Spring Security实现的基本原理就是一堆过滤器,每个需要认证的请求都需要经过每个拦截器的拦截,如果所有拦截器都不报错就表示该用户有权限访问访问该接口,如果没有权限就抛异常。Spring Security登录时会经过UsernamePasswordAuthenticationFilter过滤器来校验用户名和密码,Spring Security并没有提供用于校验验证码的过滤器,所以实现验证码登录只需要定义一个图片验证码的过滤器,然后将图片验证码过滤器添加到Spring Security过滤器链中,一般是将图片验证码过滤器添加到UsernamePasswordAuthenticationFilter过滤器签名,先校验图片验证码是否正确,正确再校验用户名和密码是否正确。
该示例代码需要基于前面文章的代码之上
- pom.xml
spring-social-web 这里使用到该依赖的HttpSessionSessionStrategy类,一个Session管理的工具类
<dependency>
<groupId>org.springframework.social</groupId>
<artifactId>spring-social-web</artifactId>
<version>1.1.4.RELEASE</version>
</dependency>
- login.html
登录页面增加图片验证码域,页面加载时<img src="/code/image"/>会请求接口,接口返回一个验证码图片
<!DOCTYPE html>
<html lang="en"
xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="utf-8">
<title>登录</title>
</head>
<body>
<form method="post" action="/login">
<h2 class="form-signin-heading">登录</h2>
<span th:if="${param.error}" th:text="${session.SPRING_SECURITY_LAST_EXCEPTION.message}"></span>
<p>
<label for="username">用户名</label>
<input type="text" id="username" name="username" required autofocus>
</p>
<p>
<label for="password">密码</label>
<input type="password" id="password" name="password" required>
</p>
<p>
<label for="imageCode">图形验证码</label>
<input type="input" id="imageCode" name="imageCode" required>
<img src="/code/image"/>
</p>
<input type="checkbox" name="remember-me"/>记住我<br>
<button type="submit">登录</button>
</form>
</body>
</html>
- 验证码控制器
获取验证码时将验证码保存到Session中,以便于登录时从Session获取到该验证码用于比较。
@RestController
public class ValidateCodeController {
private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();
public static final String SESSION_KEY = "SESSION_KEY_IMAGE_CODE";
@GetMapping("/code/image")
public void createCode(HttpServletRequest request, HttpServletResponse response) throws IOException {
ImageCode imageCode = createImageCode(request);
sessionStrategy.setAttribute(new ServletWebRequest(request), SESSION_KEY, imageCode);
ImageIO.write(imageCode.getImage(), "JPEG", response.getOutputStream());
}
private ImageCode createImageCode(HttpServletRequest request) {
int width = 67;
int height = 23;
BufferedImage image = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
Graphics g = image.getGraphics();
Random random = new Random();
g.setColor(getRandColor(200, 250));
g.fillRect(0, 0, width, height);
g.setFont(new Font("Times New Roman", Font.ITALIC, 20));
g.setColor(getRandColor(160, 200));
for (int i = 0; i < 155; i++) {
int x = random.nextInt(width);
int y = random.nextInt(height);
int xl = random.nextInt(12);
int yl = random.nextInt(12);
g.drawLine(x, y, x + xl, y + yl);
}
String sRand = "";
for (int i = 0; i < 4; i++) {
String rand = String.valueOf(random.nextInt(10));
sRand += rand;
g.setColor(new Color(20 + random.nextInt(110), 20 + random.nextInt(110), 20 + random.nextInt(110)));
g.drawString(rand, 13 * i + 6, 16);
}
g.dispose();
return new ImageCode(image, sRand, 60);
}
/**
* 生成随机背景条纹
*
* @param fc
* @param bc
* @return
*/
private Color getRandColor(int fc, int bc) {
Random random = new Random();
if (fc > 255) {
fc = 255;
}
if (bc > 255) {
bc = 255;
}
int r = fc + random.nextInt(bc - fc);
int g = fc + random.nextInt(bc - fc);
int b = fc + random.nextInt(bc - fc);
return new Color(r, g, b);
}
}
@Data
@ToString
@AllArgsConstructor
@RequiredArgsConstructor
public class ImageCode {
private BufferedImage image;
private String code;
private LocalDateTime expireTime;
public ImageCode(BufferedImage image, String code, int expireIn) {
this.image = image;
this.code = code;
this.expireTime = LocalDateTime.now().plusSeconds(expireIn);
}
public boolean isExpried() {
return LocalDateTime.now().isAfter(expireTime);
}
}
- 图片验证码过滤器
该过滤器只拦截登录页面,主要用于校验验证码是否正确,如果校验失败就使用认证失败处理器处理, 这里的认证失败处理就是将错误信息返回给前端(这里只是简单的做法)
public class ImageValidateCodeFilter extends OncePerRequestFilter {
@Autowired
private AuthenticationFailureHandler authenticationFailureHandler;
// spring-social-web
private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
if ("/login".equals(request.getRequestURI()) && "POST".equals(request.getMethod())) {
try {
validate(new ServletWebRequest(request));
} catch (ValidateCodeException e) {
authenticationFailureHandler.onAuthenticationFailure(request, response, e);
return;
}
}
filterChain.doFilter(request, response);
}
private void validate(ServletWebRequest request) throws ServletRequestBindingException {
ImageCode codeInSession = (ImageCode) sessionStrategy.getAttribute(request, ValidateCodeController.SESSION_KEY);
String codeInRequest = ServletRequestUtils.getStringParameter(request.getRequest(), "imageCode");
if (StringUtils.isEmpty(codeInRequest)) {
throw new ValidateCodeException("验证码不能为空");
}
if (codeInSession == null) {
throw new ValidateCodeException("验证码不存在");
}
if (codeInSession.isExpried()) {
sessionStrategy.removeAttribute(request, ValidateCodeController.SESSION_KEY);
throw new ValidateCodeException("验证码已过期");
}
if (!codeInRequest.equals(codeInSession.getCode())) {
throw new ValidateCodeException("验证码不匹配");
}
sessionStrategy.removeAttribute(request, ValidateCodeController.SESSION_KEY);
}
public AuthenticationFailureHandler getAuthenticationFailureHandler() {
return authenticationFailureHandler;
}
public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
this.authenticationFailureHandler = authenticationFailureHandler;
}
}
@Slf4j
@Component
public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
log.info("认证失败");
response.setContentType("text/html;charset=utf-8");
response.getWriter().write(exception.getMessage());
}
}
- Spring Security Configuration
将图片验证码过滤器添加到Spring Security过滤器链中来,并且将图片验证码过滤器添加到UsernamePasswordAuthenticationFilter前面(addFilterBefore), 这里也需要将"/code/image"配置为不需要认证。
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private MyUserDetailsService myUserDetailsService;
@Autowired
private MyAuthenticationSuccessHandler myAuthenticationSuccessHandler;
@Autowired
private MyAuthenticationFailureHandler myAuthenticationFailureHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
ImageValidateCodeFilter imageValidateCodeFilter = new ImageValidateCodeFilter();
validateCodeFilter.setAuthenticationFailureHandler(myAuthenticationFailureHandler);
http.csrf().disable()
// 配置需要认证的请求
.authorizeRequests()
.antMatchers("/login", "/code/image").permitAll()
.anyRequest()
.authenticated()
.and()
// 登录表单相关配置
.addFilterBefore(imageValidateCodeFilter, UsernamePasswordAuthenticationFilter.class)
.formLogin()
.loginPage("/login")
.usernameParameter("username")
.passwordParameter("password")
.successHandler(myAuthenticationSuccessHandler)
.failureUrl("/login?error")
.permitAll()
.and()
// 登出相关配置
.logout()
.permitAll();
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(myUserDetailsService).passwordEncoder(passwordEncoder());
}
@Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers("/static/**");
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
