SpringSecurity-9-实现通过手机短信进行认证功能
手机短信流程分析
手机号登录的时候是不需要密码登录的,而是通过短信验证码实现免密登录。具体步骤如下 :
向手机发送验证码,第三方短信发送平台,如阿里云短信
手机获取验证码后,在表单中输入验证码
使用自定义过滤器SmsCodeValidateFilter
短信校验通过后,使用自定义手机认证过滤器SmsCodeAuthenticationFilter校验手机号码是否存在
自定义SmsCodeAuthenticationToken提供给SmsCodeAuthenticationFilter
自定义SmsCodeAuthenticationProvider提供给AuthenticationManager
创建针对手机号查询用户信息的SmsCodeUserDetailsService,提交给SmsCodeAuthenticationProvider
自定义SmsCodeSecurityConfig配置类将上面组件连接起来
将SmsCodeSecurityConfig添加到LearnSrpingSecurity安全配置的过滤器链上
创建短信发送接口
- 定义发生短信的服务接口com.security.learn.sms.SmsCodeSend
代码如下:
public interface SmsCodeSend { boolean sendSmsCode(String mobile, String code); }
- 实现短信发生服务接口com.security.learn.sms.impl.SmsCodeSendImpl代码如下
@Slf4j public class SmsCodeSendImpl implements SmsCodeSend { @Override public boolean sendSmsCode(String mobile, String code) { String sendCode = String.format("你好你的验证码%s,请勿泄露他人。", code); log.info("向手机号" + mobile + "发送的短信为:" + sendCode); return true; } }
注:因为这里是示例所以就没有真正的使用第三方发送短信平台。
- 将smsCodeSend注入到容器实现如下
@Configuration public class Myconfig { @Bean public PasswordEncoder passwordEncoder(){ return new BCryptPasswordEncoder(); } @Bean @ConditionalOnMissingBean(SmsCodeSend.class) public SmsCodeSend smsCodeSend(){ return new SmsCodeSendImpl(); } }
手机登录页与发送短信验证码
- 创建SmsController实现短信发送验证码的API,代码如下:
@Controller public class SmsController { public static final String SESSION_KEY = "SESSION_KEY_MOBILE_CODE"; @RequestMapping("/mobile/page") public String toMobilePage(){ return "login-mobile"; } @Autowired private SmsCodeSend smsCodeSend; /** *生成手机验证码并发送 * @param request * @return */ @RequestMapping("/code/mobile") @ResponseBody public String smsCode(HttpServletRequest request){ // 1. 生成一个手机验证码 String code = RandomStringUtils.randomNumeric(4); request.getSession().setAttribute(SESSION_KEY, code); String mobile = request.getParameter("mobile"); smsCodeSend.sendSmsCode(mobile, code); return "200"; } }
- 在
src\main\resources\templates文件夹下添加login-mobile.html静态页面,具体实现如下
<!--suppress ALL--> <!DOCTYPE html> <html xmlns:th="http://www.thymeleaf.org"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title>springboot葵花宝典手机登录</title> <!-- Tell the browser to be responsive to screen width --> <meta name="viewport" content="width=device-width, initial-scale=1"> </head> <body > <div > <a href="#">springboot葵花宝典手机登录</a> <br> <a th:href="@{/login/page}" href="login.html" > <span>使用密码验证登录</span> </a> <br> <form th:action="@{/mobile/form}" action="index.html" method="post"> <span>手机号码</span> <input id="mobile" name="mobile" type="text" class="form-control" placeholder="手机号码"><br> <span>验证码</span> <input type="text" name="smsCode" class="form-control" placeholder="验证码"> <a id="sendCode" th:attr="code_url=@{/code/mobile?mobile=}" href="#"> 获取验证码 </a><br> <!-- 提示信息, 表达式红线没关系,忽略它 --> <div th:if="${param.error}"> <span th:text="${session.SPRING_SECURITY_LAST_EXCEPTION?.message}" style="color:#ff0000"></span> </div> <span>记住我</span><input type="checkbox" name="remember-me-test" > <br> <button type="submit" class="btn btn-primary btn-block">登录</button> </form> </div> <script th:src="@{/plugins/jquery/jquery.min.js}" src="plugins/jquery/jquery.min.js"></script> <script> // 发送验证码 $("#sendCode").click(function () { var mobile = $('#mobile').val().trim(); if(mobile == '') { alert("手机号不能为空"); return; } var url = $(this).attr("code_url") + mobile; $.get(url, function(data){ alert(data === "200" ? "发送成功": "发送失败"); }); }); </script> </body> </html>
- 在LearnSrpingSecurity的configure(HttpSecurity http)方法中添加手机免密登录允许的url
.and().authorizeRequests() .antMatchers("/login/page","/code/image","/mobile/page","/code/mobile").permitAll()
短信验证码校验过滤器 SmsCodeValidateFilter
短信验证码的校验过滤器,实际上和图片验证过滤器原理一致。都都是继承OncePerRequestFilter实现一个Spring环境下的过滤器。@Component注解不可少其核心校验规则如下:
登录时候手机号码不可为空
登录时手机输入码不可为空
登录时输入的短信验证码必须和“谜底”中的验证码一致
@Component public class SmsCodeValidateFilter extends OncePerRequestFilter { @Autowired MyAuthenticationFailureHandler failureHandler; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { if (request.getRequestURI().equals("/mobile/form") && request.getMethod().equalsIgnoreCase("post")) { try { validate(request); }catch (AuthenticationException e){ failureHandler.onAuthenticationFailure( request,response,e); return; } } filterChain.doFilter(request,response); } private void validate(HttpServletRequest request) { //获取session中的手机验证码 HttpSession session = request.getSession(); String sessionCode = (String)request.getSession().getAttribute(SmsController.SESSION_KEY); // 获取用户输入的验证码 String inpuCode = request.getParameter("smsCode"); //手机号 String mobileInRequest = request.getParameter("mobile"); if(StringUtils.isEmpty(mobileInRequest)){ throw new ValidateCodeException("手机号码不能为空!"); } if(StringUtils.isEmpty(inpuCode)){ throw new ValidateCodeException("短信验证码不能为空!"); } if(StrUtil.isBlank(sessionCode)){ throw new ValidateCodeException("短信验证码不存在!"); } if(!sessionCode.equalsIgnoreCase(inpuCode)){ throw new ValidateCodeException("输入的短信验证码错误!"); } session.removeAttribute(SmsController.SESSION_KEY); } }
实现手机认证SmsCodeAuthenticationFilter过滤器
创建com.security.learn.filter.SmsCodeAuthenticationFilter,仿照UsernamePassword AuthenticationFilter进行代码实现,不过将用户名、密码换成手机号进行认证,短信验证码在此部分已经没有用了,因为我们在SmsCodeValidateFilter已经验证过了
public class SmsCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter { public static final String SPRING_SECURITY_FORM_MOBILE_KEY = "mobile"; private String mobileParameter = SPRING_SECURITY_FORM_MOBILE_KEY ; //请求中携带手机号的参数名称 private boolean postOnly = true; //指定当前过滤器是否只处理POST请求 public SmsCodeAuthenticationFilter() { //指定当前过滤器处理的请求 super(new AntPathRequestMatcher("//mobile/form", "POST")); } public Authentication attemptAuthentication( HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { if (this.postOnly && !request.getMethod().equals("POST")) { throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod()); } //从请求中获取手机号码 String mobile = this.obtainMobile(request); if (mobile == null) { mobile = ""; } mobile = mobile.trim(); SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile); this.setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); } /** * 从从请求中获取手机号码 * @param request * @return */ protected String obtainMobile(HttpServletRequest request) { return request.getParameter(this.mobileParameter); } /** * 将请求中的Sessionid和host主句ip放到SmsCodeAuthenticationToken中 * @param request * @param authRequest */ protected void setDetails(HttpServletRequest request, SmsCodeAuthenticationToken authRequest) { authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request)); } public void setMobileParameter(String mobileParameter) { Assert.hasText(mobileParameter, "Username parameter must not be empty or null"); this.mobileParameter = mobileParameter; } public void setPostOnly(boolean postOnly) { this.postOnly = postOnly; } public final String getMobileParameter() { return this.mobileParameter; } }
封装手机认证Token SmsCodeAuthenticationToken
创建com.security.learn.filter.SmsCodeAuthenticationToken,仿照UsernamePasswordAuthenticationToken进行代码实现
public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken { private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID; //存放认证信息,认证之前存放手机号,认证之后存放登录的用户 private final Object principal; /** * 开始认证时,SmsCodeAuthenticationToken 接收的是手机号码, 并且 标识未认证 * @param mobile */ public SmsCodeAuthenticationToken(String mobile) { super(null); this.principal = mobile; this.setAuthenticated(false); } /** * 当认证通过后,会重新创建一个新的SmsCodeAuthenticationToken,来标识它已经认证通过, * @param principal 用户信息 * @param authorities 用户权限 */ public SmsCodeAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities) { super(authorities); this.principal = principal; super.setAuthenticated(true);//表示认证通过 } /** * 在父类中是一个抽象方法,所以要实现, 但是它是密码,而当前不需要,则直接返回null * @return */ public Object getCredentials() { return null; } /** * 手机号获取 * @return */ public Object getPrincipal() { return this.principal; } public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException { if (isAuthenticated) { throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead"); } super.setAuthenticated(false); } public void eraseCredentials() { super.eraseCredentials(); } }
手机认证提供者 SmsCodeAuthenticationProvider
创建com.security.learn.filter.SmsCodeAuthenticationProvider,提供给底层的ProviderManager代码实现如下
public class SmsCodeAuthenticationProvider implements AuthenticationProvider { @Autowired @Qualifier("smsCodeUserDetailsService") private UserDetailsService userDetailsService; public UserDetailsService getUserDetailsService() { return userDetailsService; } public void setUserDetailsService(UserDetailsService userDetailsService) { this.userDetailsService = userDetailsService; } /** * 处理认证: * 1. 通过 手机号 去数据库查询用户信息(UserDeatilsService) * 2. 再重新构建认证信息 * @param authentication * @return * @throws AuthenticationException */ @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { //利用UserDetailsService获取用户信息,拿到用户信息后重新组装一个已认证的Authentication SmsCodeAuthenticationToken authenticationToken = (SmsCodeAuthenticationToken)authentication; UserDetails user = userDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal()); //根据手机号码拿到用户信息 if(user == null){ throw new AuthenticationServiceException("无法获取用户信息"); } SmsCodeAuthenticationToken authenticationResult = new SmsCodeAuthenticationToken(user,user.getAuthorities()); authenticationResult.setDetails(authenticationToken.getDetails()); return authenticationResult; } /** * AuthenticationManager挑选一个AuthenticationProvider * 来处理传入进来的Token就是根据supports方法来判断的 * @param aClass * @return */ @Override public boolean supports(Class<?> aClass) { return SmsCodeAuthenticationToken.class.isAssignableFrom(aClass); } }
手机号获取用户信息 SmsCodeUserDetailsService
创建com.security.learn.impl.SmsCodeUserDetailsService类,不要注入PasswordEncoder
@Slf4j @Component("smsCodeUserDetailsService") public class SmsCodeUserDetailsService implements UserDetailsService { @Override public UserDetails loadUserByUsername(String mobile) throws UsernameNotFoundException { log.info("请求的手机号是:" + mobile); return new User(mobile, "", true, true, true, true, AuthorityUtils.commaSeparatedStringToAuthorityList("ADMIN")); } }
因为测试就没有去数据库中获取手机号
自定义管理认证配置 SmsCodeSecurityConfig
最后我们将以上实现进行组装,并将以上接口实现以配置的方式告知Spring Security。因为配置代码比较多,所以我们单独抽取一个关于短信验证码的配置类SmsCodeSecurityConfig,继承自SecurityConfigurerAdapter。将上面定义的组件绑定起来,添加到容器中:注意添加@Component注解
@Component public class SmsCodeSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> { @Autowired @Qualifier("smsCodeUserDetailsService") private SmsCodeUserDetailsService smsCodeUserDetailsService; @Resource private SmsCodeValidateFilter smsCodeValidateFilter; @Override public void configure(HttpSecurity http) throws Exception { //创建手机校验过滤器实例 SmsCodeAuthenticationFilter smsCodeAuthenticationFilter = new SmsCodeAuthenticationFilter(); //接收 AuthenticationManager 认证管理器 smsCodeAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class)); //处理成功handler //smsCodeAuthenticationFilter.setAuthenticationSuccessHandler(myAuthenticationSuccessHandler); //处理失败handler //smsCodeAuthenticationFilter.setAuthenticationFailureHandler(myAuthenticationFailureHandler); smsCodeAuthenticationFilter.setRememberMeServices(http.getSharedObject(RememberMeServices.class)); // 获取验证码提供者 SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider(); smsCodeAuthenticationProvider.setUserDetailsService(smsCodeUserDetailsService); //在用户密码过滤器前面加入短信验证码校验过滤器 http.addFilterBefore(smsCodeValidateFilter, UsernamePasswordAuthenticationFilter.class); //在用户密码过滤器后面加入短信验证码认证授权过滤器 http.authenticationProvider(smsCodeAuthenticationProvider) .addFilterAfter(smsCodeAuthenticationFilter, UsernamePasswordAuthenticationFilter.class); } }
绑定到安全配置 LearnSrpingSecurity
. 向 LearnSrpingSecurity中注入 SmsCodeValidateFilter和 SmsCodeSecurityConfig实例
将 SmsCodeValidateFilter实例添加到 UsernamePasswordAuthenticationFilter 前面
. 向 LearnSrpingSecurity中注入 SmsCodeValidateFilter和 SmsCodeSecurityConfig实例 将 SmsCodeValidateFilter实例添加到 UsernamePasswordAuthenticationFilter 前面 http.
- 在 LearnSrpingSecurity#confifigure(HttpSecurity http) 方法体最后调用 apply 添加 SmsCodeSecurityConfig
.and() .apply(smsCodeSecurityConfig)
具体实现如图
实现手机登录RememberMe功能
实现分析
在UsernamePasswordAuthenticationFilter过滤器中有一个RememberMeServices引用,它的父类AbstractAuthenticationProcessingFilter,提供提供的 setRememberMeServices方法。
而在实现手机短信验证码登录时,我们自定了一个 MobileAuthenticationFilter 也一样的继承了AbstractAuthenticationProcessingFilter 它,我们只要向其 setRememberMeServices 方法手动注入一 个 RememberMeServices 实例即可。
代码实现
- 在com.security.learn.config.SmsCodeSecurityConfig中向SmsCodeAuthenticationFilter中注入RememberMeServices实例
smsCodeAuthenticationFilter.setRememberMeServices(http.getSharedObject(RememberMeServices.class));
- 检查 记住我 的 input 标签的 name=“remember-me-test”
<span>记住我</span><input type="checkbox" name="remember-me-test" > <br>
rememberMeParameter设置from表单“自动登录”勾选框的参数名称。如果这里改了,from表单中checkbox的name属性要对应的更改。如果不设置默认是remember-me。
rememberMeCookieName设置了保存在浏览器端的cookie的名称,如果不设置默认也是remember-me。如下图中查看浏览器的cookie。
测试
重启项目,访问 http://localhost:8888/mobile/page输入手机号与验证码, 勾选 记住我 , 点击登录
查看数据库中中 persistent_logins 表的记录
关闭浏览器, 再重新打开浏览器访问http://localhost:8888 , 发现会跳转回用户名密码登录页,而正常应该勾选了 记住我 , 这一步应该是可以正常访问的.
错误原因
数据库中 username 为 手机号 1333383XXXX, 当你访问http://localhost:8888默认RememberMeServices 是调
用 CustomUserDetailsService 通过用户名查询, 而 当前在 CustomUserDetailsService 判断了用户名为 admin才通
过认证, 而此时传入的用户名是 1333383XXXX, 所以查询不到 1333383XXXX用户数据
错误解决方式
数据库中的 persistent_logins 表为什么存储的是手机号?原因是当前在 SmsCodeUserDetailsService中返回的 User 对象中的 username 属性设置的是手机号 mobile,而应该设置这个手机号所对应的那个用户名. 比如当前username 的值
@Slf4j @Component("smsCodeUserDetailsService") public class SmsCodeUserDetailsService implements UserDetailsService { @Override public UserDetails loadUserByUsername(String mobile) throws UsernameNotFoundException { log.info("请求的手机号是:" + mobile); return new User("admin", "", true, true, true, true, AuthorityUtils.commaSeparatedStringToAuthorityList("ADMIN")); } }
注:我们这里实际上是写为固定admin了实际上需要通过数据库根据手机号获取用户信息。
关闭浏览再打开访问http://localhost:8888就无需手动登录认证了。因为默认采用的 CustomUserDetailsService 查询可查询到用户名为 admin 的信息,即认证通过
如果您觉得本文不错,欢迎关注,点赞,收藏支持,您的关注是我坚持的动力!
