2. 程式人生 > >spring security4 新增驗證碼

spring security4 新增驗證碼

阿新 發佈:2019-01-07

spring security是一個很大的模組,本文中只涉及到了自定義引數的認證。spring security預設的驗證引數只有username和password,一般來說都是不夠用的。由於時間過太久,有些忘,可能有少許遺漏。好了,不廢話。
spring以及spring security配置採用javaConfig,版本依次為4.2.54.0.4
總體思路:自定義EntryPoint,新增自定義引數擴充套件AuthenticationToken以及AuthenticationProvider進行驗證。

首先定義EntryPoint:

import org.springframework.security.core.AuthenticationException;
import
 
 org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class MyAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint
 
 {
    public MyAuthenticationEntryPoint(String loginFormUrl) {
        super(loginFormUrl);
    }
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
        super.commence(request, response, authException);
    }
}

接下來是token,validCode是驗證碼引數:

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

public class MyUsernamePasswordAuthenticationToken extends UsernamePasswordAuthenticationToken {
    private String validCode;
    public MyUsernamePasswordAuthenticationToken(String principal, String credentials, String validCode) {
        super(principal, credentials);
        this.validCode = validCode;
    }
    public String getValidCode() {
        return validCode;
    }
    public void setValidCode(String validCode) {
        this.validCode = validCode;
    }
}

繼續ProcessingFilter,

import com.core.shared.ValidateCodeHandle;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

public class MyValidCodeProcessingFilter extends AbstractAuthenticationProcessingFilter {

    private String usernameParam = "username";
    private String passwordParam = "password";
    private String validCodeParam = "validateCode";

    public MyValidCodeProcessingFilter() {
        super(new AntPathRequestMatcher("/user/login", "POST"));
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
        String username = request.getParameter(usernameParam);
        String password = request.getParameter(passwordParam);
        String validCode = request.getParameter(validCodeParam);
        valid(validCode, request.getSession());
        MyUsernamePasswordAuthenticationToken token = new MyUsernamePasswordAuthenticationToken(username, password, validCode);
        return this.getAuthenticationManager().authenticate(token);
    }

    public void valid(String validCode, HttpSession session) {
        if (validCode == null) {
            throw new ValidCodeErrorException("驗證碼為空!");
        }
        if (!ValidateCodeHandle.matchCode(session.getId(), validCode)) {
            throw new ValidCodeErrorException("驗證碼錯誤!");
        }
    }
}

分別定義三個引數,用於接收login表單過來的引數,構造方法給出了login的url以及需要post方式
接下來就是認證了,此處還沒到認證使用者名稱和密碼的時候,只是認證了驗證碼
下面是ValidateCodeHandle一個工具類以及ValidCodeErrorException:

import java.util.concurrent.ConcurrentHashMap;

public class ValidateCodeHandle {

    private static ConcurrentHashMap validateCode = new ConcurrentHashMap<>();

    public static ConcurrentHashMap getCode() {
        return validateCode;
    }

    public static void save(String sessionId, String code) {
        validateCode.put(sessionId, code);
    }

    public static String getValidateCode(String sessionId) {
        Object obj = validateCode.get(sessionId);
        if (obj != null) {
            return String.valueOf(obj);
        }
        return null;
    }

    public static boolean matchCode(String sessionId, String inputCode) {
        String saveCode = getValidateCode(sessionId);
        if (saveCode.equals(inputCode)) {
            return true;
        }
        return false;
    }

}

這裡需要繼承AuthenticationException以表明它是security的認證失敗,這樣才會走後續的失敗流程

import org.springframework.security.core.AuthenticationException;

public class ValidCodeErrorException extends AuthenticationException {

    public ValidCodeErrorException(String msg) {
        super(msg);
    }

    public ValidCodeErrorException(String msg, Throwable t) {
        super(msg, t);
    }
}

接下來是Provider:

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;

public class MyAuthenticationProvider extends DaoAuthenticationProvider {

    @Override
    public boolean supports(Class<?> authentication) {
        return MyUsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        Object salt = null;
        if (getSaltSource() != null) {
            salt = getSaltSource().getSalt(userDetails);
        }
        if (authentication.getCredentials() == null) {
            logger.debug("Authentication failed: no credentials provided");
            throw new BadCredentialsException("使用者名稱或密碼錯誤!");
        }

        String presentedPassword = authentication.getCredentials().toString();

        if (!this.getPasswordEncoder().isPasswordValid(userDetails.getPassword(), presentedPassword, salt)) {
            logger.debug("Authentication failed: password does not match stored value");

            throw new BadCredentialsException("使用者名稱或密碼錯誤!");
        }

    }
}

其中supports方法指定使用自定義的token,additionalAuthenticationChecks方法和父類的邏輯一模一樣,我只是更改了異常返回的資訊。
接下來是處理認證成功和認證失敗的handler

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class FrontAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    public FrontAuthenticationSuccessHandler(String defaultTargetUrl) {
        super(defaultTargetUrl);
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class FrontAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    public FrontAuthenticationFailureHandler(String defaultFailureUrl) {
        super(defaultFailureUrl);
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        super.onAuthenticationFailure(request, response, exception);
    }
}

最後就是最重要的security config 了:

import com.service.user.CustomerService;
import com.web.filter.SiteMeshFilter;
import com.web.mySecurity.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.filter.CharacterEncodingFilter;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends AbstractSecurityWebApplicationInitializer {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new StandardPasswordEncoder("MD5");
    }

    @Autowired
    private CustomerService customerService;

    @Configuration
    @Order(1)
    public static class FrontendWebSecurityConfigureAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        private MyValidCodeProcessingFilter myValidCodeProcessingFilter;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()  
                    .authorizeRequests()
                    .antMatchers("/user/login", "/user/logout").permitAll()
                    .anyRequest().authenticated()
                    .and()
                    .addFilterBefore(myValidCodeProcessingFilter, UsernamePasswordAuthenticationFilter.class)
                    .formLogin()
                    .loginPage("/user/login")
                    .and()
                    .logout()
                    .logoutUrl("/user/logout")
                    .logoutSuccessUrl("/user/login");
        }

    }

    @Bean(name = "frontAuthenticationProvider")
    public MyAuthenticationProvider frontAuthenticationProvider() {
        MyAuthenticationProvider myAuthenticationProvider = new MyAuthenticationProvider();
        myAuthenticationProvider.setUserDetailsService(customerService);
        myAuthenticationProvider.setPasswordEncoder(passwordEncoder());
        return myAuthenticationProvider;
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        List<AuthenticationProvider> list = new ArrayList<>();
        list.add(frontAuthenticationProvider());
        AuthenticationManager authenticationManager = new ProviderManager(list);
        return authenticationManager;
    }

    @Bean
    public MyValidCodeProcessingFilter myValidCodeProcessingFilter(AuthenticationManager authenticationManager) {
        MyValidCodeProcessingFilter filter = new MyValidCodeProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        filter.setAuthenticationSuccessHandler(frontAuthenticationSuccessHandler());
        filter.setAuthenticationFailureHandler(frontAuthenticationFailureHandler());
        return filter;
    }

    @Bean
    public FrontAuthenticationFailureHandler frontAuthenticationFailureHandler() {
        return new FrontAuthenticationFailureHandler("/user/login");
    }

    @Bean
    public FrontAuthenticationSuccessHandler frontAuthenticationSuccessHandler() {
        return new FrontAuthenticationSuccessHandler("/front/test");
    }

    @Bean
    public MyAuthenticationEntryPoint myAuthenticationEntryPoint() {
        return new MyAuthenticationEntryPoint("/user/login");
    }

}

首先是一個加密類的bean,customerService是一個簡單的查詢使用者

@Service("customerService")
public class CustomerServiceImpl implements CustomerService {

    @Autowired
    private UserDao userDao;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        return  userDao.findCustomerByUsername(username);
    }
}

下來就是FrontendWebSecurityConfigureAdapter了,重寫了configure方法,先禁用csrf,
開啟授權請求authorizeRequests(),其中”/user/login”, “/user/logout”放過許可權驗證,
其他請求需要進行登入認證,
然後是addFilterBefore(),把我自定義的myValidCodeProcessingFilter新增到security預設的UsernamePasswordAuthenticationFilter之前,也就是先進行我的自定義引數認證,
然後是formLogin(),配置登入url以及登出url,登入登出url都需要進行controller對映,也就是要自己寫controller。
接下來就是AuthenticationProvider,AuthenticationManager,ProcessingFilter,AuthenticationFailureHandler,AuthenticationSuccessHandler,EntryPoint的bean顯示宣告。
下面是login.jsp

<body>
<div class="login_div">
    <form:form autocomplete="false" commandName="userDTO" method="post">
        <div>
            <span class="error_tips"><b>${SPRING_SECURITY_LAST_EXCEPTION.message}</b></span>
        </div>
        username:<form:input path="username" cssClass="form-control"/><br/>
        password:<form:password path="password" cssClass="form-control"/><br/>
        validateCode:<form:input path="validateCode" cssClass="form-control"/>
        <label>${validate_code}</label>
        <div class="checkbox">
            <label>
                <input type="checkbox" name="remember-me"/>記住我
            </label>
        </div>
        <input type="submit" class="btn btn-primary" value="submit"/>
    </form:form>
</div>
</body>

驗證碼驗證失敗的時候丟擲的是ValidCodeErrorException,由於它繼承AuthenticationException,security在驗證的時候遇到AuthenticationException就會觸發AuthenticationFailureHandler,上面的bean中聲明瞭認證失敗跳轉到登入url,所以login.jsp裡面有${SPRING_SECURITY_LAST_EXCEPTION.message}獲取我認證時丟擲異常資訊,能友好的提示使用者。

整個自定義security驗證流程就走完了

相關推薦

spring security4 新增驗證

spring security是一個很大的模組,本文中只涉及到了自定義引數的認證。spring security預設的驗證引數只有username和password,一般來說都是不夠用的。由於時間過太久,有些忘,可能有少許遺漏。好了,不廢話。 spring以及

java spring 實現登入頁面新增驗證

from 表單: <div class="block">     <p class="block-heading">使用者登入</p>     <div class="blo

phpcms v9表單嚮導新增驗證

要做留言板的功能,故用新增表單,想要在提交留言前加一個驗證碼的功能。網上的教程比較混亂,於是親自實驗了下,步驟如下: 首先是呼叫表單的頁面加入驗證碼。表單js呼叫模版預設的是 \phpcms\templates\default\formguide\show.html 新增如下程式碼:

laravel 新增驗證

1、  安裝依賴  composer require gregwar/captcha 2、使用       use Gregwar\Captcha\CaptchaBuilder; use DB; use Request; use Sess

cas server (4.2.7) 新增驗證

新增驗證碼     修改casLoginView.jsp   <!--驗證碼開始--->      <div class="vCodeBox imgCode" > &nb

【SpringSecurity系列】SpringBoot整合SpringSecurity新增驗證登入

上一篇博文已經介紹過了SpringSecurity的表單登入,這裡我們基於上一篇的基礎上,新增一個驗證碼進行登入,登入頁面效果圖,如圖所示: 首先我們需要建立驗證碼的生成規則,首先建立一個驗證碼的實體: public class ImageCode { /** 驗證碼 */

CAS5.1.8新增驗證

老生常談的題目了吧。但是,要在網上找出一篇能跑又看得明白的相關教程,還真不容易。 我費了九牛二虎之力,終於添加了驗證碼功能,記錄如下。 一、執行結果 二、程式碼結構 程式碼是純新增的,不想修改現有的程式碼。CAS實在是太龐大了,idea載入都要幾分鐘。作為一個java小白,

輕鬆把玩HttpClient之封裝HttpClient工具類(七),新增驗證識別功能

       這個HttpClientUtil工具類分享在GitHub上已經半年多的時間了,並且得到了不小的關注,有25顆star,被fork了38次。有了大家的鼓勵,工具類一直也在完善中。最近比較忙,兩個多月前的修改在今天剛修改測試完成,今天再次分享給大家。       驗

Spring Boot +Shiro 驗證Filter和限制密碼錯誤次數

驗證碼校驗 CustomFormAuthenticationFilter 將我們自己實現的Filter,放到ShiroFilterFactoryBean中。 ShiroFilterFactor

Spring MVC:圖片驗證的生成與返回

效果 程式碼 模型 //分類圖片和儲存圖片數量和路徑 public class ImageGroup { private String name; //圖片組名稱 private int count;//圖片組

javaweb頁面中新增驗證功能

package cn.itcast.vcode.utils; import java.awt.BasicStroke; import java.awt.Color; import java.awt.Font; import java.awt.Graphics2D; import java.awt.image

laraval新增驗證驗證

安裝:composer require "mews/captcha:~2.0" 執行:php artisan vendor:publish 生成配置檔案config/captcha 前端 <img class="thumbnail captcha" src="{{ captcha_

給JSP頁面新增驗證

  前段時間學習Struts2做了個驗證碼的小例子,今天在火狐下檢視遇到點問題,在這裡記錄一下。 製作圖形驗證碼關鍵在於編寫生成圖形的Servlet package com.petrochina.servlet; import java.awt.Color; import

spring Security4 和 oauth2整合 註解+xml混合使用(驗證等額外資料驗證

spring Security4 和 oauth2整合(驗證碼等額外資料驗證) 上一篇寫的自定義使用者名稱密碼驗證,這裡寫驗證碼的驗證,或者其他資訊的驗證。 git地址:https://gitee.com/xiaoyaofeiyang/OauthUmp spring Securi

spring security4自定義登陸加驗證配置

最近做的專案中使用了spring security來管理許可權,由於之前沒有接觸過所以在網上找了半天資料研究,打算記錄下來。 security的版本使用的是4.2,相信網上很多文章都已經說明了3.x和4.x的區別,這裡就不再說明了,下面說下準備工作。 相關j

Spring Security-- 驗證功能的實現

turn stringbu overflow .net 內容 一個 子類 異常 too spring security4 添加驗證碼 http://www.itwendao.com/article/detail/165400.html http://www.itdada

spring mvc實現登錄驗證

period nbsp def fine 顯示 pin asi sin current 一、實現圖形驗證碼的基礎類 VerifyCodeUtils.java,這個類是從網上摘抄的~ package com.comp.common; import java.aw

Spring MVC 中使用 Google kaptcha 驗證

實用 pri 集成 auto req post bsp produce target 驗證碼是抵抗批量操作和惡意登錄最有效的方式之一。 驗證碼從產生到現在已經衍生出了很多分支、方式。google kaptcha 是一個非常實用的驗證碼生成類庫。 通過靈

Spring中整合Cage,實現驗證功能

ger 類型 body match exce sub pom esp rec 1.pom.xml中添加Cage依賴。 <dependency> <groupId>com.github.cage</groupId

為wordpress後臺登陸新增算術驗證

對於新建站(個人部落格-檸檬https://ninmong.com)的站長來說提高後臺的安全性,是一件非常重要的事,新增驗證可以起到很好的效果,廢話少說,貼程式碼 //後臺登陸數學驗證碼 function rhymo_add_login_fields() { //獲取兩個隨機數, 範圍0~9 $nu