SpringSecurity-9: Implementing authentication by mobile SMS code


SMS login flow analysis

Logging in with a mobile number does not use a password; instead an SMS verification code provides password-free login. The steps are:

1. Send a verification code to the phone through a third-party SMS platform such as Alibaba Cloud SMS.
2. After the phone receives the code, the user enters it in the form.
3. The custom filter SmsCodeValidateFilter verifies the SMS code.
4. Once the code passes, the custom mobile authentication filter SmsCodeAuthenticationFilter checks whether the mobile number exists.
5. A custom SmsCodeAuthenticationToken is supplied to SmsCodeAuthenticationFilter.
6. A custom SmsCodeAuthenticationProvider is supplied to the AuthenticationManager.
7. Create SmsCodeUserDetailsService, which looks up user information by mobile number, and hand it to SmsCodeAuthenticationProvider.
8. A custom SmsCodeSecurityConfig configuration class wires the components above together.
9. Add SmsCodeSecurityConfig to the filter chain of the LearnSrpingSecurity security configuration.

Creating the SMS sending interface

Define the SMS sending service interface com.security.learn.sms.SmsCodeSend:

```java
public interface SmsCodeSend {
    boolean sendSmsCode(String mobile, String code);
}
```

Implement the interface in com.security.learn.sms.impl.SmsCodeSendImpl:

```java
import lombok.extern.slf4j.Slf4j;

@Slf4j
public class SmsCodeSendImpl implements SmsCodeSend {
    @Override
    public boolean sendSmsCode(String mobile, String code) {
        String sendCode = String.format("你好你的验证码%s,请勿泄露他人。", code);
        log.info("向手机号" + mobile + "发送的短信为:" + sendCode);
        return true;
    }
}
```

Note: because this is an example, no real third-party SMS platform is used; the message is only logged.

Register smsCodeSend as a bean in the container:

```java
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class Myconfig {
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    @ConditionalOnMissingBean(SmsCodeSend.class)
    public SmsCodeSend smsCodeSend() {
        return new SmsCodeSendImpl();
    }
}
```

Mobile login page and sending the SMS code

Create SmsController, which exposes the API that sends the SMS verification code:

```java
import org.apache.commons.lang3.RandomStringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import javax.servlet.http.HttpServletRequest;

@Controller
public class SmsController {
    public static final String SESSION_KEY = "SESSION_KEY_MOBILE_CODE";

    @RequestMapping("/mobile/page")
    public String toMobilePage() {
        return "login-mobile";
    }

    @Autowired
    private SmsCodeSend smsCodeSend;

    /**
     * Generate a mobile verification code and send it
     * @param request
     * @return
     */
    @RequestMapping("/code/mobile")
    @ResponseBody
    public String smsCode(HttpServletRequest request) {
        // 1. generate a verification code and keep it in the session
        String code = RandomStringUtils.randomNumeric(4);
        request.getSession().setAttribute(SESSION_KEY, code);
        String mobile = request.getParameter("mobile");
        smsCodeSend.sendSmsCode(mobile, code);
        return "200";
    }
}
```

Add the static page login-mobile.html under src\main\resources\templates:

```html
<!--suppress ALL-->
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>springboot葵花宝典手机登录</title>
    <!-- Tell the browser to be responsive to screen width -->
    <meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<p>
    <a href="#">springboot葵花宝典手机登录</a><br>
    <a th:href="@{/login/page}" href="login.html"><span>使用密码验证登录</span></a><br>
    <form th:action="@{/mobile/form}" action="index.html" method="post">
        <span>手机号码</span>
        <input id="mobile" name="mobile" type="text" class="form-control" placeholder="手机号码"><br>
        <span>验证码</span>
        <input type="text" name="smsCode" class="form-control" placeholder="验证码">
        <a id="sendCode" th:attr="code_url=@{/code/mobile?mobile=}" href="#">获取验证码</a><br>
        <!-- error message; the red underline the IDE puts under the expression can be ignored -->
        <p th:if="${param.error}">
            <span th:text="${session.SPRING_SECURITY_LAST_EXCEPTION?.message}" style="color:#ff0000"></span>
        </p>
        <span>记住我</span>
        <input type="checkbox" name="remember-me-test"><br>
        <button type="submit" class="btn btn-primary btn-block">登录</button>
    </form>
</p>
<script th:src="@{/plugins/jquery/jquery.min.js}" src="plugins/jquery/jquery.min.js"></script>
<script>
    // send the verification code
    $("#sendCode").click(function () {
        var mobile = $('#mobile').val().trim();
        if (mobile == '') {
            alert("手机号不能为空");
            return;
        }
        var url = $(this).attr("code_url") + mobile;
        $.get(url, function (data) {
            alert(data === "200" ? "发送成功" : "发送失败");
        });
    });
</script>
</body>
</html>
```

In the configure(HttpSecurity http) method of LearnSrpingSecurity, permit the URLs that password-free mobile login needs:

```java
.and().authorizeRequests()
    .antMatchers("/login/page", "/code/image", "/mobile/page", "/code/mobile").permitAll()
```

SMS code validation filter: SmsCodeValidateFilter

The SMS code validation filter works on the same principle as the image captcha filter: both extend OncePerRequestFilter to implement a filter in the Spring environment. The @Component annotation must not be omitted. Its core validation rules are:

- the mobile number must not be empty at login
- the SMS code entered at login must not be empty
- the SMS code entered must match the "answer" stored in the session

```java
import cn.hutool.core.util.StrUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

// MyAuthenticationFailureHandler and ValidateCodeException come from the earlier posts in this series;
// ValidateCodeException must extend AuthenticationException for the catch block below to handle it.
@Component
public class SmsCodeValidateFilter extends OncePerRequestFilter {
    @Autowired
    MyAuthenticationFailureHandler failureHandler;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        if (request.getRequestURI().equals("/mobile/form") && request.getMethod().equalsIgnoreCase("post")) {
            try {
                validate(request);
            } catch (AuthenticationException e) {
                failureHandler.onAuthenticationFailure(request, response, e);
                return;
            }
        }
        filterChain.doFilter(request, response);
    }

    private void validate(HttpServletRequest request) {
        // the SMS code stored in the session
        HttpSession session = request.getSession();
        String sessionCode = (String) session.getAttribute(SmsController.SESSION_KEY);
        // the code entered by the user
        String inputCode = request.getParameter("smsCode");
        // the mobile number
        String mobileInRequest = request.getParameter("mobile");
        if (StringUtils.isEmpty(mobileInRequest)) {
            throw new ValidateCodeException("手机号码不能为空!");
        }
        if (StringUtils.isEmpty(inputCode)) {
            throw new ValidateCodeException("短信验证码不能为空!");
        }
        if (StrUtil.isBlank(sessionCode)) {
            throw new ValidateCodeException("短信验证码不存在!");
        }
        if (!sessionCode.equalsIgnoreCase(inputCode)) {
            throw new ValidateCodeException("输入的短信验证码错误!");
        }
        session.removeAttribute(SmsController.SESSION_KEY);
    }
}
```

Implementing the mobile authentication filter: SmsCodeAuthenticationFilter

Create com.security.learn.filter.SmsCodeAuthenticationFilter, modelled on UsernamePasswordAuthenticationFilter, but authenticating with the mobile number instead of a username and password. The SMS code plays no part here, because SmsCodeValidateFilter has already verified it.
```java
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.Assert;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SmsCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    public static final String SPRING_SECURITY_FORM_MOBILE_KEY = "mobile";
    // name of the request parameter that carries the mobile number
    private String mobileParameter = SPRING_SECURITY_FORM_MOBILE_KEY;
    // whether this filter handles POST requests only
    private boolean postOnly = true;

    public SmsCodeAuthenticationFilter() {
        // the request this filter handles
        super(new AntPathRequestMatcher("/mobile/form", "POST"));
    }

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        if (this.postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        // take the mobile number from the request
        String mobile = this.obtainMobile(request);
        if (mobile == null) {
            mobile = "";
        }
        mobile = mobile.trim();
        SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile);
        this.setDetails(request, authRequest);
        return this.getAuthenticationManager().authenticate(authRequest);
    }

    /**
     * Take the mobile number from the request
     * @param request
     * @return
     */
    protected String obtainMobile(HttpServletRequest request) {
        return request.getParameter(this.mobileParameter);
    }

    /**
     * Put the session id and the remote host IP of the request into the SmsCodeAuthenticationToken
     * @param request
     * @param authRequest
     */
    protected void setDetails(HttpServletRequest request, SmsCodeAuthenticationToken authRequest) {
        authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
    }

    public void setMobileParameter(String mobileParameter) {
        Assert.hasText(mobileParameter, "Username parameter must not be empty or null");
        this.mobileParameter = mobileParameter;
    }

    public void setPostOnly(boolean postOnly) {
        this.postOnly = postOnly;
    }

    public final String getMobileParameter() {
        return this.mobileParameter;
    }
}
```

Wrapping the mobile authentication token: SmsCodeAuthenticationToken

Create com.security.learn.filter.SmsCodeAuthenticationToken, modelled on UsernamePasswordAuthenticationToken:

```java
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityCoreVersion;

import java.util.Collection;

public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {
    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
    // holds the authentication information: the mobile number before authentication, the logged-in user after it
    private final Object principal;

    /**
     * When authentication starts, the token receives the mobile number and is marked as not authenticated
     * @param mobile
     */
    public SmsCodeAuthenticationToken(String mobile) {
        super(null);
        this.principal = mobile;
        this.setAuthenticated(false);
    }

    /**
     * After authentication succeeds, a new SmsCodeAuthenticationToken is created to mark it as authenticated
     * @param principal user information
     * @param authorities user authorities
     */
    public SmsCodeAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        super.setAuthenticated(true); // marks the token as authenticated
    }

    /**
     * Abstract in the parent class, so it must be implemented; it represents the password, which is not
     * needed here, so it simply returns null
     * @return
     */
    public Object getCredentials() {
        return null;
    }

    /**
     * Returns the mobile number (or the user after authentication)
     * @return
     */
    public Object getPrincipal() {
        return this.principal;
    }

    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        if (isAuthenticated) {
            throw new IllegalArgumentException(
                    "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
        }
        super.setAuthenticated(false);
    }

    public void eraseCredentials() {
        super.eraseCredentials();
    }
}
```

Mobile authentication provider: SmsCodeAuthenticationProvider

Create com.security.learn.filter.SmsCodeAuthenticationProvider, which is handed to the underlying ProviderManager:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

public class SmsCodeAuthenticationProvider implements AuthenticationProvider {
    @Autowired
    @Qualifier("smsCodeUserDetailsService")
    private UserDetailsService userDetailsService;

    public UserDetailsService getUserDetailsService() {
        return userDetailsService;
    }

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /**
     * Handle authentication:
     * 1. look up the user information in the database by mobile number (UserDetailsService)
     * 2. rebuild the authentication information
     * @param authentication
     * @return
     * @throws AuthenticationException
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // use the UserDetailsService to load the user, then assemble an authenticated Authentication from it
        SmsCodeAuthenticationToken authenticationToken = (SmsCodeAuthenticationToken) authentication;
        // load the user information by mobile number
        UserDetails user = userDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal());
        if (user == null) {
            throw new AuthenticationServiceException("无法获取用户信息");
        }
        SmsCodeAuthenticationToken authenticationResult = new SmsCodeAuthenticationToken(user, user.getAuthorities());
        authenticationResult.setDetails(authenticationToken.getDetails());
        return authenticationResult;
    }

    /**
     * The AuthenticationManager uses supports() to decide which AuthenticationProvider
     * handles an incoming token
     * @param aClass
     * @return
     */
    @Override
    public boolean supports(Class<?> aClass) {
        return SmsCodeAuthenticationToken.class.isAssignableFrom(aClass);
    }
}
```

Loading user information by mobile number: SmsCodeUserDetailsService

Create the class com.security.learn.impl.SmsCodeUserDetailsService; do not inject a PasswordEncoder into it:

```java
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;

@Slf4j
@Component("smsCodeUserDetailsService")
public class SmsCodeUserDetailsService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String mobile) throws UsernameNotFoundException {
        log.info("请求的手机号是:" + mobile);
        return new User(mobile, "", true, true, true, true,
                AuthorityUtils.commaSeparatedStringToAuthorityList("ADMIN"));
    }
}
```

Because this is a test, the mobile number is not looked up in the database.

Custom authentication configuration: SmsCodeSecurityConfig

Finally we assemble the pieces above and tell Spring Security about them through configuration. Since there is a fair amount of configuration code, we extract a separate SMS code configuration class, SmsCodeSecurityConfig, which extends SecurityConfigurerAdapter. It binds the components defined above together and adds them to the container. Note that the @Component annotation is required.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;

import javax.annotation.Resource;

@Component
public class SmsCodeSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
    @Autowired
    @Qualifier("smsCodeUserDetailsService")
    private SmsCodeUserDetailsService smsCodeUserDetailsService;
    @Resource
    private SmsCodeValidateFilter smsCodeValidateFilter;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // create the mobile authentication filter
        SmsCodeAuthenticationFilter smsCodeAuthenticationFilter = new SmsCodeAuthenticationFilter();
        // hand it the AuthenticationManager
        smsCodeAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
        // success handler
        // smsCodeAuthenticationFilter.setAuthenticationSuccessHandler(myAuthenticationSuccessHandler);
        // failure handler
        // smsCodeAuthenticationFilter.setAuthenticationFailureHandler(myAuthenticationFailureHandler);
        smsCodeAuthenticationFilter.setRememberMeServices(http.getSharedObject(RememberMeServices.class));
        // the SMS code authentication provider
        SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider();
        smsCodeAuthenticationProvider.setUserDetailsService(smsCodeUserDetailsService);
        // add the SMS code validation filter before the username/password filter
        http.addFilterBefore(smsCodeValidateFilter, UsernamePasswordAuthenticationFilter.class);
        // register the provider and add the SMS authentication filter after the username/password filter
        http.authenticationProvider(smsCodeAuthenticationProvider)
                .addFilterAfter(smsCodeAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

Binding to the security configuration LearnSrpingSecurity

- Inject the SmsCodeValidateFilter and SmsCodeSecurityConfig instances into LearnSrpingSecurity.
- Add the SmsCodeValidateFilter instance before UsernamePasswordAuthenticationFilter:

```java
http.csrf().disable() // disable CSRF protection; a later chapter covers it in detail
    //.addFilterBefore(codeValidateFilter, UsernamePasswordAuthenticationFilter.class)
    .addFilterBefore(smsCodeValidateFilter, UsernamePasswordAuthenticationFilter.class)
```

- At the end of the LearnSrpingSecurity#configure(HttpSecurity http) method body, call apply to add SmsCodeSecurityConfig:

```java
.and().apply(smsCodeSecurityConfig)
```

The complete implementation is shown in the figure.

Implementing RememberMe for mobile login

Analysis

UsernamePasswordAuthenticationFilter holds a RememberMeServices reference, and its parent class AbstractAuthenticationProcessingFilter provides the setRememberMeServices method. Our SmsCodeAuthenticationFilter for SMS login likewise extends AbstractAuthenticationProcessingFilter, so all we need to do is hand it a RememberMeServices instance through setRememberMeServices.

Implementation

In com.security.learn.config.SmsCodeSecurityConfig, inject a RememberMeServices instance into SmsCodeAuthenticationFilter:

```java
smsCodeAuthenticationFilter.setRememberMeServices(http.getSharedObject(RememberMeServices.class));
```

Check that the "remember me" input tag has name="remember-me-test":

```html
<span>记住我</span><input type="checkbox" name="remember-me-test"><br>
```

rememberMeParameter sets the parameter name of the "auto login" checkbox in the form. If you change it, the name attribute of the checkbox in the form must be changed to match; if you do not set it, the default is remember-me. rememberMeCookieName sets the name of the cookie stored in the browser; if not set, the default is also remember-me. The figure below shows the cookie in the browser.

Testing

- Restart the project, visit http://localhost:8888/mobile/page, enter the mobile number and the code, tick "remember me", and click login.
- Check the records in the persistent_logins table in the database.
- Close the browser, open it again and visit http://localhost:8888. It redirects back to the username/password login page, whereas with "remember me" ticked this request should succeed without logging in again.

Cause of the error

The username stored in the database is the mobile number 1333383XXXX. When you visit http://localhost:8888, the default RememberMeServices calls CustomUserDetailsService to look the user up by username. CustomUserDetailsService only passes authentication when the username is admin, but the username passed in here is 1333383XXXX, so no user data is found for 1333383XXXX.

Fix

Why does the persistent_logins table store the mobile number? Because the User object returned by SmsCodeUserDetailsService sets its username property to the mobile number, whereas it should be set to the username that this mobile number belongs to. For example, with the current username value:

```java
@Slf4j
@Component("smsCodeUserDetailsService")
public class SmsCodeUserDetailsService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String mobile) throws UsernameNotFoundException {
        log.info("请求的手机号是:" + mobile);
        // username is the account the mobile number belongs to, not the mobile number itself
        return new User("admin", "", true, true, true, true,
                AuthorityUtils.commaSeparatedStringToAuthorityList("ADMIN"));
    }
}
```

Note: here we have hard-coded admin; in practice the user information must be fetched from the database by mobile number.

Close the browser, open it again and visit http://localhost:8888: no manual login is needed any more, because the default CustomUserDetailsService now finds the user named admin and authentication passes.

If you found this article helpful, please like and bookmark it; your support is what keeps me going! Original content is hard work; please credit the source when reposting, thank you! If this article was useful to you, please share it!
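One caveat on the SmsController and SmsCodeValidateFilter sections above: the session stores only the code string, so the filter cannot tell which mobile number the code was sent to (SmsCodeAuthenticationFilter then authenticates whatever mobile the form carries), and the code neither expires nor limits wrong guesses. The class below is an added example, not code from the post, showing one way to close those gaps with a session record; SmsCodeRecord, issue() and verify() are names I chose, and it assumes the post's SmsController.SESSION_KEY, SmsCodeSend and ValidateCodeException.

```java
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.http.HttpSession;

// Added example: session record that binds the code to the mobile it was sent to, with a lifetime
// and an attempt budget. SmsController.SESSION_KEY and ValidateCodeException are the post's classes;
// TTL_MILLIS and MAX_ATTEMPTS are assumed values.
public final class SmsCodeRecord implements Serializable {
    private static final long TTL_MILLIS = 5 * 60 * 1000L; // code lifetime: 5 minutes (assumption)
    private static final int MAX_ATTEMPTS = 5;              // wrong guesses before the code is discarded
    private static final SecureRandom RNG = new SecureRandom();
    private final String mobile;
    private final String code;
    private final long expiresAt;
    private int attempts;

    private SmsCodeRecord(String mobile, String code, long expiresAt) {
        this.mobile = mobile;
        this.code = code;
        this.expiresAt = expiresAt;
    }
    // For SmsController.smsCode(): returns the code to hand to SmsCodeSend.sendSmsCode(mobile, code)
    public static String issue(HttpSession session, String mobile) {
        String code = String.format("%06d", RNG.nextInt(1_000_000)); // 6 digits from SecureRandom
        session.setAttribute(SmsController.SESSION_KEY,
                new SmsCodeRecord(mobile.trim(), code, System.currentTimeMillis() + TTL_MILLIS));
        return code;
    }
    // Drop-in body for SmsCodeValidateFilter.validate(); same exception type and messages as the post
    public static void verify(HttpSession session, String mobile, String inputCode) {
        if (mobile == null || mobile.trim().isEmpty()) throw new ValidateCodeException("手机号码不能为空!");
        if (inputCode == null || inputCode.trim().isEmpty()) throw new ValidateCodeException("短信验证码不能为空!");
        SmsCodeRecord rec = (SmsCodeRecord) session.getAttribute(SmsController.SESSION_KEY);
        if (rec == null) throw new ValidateCodeException("短信验证码不存在!");
        rec.attempts++;
        if (System.currentTimeMillis() > rec.expiresAt || rec.attempts > MAX_ATTEMPTS) {
            session.removeAttribute(SmsController.SESSION_KEY); // expired or guessed too often: fresh code needed
            throw new ValidateCodeException("短信验证码已失效,请重新获取!");
        }
        session.setAttribute(SmsController.SESSION_KEY, rec); // persist the attempt count (replicated sessions)
        // the mobile in the form must be the one the code went to; compare the code in constant time
        boolean sameMobile = rec.mobile.equals(mobile.trim());
        boolean sameCode = MessageDigest.isEqual(rec.code.getBytes(StandardCharsets.UTF_8),
                inputCode.trim().getBytes(StandardCharsets.UTF_8));
        if (!sameMobile || !sameCode) throw new ValidateCodeException("输入的短信验证码错误!");
        session.removeAttribute(SmsController.SESSION_KEY); // a code is single-use
    }
}
```

With this in place, SmsController.smsCode() calls issue() instead of storing the raw code, and SmsCodeValidateFilter.validate() delegates to verify() with the request's mobile and smsCode parameters.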

Tags: Server