);
    }

    /**
     * 获取手机号
     */
    protected String obtainMobile(HttpServletRequest request) {
        return request.getParameter(mobileParameter);
    }

    /**
     * Provided so that subclasses may configure what is put into the authentication
     * request's details property.
     *
     * @param request that an authentication request is being created for
     * @param authRequest the authentication request object that should have its details
     * set
     */
    protected void setDetails(HttpServletRequest request,
                              SmsCodeAuthenticationToken authRequest) {
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
    }

    /**
     * Sets the parameter name which will be used to obtain the username from the login
     * request.
     *
     * @param mobileParameter the parameter name. Defaults to "username".
     */
    public void setMobileParameter(String mobileParameter) {
        Assert.hasText(mobileParameter, "Username parameter must not be empty or null");
        this.mobileParameter = mobileParameter;
    }

    /**
     * Defines whether only HTTP POST requests will be allowed by this filter. If set to
     * true, and an authentication request is received which is not a POST request, an
     * exception will be raised immediately and authentication will not be attempted. The
     * <tt>unsuccessfulAuthentication()</tt> method will be called as if handling a failed
     * authentication.
     * <p>
     * Defaults to <tt>true</tt> but may be overridden by subclasses.
     */
    public void setPostOnly(boolean postOnly) {
        this.postOnly = postOnly;
    }

    public final String getMobileParameter() {
        return mobileParameter;
    }
}

四、创建SmsCodeAuthenticationProvider完成短信验证登录逻辑

package com.zeke.core.authentication.mobile;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

/**
 * 短信验证登录逻辑
 */
public class SmsCodeAuthenticationProvider implements AuthenticationProvider {

    private UserDetailsService userDetailsService;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        //传进来的authentication就是我们自定义的SmsCodeAuthenticationToken,强转
        SmsCodeAuthenticationToken authenticationToken = (SmsCodeAuthenticationToken)authentication;
        //Principal就是手机号码,根据手机号码获取用户信息
        UserDetails user = userDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal());

        if (user == null){
            throw new InternalAuthenticationServiceException("无法获取用户信息");
        }

        //生成已认证Token
        SmsCodeAuthenticationToken smsCodeAuthenticationResult = new SmsCodeAuthenticationToken(user,user.getAuthorities());
        //吧authenticationToken中未认证的Details放到smsCodeAuthenticationResult的Details中认证
        smsCodeAuthenticationResult.setDetails(authenticationToken.getDetails());

        return smsCodeAuthenticationResult;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);
    }

    public UserDetailsService getUserDetailsService() {
        return userDetailsService;
    }

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }
}

五、把SmsCodeAuthenticationFilter、SmsCodeAuthenticationProvider、SmsCodeAuthenticationToken连接起来,配置到Security里面去

package com.zeke.core.authentication.mobile;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;

@Component
public class SmsCodeAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,HttpSecurity> {

    @Autowired
    private AuthenticationSuccessHandler zekeAuthenticationSuccessHandler;

    @Autowired
    private AuthenticationFailureHandler zekeAuthenticationFailureHandler;

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        //new一个filter
        SmsCodeAuthenticationFilter smsCodeAuthenticationFilter = new SmsCodeAuthenticationFilter();
        //filter调用authenticationManager
        smsCodeAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
        smsCodeAuthenticationFilter.setAuthenticationSuccessHandler(zekeAuthenticationSuccessHandler);
        smsCodeAuthenticationFilter.setAuthenticationFailureHandler(zekeAuthenticationFailureHandler);

        SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider();
        smsCodeAuthenticationProvider.setUserDetailsService(userDetailsService);

        http.authenticationProvider(smsCodeAuthenticationProvider)
            .addFilterAfter(smsCodeAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }
}

六、在Browser模块下的BrowserSecurityConfig中把SmsCodeAuthenticationSecurityConfig 'apply'进入configure方法中

 @Autowired
    private SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig;
.and()
.apply(smsCodeAuthenticationSecurityConfig);


七、把core模块下的ValidateCodeFilter(图形验证码的过滤器)复制一份,改名为SmsCodeFilter用作短信验证码的过滤器(这个地方实际生产需要重构,有重复代码,本人懒~)

package com.imooc.security.core.validate.sms;

import com.imooc.security.core.properties.SecurityProperties;
import com.imooc.security.core.validate.ValidateCode;
import com.imooc.security.core.validate.ValidateCodeException;
import com.imooc.security.core.validate.image.ImageCode;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.social.connect.web.HttpSessionSessionStrategy;
import org.springframework.social.connect.web.SessionStrategy;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.bind.ServletRequestBindingException;
import org.springframework.web.bind.ServletRequestUtils;
import org.springframework.web.context.request.ServletWebRequest;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import static com.imooc.security.core.validate.ValidateCodeProcessor.SESSION_KEY_PREFIX;

public class SmsCodeFilter extends OncePerRequestFilter implements InitializingBean{

    @Autowired
    private AuthenticationFailureHandler authenticationFailureHandler;

    private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();

    /**
     * 存放所有需要拦截的URL
     */
    private Set<String> urls = new HashSet<>();

    private SecurityProperties securityProperties;

    private AntPathMatcher pathMatcher = new AntPathMatcher();

    @Override
    public void afterPropertiesSet() throws ServletException {
        super.afterPropertiesSet();
        String[] configUrls = StringUtils.splitByWholeSeparatorPreserveAllTokens(securityProperties.getCode().getSms().getUrl(),",");
        for (String configUrl : configUrls) {
            urls.add(configUrl);
        }
        urls.add("/authentication/mobile");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

        boolean action = false;
        for (String url : urls) {
            if (pathMatcher.match(url,request.getRequestURI())){
                action = true;
            }
        }

        if (action){

            try {
                validate(new ServletWebRequest(request));
            }
            catch (ValidateCodeException e) {
                authenticationFailureHandler.onAuthenticationFailure(request,response,e);
                return;
            }

        }
        filterChain.doFilter(request,response);
    }

    /**
     * 校验提交验证码的合法性
     * @param request
     * @throws ServletRequestBindingException
     */
    private void validate(ServletWebRequest request) throws ServletRequestBindingException {
        String type = SESSION_KEY_PREFIX + "SMS";

        ValidateCode codeInSession = (ValidateCode) sessionStrategy.getAttribute(request,type);
        String codeInRequest = ServletRequestUtils.getStringParameter(request.getRequest(), "smsCode");

        if (StringUtils.isBlank(codeInRequest)){
            throw new ValidateCodeException("验证码的值不能为空");
        }
        if (codeInSession == null){
            throw new ValidateCodeException("验证码不存在");
        }
        if (codeInSession.isExpried()){
            sessionStrategy.removeAttribute(request,type);
            throw new ValidateCodeException("验证码已过期");
        }
        if (!StringUtils.equals(codeInSession.getCode(), codeInRequest)){
            throw new ValidateCodeException("验证码不匹配");
        }
        sessionStrategy.removeAttribute(request,type);
    }

    public AuthenticationFailureHandler getAuthenticationFailureHandler() {
        return authenticationFailureHandler;
    }

    public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        this.authenticationFailureHandler = authenticationFailureHandler;
    }

    public SessionStrategy getSessionStrategy() {
        return sessionStrategy;
    }

    public void setSessionStrategy(SessionStrategy sessionStrategy) {
        this.sessionStrategy = sessionStrategy;
    }

    public Set<String> getUrls() {
        return urls;
    }

    public void setUrls(Set<String> urls) {
        this.urls = urls;
    }

    public SecurityProperties getSecurityProperties() {
        return securityProperties;
    }

    public void setSecurityProperties(SecurityProperties securityProperties) {
        this.securityProperties = securityProperties;
    }
}

八、在browser模块下BrowserSecurityConfig的configure中添加下述代码,把第七条的filter配置进去

        SmsCodeFilter smsCodeFilter = new SmsCodeFilter();
        smsCodeFilter.setAuthenticationFailureHandler(imoocAuthenticationFailureHandler);
        smsCodeFilter.setSecurityProperties(securityProperties);
        smsCodeFilter.afterPropertiesSet();
http.addFilterBefore(smsCodeFilter, UsernamePasswordAuthenticationFilter.class)

九、启动工程,访问localhost/zeke-login.html,输入错误验证码或正确验证码测试,两种登录方式

zekeTao
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
spring security 多认证方式的配置,自定义认证方式
qq_31983635的博客
09-30 2722
背景: 项目中已经有了登录界面,通过账号密码登录的方式登录系统,之前别人搞的, 新需求: 需要与其他系统集成,相当于单点登录,也不需要去认证服务器验证,默认认为他们传过来的就是正确的(话说这样真的挺危险的), 经过讨论,加一点加密措施,使用了 JWT进行加密传输, 所以需要在保留现有登录界面登录方式的基础上, 添加新的登录方式,点击链接直接登录(链接中带上加密后的JWT串) 过程: 接到了需求后,就去网上搜了一遍, 毕竟面向百度编程时代, 看了看怎么集成, 帖子也不少,写的比较好的如下 https:.
SpringBoot + SpringSecurity 验证登录功能实现
08-27
SpringBoot + SpringSecurity 验证登录功能实现 本文主要介绍了 SpringBoot + SpringSecurity 验证登录功能实现的详细过程,该功能可以使用户通过手机验证登录系统,而不是传统的用户名密码登录...
SpringBoot 集成 Spring Security验证登录【完整源码+数据库】
02-16
Spring Security 默认是账号和密码登录,现在是对 Spring Security 进行扩展,来实现验证码方式登录SpringBoot 集成 Spring Security验证登录【完整源码+数据库】
oauth2自定义granter与provider实现自定义身份认证
weixin_45738731的博客
05-17 920
oauth接收到了你传入的grant_type,并把你的请求转发到了你自己的Granter,但谁来进行真正的用户息合法性校验呢?这段代码比较简单,说白了,当用户进行身份校验时,如果传入的grant_type为group_token_authentication,那么则自动进入这段逻辑创建GroupCompanyAuthenticationToken对象的实例,并将request接收到的参数传入。同时,还提供了认证模式的扩展机制,以便于我们在遇到特殊情况时根据自己的需求来完成身份验证
Spring Boot:验证登录/注册逻辑实现
最新发布
qq_53723451的博客
06-06 37
在现代应用程序中,验证成为了一种常见的用户登录和注册方式,因为它安全可靠,且用户体验良好。在这篇文章中,我们将使用SpringBoot实现验证登录和注册的逻辑。我们将从创建交互对象开始,逐步实现业务逻辑,并最终测试我们的接口。首先,我们需要创建交互对象来处理用户输入和输出。为了更好地处理业务逻辑中可能出现的异常情况,我们创建自定义业务异常。现在,我们可以编写测试用例来测试我们的登录和注册接口。现在,我们可以实现登录和注册的业务逻辑了。
SpringSecurity学习之路12-完成验证码的开发
kevin
06-16 551
目的:在验证码的重构完成之后,已经实现了发送验证码的功能,接下来要做的就是将验证登录的逻辑添加就如程序里。使用户可以以账号、密码或手机号加验证码的方式登录。 下图是验证码的实现逻辑: 当用户以用户名+密码的形式登录时,经过UsernamepasswordAuthenticationFilter,将用户息封装为一个token。然后AuthenticationManager是会根据...
SpringSecurity OAuth2 自定义授权 微小程序登录
走在编程之路.....
06-18 8045
结合网络上的方法,主要有两种方式,一种是采用Filter,一种是采用自定义授权,目前我实现的方式是采用的是“自定义授权”的方式实现微小程序登录验证
springboot+security+mybatis+redis+jwt,鉴权框架搭建
06-22
本项目集成了springboot+security+mybatis+redis+jwt用于学习security鉴权功能,其中有集成了redis,mybatis,jasypt,jwt,thymeleaf,knife4j,mybatis-plus 项目搭建已经比较成熟,能够直接进行使用,通过代码...
SpringBoot+SpringSecurity+JWT+MybatisPlus实现基于注解的权限验证
08-26
SpringBoot+SpringSecurity+JWT+MybatisPlus实现基于注解的权限验证,可根据注解的格式不同,做到角色权限控制,角色加资源权限控制等,粒度比较细化。 @PreAuthorize("hasAnyRole('ADMIN','USER')"):具有admin或...
Springboot+SpringSecurity+JWT实现用户登录和权限认证示例
08-19
以下是实现Spring Boot + Spring Security + JWT登录和权限认证的主要步骤: 1. **项目初始化**:创建一个新的Spring Boot项目,添加`spring-boot-starter-web`、`spring-boot-starter-security`、`spring-security...
springboot+security+jwt+mybaits-plus+mysql实现权限管理
03-13
在这个项目中,Spring Security被用来进行用户登录验证、权限控制和访问限制,确保只有经过身份验证和授权的用户才能访问特定资源。 3. JWT:JWT是一种轻量级的身份验证机制,用于在不同域之间传递息。在Spring ...
Spring Security 源码分析五:Spring Security 登录
weixin_42073629的博客
06-01 227
1. 概述 在Spring Security源码分析一:Spring Security认证过程和Spring Security源码分析二:Spring Security授权过程两章中。我们已经详细解读过Spring Security如何处理用户名和密码登录。(其实就是过滤器链)本章我们将仿照用户名密码来显示登录。 1.1 目录结构 1.2 SmsCodeAuthenticationFilter SmsCodeAuthenticationFilter对应用户名密码登录的UsernamePass
若依ruoyi实现单点登录
屎香香wuqingvika的专栏
12-01 1万+
系统说明(两个系统数据库用户息username是同步的,都是唯一的)登录需求:我登录到第三方平台,第三方平台嵌入我们的若依,所以在跳若依的管理页面时不想再登录了。但是验证是需要把第三方平台的token解析成username,拿到username只走我们自己只验证账号的认证。
Spring Boot整合Spring Security(四)在登录界面添加验证
时雨吹雪的博客
01-31 3688
Spring Security,在自定义登录界面添加验证
01-SpringSecurity认证、授权
qq_42861526的博客
08-02 866
springSecurity的认证流程
SpringBoot中实现验证码功能
故常无,欲以观其妙;常有,欲以观其徼;
04-16 2153
SpringBoot实现验证
springboot+springsecurity实现验证验证功能
weixin_45411740的博客
07-19 708
于我们使用的是security权限管理,登陆是由security自行完成的,所以添加验证吗功能还比较复杂,具体的来说就是要在我们登录的时候去拦截登录流程,然后去判断我们的验证码是否正确,在校对后,流程继续进行,如果错误,抛出一个异常(刚开始是这么做的,但是后来发现异常无法捕获,导致页面报错,为了简单我就直接返回首页面了。...
Springboot+SpringSecurity实现图片验证码功能
lyy的博客
01-16 6346
到目前,我学会了两种方法,在这里分享给大家。 第一种 在使用Spring Security框架过程中,经常会有这样的需求,即在登录验证时,附带增加额外的数据,如验证码、用户类型等。下面将介绍如何实现。 第一步:实现自定义的WebAuthenticationDetails 该类提供了获取用户登录时携带的额外息的功能,默认实现WebAuthenticationDetail...
SpringBoot + SpringSecurity 验证登录功能
热门推荐
whyalwaysmea
03-25 1万+
实现原理 在之前的文章中,我们介绍了普通的帐号密码登录的方式: SpringBoot + Spring Security 基本使用及个性化登录配置。 但是现在还有一种常见的方式,就是直接通过手机验证登录,这里就需要自己来做一些额外的工作了。 对SpringSecurity认证流程详解有一定了解的都知道,在帐号密码认证的过程中,涉及到了以下几个类:UsernamePasswordAuth...
springboot +thymeleaf邮箱验证登录
08-12
你可以使用Spring Boot和Thymeleaf来实现邮箱验证登录功能。下面是一些基本的步骤: 1. 添加所需的依赖:在您的项目的pom.xml文件中添加Spring Boot和Thymeleaf的依赖项。 ```xml <groupId>org.springframework....

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值