一、引言
理论零碎通常须要实现多种认证形式,比方用户名明码、手机验证码、邮箱等等。Spring Security能够通过自定义认证器AuthenticationProvider 来实现不同的认证形式。接下来介绍一下SpringSecurity具体如何来实现多种认证形式。
二、具体步骤
这里咱们以用户名明码、手机验证码两种形式来进行演示,其余一些登录形式相似。
2.1 自定义认证器AuthenticationProvider
首先针对每一种登录形式,咱们能够定义其对应的认证器AuthenticationProvider,以及对应的认证信息Authentication,理论场景中这两个个别是配套应用。认证器AuthenticationProvider有一个认证办法authenticate(),咱们须要实现该认证办法,认证胜利之后返回认证信息Authentication。
2.1.1 手机验证码
针对手机验证码形式,咱们能够定义以下两个类
MobilecodeAuthenticationProvider.class
import com.kamier.security.web.service.MyUser;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import java.util.HashMap;
import java.util.Map;
public class MobilecodeAuthenticationProvider implements AuthenticationProvider {
private UserDetailsService userDetailsService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
MobilecodeAuthenticationToken mobilecodeAuthenticationToken = (MobilecodeAuthenticationToken) authentication;
String phone = mobilecodeAuthenticationToken.getPhone();
String mobileCode = mobilecodeAuthenticationToken.getMobileCode();
System.out.println("登陆手机号:" + phone);
System.out.println("手机验证码:" + mobileCode);
// 模仿从redis中读取手机号对应的验证码及其用户名
Map<String, String> dataFromRedis = new HashMap<>();
dataFromRedis.put("code", "6789");
dataFromRedis.put("username", "admin");
// 判断验证码是否统一
if (!mobileCode.equals(dataFromRedis.get("code"))) {
throw new BadCredentialsException("验证码谬误");
}
// 如果验证码统一,从数据库中读取该手机号对应的用户信息
MyUser loadedUser = (MyUser) userDetailsService.loadUserByUsername(dataFromRedis.get("username"));
if (loadedUser == null) {
throw new UsernameNotFoundException("用户不存在");
} else {
MobilecodeAuthenticationToken result = new MobilecodeAuthenticationToken(loadedUser, null, loadedUser.getAuthorities());
return result;
}
}
@Override
public boolean supports(Class<?> aClass) {
return MobilecodeAuthenticationToken.class.isAssignableFrom(aClass);
}
public void setUserDetailsService(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
}留神这里的supports办法,是实现多种认证形式的要害,认证管理器AuthenticationManager会通过这个supports办法来断定以后须要应用哪一种认证形式。
MobilecodeAuthenticationToken.class
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import java.util.Collection;
/**
* 手机验证码认证信息,在UsernamePasswordAuthenticationToken的根底上增加属性 手机号、验证码
*/
public class MobilecodeAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = 530L;
private Object principal;
private Object credentials;
private String phone;
private String mobileCode;
public MobilecodeAuthenticationToken(String phone, String mobileCode) {
super(null);
this.phone = phone;
this.mobileCode = mobileCode;
this.setAuthenticated(false);
}
public MobilecodeAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
super.setAuthenticated(true);
}
public Object getCredentials() {
return this.credentials;
}
public Object getPrincipal() {
return this.principal;
}
public String getPhone() {
return phone;
}
public String getMobileCode() {
return mobileCode;
}
public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
if (isAuthenticated) {
throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
} else {
super.setAuthenticated(false);
}
}
public void eraseCredentials() {
super.eraseCredentials();
this.credentials = null;
}
}2.1.2 用户名明码
针对用户名明码形式,咱们能够间接应用自带的DaoAuthenticationProvider以及对应的UsernamePasswordAuthenticationToken。
2.2 实现UserDetailService
UserDetailService服务用以返回以后登录用户的用户信息,能够每一种认证形式实现对应的UserDetailService,也能够应用同一个。这里咱们应用同一个UserDetailService服务,代码如下:
MyUserDetailsService.class
import com.google.common.collect.Lists;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
@Service
public class MyUserDetailsService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws AuthenticationException {
MyUser myUser;
// 这里模仿从数据库中获取用户信息
if (username.equals("admin")) {
myUser = new MyUser("admin", new BCryptPasswordEncoder().encode("123456"), Lists.newArrayList("p1", "p2"));
myUser.setAge(25);
myUser.setSex(1);
myUser.setAddress("xxxx小区");
return myUser;
} else {
throw new UsernameNotFoundException("用户不存在");
}
}
}MyUser.class
import com.google.common.collect.Lists;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
public class MyUser extends User {
private int sex;
private int age;
private String address;
public MyUser(String username, String password, List<String> authorities) {
super(username, password, Optional.ofNullable(authorities).orElse(Lists.newArrayList()).stream()
.map(str -> (GrantedAuthority) () -> str)
.collect(Collectors.toList()));
}
public int getSex() {
return sex;
}
public void setSex(int sex) {
this.sex = sex;
}
public int getAge() {
return age;
}
public void setAge(int age) {
this.age = age;
}
public String getAddress() {
return address;
}
public void setAddress(String address) {
this.address = address;
}
}2.3 对立解决认证异样
定义一个认证异样处理器,对立解决认证异样AuthenticationException,如下
@Component
public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
R result = R.error("用户未登录或已过期");
response.setContentType("text/json;charset=utf-8");
response.getWriter().write(new Gson().toJson(result));
}
}2.4 配置器WebSecurityConfigurer
在配置器中咱们去实例化一个认证管理器AuthenticationManager,这个认证管理器中蕴含了两个认证器,别离是MobilecodeAuthenticationProvider(手机验证码)、DaoAuthenticationProvider(用户名明码)。
重写config办法进行security的配置:
- 登录相干接口的放行,其余接口须要认证
- 配置认证异样处理器
MySecurityConfigurer.class
@Configuration
public class MySecurityConfigurer extends WebSecurityConfigurerAdapter {
@Autowired
private MyAuthenticationEntryPoint myAuthenticationEntryPoint;
@Autowired
private UserDetailsService myUserDetailsService;
@Autowired
private TokenAuthenticationFilter tokenAuthenticationFilter;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public MobilecodeAuthenticationProvider mobilecodeAuthenticationProvider() {
MobilecodeAuthenticationProvider mobilecodeAuthenticationProvider = new MobilecodeAuthenticationProvider();
mobilecodeAuthenticationProvider.setUserDetailsService(myUserDetailsService);
return mobilecodeAuthenticationProvider;
}
@Bean
public DaoAuthenticationProvider daoAuthenticationProvider() {
DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
daoAuthenticationProvider.setUserDetailsService(myUserDetailsService);
return daoAuthenticationProvider;
}
/**
* 定义认证管理器AuthenticationManager
* @return
*/
@Bean
public AuthenticationManager authenticationManager() {
List<AuthenticationProvider> authenticationProviders = new ArrayList<>();
authenticationProviders.add(mobilecodeAuthenticationProvider());
authenticationProviders.add(daoAuthenticationProvider());
ProviderManager authenticationManager = new ProviderManager(authenticationProviders);
// authenticationManager.setEraseCredentialsAfterAuthentication(false);
return authenticationManager;
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
// 敞开csrf
.csrf().disable()
// 解决认证异样
.exceptionHandling().authenticationEntryPoint(myAuthenticationEntryPoint)
.and()
// 权限配置,登录相干的申请放行,其余须要认证
.authorizeRequests()
.antMatchers("/login/*").permitAll()
.anyRequest().authenticated()
.and()
// 增加token认证过滤器
.addFilterAfter(tokenAuthenticationFilter, LogoutFilter.class)
// 不应用session会话治理
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
到这里实现多种认证形式根本就完结了。
但在理论我的项目中,认证胜利后通常会返回一个token令牌(如jwt等),后续咱们将token放到申请头中进行申请,后端校验该token,校验胜利后再拜访相应的接口,所以这里在下面的配置中加了一个token认证过滤器TokenAuthenticationFilter。
TokenAuthenticationFilter的代码如下:
@Component
@WebFilter
public class TokenAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
String token = httpServletRequest.getHeader("token");
// 如果没有token,跳过该过滤器
if (!StringUtils.isEmpty(token)) {
// 模仿redis中的数据
Map<String, MyUser> map = new HashMap<>();
map.put("test_token1", new MyUser("admin", new BCryptPasswordEncoder().encode("123456"), Lists.newArrayList("p1", "p2")));
map.put("test_token2", new MyUser("root", new BCryptPasswordEncoder().encode("123456"), Lists.newArrayList("p1")));
// 这里模仿从redis获取token对应的用户信息
MyUser myUser = map.get(token);
if (myUser != null) {
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(myUser, null, myUser.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authRequest);
} else {
throw new PreAuthenticatedCredentialsNotFoundException("token不存在");
}
}
filterChain.doFilter(httpServletRequest, httpServletResponse);
}
}三、测试验证
编写一个简略的Controller来验证多种登录形式,代码如下:
@RestController
@RequestMapping("/login")
public class LoginController {
@Autowired
private AuthenticationManager authenticationManager;
/**
* 用户名明码登录
* @param username
* @param password
* @return
*/
@GetMapping("/usernamePwd")
public R usernamePwd(String username, String password) {
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);
Authentication authenticate = null;
try {
authenticate = authenticationManager.authenticate(usernamePasswordAuthenticationToken);
} catch (Exception e) {
e.printStackTrace();
return R.error("登陆失败");
}
String token = UUID.randomUUID().toString().replace("-", "");
return R.ok(token, "登陆胜利");
}
/**
* 手机验证码登录
* @param phone
* @param mobileCode
* @return
*/
@GetMapping("/mobileCode")
public R mobileCode(String phone, String mobileCode) {
MobilecodeAuthenticationToken mobilecodeAuthenticationToken = new MobilecodeAuthenticationToken(phone, mobileCode);
Authentication authenticate = null;
try {
authenticate = authenticationManager.authenticate(mobilecodeAuthenticationToken);
} catch (Exception e) {
e.printStackTrace();
return R.error("验证码谬误");
}
String token = UUID.randomUUID().toString().replace("-", "");
return R.ok(token, "登陆胜利");
}
}
- 用户名明码
拜访/login/usernamePwd接口进行登录,账号密码为admin/123456,能够看到拜访胜利,如下图 - 手机验证码
拜访/login/mobileCode接口进行登录,如下图 - 带token拜访
在申请头带上token拜访接口,如下图 - 不带token拜访
到这里Spring Security实现多种认证形式就完结了,如有谬误,感激斧正。
发表回复