spring security 自定義認證登入
1.概要
1.1.簡介
spring security是一種基於 Spring AOP 和 Servlet 過濾器的安全框架,以此來管理許可權認證等。
1.2.spring security 自定義認證流程
1)認證過程
生成未認證的AuthenticationToken
↑(獲取資訊) (根據AuthenticationToken分配provider)
AuthenticationFilter -> AuthenticationManager -> AuthenticationProvider
↓(認證)
UserDetails(一般查詢資料庫獲取)
↓(通過)
生成認證成功的AuthenticationToken
↓(存放)
SecurityContextHolder
複製程式碼2)將AuthenticationFilter加入到security過濾鏈(資源伺服器中配置),如:
http.addFilterBefore(AuthenticationFilter, AbstractPreAuthenticatedProcessingFilter.class)
複製程式碼或者:
http.addFilterAfter(AuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
複製程式碼2.以手機號簡訊登入為例
2.1.開發環境
- SpringBoot
- Spring security
- Redis
2.2.核心程式碼分析
2.2.1.自定義登入認證流程
2.2.1.1.自定義認證登入Token
/**
* 手機登入Token
*
* @author : CatalpaFlat
*/
public class MobileLoginAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationToken.class.getName());
private final Object principal;
public MobileLoginAuthenticationToken(String mobile) {
super(null);
this.principal = mobile;
this.setAuthenticated(false);
logger.info("MobileLoginAuthenticationToken setAuthenticated ->false loading ...");
}
public MobileLoginAuthenticationToken(Object principal,
Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.principal = principal;
// must use super, as we override
super.setAuthenticated(true);
logger.info("MobileLoginAuthenticationToken setAuthenticated ->true loading ...");
}
@Override
public void setAuthenticated(boolean authenticated) {
if (authenticated) {
throw new IllegalArgumentException(
"Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}
super.setAuthenticated(false);
}
@Override
public Object getCredentials() {
return null;
}
@Override
public Object getPrincipal() {
return this.principal;
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
}
}
複製程式碼注: setAuthenticated():判斷是否已認證
- 在過濾器時,會生成一個未認證的AuthenticationToken,此時呼叫的是自定義token的setAuthenticated(),此時設定為false -> 未認證
- 在提供者時,會生成一個已認證的AuthenticationToken,此時呼叫的是父類的setAuthenticated(),此時設定為true -> 已認證
2.2.1.1.自定義認證登入過濾器
/**
* 手機簡訊登入過濾器
*
* @author : CatalpaFlat
*/
public class MobileLoginAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
private boolean postOnly = true;
private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationFilter.class.getName());
@Getter
@Setter
private String mobileParameterName;
public MobileLoginAuthenticationFilter(String mobileLoginUrl, String mobileParameterName,
String httpMethod) {
super(new AntPathRequestMatcher(mobileLoginUrl, httpMethod));
this.mobileParameterName = mobileParameterName;
logger.info("MobileLoginAuthenticationFilter loading ...");
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
if (postOnly && !request.getMethod().equals(HttpMethod.POST.name())) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
}
//get mobile
String mobile = obtainMobile(request);
//assemble token
MobileLoginAuthenticationToken authRequest = new MobileLoginAuthenticationToken(mobile);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
/**
* 設定身份認證的詳情資訊
*/
private void setDetails(HttpServletRequest request, MobileLoginAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
/**
* 獲取手機號
*/
private String obtainMobile(HttpServletRequest request) {
return request.getParameter(mobileParameterName);
}
public void setPostOnly(boolean postOnly) {
this.postOnly = postOnly;
}
}
複製程式碼注:attemptAuthentication()方法:
- 過濾指定的url、httpMethod
- 獲取所需請求引數資料封裝生成一個未認證的AuthenticationToken
- 傳遞給AuthenticationManager認證
2.2.1.1.自定義認證登入提供者
/**
* 手機簡訊登入認證提供者
*
* @author : CatalpaFlat
*/
public class MobileLoginAuthenticationProvider implements AuthenticationProvider {
private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationProvider.class.getName());
@Getter
@Setter
private UserDetailsService customUserDetailsService;
public MobileLoginAuthenticationProvider() {
logger.info("MobileLoginAuthenticationProvider loading ...");
}
/**
* 認證
*/
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
//獲取過濾器封裝的token資訊
MobileLoginAuthenticationToken authenticationToken = (MobileLoginAuthenticationToken) authentication;
//獲取使用者資訊(資料庫認證)
UserDetails userDetails = customUserDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal());
//不通過
if (userDetails == null) {
throw new InternalAuthenticationServiceException("Unable to obtain user information");
}
//通過
MobileLoginAuthenticationToken authenticationResult = new MobileLoginAuthenticationToken(userDetails, userDetails.getAuthorities());
authenticationResult.setDetails(authenticationToken.getDetails());
return authenticationResult;
}
/**
* 根據token型別,來判斷使用哪個Provider
*/
@Override
public boolean supports(Class<?> authentication) {
return MobileLoginAuthenticationToken.class.isAssignableFrom(authentication);
}
}
複製程式碼注:authenticate()方法
- 獲取過濾器封裝的token資訊
- 調取UserDetailsService獲取使用者資訊(資料庫認證)->判斷通過與否
- 通過則封裝一個新的AuthenticationToken,並返回
2.2.1.1.自定義認證登入認證配置
@Configuration(SpringBeanNameConstant.DEFAULT_CUSTOM_MOBILE_LOGIN_AUTHENTICATION_SECURITY_CONFIG_BN)
public class MobileLoginAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationSecurityConfig.class.getName());
@Value("${login.mobile.url}")
private String defaultMobileLoginUrl;
@Value("${login.mobile.parameter}")
private String defaultMobileLoginParameter;
@Value("${login.mobile.httpMethod}")
private String defaultMobileLoginHttpMethod;
@Autowired
private CustomYmlConfig customYmlConfig;
@Autowired
private UserDetailsService customUserDetailsService;
@Autowired
private AuthenticationSuccessHandler customAuthenticationSuccessHandler;
@Autowired
private AuthenticationFailureHandler customAuthenticationFailureHandler;
public MobileLoginAuthenticationSecurityConfig() {
logger.info("MobileLoginAuthenticationSecurityConfig loading ...");
}
@Override
public void configure(HttpSecurity http) throws Exception {
MobilePOJO mobile = customYmlConfig.getLogins().getMobile();
String url = mobile.getUrl();
String parameter = mobile.getParameter().getMobile();
String httpMethod = mobile.getHttpMethod();
MobileLoginAuthenticationFilter mobileLoginAuthenticationFilter = new MobileLoginAuthenticationFilter(StringUtils.isBlank(url) ? defaultMobileLoginUrl : url,
StringUtils.isBlank(parameter) ? defaultMobileLoginUrl : parameter, StringUtils.isBlank(httpMethod) ? defaultMobileLoginHttpMethod : httpMethod);
mobileLoginAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
mobileLoginAuthenticationFilter.setAuthenticationSuccessHandler(customAuthenticationSuccessHandler);
mobileLoginAuthenticationFilter.setAuthenticationFailureHandler(customAuthenticationFailureHandler);
MobileLoginAuthenticationProvider mobileLoginAuthenticationProvider = new MobileLoginAuthenticationProvider();
mobileLoginAuthenticationProvider.setCustomUserDetailsService(customUserDetailsService);
http.authenticationProvider(mobileLoginAuthenticationProvider)
.addFilterAfter(mobileLoginAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}
}
複製程式碼注:configure()方法
- 例項化AuthenticationFilter和AuthenticationProvider
- 將AuthenticationFilter和AuthenticationProvider新增到spring security中。
2.2.2.基於redis自定義驗證碼校驗
2.2.2.1.基於redis自定義驗證碼過濾器
/**
* 驗證碼過濾器
*
* @author : CatalpaFlat
*/
@Component(SpringBeanNameConstant.DEFAULT_VALIDATE_CODE_FILTER_BN)
public class ValidateCodeFilter extends OncePerRequestFilter implements InitializingBean {
private static final Logger logger = LoggerFactory.getLogger(ValidateCodeFilter.class.getName());
@Autowired
private CustomYmlConfig customYmlConfig;
@Autowired
private RedisTemplate<Object, Object> redisTemplate;
/**
* 驗證請求url與配置的url是否匹配的工具類
*/
private AntPathMatcher pathMatcher = new AntPathMatcher();
public ValidateCodeFilter() {
logger.info("Loading ValidateCodeFilter...");
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
String url = customYmlConfig.getLogins().getMobile().getUrl();
if (pathMatcher.match(url, request.getRequestURI())) {
String deviceId = request.getHeader("deviceId");
if (StringUtils.isBlank(deviceId)) {
throw new CustomException(HttpStatus.NOT_ACCEPTABLE.value(), "Not deviceId in the head of the request");
}
String codeParamName = customYmlConfig.getLogins().getMobile().getParameter().getCode();
String code = request.getParameter(codeParamName);
if (StringUtils.isBlank(code)) {
throw new CustomException(HttpStatus.NOT_ACCEPTABLE.value(), "Not code in the parameters of the request");
}
String key = SystemConstant.DEFAULT_MOBILE_KEY_PIX + deviceId;
SmsCodePO smsCodePo = (SmsCodePO) redisTemplate.opsForValue().get(key);
if (smsCodePo.isExpried()){
throw new CustomException(HttpStatus.BAD_REQUEST.value(), "The verification code has expired");
}
String smsCode = smsCodePo.getCode();
if (StringUtils.isBlank(smsCode)) {
throw new CustomException(HttpStatus.BAD_REQUEST.value(), "Verification code does not exist");
}
if (StringUtils.equals(code, smsCode)) {
redisTemplate.delete(key);
//let it go
filterChain.doFilter(request, response);
} else {
throw new CustomException(HttpStatus.BAD_REQUEST.value(), "Validation code is incorrect");
}
}else {
//let it go
filterChain.doFilter(request, response);
}
}
}
複製程式碼注:doFilterInternal()
- 自定義驗證碼過濾校驗
2.2.2.2.將自定義驗證碼過濾器新增到spring security過濾器鏈
http.addFilterBefore(validateCodeFilter, AbstractPreAuthenticatedProcessingFilter.class)
複製程式碼注:新增到認證預處理過濾器前
3.測試效果
最後附上原始碼地址:https://gitee.com/CatalpaFlat/springSecurity.git