SpringBoot+SpringSecurity登陆认证优雅集成图形验证码
前言
在SpringSecurity的默认登陆支持组件formLogin中没有提供图形验证码的支持,目前大多数的方案都是经过新增Filter来实现。filter的方式能够实现功能,可是没有优雅的解决, 须要从新维护一套和登陆相关的url,例如:loginProccessUrl,loginFailUrl,loginSuccessUrl,从软件设计角度来说功能没有内聚。
下面为你们介绍一种优雅的解决方案。html
解决思路
先获取验证码
判断图形验证码先要获取到验证码,在UsernamePasswordAuthenticationToken(UPAT)中没有字段来存储验证码,重写UPAT成本过高。能够从details字段中入手,将验证码放在details中。git
判断验证码是否正确
UPAT的认证是在DaoAuthenticationProvider中完成的,若是须要判断验证码直接修改是成本比较大的方式,能够新增AuthenticationProvider来对验证码新增验证。web
输出验证码
常规超过能够经过Controller来输出,可是验证码的管理须要统一,防止各类sessionKey乱飞。spring
代码实现
新增验证码容器:CaptchaAuthenticationDetails
public class CaptchaAuthenticationDetails extends WebAuthenticationDetails {
private final String DEFAULT_CAPTCHA_PARAMETER_NAME = "captcha";
private String captchaParameter = DEFAULT_CAPTCHA_PARAMETER_NAME;
/**
* 用户提交的验证码
*/
private String committedCaptcha;
/**
* 预设的验证码
*/
private String presetCaptcha;
private final WebAuthenticationDetails webAuthenticationDetails;
public CaptchaAuthenticationDetails(HttpServletRequest request) {
super(request);
this.committedCaptcha = request.getParameter(captchaParameter);
this.webAuthenticationDetails = new WebAuthenticationDetails(request);
}
public boolean isCaptchaMatch() {
if (this.presetCaptcha == null || this.committedCaptcha == null) {
return false;
}
return this.presetCaptcha.equalsIgnoreCase(committedCaptcha);
}
getter ...
setter ...
}
这个类主要是用于保存验证码session
验证码获取:CaptchaAuthenticationDetailsSource
public class CaptchaAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, CaptchaAuthenticationDetails> {
private final CaptchaRepository<HttpServletRequest> captchaRepository;
public CaptchaAuthenticationDetailsSource(CaptchaRepository<HttpServletRequest> captchaRepository) {
this.captchaRepository = captchaRepository;
}
@Override
public CaptchaAuthenticationDetails buildDetails(HttpServletRequest httpServletRequest) {
CaptchaAuthenticationDetails captchaAuthenticationDetails = new CaptchaAuthenticationDetails(httpServletRequest);
captchaAuthenticationDetails.setPresetCaptcha(captchaRepository.load(httpServletRequest));
return captchaAuthenticationDetails;
}
}
根据提交的参数构建CaptchaAuthenticationDetails,用户提交的验证码(committedCaptcha)从request中获取,预设的验证码(presetCaptcha)从验证码仓库(CaptchaRepostory)获取mvc
验证码仓库实现SessionCaptchaRepository
public class SessionCaptchaRepository implements CaptchaRepository<HttpServletRequest> {
private static final String CAPTCHA_SESSION_KEY = "captcha";
/**
* the key of captcha in session attributes */ private String captchaSessionKey = CAPTCHA_SESSION_KEY;
@Override
public String load(HttpServletRequest request) {
return (String) request.getSession().getAttribute(captchaSessionKey);
}
@Override
public void save(HttpServletRequest request, String captcha) {
request.getSession().setAttribute(captchaSessionKey, captcha);
}
/**
* @return sessionKey */ public String getCaptchaSessionKey() {
return captchaSessionKey;
}
/**
* @param captchaSessionKey sessionKey
*/ public void setCaptchaSessionKey(String captchaSessionKey) {
this.captchaSessionKey = captchaSessionKey;
}
}
这个验证码仓库是基于Session的,若是想要基于Redis只要实现CaptchaRepository便可。app
对验证码进行认证CaptchaAuthenticationProvider
public class CaptchaAuthenticationProvider implements AuthenticationProvider {
private final Logger log = LoggerFactory.getLogger(this.getClass());
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
UsernamePasswordAuthenticationToken authenticationToken = (UsernamePasswordAuthenticationToken) authentication;
CaptchaAuthenticationDetails details = (CaptchaAuthenticationDetails) authenticationToken.getDetails();
if (!details.isCaptchaMatch()) {
//验证码不匹配抛出异常,退出认证
if (log.isDebugEnabled()) {
log.debug("认证失败:验证码不匹配");
}
throw new CaptchaIncorrectException("验证码错误");
}
//替换details
authenticationToken.setDetails(details.getWebAuthenticationDetails());
//返回空交给下一个provider进行认证
return null;
}
@Override
public boolean supports(Class<?> aClass) {
return UsernamePasswordAuthenticationToken.class.isAssignableFrom(aClass);
}
}
SpringSecurity配置
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
public CaptchaRepository<HttpServletRequest> sessionCaptchaRepository() {
return new SessionCaptchaRepository();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginProcessingUrl("/login")
.loginPage("/login.html")
.authenticationDetailsSource(new CaptchaAuthenticationDetailsSource(sessionCaptchaRepository()))
.failureUrl("/login.html?error=true")
.defaultSuccessUrl("/index.html")
.and()
.authenticationProvider(new CaptchaAuthenticationProvider())
.csrf()
.disable();
}
@Override
public void configure(WebSecurity web) {
web.ignoring()
.mvcMatchers("/captcha", "/login.html");
}
}
将CaptchaAuthenticationProvider加入到认证链条中,从新配置authenticationDetailsSourcedom
提供图形验证码接口
@Controller
public class CaptchaController {
private final CaptchaRepository<HttpServletRequest> captchaRepository;
@Autowired
public CaptchaController(CaptchaRepository<HttpServletRequest> captchaRepository) {
this.captchaRepository = captchaRepository;
}
@RequestMapping("/captcha")
public void captcha(HttpServletRequest request, HttpServletResponse response) throws IOException {
RandomCaptcha randomCaptcha = new RandomCaptcha(4);
captchaRepository.save(request, randomCaptcha.getValue());
CaptchaImage captchaImage = new DefaultCaptchaImage(200, 60, randomCaptcha.getValue());
captchaImage.write(response.getOutputStream());
}
}
将生成的随机验证码(RandomCaptcha)保存到验证码仓库(CaptchaRepository)中,并将验证码图片(CaptchaImage)输出到客户端。
至此整个图形验证码认证的全流程已经结束。ide
代码仓库
相关文章
- 1. 前端登陆jq图形验证码
- 2. 登陆验证码
- 3. Gogs集成openldap登陆认证
- 4. (十一)、SpringBoot+Security 短信验证登陆和图形验证登陆共存
- 5. SpringBoot集成Spring Security作登陆验证
- 6. Springboot2.1.6集成 activiti7 出现登陆验证
- 7. 登陆点击验证码图片切换验证码无效
- 8. 验证登陆
- 9. 登陆验证
- 10. (MVC)验证用户是否登陆 登陆认证
- 更多相关文章...
- • XML 验证 - XML 教程
- • DTD 验证 - DTD 教程
- • 算法总结-广度优先算法
- • 算法总结-深度优先算法
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
