之前文章都是基于用戶名密碼登錄，第六章圖形驗證碼登錄其實還是用戶名密碼登錄，只不過多了一層圖形驗證碼校驗而已；Spring Security默認提供的認證流程就是用戶名密碼登錄，整個流程都已經(jīng)固定了，雖然提供了一些接口擴展，但是有些時候我們就需要有自己特殊的身份認證邏輯，比如用短信驗證碼登錄，它和用戶名密碼登錄的邏輯是不一樣的，這時候就需要重新寫一套身份認證邏輯。

開發(fā)短信驗證碼接口

獲取驗證碼

短信驗證碼的發(fā)送獲取邏輯和圖片驗證碼類似，這里直接貼出代碼。

@GetMapping('/code/sms')public void createSmsCode(HttpServletRequest request, HttpServletResponse response) throws Exception {// 創(chuàng)建驗證碼ValidateCode smsCode = createCodeSmsCode(request);// 將驗證碼放到session中sessionStrategy.setAttribute(new ServletWebRequest(request), SMS_CODE_SESSION_KEY, smsCode);String mobile = ServletRequestUtils.getRequiredStringParameter(request, 'mobile');// 發(fā)送驗證碼smsCodeSender.send(mobile, smsCode.getCode());}

前端代碼

<tr><td>手機號:</td><td><input type='text' name='mobile' value='13012345678'></td></tr><tr><td>短信驗證碼:</td><td><input type='text' name='smsCode'><a href='http://m.4tl426be.cn/code/sms?mobile=13012345678' rel='external nofollow' >發(fā)送驗證碼</a></td></tr>

短信驗證碼流程原理

短信驗證碼登錄和用戶名密碼登錄對比

步驟流程

首先點擊登錄應該會被SmsAuthenticationFilter過濾器處理，這個過濾器拿到請求以后會在登錄請求中拿到手機號，然后封裝成自定義的一個SmsAuthenticationToken（未認證）。 這個Token也會傳給AuthenticationManager，因為AuthenticationManager整個系統(tǒng)只有一個，它會檢索系統(tǒng)中所有的AuthenticationProvider，這時候我們要提供自己的SmsAuthenticationProvider，用它來校驗自己寫的SmsAuthenticationToken的手機號信息。 在校驗的過程中同樣會調(diào)用UserDetailsService，把手機號傳給它讓它去讀用戶信息，去判斷是否能登錄，登錄成功的話再把SmsAuthenticationToken標記為已認證。 到這里為止就是短信驗證碼的認證流程，上面的流程并沒有提到校驗驗證碼信息，其實它的驗證流程和圖形驗證碼驗證流程也是類似，同樣是在SmsAuthenticationFilter過濾器之前加一個過濾器來驗證短信驗證碼。

代碼實現(xiàn)

SmsCodeAuthenticationToken

作用：封裝認證Token 實現(xiàn)：可以繼承AbstractAuthenticationToken抽象類，該類實現(xiàn)了Authentication接口

public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;private final Object principal;/** * 進入SmsAuthenticationFilter時，構(gòu)建一個未認證的Token * * @param mobile */public SmsCodeAuthenticationToken(String mobile) {super(null);this.principal = mobile;setAuthenticated(false);}/** * 認證成功以后構(gòu)建為已認證的Token * * @param principal * @param authorities */public SmsCodeAuthenticationToken(Object principal,Collection<? extends GrantedAuthority> authorities) {super(authorities);this.principal = principal;super.setAuthenticated(true);}@Overridepublic Object getCredentials() {return null;}@Overridepublic Object getPrincipal() {return this.principal;}@Overridepublic void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {if (isAuthenticated) {throw new IllegalArgumentException('Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead');}super.setAuthenticated(false);}@Overridepublic void eraseCredentials() {super.eraseCredentials();}}

SmsCodeAuthenticationFilter

作用：處理短信登錄的請求，構(gòu)建Token，把請求信息設置到Token中。 實現(xiàn)：該類可以模仿UsernamePasswordAuthenticationFilter類，繼承AbstractAuthenticationProcessingFilter抽象類

public class SmsCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {private String mobileParameter = 'mobile';private boolean postOnly = true; /** * 表示要處理的請求路徑 */public SmsCodeAuthenticationFilter() { super(new AntPathRequestMatcher('/authentication/mobile', 'POST'));} @Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)throws AuthenticationException {if (postOnly && !request.getMethod().equals('POST')) {throw new AuthenticationServiceException('Authentication method not supported: ' + request.getMethod());}String mobile = obtainMobile(request);if (mobile == null) {mobile = '';}mobile = mobile.trim();SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile);// 把請求信息設到Token中setDetails(request, authRequest);return this.getAuthenticationManager().authenticate(authRequest);}/** * 獲取手機號 */protected String obtainMobile(HttpServletRequest request) {return request.getParameter(mobileParameter);}protected void setDetails(HttpServletRequest request, SmsCodeAuthenticationToken authRequest) {authRequest.setDetails(authenticationDetailsSource.buildDetails(request));}public void setMobileParameter(String usernameParameter) {Assert.hasText(usernameParameter, 'Username parameter must not be empty or null');this.mobileParameter = usernameParameter;}public void setPostOnly(boolean postOnly) {this.postOnly = postOnly;}public final String getMobileParameter() {return mobileParameter;}}

SmsAuthenticationProvider

作用：提供認證Token的校驗邏輯，配置為能夠支持SmsCodeAuthenticationToken的校驗 實現(xiàn)：實現(xiàn)AuthenticationProvider接口，實現(xiàn)其兩個方法。

public class SmsCodeAuthenticationProvider implements AuthenticationProvider {private UserDetailsService userDetailsService; /** * 進行身份認證的邏輯 * * @param authentication * @return * @throws AuthenticationException */@Overridepublic Authentication authenticate(Authentication authentication) throws AuthenticationException {SmsCodeAuthenticationToken authenticationToken = (SmsCodeAuthenticationToken) authentication;UserDetails user = userDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal());if (user == null) {throw new InternalAuthenticationServiceException('無法獲取用戶信息');}SmsCodeAuthenticationToken authenticationResult = new SmsCodeAuthenticationToken(user, user.getAuthorities());authenticationResult.setDetails(authenticationToken.getDetails());return authenticationResult;} /** * 表示支持校驗的Token，這里是SmsCodeAuthenticationToken * * @param authentication * @return */@Overridepublic boolean supports(Class<?> authentication) {return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);}public UserDetailsService getUserDetailsService() {return userDetailsService;}public void setUserDetailsService(UserDetailsService userDetailsService) {this.userDetailsService = userDetailsService;}}

ValidateCodeFilter

作用：校驗短信驗證碼 實現(xiàn)：和圖形驗證碼類似，繼承OncePerRequestFilter接口防止多次調(diào)用，主要就是驗證碼驗證邏輯，驗證通過則繼續(xù)下一個過濾器。

@Component('validateCodeFilter')public class ValidateCodeFilter extends OncePerRequestFilter implements InitializingBean {/** * 驗證碼校驗失敗處理器 */@Autowiredprivate AuthenticationFailureHandler authenticationFailureHandler;/** * 系統(tǒng)配置信息 */@Autowiredprivate SecurityProperties securityProperties;/** * 系統(tǒng)中的校驗碼處理器 */@Autowiredprivate ValidateCodeProcessorHolder validateCodeProcessorHolder;/** * 存放所有需要校驗驗證碼的url */private Map<String, ValidateCodeType> urlMap = new HashMap<>();/** * 驗證請求url與配置的url是否匹配的工具類 */private AntPathMatcher pathMatcher = new AntPathMatcher();/** * 初始化要攔截的url配置信息 */@Overridepublic void afterPropertiesSet() throws ServletException {super.afterPropertiesSet();urlMap.put('/authentication/mobile', ValidateCodeType.SMS);addUrlToMap(securityProperties.getCode().getSms().getUrl(), ValidateCodeType.SMS);}/** * 講系統(tǒng)中配置的需要校驗驗證碼的URL根據(jù)校驗的類型放入map * * @param urlString * @param type */protected void addUrlToMap(String urlString, ValidateCodeType type) {if (StringUtils.isNotBlank(urlString)) {String[] urls = StringUtils.splitByWholeSeparatorPreserveAllTokens(urlString, ',');for (String url : urls) {urlMap.put(url, type);}}}/** * 驗證短信驗證碼 * * @param request * @param response * @param chain * @throws ServletException * @throws IOException */@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)throws ServletException, IOException {ValidateCodeType type = getValidateCodeType(request);if (type != null) {logger.info('校驗請求(' + request.getRequestURI() + ')中的驗證碼,驗證碼類型' + type);try {// 進行驗證碼的校驗validateCodeProcessorHolder.findValidateCodeProcessor(type).validate(new ServletWebRequest(request, response));logger.info('驗證碼校驗通過');} catch (ValidateCodeException exception) {// 如果校驗拋出異常，則交給我們之前文章定義的異常處理器進行處理authenticationFailureHandler.onAuthenticationFailure(request, response, exception);return;}}// 繼續(xù)調(diào)用后邊的過濾器chain.doFilter(request, response);}/** * 獲取校驗碼的類型，如果當前請求不需要校驗，則返回null * * @param request * @return */private ValidateCodeType getValidateCodeType(HttpServletRequest request) {ValidateCodeType result = null;if (!StringUtils.equalsIgnoreCase(request.getMethod(), 'GET')) {Set<String> urls = urlMap.keySet();for (String url : urls) {if (pathMatcher.match(url, request.getRequestURI())) {result = urlMap.get(url);}}}return result;}}

添加配置

SmsCodeAuthenticationSecurityConfig

作用：配置SmsCodeAuthenticationFilter，后面需要把這些配置加到主配置類BrowserSecurityConfig

@Componentpublic class SmsCodeAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {@Autowiredprivate AuthenticationSuccessHandler meicloudAuthenticationSuccessHandler;@Autowiredprivate AuthenticationFailureHandler meicloudAuthenticationFailureHandler;@Autowiredprivate UserDetailsService userDetailsService;@Autowiredprivate PersistentTokenRepository persistentTokenRepository;@Overridepublic void configure(HttpSecurity http) throws Exception {SmsCodeAuthenticationFilter smsCodeAuthenticationFilter = new SmsCodeAuthenticationFilter();// 設置AuthenticationManagersmsCodeAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));// 設置登錄成功處理器smsCodeAuthenticationFilter.setAuthenticationSuccessHandler(meicloudAuthenticationSuccessHandler);// 設置登錄失敗處理器smsCodeAuthenticationFilter.setAuthenticationFailureHandler(meicloudAuthenticationFailureHandler);String key = UUID.randomUUID().toString();smsCodeAuthenticationFilter.setRememberMeServices(new PersistentTokenBasedRememberMeServices(key, userDetailsService, persistentTokenRepository));SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider();smsCodeAuthenticationProvider.setUserDetailsService(userDetailsService);// 將自己寫的Provider加到Provider集合里去http.authenticationProvider(smsCodeAuthenticationProvider).addFilterAfter(smsCodeAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);}}

BrowserSecurityConfig

作用：主配置類；添加短信驗證碼配置類、添加SmsCodeAuthenticationSecurityConfig配置

@Configurationpublic class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}@Autowiredprivate SecurityProperties securityProperties;@Autowiredprivate DataSource dataSource;@Autowiredprivate UserDetailsService userDetailsService;@Autowiredprivate AuthenticationSuccessHandler meicloudAuthenticationSuccessHandler;@Autowiredprivate AuthenticationFailureHandler meicloudAuthenticationFailureHandler;@Autowiredprivate SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig;@Overrideprotected void configure(HttpSecurity http) throws Exception {// 驗證碼校驗過濾器ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();// 將驗證碼校驗過濾器加到 UsernamePasswordAuthenticationFilter 過濾器之前http.addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class).formLogin()// 當用戶登錄認證時默認跳轉(zhuǎn)的頁面.loginPage('/authentication/require')// 以下這行 UsernamePasswordAuthenticationFilter 會知道要處理表單的 /authentication/form 請求，而不是默認的 /login.loginProcessingUrl('/authentication/form').successHandler(meicloudAuthenticationSuccessHandler).failureHandler(meicloudAuthenticationFailureHandler)// 配置記住我功能.and().rememberMe()// 配置TokenRepository.tokenRepository(persistentTokenRepository())// 配置Token過期時間.tokenValiditySeconds(3600)// 最終拿到用戶名之后，使用UserDetailsService去做登錄.userDetailsService(userDetailsService).and().authorizeRequests()// 排除對 '/authentication/require' 和 '/meicloud-signIn.html' 的身份驗證.antMatchers('/authentication/require', securityProperties.getBrowser().getSignInPage(), '/code/*').permitAll()// 表示所有請求都需要身份驗證.anyRequest().authenticated().and().csrf().disable()// 暫時把跨站請求偽造的功能關(guān)閉掉// 相當于把smsCodeAuthenticationSecurityConfig里的配置加到上面這些配置的后面.apply(smsCodeAuthenticationSecurityConfig);}/** * 記住我功能的Token存取器配置 * * @return */@Beanpublic PersistentTokenRepository persistentTokenRepository() {JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();tokenRepository.setDataSource(dataSource);// 啟動的時候自動創(chuàng)建表，建表語句 JdbcTokenRepositoryImpl 已經(jīng)都寫好了tokenRepository.setCreateTableOnStartup(true);return tokenRepository;}}

總結(jié)

到此這篇關(guān)于Spring Security 實現(xiàn)短信驗證碼登錄功能的文章就介紹到這了,更多相關(guān)spring security 驗證碼登錄內(nèi)容請搜索好吧啦網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持好吧啦網(wǎng)！