SpringBoot + SpringSecurity 簡訊驗證碼登入功能
實現原理
在之前的文章中,我們介紹了普通的帳號密碼登入的方式: SpringBoot + Spring Security 基本使用及個性化登入配置。 但是現在還有一種常見的方式,就是直接通過手機簡訊驗證碼登入,這裡就需要自己來做一些額外的工作了。
對SpringSecurity認證流程詳解有一定了解的都知道,在帳號密碼認證的過程中,涉及到了以下幾個類:UsernamePasswordAuthenticationFilter
(用於請求引數獲取),UsernamePasswordAuthenticationToken
(表示使用者登入資訊),ProviderManager
(進行認證校驗),
因為是通過的簡訊驗證碼登入,所以我們需要對請求的引數,認證過程,使用者登入Token資訊進行一定的重寫。
當然驗證碼的過程我們應該放在最前面,如果
基本實現
驗證碼校驗
簡訊驗證碼的功能實現,其實和圖形驗證碼的原理是一樣的。只不過一個是返回給前端一個圖片,一個是給使用者傳送短訊息,這裡只需要去呼叫一下簡訊服務商的介面就好了。更多的原理可以參考 SpringBoot + SpringSecurity 實現圖形驗證碼功能
AuthenticationToken
在使用帳號密碼登入的時候,UsernamePasswordAuthenticationToken裡面包含了使用者的帳號,密碼,以及其他的是否可用等狀態資訊。我們是通過手機簡訊來做登入,所以就沒有密碼了,這裡我們就直接將UsernamePasswordAuthenticationToken的程式碼copy過來,把密碼相關的資訊去掉就可以了
public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
private final Object principal;
public SmsCodeAuthenticationToken(String mobile) {
super(null);
this .principal = mobile;
setAuthenticated(false);
}
public SmsCodeAuthenticationToken(Object principal,
Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.principal = principal;
super.setAuthenticated(true); // must use super, as we override
}
public Object getCredentials() {
return null;
}
public Object getPrincipal() {
return this.principal;
}
public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
if (isAuthenticated) {
throw new IllegalArgumentException(
"Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}
super.setAuthenticated(false);
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
}
}
AuthenticationFilter
在帳戶密碼登入的流程中,預設使用的是UsernamePasswordAuthenticationFilter,它的作用是從請求中獲取帳戶、密碼,請求方式校驗,生成AuthenticationToken。這裡我們的引數是有一定改變的,所以還是老方法,copy過來進行簡單的修改
public class SmsCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
// 請求引數key
private String mobileParameter = SecurityConstants.DEFAULT_PARAMETER_NAME_MOBILE;
// 是否只支援POST
private boolean postOnly = true;
public SmsCodeAuthenticationFilter() {
// 請求介面的url
super(new AntPathRequestMatcher(SecurityConstants.DEFAULT_LOGIN_PROCESSING_URL_MOBILE, "POST"));
}
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
}
// 根據請求引數名,獲取請求value
String mobile = obtainMobile(request);
if (mobile == null) {
mobile = "";
}
mobile = mobile.trim();
// 生成對應的AuthenticationToken
SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile);
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
/**
* 獲取手機號
*/
protected String obtainMobile(HttpServletRequest request) {
return request.getParameter(mobileParameter);
}
// 省略不相關程式碼
}
Provider
在帳號密碼登入的過程中,密碼的正確性以及帳號是否可用是通過DaoAuthenticationProvider
來校驗的。我們也應該自己實現一個Provier
public class SmsCodeAuthenticationProvider implements AuthenticationProvider {
private UserDetailsService userDetailsService;
/**
* 身份邏輯驗證
* @param authentication
* @return
* @throws AuthenticationException
*/
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
SmsCodeAuthenticationToken authenticationToken = (SmsCodeAuthenticationToken) authentication;
UserDetails user = userDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal());
if (user == null) {
throw new InternalAuthenticationServiceException("無法獲取使用者資訊");
}
SmsCodeAuthenticationToken authenticationResult = new SmsCodeAuthenticationToken(user, user.getAuthorities());
authenticationResult.setDetails(authenticationToken.getDetails());
return authenticationResult;
}
@Override
public boolean supports(Class<?> authentication) {
return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);
}
public UserDetailsService getUserDetailsService() {
return userDetailsService;
}
public void setUserDetailsService(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
}
配置
主要的認證流程就是通過以上四個過程實現的, 這裡我們再降它們配置一下就可以了
@Component
public class SmsCodeAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
@Autowired
private AuthenticationSuccessHandler myAuthenticationSuccessHandler;
@Autowired
private AuthenticationFailureHandler myAuthenticationFailureHandler;
@Autowired
private UserDetailsService userDetailsService;
@Override
public void configure(HttpSecurity http) throws Exception {
SmsCodeAuthenticationFilter smsCodeAuthenticationFilter = new SmsCodeAuthenticationFilter();
smsCodeAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
smsCodeAuthenticationFilter.setAuthenticationSuccessHandler(myAuthenticationSuccessHandler);
smsCodeAuthenticationFilter.setAuthenticationFailureHandler(myAuthenticationFailureHandler);
SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider();
smsCodeAuthenticationProvider.setUserDetailsService(userDetailsService);
http.authenticationProvider(smsCodeAuthenticationProvider)
.addFilterAfter(smsCodeAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}
}
// BrowerSecurityConfig.java
@Override
protected void configure(HttpSecurity http) throws Exception {
http.apply(smsCodeAuthenticationSecurityConfig);
}