[权限管理系统(四)]-spring boot +spring security短信认证+redis整合
[权限管理系统]spring boot +spring security短信认证+redis整合
现在主流的登录方式主要有 3 种:账号密码登录、短信验证码登录和第三方授权登录,前面一节Spring security(三)---认证过程已分析了spring security账号密码方式登陆,现在我们来分析一下spring security短信方式认证登陆。
Spring security 短信方式、IP验证等类似模式登录方式验证,可以根据账号密码方式登录步骤仿写出来,其主要以以下步骤进行展开:
自定义Filter:
自定义Authentication
自定义AuthenticationProvider
自定义UserDetailsService
SecurityConfig配置
1. 自定义filter:
自定义filter可以根据UsernamePasswordAuthenticationFilter过滤器进行仿写,其实质即实现AbstractAuthenticationProcessingFilter抽象类,主要流程分为:
构建构造器,并在构造器中进行配置请求路径以及请求方式的过滤
自定义attemptAuthentication()认证步骤
在2步骤中认证过程中需要AuthenticationProvider进行最终的认证,在认证filter都需要将AuthenticationProvider设置进filter中,而管理AuthenticationProvider的是AuthenticationManager,因此我们创建过滤器filter的时候需要设置AuthenticationManager,这步具体详情在5.1 SecurityConfig配置步骤。
在第2步中attemptAuthentication()认证方法主要进行以下步骤:
1).post请求认证;
2).request请求获取手机号码和验证码;
3).用自定义的Authentication对象封装手机号码和验证码;
4).使用AuthenticationManager.authenticate()方法进行验证。
自定义filter实现代码:
public class SmsAuthenticationfilter extends AbstractAuthenticationProcessingFilter {
private boolean postOnly = true;
public SmsAuthenticationfilter() {
super(new AntPathRequestMatcher(SecurityConstants.APP_MOBILE_LOGIN_URL, "POST"));
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
Assert.hasText(SecurityConstants.MOBILE_NUMBER_PARAMETER, "mobile parameter must not be empty or null");
String mobile = request.getParameter(SecurityConstants.MOBILE_NUMBER_PARAMETER);
String smsCode = request.ge+tParameter(SecurityConstants.MOBILE_VERIFY_CODE_PARAMETER);
if (mobile == null) {
mobile="";
}
if(smsCode == null){
smsCode="";
}
mobile = mobile.trim();
smsCode = smsCode.trim();
SmsAuthenticationToken authRequest = new SmsAuthenticationToken(mobile,smsCode);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}protected void setDetails(HttpServletRequest request,
SmsAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
public void setPostOnly(boolean postOnly) {
this.postOnly = postOnly;
}
}
2. Authentication:
在filter以及后面的认证都需要使用到自定义的Authentication对象,自定义Authentication对象可以根据UsernamePasswordAuthenticationToken进行仿写,实现AbstractAuthenticationToken抽象类。
自定义SmsAuthenticationToken:
public class SmsAuthenticationToken extends AbstractAuthenticationToken {
private final Object principal;
private Object credentials;
public SmsAuthenticationToken(Object principal,Object credentials ) {
super(null);
this.principal = principal;
this.credentials=credentials;
setAuthenticated(false);
}
public SmsAuthenticationToken(Object principal, Object credentials,Collection<? extends GrantedAuthority> authorities) {
super(null);
this.principal = principal;
this.credentials=credentials;
setAuthenticated(true);
}
@Override
public Object getCredentials() {
return this.credentials=credentials;
}
@Override
public Object getPrincipal() {
return this.principal;
}
public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
if (isAuthenticated) {
throw new IllegalArgumentException(
"Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}
super.setAuthenticated(false);
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
}
}
3.AuthenticationProvider
AuthenticationProvider最终认证策略入口,短信方式验证需自定义AuthenticationProvider。可以根据AbstractUserDetailsAuthenticationProvider进行仿写,实现AuthenticationProvider以及MessageSourceAware接口。认证逻辑可以定义实现。
自定义AuthenticationProvider:
public class SmsAuthenticationProvide implements AuthenticationProvider, MessageSourceAware {
private UserDetailsService userDetailsService;
private MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
@Override
public void setMessageSource(MessageSource messageSource) {
this.messages = new MessageSourceAccessor(messageSource);
}
@Override
public Authentication authenticate(Authentication authentication) {
Assert.isInstanceOf(SmsAuthenticationToken.class, authentication,
messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.onlySupports",
"Only UsernamePasswordAuthenticationToken is supported"));
SmsAuthenticationToken authenticationToken = (SmsAuthenticationToken) authentication;
//将验证信息保存在SecurityContext以供UserDetailsService进行验证
SecurityContext context = SecurityContextHolder.getContext();
context.setAuthentication(authenticationToken);
String mobile = (String) authenticationToken.getPrincipal();
if (mobile == null) {
throw new InternalAuthenticationServiceException("can't obtain user info ");
}
mobile = mobile.trim();
//进行验证以及获取用户信息
UserDetails user = userDetailsService.loadUserByUsername(mobile);
if (user == null) {
throw new InternalAuthenticationServiceException("can't obtain user info ");
}
SmsAuthenticationToken smsAuthenticationToken = new SmsAuthenticationToken(user, user.getAuthorities());
return smsAuthenticationToken;
}
@Override
public boolean supports(Class<?> authentication) {
return (SmsAuthenticationToken.class.isAssignableFrom(authentication));
}
public void setUserDetailsService(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
public UserDetailsService getUserDetailsService() {
return userDetailsService;
}
}
4. UserDetailsService
在AuthenticationProvider最终认证策略入口,认证方式实现逻辑是在UserDetailsService。可以根据自己项目自定义认证逻辑。
自定义UserDetailsService:
public class SmsUserDetailsService implements UserDetailsService {
@Autowired
private RedisUtil redisUtil;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//从SecurityContext获取认证所需的信息(手机号码、验证码)
SecurityContext context = SecurityContextHolder.getContext();
SmsAuthenticationToken authentication = (SmsAuthenticationToken) context.getAuthentication();
if(!additionalAuthenticationChecks(username,authentication)){
return null;
}
//获取用户手机号码对应用户的信息,包括权限等
return new User("admin", "123456", Arrays.asList(new SimpleGrantedAuthority("admin")));
}
public boolean additionalAuthenticationChecks(String mobile, SmsAuthenticationToken smsAuthenticationToken) {
//获取redis中手机键值对应的value验证码
String smsCode = redisUtil.get(mobile).toString();
//获取用户提交的验证码
String credentials = (String) smsAuthenticationToken.getCredentials();
if(StringUtils.isEmpty(credentials)){
return false;
}
if (credentials.equalsIgnoreCase(smsCode)) {
return true;
}
return false;
}
}
5.SecurityConfig
5.1 自定义Sms短信验证组件配置SecurityConfig
将自定义组件配置SecurityConfig中,可以根据AbstractAuthenticationFilterConfigurer(子类FormLoginConfigurer)进行仿写SmsAuthenticationSecurityConfig,主要进行以下配置:
将默认AuthenticationManager(也可以定义的)设置到自定义的filter过滤器中
将自定义的UserDetailsService设置到自定义的AuthenticationProvide中以供使用
将过滤器添加到过滤链路中,实施过滤操作。(一般以加在UsernamePasswordAuthenticationFilter前)
配置SmsAuthenticationSecurityConfig:
@Component
public class SmsAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
@Autowired
private UserDetailsService userDetailsService;
@Override
public void configure(HttpSecurity http) throws Exception {
//创建并配置好自定义SmsAuthenticationfilter,
SmsAuthenticationfilter smsAuthenticationfilter = new SmsAuthenticationfilter();
smsAuthenticationfilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
smsAuthenticationfilter.setAuthenticationSuccessHandler(customAuthenticationSuccessHandler());
smsAuthenticationfilter.setAuthenticationFailureHandler(customAuthenticationFailureHandler());
//创建并配置好自定义SmsAuthenticationProvide
SmsAuthenticationProvide smsAuthenticationProvide=new SmsAuthenticationProvide();
smsAuthenticationProvide.setUserDetailsService(userDetailsService);
http.authenticationProvider(smsAuthenticationProvide);
//将过滤器添加到过滤链路中
http.addFilterAfter(smsAuthenticationfilter, UsernamePasswordAuthenticationFilter.class);
}
@Bean
public CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler() {
return new CustomAuthenticationSuccessHandler();
} @Bean
public CustomAuthenticationFailureHandler customAuthenticationFailureHandler() {
return new CustomAuthenticationFailureHandler();
}
}
5.2 SecurityConfig主配置
SecurityConfig主配置可以参照第二节Spring Security(二)--WebSecurityConfigurer配置以及filter顺序进行配置。
SecurityConfig主配置:
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private SmsAuthenticationSecurityConfig smsAuthenticationSecurityConfig;
@Autowired
private CustomAuthenticationSuccessHandler authenticationSuccessHandler;
@Autowired
private CustomAuthenticationFailureHandler authenticationFailureHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers().frameOptions().disable().and()
.formLogin()
.loginPage(SecurityConstants.APP_FORM_LOGIN_PAGE)
//配置form登陆的自定义URL
.loginProcessingUrl(SecurityConstants.APP_FORM_LOGIN_URL)
.successHandler(authenticationSuccessHandler)
.failureHandler(authenticationFailureHandler)
.and()
//配置smsAuthenticationSecurityConfig
.apply(smsAuthenticationSecurityConfig)
.and()
//运行通过URL
.authorizeRequests()
.antMatchers(SecurityConstants.APP_MOBILE_VERIFY_CODE_URL,
SecurityConstants.APP_USER_REGISTER_URL)
.permitAll()
.and()
.csrf().disable();
}
@Bean
public ObjectMapper objectMapper(){
return new ObjectMapper();
}
}
6.其他
6.1 redis
RedisUtil工具类:
@Component
public class RedisUtil {
@Autowired
private RedisTemplate<String, Object> redisTemplate;
/**
* 普通缓存获取
*
* @param key 键
* @return 值
*/
public Object get(String key) {
return key == null ? null : redisTemplate.opsForValue().get(key);
}
/**
* 普通缓存放入
*
* @param key 键
* @param value 值
* @return true成功 false失败
*/
public boolean set(String key, Object value) {
try {
redisTemplate.opsForValue().set(key, value);
return true;
} catch (Exception e) {
e.printStackTrace();
return false;
}
}
/**
* 普通缓存放入并设置时间
*
* @param key 键
* @param value 值
* @param time 时间(秒) time要大于0 如果time小于等于0 将设置无限期
* @return true成功 false 失败
*/
public boolean set(String key, Object value, long time) {
try {
if (time > 0) {
redisTemplate.opsForValue().set(key, value, time, TimeUnit.SECONDS);
} else {
set(key, value);
}
return true;
} catch (Exception e) {
e.printStackTrace();
return false;
}
}
}
redisConfig配置类:
@Configuration
public class RedisConfig {
@Autowired
private RedisProperties properties;
@Bean
@SuppressWarnings("all")
@ConditionalOnClass(RedisConnectionFactory.class)
public RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory factory) {
RedisTemplate<String, Object> template = new RedisTemplate<String, Object>();
template.setConnectionFactory(factory);
Jackson2JsonRedisSerializer jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer(Object.class);
ObjectMapper om = new ObjectMapper();
om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
om.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
jackson2JsonRedisSerializer.setObjectMapper(om);
StringRedisSerializer stringRedisSerializer = new StringRedisSerializer();
// key采用String的序列化方式
template.setKeySerializer(stringRedisSerializer);
// hash的key也采用String的序列化方式
template.setHashKeySerializer(stringRedisSerializer);
// value序列化方式采用jackson
template.setValueSerializer(jackson2JsonRedisSerializer);
// hash的value序列化方式采用jackson
template.setHashValueSerializer(jackson2JsonRedisSerializer);
template.afterPropertiesSet();
return template;
}
@Bean
@Qualifier("redisConnectionFactory")
public RedisConnectionFactory redisConnectionFactory(){
RedisStandaloneConfiguration redisConfig = new RedisStandaloneConfiguration();
redisConfig.setHostName(properties.getHost());
redisConfig.setPort(properties.getPort());
redisConfig.setPassword(RedisPassword.of(properties.getPassword()));
redisConfig.setDatabase(properties.getDatabase());
//redis连接池数据设置
JedisClientConfiguration.JedisClientConfigurationBuilder builder = JedisClientConfiguration.builder();
if (this.properties.getTimeout() != null) {
Duration timeout = this.properties.getTimeout();
builder.readTimeout(timeout).connectTimeout(timeout);
}
RedisProperties.Pool pool = this.properties.getJedis().getPool();
if (pool != null) {
builder.usePooling().poolConfig(this.jedisPoolConfig(pool));
}
JedisClientConfiguration jedisClientConfiguration = builder.build();
//根据两个配置类生成JedisConnectionFactory
return new JedisConnectionFactory(redisConfig,jedisClientConfiguration);
}
private JedisPoolConfig jedisPoolConfig(RedisProperties.Pool pool) {
JedisPoolConfig config = new JedisPoolConfig();
config.setMaxTotal(pool.getMaxActive());
config.setMaxIdle(pool.getMaxIdle());
config.setMinIdle(pool.getMinIdle());
if (pool.getMaxWait() != null) {
config.setMaxWaitMillis(pool.getMaxWait().toMillis());
}
return config;
}
}
7.总结
可以根据短信验证登陆模式去实现类似的验证方式,可以结合本节的例子进行跟项目结合起来,减少开发时间。后续还有第三方登陆方式分析以案例。最后错误请评论指出!
往期文章:
各位看官还可以吗?喜欢的话,动动手指点个赞
[权限管理系统(四)]-spring boot +spring security短信认证+redis整合的更多相关文章
- 新书上线:《Spring Boot+Spring Cloud+Vue+Element项目实战:手把手教你开发权限管理系统》,欢迎大家买回去垫椅子垫桌脚
新书上线 大家好,笔者的新书<Spring Boot+Spring Cloud+Vue+Element项目实战:手把手教你开发权限管理系统>已上线,此书内容充实.材质优良,乃家中必备垫桌脚 ...
- 基于Spring Boot+Spring Security+JWT+Vue前后端分离的开源项目
一.前言 最近整合Spring Boot+Spring Security+JWT+Vue 完成了一套前后端分离的基础项目,这里把它开源出来分享给有需要的小伙伴们 功能很简单,单点登录,前后端动态权限配 ...
- 255.Spring Boot+Spring Security:使用md5加密
说明 (1)JDK版本:1.8 (2)Spring Boot 2.0.6 (3)Spring Security 5.0.9 (4)Spring Data JPA 2.0.11.RELEASE (5)h ...
- 256.Spring Boot+Spring Security: MD5是加密算法吗?
说明 (1)JDK版本:1.8 (2)Spring Boot 2.0.6 (3)Spring Security 5.0.9 (4)Spring Data JPA 2.0.11.RELEASE (5)h ...
- Spring Boot+Spring Security:获取用户信息和session并发控制
说明 (1)JDK版本:1.8(2)Spring Boot 2.0.6(3)Spring Security 5.0.9(4)Spring Data JPA 2.0.11.RELEASE(5)hiber ...
- 快速搭建基于Spring Boot + Spring Security 环境
个人博客网:https://wushaopei.github.io/ (你想要这里多有) 1.Spring Security 权限管理框架介绍 简介: Spring Security 提供了基于 ...
- Spring Boot+Spring Security+JWT 实现 RESTful Api 认证(二)
Spring Boot+Spring Security+JWT 实现 RESTful Api 认证(二) 摘要 上一篇https://javaymw.com/post/59我们已经实现了基本的登录和t ...
- Spring boot +Spring Security + Thymeleaf 认证失败返回错误信息
[Please make sure to select the branch corresponding to the version of Thymeleaf you are using] Stat ...
- Spring Boot+Spring Security+JWT 实现 RESTful Api 认证(一)
标题 Spring Boot+Spring Security+JWT 实现 RESTful Api 认证(一) 技术 Spring Boot 2.Spring Security 5.JWT 运行环境 ...
随机推荐
- lqb 基础练习 查找整数 (遍历)
基础练习 查找整数 时间限制:1.0s 内存限制:256.0MB 问题描述 给出一个包含n个整数的数列,问整数a在数列中的第一次出现是第几个. 输入格式 第一行包含一个整数n. 第二行包含 ...
- nyoj 199-无线网络覆盖 (ceil())
199-无线网络覆盖 内存限制:64MB 时间限制:3000ms 特判: No 通过数:4 提交数:13 难度:3 题目描述: 我们的乐乐同学对于网络可算得上是情有独钟,他有一个计划,那就是用无线网覆 ...
- web前端面试经常遇得到的题型
1.position的值, relative和absolute分别是相对于谁进行定位的? § absolute :生成绝对定位的元素, 相对于最近一级的 定位不是 static 的父元素来进行定位. ...
- Day01第一天 Python基础一
变量 就是将一些运算的中间结果暂时存在内存中,以便后续代码的调用. >命名规则: 1,只能以字母,数字,下划线自由组合,且,不能以数字开头.2,不能是 Python 中的关键字.3,要具有可 ...
- 理解Redis单线程运行模式
本文首发于:https://mp.weixin.qq.com/s/je4nqCIq6ARhSV2V5Ymmtg 微信公众号:后端技术指南针 0.概述 通过本文将了解到以下内容: Redis服务器采用单 ...
- 看了这篇Redis,我以大专生的身份,进入了阿里,定级P7
摘要: 前几天讲了Redis的面试知识点,当然那只是一部分,我相信各位在面试,或者实际开发过程中对缓存雪崩,穿透,击穿也不陌生吧,就算没遇到过但是你肯定听过,那三者到底有什么区别,我们又应该怎么去防止 ...
- Java的Arrays类 基本用法
初识Java的Arrays类 Arrays类包括很多用于操作数组的静态方法(例如排序和搜索),且静态方法可以通过类名Arrays直接调用.用之前需要导入Arrays类: import java.uti ...
- tar文件归档
tar是UNIX和类UNIX系统上的压缩,备份工具, 名字来源于Tape archive--磁盘归档,最初的时候是用来将数据储存,备份到磁带上的.而今最简单的备份方法是添加新的磁盘或者在云端存储,但即 ...
- Spring 框架基础(05):事务管理机制,和实现方式
本文源码:GitHub·点这里 || GitEE·点这里 一.Spring事务管理 1.基础描述 Spring事务管理的本质就是封装了数据库对事务支持的操作,使用JDBC的事务管理机制,就是利用jav ...
- 【RN - 基础】之View使用简介
简介 View是一个容器,支持FlexBox布局. View既可以作为容器容纳其他组件,也可以作为一个组件包含进另一个容器中. 无论运行在哪个平台上,View都会直接对应这个平台的原生视图,如iOS中 ...