實(shí)現(xiàn)原理
在之前的文章中,我們介紹了普通的帳號(hào)密碼登錄的方式: SpringBoot + Spring Security 基本使用及個(gè)性化登錄配置。 但是現(xiàn)在還有一種常見的方式,就是直接通過手機(jī)短信驗(yàn)證碼登錄,這里就需要自己來做一些額外的工作了。
對(duì)SpringSecurity認(rèn)證流程詳解有一定了解的都知道,在帳號(hào)密碼認(rèn)證的過程中,涉及到了以下幾個(gè)類:UsernamePasswordAuthenticationFilter(用于請(qǐng)求參數(shù)獲取),UsernamePasswordAuthenticationToken(表示用戶登錄信息),ProviderManager(進(jìn)行認(rèn)證校驗(yàn)),
因?yàn)槭峭ㄟ^的短信驗(yàn)證碼登錄,所以我們需要對(duì)請(qǐng)求的參數(shù),認(rèn)證過程,用戶登錄Token信息進(jìn)行一定的重寫。
當(dāng)然驗(yàn)證碼的過程我們應(yīng)該放在最前面,如果圖形驗(yàn)證碼的實(shí)現(xiàn)一樣。這樣的做法的好處是:將驗(yàn)證碼認(rèn)證該過程解耦出來,讓其他接口也可以使用到。
基本實(shí)現(xiàn)
驗(yàn)證碼校驗(yàn)
短信驗(yàn)證碼的功能實(shí)現(xiàn),其實(shí)和圖形驗(yàn)證碼的原理是一樣的。只不過一個(gè)是返回給前端一個(gè)圖片,一個(gè)是給用戶發(fā)送短消息,這里只需要去調(diào)用一下短信服務(wù)商的接口就好了。更多的原理可以參考 SpringBoot + SpringSecurity 實(shí)現(xiàn)圖形驗(yàn)證碼功能
AuthenticationToken
在使用帳號(hào)密碼登錄的時(shí)候,UsernamePasswordAuthenticationToken里面包含了用戶的帳號(hào),密碼,以及其他的是否可用等狀態(tài)信息。我們是通過手機(jī)短信來做登錄,所以就沒有密碼了,這里我們就直接將UsernamePasswordAuthenticationToken的代碼copy過來,把密碼相關(guān)的信息去掉就可以了
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken { private final Object principal; public SmsCodeAuthenticationToken(String mobile) { super(null); this.principal = mobile; setAuthenticated(false); } public SmsCodeAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities) { super(authorities); this.principal = principal; super.setAuthenticated(true); // must use super, as we override } public Object getCredentials() { return null; } public Object getPrincipal() { return this.principal; } public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException { if (isAuthenticated) { throw new IllegalArgumentException( "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead"); } super.setAuthenticated(false); } @Override public void eraseCredentials() { super.eraseCredentials(); }} |
AuthenticationFilter
在帳戶密碼登錄的流程中,默認(rèn)使用的是UsernamePasswordAuthenticationFilter,它的作用是從請(qǐng)求中獲取帳戶、密碼,請(qǐng)求方式校驗(yàn),生成AuthenticationToken。這里我們的參數(shù)是有一定改變的,所以還是老方法,copy過來進(jìn)行簡單的修改
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
public class SmsCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter { // 請(qǐng)求參數(shù)key private String mobileParameter = SecurityConstants.DEFAULT_PARAMETER_NAME_MOBILE; // 是否只支持POST private boolean postOnly = true; public SmsCodeAuthenticationFilter() { // 請(qǐng)求接口的url super(new AntPathRequestMatcher(SecurityConstants.DEFAULT_LOGIN_PROCESSING_URL_MOBILE, "POST")); } public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { if (postOnly && !request.getMethod().equals("POST")) { throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod()); } // 根據(jù)請(qǐng)求參數(shù)名,獲取請(qǐng)求value String mobile = obtainMobile(request); if (mobile == null) { mobile = ""; } mobile = mobile.trim(); // 生成對(duì)應(yīng)的AuthenticationToken SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); } /** * 獲取手機(jī)號(hào) */ protected String obtainMobile(HttpServletRequest request) { return request.getParameter(mobileParameter); } // 省略不相關(guān)代碼} |
Provider
在帳號(hào)密碼登錄的過程中,密碼的正確性以及帳號(hào)是否可用是通過DaoAuthenticationProvider來校驗(yàn)的。我們也應(yīng)該自己實(shí)現(xiàn)一個(gè)Provier
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
public class SmsCodeAuthenticationProvider implements AuthenticationProvider { private UserDetailsService userDetailsService; /** * 身份邏輯驗(yàn)證 * @param authentication * @return * @throws AuthenticationException */ @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { SmsCodeAuthenticationToken authenticationToken = (SmsCodeAuthenticationToken) authentication; UserDetails user = userDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal()); if (user == null) { throw new InternalAuthenticationServiceException("無法獲取用戶信息"); } SmsCodeAuthenticationToken authenticationResult = new SmsCodeAuthenticationToken(user, user.getAuthorities()); authenticationResult.setDetails(authenticationToken.getDetails()); return authenticationResult; } @Override public boolean supports(Class<?> authentication) { return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication); } public UserDetailsService getUserDetailsService() { return userDetailsService; } public void setUserDetailsService(UserDetailsService userDetailsService) { this.userDetailsService = userDetailsService; }} |
配置
主要的認(rèn)證流程就是通過以上四個(gè)過程實(shí)現(xiàn)的, 這里我們?cè)俳邓鼈兣渲靡幌戮涂梢粤?/p>
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
@Componentpublic class SmsCodeAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> { @Autowired private AuthenticationSuccessHandler myAuthenticationSuccessHandler; @Autowired private AuthenticationFailureHandler myAuthenticationFailureHandler; @Autowired private UserDetailsService userDetailsService; @Override public void configure(HttpSecurity http) throws Exception { SmsCodeAuthenticationFilter smsCodeAuthenticationFilter = new SmsCodeAuthenticationFilter(); smsCodeAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class)); smsCodeAuthenticationFilter.setAuthenticationSuccessHandler(myAuthenticationSuccessHandler); smsCodeAuthenticationFilter.setAuthenticationFailureHandler(myAuthenticationFailureHandler); SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider(); smsCodeAuthenticationProvider.setUserDetailsService(userDetailsService); http.authenticationProvider(smsCodeAuthenticationProvider) .addFilterAfter(smsCodeAuthenticationFilter, UsernamePasswordAuthenticationFilter.class); }} // BrowerSecurityConfig.java@Overrideprotected void configure(HttpSecurity http) throws Exception { http.apply(smsCodeAuthenticationSecurityConfig);} |
代碼下載
以上就是本文的全部內(nèi)容,希望對(duì)大家的學(xué)習(xí)有所幫助,也希望大家多多支持服務(wù)器之家。
原文鏈接:https://blog.csdn.net/u013435893/article/details/79684027
