Spring Security – 实现图形验证码(二)

时间:2021-7-4 作者:qvyue

Spring Security – 使用自定义AuthenticationProvider实现图形验证码

前面通过过滤器实现验证码校验,是从servlet层面实现的配置简单,易于理解。Spring Security 还提供了另一种更为灵活的方法。

通过自定义认证同样可以实现。

一、自定义AuthenticationProvider

我们只是在常规的密码校验前加了一层判断图形验证码的认证条件

所以可以通过继承DaoAuthenticationProvider稍加修改即可实现需求

  • 通过构造方法注入自定义的MyUserDetailsServiceMyPasswordEncoder
  • 重新additionalAuthenticationChecks()方法
  • 添加实现图形验证码校验逻辑
@Component
public class MyAuthenticationProvider extends DaoAuthenticationProvider {

    //构造方法注入MyUserDetailsService和MyPasswordEncoder
    public MyAuthenticationProvider(MyUserDetailsService myUserDetailService, MyPasswordEncoder myPasswordEncoder) {
        this.setUserDetailsService(myUserDetailService);
        this.setPasswordEncoder(myPasswordEncoder);
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        //实现图形验证码逻辑
        
        //验证码错误,抛出异常
        if (!details.getImageCodeIsRight()) {
            throw new VerificationCodeException("验证码错误");
        }
        //调用父类完成密码校验认证
        super.additionalAuthenticationChecks(userDetails, authentication);
    }
}
@Component
public class MyPasswordEncoder implements PasswordEncoder {
    private static final PasswordEncoder INSTANCE = new MyPasswordEncoder();

    public String encode(CharSequence rawPassword) {
        return rawPassword.toString();
    }

    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        return rawPassword.toString().equals(encodedPassword);
    }

    public static PasswordEncoder getInstance() {
        return INSTANCE;
    }

    private MyPasswordEncoder() {
    }
}
@Service
public class MyUserDetailsService implements UserDetailsService {

    @Autowired
    private UserMapper userMapper;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println("查询数据库");
        //查询用户信息
        User user = userMapper.findByUserName(username);
        if (user==null){
            throw new UsernameNotFoundException(username+"用户不存在");
        }
        //重新填充roles
        user.setAuthorities(AuthorityUtils.commaSeparatedStringToAuthorityList(user.getRoles()));
        return user;
    }
}

authentication封装了用户的登录验证信息

但是图形验证码是存在session中的,我们需要将request请求一同封装进authentication

这样就可以在additionalAuthenticationChecks()中添加验证码的校验逻辑了

其实我们要验证的所有信息可以当成一个主体Principal,通过继承实现Principal,经过包装,返回的Authentication认证实体。

public interface Authentication extends Principal, Serializable {
    //获取主体权限列表
    Collection extends GrantedAuthority> getAuthorities();
    //获取主题凭证,一般为密码
    Object getCredentials();
    //获取主体携带的详细信息
    Object getDetails();
    //获取主体,一般为一个用户名
    Object getPrincipal();
    //主体是否验证成功
    boolean isAuthenticated();
    
    void setAuthenticated(boolean var1) throws IllegalArgumentException;
}

一次完整的认证通常包含多个AuthenticationProvider

ProviderManager管理

ProviderManagerUsernamePasswordAuthenticationFilter 调用

也就是说,所有的 AuthenticationProvider包含的Authentication都来源于UsernamePasswordAuthenticationFilter

二、自定义AuthenticationDetailsSource

UsernamePasswordAuthenticationFilter本身并没有设置用户详细信息的流程,而且是通过标准接口 AuthenticationDetailsSource构建的,这意味着它是一个允许定制的特性。

public interface AuthenticationDetailsSource {
    T buildDetails(C var1);
}

UsernamePasswordAuthenticationFilter中使用的AuthenticationDetailsSource是一个标准的Web认证源,携带

的是用户的sessionIdIP地址

public class WebAuthenticationDetailsSource implements AuthenticationDetailsSource {
    public WebAuthenticationDetailsSource() {
    }

    public WebAuthenticationDetails buildDetails(HttpServletRequest context) {
        return new WebAuthenticationDetails(context);
    }
}
public class WebAuthenticationDetails implements Serializable {
    private static final long serialVersionUID = 530L;
    private final String remoteAddress;
    private final String sessionId;

    public WebAuthenticationDetails(HttpServletRequest request) {
        this.remoteAddress = request.getRemoteAddr();
        HttpSession session = request.getSession(false);
        this.sessionId = session != null ? session.getId() : null;
    }

    private WebAuthenticationDetails(String remoteAddress, String sessionId) {
        this.remoteAddress = remoteAddress;
        this.sessionId = sessionId;
    }

可以看到我们是可以拿到HttpServletRequest的,我们可以实现自己WebAuthenticationDetails,并扩展自己需要的信息

public class MyWebAuthenticationDetails extends WebAuthenticationDetails {

    private boolean imageCodeIsRight;

    public boolean getImageCodeIsRight(){
        return this.imageCodeIsRight;
    }

    //补充用户提交的验证码和session保存的验证码
    public MyWebAuthenticationDetails(HttpServletRequest request) {
        super(request);
        String captcha = request.getParameter("captcha");
        HttpSession session = request.getSession();
        String saveCaptcha = (String) session.getAttribute("captcha");
        if (StringUtils.isNotEmpty(saveCaptcha)){
            session.removeAttribute("captcha");
        }
        if (StringUtils.isNotEmpty(captcha) && captcha.equals(saveCaptcha)){
            this.imageCodeIsRight = true;
        }
    }
}

将他提供给一个自定义的AuthenticationDetailsSource

@Component
public class MyAuthenticationDetailsSource implements AuthenticationDetailsSource {

    @Override
    public WebAuthenticationDetails buildDetails(HttpServletRequest request) {
        return new MyWebAuthenticationDetails(request);
    }
}

有了HttpServletRequest,接下来再去实现我们的图形验证码验证逻辑

@Component
public class MyAuthenticationProvider extends DaoAuthenticationProvider {

    //构造方法注入UserDetailsService和PasswordEncoder
    public MyAuthenticationProvider(MyUserDetailsService myUserDetailService, MyPasswordEncoder myPasswordEncoder) {
        this.setUserDetailsService(myUserDetailService);
        this.setPasswordEncoder(myPasswordEncoder);
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        //实现图形验证码逻辑
        //获取详细信息
        MyWebAuthenticationDetails details = (MyWebAuthenticationDetails) authentication.getDetails();
        //验证码错误,抛出异常
        if (!details.getImageCodeIsRight()) {
            throw new VerificationCodeException("验证码错误");
        }
        //调用父类完成密码校验认证
        super.additionalAuthenticationChecks(userDetails, authentication);
    }
}

三、应用自定义认证

最后修改WebSecurityConfig 使其应用自定义的MyAuthenticationDetailsSource、MyAuthenticationProvider

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;
    @Autowired
    private MyUserDetailsService myUserDetailsService;
    @Autowired
    private MyAuthenticationDetailsSource myWebAuthenticationDetailsSource;
    @Autowired
    private MyAuthenticationProvider myAuthenticationProvider;

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        //应用MyAuthenticationProvider
        auth.authenticationProvider(myAuthenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/api/**").hasRole("ADMIN")
                .antMatchers("/user/api/**").hasRole("USER")
                .antMatchers("/app/api/**","/captcha.jpg").permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                //AuthenticationDetailsSource
                .authenticationDetailsSource(myWebAuthenticationDetailsSource)
                .loginPage("/myLogin.html")
                // 指定处理登录请求的路径,修改请求的路径,默认为/login
                .loginProcessingUrl("/mylogin").permitAll()
                .failureHandler(new MyAuthenticationFailureHandler())
                .and()
                .csrf().disable();
    }



    @Bean
    public Producer kaptcha() {
        //配置图形验证码的基本参数
        Properties properties = new Properties();
        //图片宽度
        properties.setProperty("kaptcha.image.width", "150");
        //图片长度
        properties.setProperty("kaptcha.image.height", "50");
        //字符集
        properties.setProperty("kaptcha.textproducer.char.string", "0123456789");
        //字符长度
        properties.setProperty("kaptcha.textproducer.char.length", "4");
        Config config = new Config(properties);
        //使用默认的图形验证码实现,也可以自定义
        DefaultKaptcha defaultKaptcha = new DefaultKaptcha();
        defaultKaptcha.setConfig(config);
        return defaultKaptcha;
    }

}

四、测试

启动项目

访问api:http://localhost:8080/user/api/hi

Spring Security - 实现图形验证码(二)
image-20201019160019522.png

输入正确用户名密码,正确验证码

访问成功

页面显示hi,user.

重启项目

输入正确用户名密码,错误验证码

访问失败

返回失败报文

{
"error_code": 401,
"error_name": "com.yang.springsecurity.exception.VerificationCodeException",
"message": "请求失败,图形验证码校验异常"
}
声明:本文内容由互联网用户自发贡献自行上传,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任。如果您发现有涉嫌版权的内容,欢迎发送邮件至:qvyue@qq.com 进行举报,并提供相关证据,工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。