APP backend without password login Security authentication process ideas

Mobile 2023-08-11 21:31:29 views: null
APP backend without password login Security authentication process ideas

Spring security is used in the background, but the app side obviously cannot use the same processing method as the web side login, so how to "cheat" spring security, the following introduces the security authentication process after the app accesses SMS login and one-click login.

Basic process (pseudo-code display):

//短信登录
public Object SMSLogin(忽略信息参数){
    
    
			// 构建一个由账号密码组成的认证对象,在这个构造器内部会将对应的信息赋值给各自的本地变量,并且会调用父类AbstractAuthenticationToken构造器
			UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(账号(手机号),前端传的明文验证码));
			/** 
				调用authenticate方法时,这时开始认证上面构建的待认证对象,会调用到 loadUserByUsername(String username) 方法用来查询数据库是否存在等逻辑.
				需要重写此方法,先实现 UserDetailsService类.
			*/
            Authentication authenticate = authenticationManager.authenticate(usernamePasswordAuthenticationToken);
            //认证成功后取出认证后的用户信息.
            MyUserDetails myUserDetails = (MyUserDetails) authenticate.getPrincipal();
            //使用JWT生成token
            redis.set(存入用户的唯一过期标识之类的,用来进入系统时判断,此token是否过期),
            String token = "Bearer " + Jwts.builder()
            		// 主体标识信息
                    .setSubject(手机号)
                    //载荷
                    .addClaims(用户信息,权限等,用map装载)
                    // token失效时间
                    .setExpiration(new Date(currentTimeMillis + SecurityConstant.TOKEN_EXPIRE_TIME * 60 * 1000))
                    //签名(方式,盐)
                    .signWith(加密方式,)
                    //压缩方式,为啥压缩因为如果存放的东西很大的话,可以在网络传输期间减少它们的总大小
                    .compressWith(CompressionCodecs.GZIP).compact();
                    //得到token后就阔以做返回处理了
}

One-click login without password and account.
The parameter token is obtained by calling the third-party interface from the front end and then calling the background login interface. The background calls the third-party interface according to the token to get the user's mobile phone number.

//一键登录
public Object Login(String token){
    
    
	//第一步:调用第三方接口获取手机号等信息
	String phone = v1();
	//因为验证密码时是使用同一个 loadUserByUsername(String username)方法来判断是一键登录还是短信登录,所以为了区分,在这里做一个状态标识,
	// 插入状态标识(60秒自动失效,成功后手动清除)
    String oauthId //随机生成一个字符
    redis.set(前缀 + "手机号",oauthId,60);
    //以下代码与上个例子相同, 不同的是 构建认证对象时,密码传的是 oauthId,
    //注意: loadUserByUsername方法中,返回的 UserDetails 对象的密码必须是密文的,也就是说,赋值时得手动加密下,不然会匹配不上导致密码错误.
}

loadUserByUsername(String username) 方法

//根据用户名查询用户信息的方法
 public  UserDetails loadUserByUsername(String username){
    
    
 	1.先查库此账号是否存在,不存在则自动注册
 	2.存在则构建库里的信息,如果是验证码登录则将短信验证码加密返回,
 	3.Redis取出一键登录的标识如果存在则取出并将随机字符加密返回.
 }

Security Authentication Process

Guess you like

Origin blog.csdn.net/AKALXH/article/details/119137860
Recommended
TIOBE May list: Fortran “resurrected” into Top 10
GCC 14.1 released
Ranking
B. Little Girl and Game【1300 / 回文字符串 博弈论】
CIKERS Shane 20190613
"Javascript advanced programming" study notes - the constructor and prototype
beeline hiveserver2 start
springboot - Automatically backup mysql data every day
Data Storage Full Solution--Detailed Persistence Technology
Detailed Explanation of Spring Web MVC DispatcherServlet—Official Original
TCP / IP protocol layers structure and function
Command type literal pos: unknown; Fallback type literal pos: unknown] with root cause
Design of multifunctional curtain controller with indoor anti-theft alarm
Daily
More
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)

Code World

© 2018 codetd.com