1、如何实现?

回顾一下上篇文章仿造Spring Security表单登录实现一个IP登录,我们仿造用户名密码登录实现了本地管理员无需账号密码直接登录的功能。在我们项目中,通常表单登录的时候都会有一个图形验证码,手机登录的时候也会发送一个几位数的验证码给用户,那么加上验证码有什么用呢?验证码是一种区分用户是计算机还是人的公共全自动程序;可以防止恶意破解密码、刷票、论坛灌水、刷页、恶意注册、登录。
🤔好了,已经知道了图形验证码存在的必要性,这个时候我们该考虑的就是该如何将这个验证码校验功能加到默认的表单登录认证流程中?
我的做法是将表单登录用的图形验证码和手机短信登录用的短信验证码的校验过程都放在一个过滤器中来实现,所以接下来的工作就是类似默认的表单登录和我们前面写过的IP登录一样看看怎么将验证码校验过滤器和手机短信登录认证过滤器加到过滤器链中。
其中,有一个关键的点就是我们在使用表单登录的时候通常是账号密码和图形验证码是一起提交的,也就是说访问后端的URL是同一个,所以校验图形验证码的过滤器拦截的URL应该和表单登录认证过滤器拦截的URL应该是同一个,那么与之类似,校验短信验证码的过滤器拦截的URL应该和手机短信登录认证过滤器拦截的URL也应该是同一个。
那么具体该怎么开始呢?首先,你需要有一个发送验证码的接口,这个接口可以根据验证码类型来生成不同的验证码返回给前端,并且将生成的验证码保存起来(内存或者redis);验证码校验过滤器需要对用户输入的验证码和刚才生成的验证码进行比对,校验不通过,则抛出异常,校验通过的话就会来到表单登录认证过滤器或者手机短信登录认证过滤器,因为表单登录认证的过滤器Spring Security已经默认实现,那么我们只要写一个手机短信登录过滤器就好了。

2、主要逻辑

验证码过滤器和手机短信登录认证过滤器。

2.1、验证码过滤器

2.1.1、生成验证码和验证码校验接口

验证码处理器接口ValidateCodeProcessor,用于生成和校验验证码,以及判断该处理器是属于哪种验证码类型三个方法。

  1. public interface ValidateCodeProcessor {
  2.   /**
  3.    * 创建验证码
  4.    *
  5.    * @param request 请求
  6.    * @return JsonResult对象
  7.    */
  8.   JsonResult create(ServletWebRequest request);
  10.   /**
  11.    * 校验验证码
  12.    *
  13.    * @param request request
  14.    */
  15.   void validate(ServletWebRequest request);
  17.   boolean supports(ValidateCodeType validateCodeType);
  18. }

然后写一个抽象类继承该接口,实现这三个方法,其中的生成验证码的create方法中的send方法交给子类去重写,其实这个地方就用到了模板方法模式。然后需要注意的是校验验证码的validate方法中在短信验证码校验成功后先别删除,因为在后续的手机短信登录认证过滤器中需要用到。

  1. public abstract class AbstractValidateCodeProcessor<T extends ValidateCode>
  2.     implements ValidateCodeProcessor {
  3.   // 用于保存生成的验证码
  4.   protected final ValidateCodeRepository validateCodeRepository;
  5.   // 验证码生成接口
  6.   protected final ValidateCodeGenerator<T> validateCodeGenerator;
  7.   // 验证码类型
  8.   protected final ValidateCodeType validateCodeType;
  10.   protected AbstractValidateCodeProcessor(
  11.       ValidateCodeRepository validateCodeRepository,
  12.       ValidateCodeGenerator<T> validateCodeGenerator,
  13.       ValidateCodeType validateCodeType) {
  14.     this.validateCodeRepository = validateCodeRepository;
  15.     this.validateCodeGenerator = validateCodeGenerator;
  16.     this.validateCodeType = validateCodeType;
  17.   }
  19.   @Override
  20.   public JsonResult create(ServletWebRequest request) {
  21.     T validateCode = validateCodeGenerator.generate(request);
  22.     validateCodeRepository.save(validateCode, validateCodeType);
  23.     return send(validateCode);
  24.   }
  26.   protected abstract JsonResult send(T validateCode);
  28.   @Override
  29.   public void validate(ServletWebRequest request) {
  30.     ValidateCode codeInSession = validateCodeRepository.get(validateCodeType);
  31.     String codeInRequest;
  32.     try {
  33.       codeInRequest =
  34.           ServletRequestUtils.getRequiredStringParameter(
  35.               request.getRequest(), validateCodeType.getParamNameOnValidate());
  36.     } catch (ServletRequestBindingException e) {
  37.       throw new MyAuthenticationException(ResultCode.VALIDATE_CODE_PARAM_NOT_EXIST);
  38.     }
  39.     if (StringUtils.isBlank(codeInRequest)) {
  40.       throw new MyAuthenticationException(ResultCode.VALIDATE_CODE_IS_BLANK);
  41.     }
  42.     if (codeInSession == null) {
  43.       throw new MyAuthenticationException(ResultCode.VALIDATE_CODE_NOT_EXIST);
  44.     }
  45.     if (codeInSession.isExpired()) {
  46.       validateCodeRepository.remove(validateCodeType);
  47.       throw new MyAuthenticationException(ResultCode.VALIDATE_CODE_EXPIRED);
  48.     }
  49.     if (!CharSequenceUtil.equals(codeInSession.getCode(), codeInRequest)) {
  50.       throw new MyAuthenticationException(ResultCode.VALIDATE_CODE_NOT_MATCH);
  51.     }
  52.     if (!ValidateCodeType.SMS.equals(validateCodeType)) {
  53.       validateCodeRepository.remove(validateCodeType);
  54.     }
  55.   }
  57.   @Override
  58.   public boolean supports(ValidateCodeType validateCodeType) {
  59.     return this.validateCodeType.equals(validateCodeType);
  60.   }
  61. }

生成的图形验证码以base64编码返回。

  1. @Slf4j
  2. @Component
  3. public class ImageCodeProcessor extends AbstractValidateCodeProcessor<ImageCode> {
  4.   public ImageCodeProcessor(
  5.       ValidateCodeRepository validateCodeRepository, ImageCodeGenerator imageCodeGenerator) {
  6.     super(validateCodeRepository, imageCodeGenerator, ValidateCodeType.IMAGE);
  7.   }
  9.   @Override
  10.   protected JsonResult send(ImageCode imageCode) {
  11.     FastByteArrayOutputStream os = new FastByteArrayOutputStream();
  12.     try {
  13.       ImageIO.write(imageCode.getImage(), "png", os);
  14.     } catch (IOException e) {
  15.       return JsonResultUtil.error(e.getMessage());
  16.     }
  17.     log.info("生成的图形验证码:" + imageCode.getCode());
  18.     return JsonResultUtil.success("data:image/png;base64," + Base64.encode(os.toByteArray()));
  19.   }
  20. }

手机短信是需要发送到手机上的,现在我默认的实现类是在控制台中打印出来,后续有条件的话会直接调接口发到手机上。

  1. @Component
  2. public class SmsCodeProcessor extends AbstractValidateCodeProcessor<SmsCode> {
  3.   private final SmsCodeSender smsCodeSender;
  5.   public SmsCodeProcessor(
  6.       SmsCodeGenerator smsCodeGenerator,
  7.       ValidateCodeRepository validateCodeRepository,
  8.       SmsCodeSender smsCodeSender) {
  9.     super(validateCodeRepository, smsCodeGenerator, ValidateCodeType.SMS);
  10.     this.smsCodeSender = smsCodeSender;
  11.   }
  13.   @Override
  14.   protected JsonResult send(SmsCode smsCode) {
  15.     return smsCodeSender.send(smsCode);
  16.   }
  17. }

2.1.2、验证码校验过滤器

该类的主要逻辑就是从请求参数中读取出验证码类型参数,根据验证码类型调用上面的验证码处理器类去调用validate方法对请求参数中的验证码和保存起来的验证码进行比对。

  1. /** 该过滤器用于验证码校验(目前表单登录和手机登录时需要校验) */
  2. @Slf4j
  3. @EqualsAndHashCode(callSuper = true)
  4. @Data
  5. public class ValidateCodeAuthenticationProcessingFilter extends OncePerRequestFilter {
  6.   private RequestMatcher requiresAuthenticationRequestMatcher;
  7.   private ValidateCodeProcessorHolder validateCodeProcessorHolder;
  8.   private AuthenticationFailureHandler authenticationFailureHandler;
  10.   public ValidateCodeAuthenticationProcessingFilter(
  11.       RequestMatcher requiresAuthenticationRequestMatcher,
  12.       ValidateCodeProcessorHolder validateCodeProcessorHolder,
  13.       AuthenticationFailureHandler authenticationFailureHandler) {
  14.     Assert.notNull(
  15.         requiresAuthenticationRequestMatcher,
  16.         "requiresAuthenticationRequestMatcher cannot be null");
  17.     Assert.notNull(validateCodeProcessorHolder, "validateCodeProcessorHolder cannot be null");
  18.     Assert.notNull(authenticationFailureHandler, "authenticationFailureHandler cannot be null");
  19.     this.requiresAuthenticationRequestMatcher = requiresAuthenticationRequestMatcher;
  20.     this.validateCodeProcessorHolder = validateCodeProcessorHolder;
  21.     this.authenticationFailureHandler = authenticationFailureHandler;
  22.   }
  24.   @Override
  25.   protected void doFilterInternal(
  26.       HttpServletRequest request, HttpServletResponse response, FilterChain chain)
  27.       throws ServletException, IOException {
  28.     if (requiresAuthentication(request)) {
  29.       try {
  30.         Integer validateCodeType =
  31.             ServletRequestUtils.getRequiredIntParameter(
  32.                 request, SecurityConstant.DEFAULT_PARAMETER_NAME_VALIDATE_CODE_TYPE);
  33.         validateCodeProcessorHolder
  34.             .findValidateCodeProcessorByType(validateCodeType)
  35.             .validate(new ServletWebRequest(request, response));
  36.         log.info("验证码校验通过");
  37.       } catch (ServletRequestBindingException e) {
  38.         authenticationFailureHandler.onAuthenticationFailure(
  39.             request,
  40.             response,
  41.             new MyAuthenticationException(ResultCode.VALIDATE_CODE_TYPE_PARAM_NOT_EXIST));
  42.         return;
  43.       } catch (MyAuthenticationException e) {
  44.         authenticationFailureHandler.onAuthenticationFailure(request, response, e);
  45.         return;
  46.       }
  47.     }
  48.     chain.doFilter(request, response);
  49.   }
  51.   private boolean requiresAuthentication(HttpServletRequest request) {
  52.     return this.requiresAuthenticationRequestMatcher.matches(request);
  53.   }
  54. }

短信验证码校验过滤器继承自ValidateCodeAuthenticationProcessingFilter过滤器,定义了拦截地址URL为DEFAULT_SIGN_IN_PROCESSING_URL_MOBILE常量,这个拦截地址URL应该和接下来的手机短信登录过滤器拦截的URL一样。

  1. public class SmsCodeAuthenticationFilter extends ValidateCodeAuthenticationProcessingFilter {
  2.   private static final AntPathRequestMatcher DEFAULT_ANT_PATH_REQUEST_MATCHER =
  3.       new AntPathRequestMatcher(SecurityConstant.DEFAULT_SIGN_IN_PROCESSING_URL_MOBILE, "POST");
  5.   public SmsCodeAuthenticationFilter(
  6.       ValidateCodeProcessorHolder validateCodeProcessorHolder,
  7.       AuthenticationFailureHandler authenticationFailureHandler) {
  8.     super(
  9.         DEFAULT_ANT_PATH_REQUEST_MATCHER,
  10.         validateCodeProcessorHolder,
  11.         authenticationFailureHandler);
  12.   }
  13. }

图形验证码校验过滤器也继承自ValidateCodeAuthenticationProcessingFilter过滤器,定义了拦截地址URL为DEFAULT_SIGN_IN_PROCESSING_URL_FORM常量,这个拦截地址URL应该和表单登录认证过滤器拦截的URL一样。

  1. public class ImageCodeAuthenticationFilter extends ValidateCodeAuthenticationProcessingFilter {
  2.   private static final AntPathRequestMatcher DEFAULT_ANT_PATH_REQUEST_MATCHER =
  3.       new AntPathRequestMatcher(SecurityConstant.DEFAULT_SIGN_IN_PROCESSING_URL_FORM, "POST");
  5.   public ImageCodeAuthenticationFilter(
  6.       ValidateCodeProcessorHolder validateCodeProcessorHolder,
  7.       AuthenticationFailureHandler authenticationFailureHandler) {
  8.     super(
  9.         DEFAULT_ANT_PATH_REQUEST_MATCHER,
  10.         validateCodeProcessorHolder,
  11.         authenticationFailureHandler);
  12.   }
  13. }

默认的表单登录认证过滤器拦截的URL是/loginPOST请求,所以我们得更改它的拦截地址为DEFAULT_SIGN_IN_PROCESSING_URL_FORM

  1. public class SecurityConfig extends WebSecurityConfigurerAdapter {
  2.     @Override
  3.     protected void configure(HttpSecurity http) throws Exception {
  4.         http
  5.             ...
  6.             .formLogin()
  7.             .loginProcessingUrl(SecurityConstant.DEFAULT_SIGN_IN_PROCESSING_URL_FORM)
  8.             ...
  9.     }
  10. }

2.1.3、将验证码过滤器添加到过滤器链

  1. @Component
  2. @RequiredArgsConstructor
  3. public class ValidateCodeConfigurer
  4.     extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
  5.   private final ValidateCodeProcessorHolder validateCodeProcessorHolder;
  6.   private final MyAuthenticationFailureHandler authenticationFailureHandler;
  8.   @Override
  9.   public void configure(HttpSecurity http) {
  10.     ImageCodeAuthenticationFilter imageCodeAuthenticationFilter =
  11.         new ImageCodeAuthenticationFilter(
  12.             validateCodeProcessorHolder, authenticationFailureHandler);
  13.     SmsCodeAuthenticationFilter smsCodeAuthenticationFilter =
  14.         new SmsCodeAuthenticationFilter(validateCodeProcessorHolder, authenticationFailureHandler);
  15.     http.addFilterBefore(imageCodeAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
  16.     http.addFilterBefore(smsCodeAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
  17.   }
  18. }

然后在SecurityConfig中使用http.apply(validateConfigurer)即可。

2.2、手机短信登录认证过滤器

相信大家通过IP登录功能,其实对扩展Spring Security认证登录有了一定的了解,其实,Spring Security 就是通过过滤器链来实现的,所以我们只要把我们的过滤器加到这个过滤器链中就可以了。看看Spring Security默认的表单登录是怎么将UsernamePasswordAuthenticationFilter加到过滤器链中的,不难发现,其中对扩展认证登录流程有4个最重要的东西:

  • xxxAuthenticationToken:继承自AbstractAuthenticationToken,里面封装了登录用户信息。
  • xxxAuthenticationProvider:实现AuthenticationProvider接口,对特定的AuthenticationToken进行校验,校验不通过则抛出异常,校验通过返回一个认证成功的AuthenticationToken即可。
  • xxxAuthenticationFilter:继承自AbstractAuthenticationProcessingFilter类,重写其中的attemptAuthentication方法,调用AuthenticationManager中的providersAuthenticatonToken进行校验。

  • xxxConfigurer:继承自SecurityConfigurerAdapter_<_DefaultSecurityFilterChain, HttpSecurity_>_,重写其中的init方法和configure方法,init方法主要用于将xxxAuthenticationProvider添加到providerManagerproviders集合中,configure方法主要用于将配置好的xxxAuthenticationFilter添加到过滤器链中。

    2.2.1、SmsCodeAuthenticationToken

    1. @EqualsAndHashCode(callSuper = true)
    2. public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {
    3. private final String mobile;
    5. public SmsCodeAuthenticationToken(String mobile) {
    6.   super(null);
    7.   this.mobile = mobile;
    8.   this.setAuthenticated(false);
    9. }
    11. public SmsCodeAuthenticationToken(
    12.     String mobile, Collection<? extends GrantedAuthority> authorities) {
    13.   super(authorities);
    14.   this.mobile = mobile;
    15.   super.setAuthenticated(true);
    16. }
    18. @Override
    19. public Object getCredentials() {
    20.   return null;
    21. }
    23. @Override
    24. public Object getPrincipal() {
    25.   return mobile;
    26. }
    27. }

    2.2.2、SmsCodeAuthenticationProvider

    1. public class SmsCodeAuthenticationProvider implements AuthenticationProvider, MessageSourceAware {
    2. private final SysUserService sysUserService;
    3. private final ValidateCodeRepository validateCodeRepository;
    4. protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
    6. public SmsCodeAuthenticationProvider(
    7.     SysUserService sysUserService, ValidateCodeRepository validateCodeRepository) {
    8.   this.sysUserService = sysUserService;
    9.   this.validateCodeRepository = validateCodeRepository;
    10. }
    12. @Override
    13. public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    14.   Assert.isInstanceOf(
    15.       SmsCodeAuthenticationToken.class,
    16.       authentication,
    17.       () ->
    18.           this.messages.getMessage(
    19.               "SmsCodeAuthenticationProvider.onlySupports",
    20.               "Only SmsCodeAuthenticationToken is supported"));
    21.   SmsCodeAuthenticationToken smsCodeAuthenticationToken =
    22.       (SmsCodeAuthenticationToken) authentication;
    23.   String mobile = (String) smsCodeAuthenticationToken.getPrincipal();
    24.   SmsCode smsCode = (SmsCode) validateCodeRepository.get(ValidateCodeType.SMS);
    25.   if (ObjectUtil.isEmpty(smsCode) || !smsCode.getMobile().equals(mobile)) {
    26.     throw new MyAuthenticationException(ResultCode.MOBILE_PARAM_NOT_MATCH);
    27.   }
    28.   UserDetails userDetails = sysUserService.loadUserByPhone(mobile);
    29.   validateCodeRepository.remove(ValidateCodeType.SMS);
    30.   SmsCodeAuthenticationToken authenticationResult =
    31.       new SmsCodeAuthenticationToken(mobile, userDetails.getAuthorities());
    32.   authenticationResult.setDetails(smsCodeAuthenticationToken.getDetails());
    33.   return authenticationResult;
    34. }
    36. @Override
    37. public boolean supports(Class<?> authentication) {
    38.   return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);
    39. }
    41. @Override
    42. public void setMessageSource(MessageSource messageSource) {
    43.   this.messages = new MessageSourceAccessor(messageSource);
    44. }
    45. }

    2.2.3、SmsCodeLoginFilter

    1. public class SmsCodeLoginFilter extends AbstractAuthenticationProcessingFilter {
    2. private static final AntPathRequestMatcher DEFAULT_ANT_PATH_REQUEST_MATCHER =
    3.     new AntPathRequestMatcher(SecurityConstant.DEFAULT_SIGN_IN_PROCESSING_URL_MOBILE, "POST");
    5. protected SmsCodeLoginFilter() {
    6.   super(DEFAULT_ANT_PATH_REQUEST_MATCHER);
    7. }
    9. @Override
    10. public Authentication attemptAuthentication(
    11.     HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
    12.   if (!request.getMethod().equals("POST")) {
    13.     throw new AuthenticationServiceException(
    14.         "Authentication method not supported: " + request.getMethod());
    15.   } else {
    16.     String mobile = obtainMobile(request);
    17.     mobile = (mobile != null) ? mobile : "";
    18.     mobile = mobile.trim();
    19.     SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile);
    20.     setDetails(request, authRequest);
    21.     return this.getAuthenticationManager().authenticate(authRequest);
    22.   }
    23. }
    25. protected void setDetails(HttpServletRequest request, SmsCodeAuthenticationToken authRequest) {
    26.   authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
    27. }
    29. @Nullable
    30. protected String obtainMobile(HttpServletRequest request) {
    31.   return request.getParameter(SecurityConstant.DEFAULT_PARAMETER_NAME_MOBILE);
    32. }
    33. }

    2.2.4、SmsCodeLoginConfigurer

    1. @Component
    2. @RequiredArgsConstructor
    3. public class SmsCodeLoginConfigurer
    4.   extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
    5. private final MyAuthenticationSuccessHandler authenticationSuccessHandler;
    6. private final MyAuthenticationFailureHandler authenticationFailureHandler;
    7. private final SysUserService sysUserService;
    8. private final ValidateCodeRepository validateCodeRepository;
    10. @Override
    11. public void init(HttpSecurity http) {
    12.   http.authenticationProvider(
    13.       postProcess(new SmsCodeAuthenticationProvider(sysUserService, validateCodeRepository)));
    14. }
    16. @Override
    17. public void configure(HttpSecurity http) {
    18.   SmsCodeLoginFilter smsCodeLoginFilter = new SmsCodeLoginFilter();
    19.   smsCodeLoginFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
    20.   smsCodeLoginFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler);
    21.   smsCodeLoginFilter.setAuthenticationFailureHandler(authenticationFailureHandler);
    22.   http.addFilterAfter(smsCodeLoginFilter, UsernamePasswordAuthenticationFilter.class);
    23. }
    24. }

    然后在SecurityConfig中使用http.apply(SmsCodeLoginConfigurer)即可。
    逻辑大概就只有上面这些,具体的实现可以参考项目,其实主要搞懂了源码,知道Spring Security怎么运作的,那这些东西对你来说就没什么难度。
    talk is cheap,show me the code.