Spring Security使用指南

一、基于游览器的安全

表单登陆

设置表单登陆【继承WebSecurityConfigurerAdapter进行适配】

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
/**
 * 游览器端安全配置，当访问非登陆请求时，会在FilterSecurityInterceptor进行判断是否有权限
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

  // 密码的加密器，高版本必须使用
  @Bean
  public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
  }

  private AuthenticationSuccessHandler successHandler = new LoginSuccessHandler();
  private AuthenticationFailureHandler failureHandler = new LoginFailureHandler();

  /**
     * 登陆、安全拦截配置
     */
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.formLogin()                       			// 设置为基于表带验证
      // 当没有进行身份认证且访问需要权限的Api时跳入到这个请求
      .loginPage("/authentication/require")
      // 提交表单的地址，默认/login【查看UsernamePasswordAuthenticationFilter】
      .loginProcessingUrl("/authentication/commit")
      // 登陆成功的处理
      .successHandler(successHandler)
      // 登陆失败的处理
      .failureHandler(failureHandler)
      .and()
      .authorizeRequests()            						//认证的请求
      .antMatchers(HttpMethod.GET,
                   "/authentication/require",					//先访问的请求
                   "/authentication/commit",					//提交表单的地址
                   "/login/user.html")						//登录页
      .permitAll()                    						//允许所有
      .anyRequest()                   						//任何请求
      .authenticated()                						//需要身份认证
      .and().csrf().disable()         						//屏蔽csrf
  }
}

@RestController
public class BrowserSecurityController {

  private Logger log = LoggerFactory.getLogger(BrowserSecurityController.class);

  private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

  /**
    * 当没有进行身份认证且访问需要权限的Api时跳入到这个请求
    * 如果没权限根据请求的方式【Ajax或者HTML】进行返回指定信息
    */
  @GetMapping("/authentication/require")
  @ResponseStatus(HttpStatus.UNAUTHORIZED)
  public AuthenticationResponse requireAuthentication(
    HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    String requestedWith = request.getHeader("X-Requested-With");
    if (!"XMLHttpRequest".equals(requestedWith)) {
      log.debug("未进行身份认证，游览器请求将跳转至登陆页面");
      redirectStrategy.sendRedirect(request, response, "/login/user.html");
      return null;
    }else {
      log.debug("未进行身份认证，AJAX请求将返回状态码401");
      return new AuthenticationResponse(
        request.getRequestURI(), "未登陆", HttpStatus.UNAUTHORIZED.value());
    }
  }
}

/**
 * 用户登陆成功
 */
public class LoginSuccessHandler implements AuthenticationSuccessHandler {

  private ObjectMapper objectMapper = new ObjectMapper();

  private Logger log = LoggerFactory.getLogger(LoginSuccessHandler.class);

  @Override
  public void onAuthenticationSuccess(
    HttpServletRequest request,
    HttpServletResponse response,
    Authentication authentication) throws IOException, ServletException {
    log.debug("用户{}登陆成功", authentication.getPrincipal());
    SimpleResponse simpleResponse = new SimpleResponse(String.valueOf(HttpStatus.OK.value()), "登陆成功");
    response.setContentType("application/json;charset=utf-8");
    response.getWriter().write(objectMapper.writeValueAsString(simpleResponse));
    response.flushBuffer();
  }
}

/**
 * 用户登陆失败
 */
public class LoginFailureHandler implements AuthenticationFailureHandler {

  private Logger log = LoggerFactory.getLogger(LoginFailureHandler.class);

  private ObjectMapper objectMapper = new ObjectMapper();

  @Override
  public void onAuthenticationFailure(
    HttpServletRequest request,
    HttpServletResponse response,
    AuthenticationException exception) throws IOException, ServletException {
    log.info("登录失败");
    response.setStatus(HttpStatus.OK.value());
    response.setContentType("application/json;charset=UTF-8");
    SimpleResponse simpleResponse = new SimpleResponse(String.valueOf(HttpStatus.INTERNAL_SERVER_ERROR.value()), exception.getMessage());
    response.getWriter().write(objectMapper.writeValueAsString(simpleResponse));
  }
}

/**
 * 实现 UserDetailsService 接口，用户获取用户登陆信息
 */
@Service
public class SecurityUserDetailsServiceImpl implements UserDetailsService {

  private Logger log = LoggerFactory.getLogger(SecurityUserDetailsServiceImpl.class);

  @Autowired
  private UserService userService;

  // 过呢根据用户名进行登陆
  @Override
  public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    log.debug("根据用户名{}查找用户", username);
    // 查询user
    User user = userService.getUserByUserName(username);
    // 用户不存在
    if (user== null) {
      throw new UsernameNotFoundException( "用户名" + username + "账户不存在");
    }
    return user;
  }
}

/*
 * 实现UserDetails满足UserDetailsService需要返回的类型
 */
public class User implements UserDetails {
  private Integer id;
  private String  username;
  private String  password;

  // 权限信息
  @Override
  public Collection<? extends GrantedAuthority> getAuthorities() {
    return AuthorityUtils.createAuthorityList("admin");
  }

  @Override
  public String getPassword() {
    return this.password;
  }

  @Override
  public String getUsername() {
    return this.username;
  }

  // 账户没有过期
  @Override
  public boolean isAccountNonExpired() {
    return true;
  }

  // 账户没有锁定
  @Override
  public boolean isAccountNonLocked() {
    return true;
  }

  // 密码没有过期
  @Override
  public boolean isCredentialsNonExpired() {
    return true;
  }

  // 账户是否可用【注销？】
  @Override
  public boolean isEnabled() {
    return true;
  }
  //=======================Getter/Setter=======================
}

请求经过过滤器的流程图

form-request-filter

图片验证码

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
/**
 * 验证码生成工具类
 */
@Configuration
@ConditionalOnProperty(prefix = "login.verify.image", name = "enable")
@EnableConfigurationProperties(ImageCodeProperties.class)
public class ImageCodeUtil {

  private Logger log = LoggerFactory.getLogger(ImageCodeUtil.class);

  private ImageCodeProperties imageCodeProperties;

  public ImageCodeUtil(ImageCodeProperties imageCodeProperties) {
    this.imageCodeProperties = imageCodeProperties;
  }

  /**
     * code为生成的验证码
     * codePic为生成的验证码BufferedImage对象
     */
  public ImageValidateCode generateCodeAndPic() {
    Long expireDate     = imageCodeProperties.getExpireDate();      // 过期时间
    int  imageWidth     = imageCodeProperties.getImageWidth();      // 定义图片的width
    int  imageHeight    = imageCodeProperties.getFontHeight();      // 定义图片的height
    int  codeCount      = imageCodeProperties.getCodeCount();       // 定义图片上显示验证码的个数
    int  fontHeight     = imageCodeProperties.getFontHeight();      // 字体高度
    int  offsetX        = imageCodeProperties.getOffsetX();         // 验证码生成X轴间隔
    int  offsetY        = imageCodeProperties.getOffsetY();         // 验证码生成Y轴间距
    String fontName     = imageCodeProperties.getFontName();        // 字体
    char[] codeSequence = imageCodeProperties.getCodeSequence();    // 生成序列

    // 定义图像buffer
    BufferedImage buffImg = new BufferedImage(imageWidth, imageHeight, BufferedImage.TYPE_INT_RGB);
    Graphics graphics = buffImg.getGraphics();
    // 创建一个随机数生成器类
    Random random = new Random();
    // 将图像填充为白色
    graphics.setColor(Color.WHITE);
    graphics.fillRect(0, 0, imageWidth, imageHeight);
    // 创建字体，字体的大小应该根据图片的高度来定。
    Font font = new Font(fontName, Font.BOLD, fontHeight);
    // 设置字体。
    graphics.setFont(font);
    // 画边框。
    graphics.setColor(Color.BLACK);
    graphics.drawRect(0, 0, imageWidth - 1, imageHeight - 1);
    // 随机产生30条干扰线，使图象中的认证码不易被其它程序探测到。
    graphics.setColor(Color.BLACK);
    for (int i = 0; i < 0; i++) {
      int x1 = random.nextInt(imageWidth);
      int y1 = random.nextInt(imageHeight);
      int x2 = random.nextInt(imageWidth);
      int y2 = random.nextInt(imageHeight);
      graphics.drawLine(x1, y1, x1 + x2, y1 + y2);
    }
    // randomCode用于保存随机产生的验证码，以便用户登录后进行验证。
    StringBuffer randomCode = new StringBuffer();
    int red   = 0;
    int green = 0;
    int blue  = 0;
    // 随机产生codeCount数字的验证码。
    for (int i = 0; i < codeCount; i++) {
      // 得到随机产生的验证码数字。
      String code = String.valueOf(codeSequence[random.nextInt(codeSequence.length)]);
      // 产生随机的颜色分量来构造颜色值，这样输出的每位数字的颜色值都将不同。设置为230避免使用纯白色
      red = random.nextInt(230);
      green = random.nextInt(230);
      blue = random.nextInt(230);
      // 用随机产生的颜色将验证码绘制到图像中。
      graphics.setColor(new Color(red, green, blue));
      graphics.drawString(code, (i + 1) * offsetX, offsetY);
      // 将产生的四个随机数组合在一起。
      randomCode.append(code);
    }
    ImageValidateCode imageCode = new ImageValidateCode(randomCode.toString(), buffImg);
    if (expireDate != null){
      imageCode.setExpireDate(Instant.now().getEpochSecond() + expireDate);
    }
    log.debug("生成图片验证码{}", imageCode.getCode());
    return imageCode ;
  }
}

@ConfigurationProperties(prefix = "login.verify.image", ignoreUnknownFields = true)
public class ImageCodeProperties {
  private static final int DEFAULT_IMAGE_WIDTH  = 90;
  private static final int DEFAULT_IMAGE_HEIGHT = 90;
  private static final int DEFAULT_CODE_COUNT   = 4;
  private static final int DEFAULT_FONT_HEIGHT  = 18;
  private static final int DEFAULT_IMAGE_OFFSET_X   = 15;
  private static final int DEFAULT_IMAGE_OFFSET_Y   = 16;
  private static final String DEFAULT_FONT_NAME     = "微软雅黑";
  private static final char[] DEFAULT_CODE_SEQUENCE = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'J', 'K', 'L', 'M','N', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '2', '3', '4', '5', '6', '7', '8', '9' };

  private Long expireDate  = 60L;                      // 过期时间
  private int  imageWidth  = DEFAULT_IMAGE_WIDTH;      // 定义图片的width
  private int  imageHeight = DEFAULT_IMAGE_HEIGHT;     // 定义图片的height
  private int  codeCount   = DEFAULT_CODE_COUNT;       // 定义图片上显示验证码的个数
  private int  fontHeight  = DEFAULT_FONT_HEIGHT;      // 字体高度
  private int  offsetX     = DEFAULT_IMAGE_OFFSET_X;   // 验证码生成X轴间隔
  private int  offsetY     = DEFAULT_IMAGE_OFFSET_Y;   // 验证码生成Y轴间距
  private String  fontName = DEFAULT_FONT_NAME;        // 字体
  private char[] codeSequence = DEFAULT_CODE_SEQUENCE; // 生成序列

  //=======================Getter/Setter=======================
}

/*
 * 获得验证码的Controller
 */
@ConditionalOnProperty(prefix = "login.verify.image", value = "enable", havingValue = "true")
@RestController
public class ImageCodeController {

  // spring工具类用于操作session
  private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();

  @Autowired
  private ImageCodeUtil imageCodeUtil;

  public static final String SESSION_IMAGE_VERIFY_CODE = "SESSION_IMAGE_VERIFY_CODE";

  @GetMapping("/verify/image/code")
  public void getVerifyCode(HttpServletRequest request, HttpServletResponse response) throws IOException {
    ImageValidateCode imageCode = imageCodeUtil.generateCodeAndPic();

    // 设置响应的类型格式为图片格式
    response.setContentType("image/jpeg");
    // 禁止图像缓存。
    response.setHeader("Pragma", "no-cache");
    response.setHeader("Cache-Control", "no-cache");
    response.setDateHeader("Expires", 0);
    // 写入图片
    ImageIO.write(imageCode.getCodePic(), "jpg", response.getOutputStream());
    response.getOutputStream().flush();

    // code放入session
    imageCode.setCodePic(null);
    sessionStrategy.setAttribute(new ServletWebRequest(request),SESSION_IMAGE_VERIFY_CODE,imageCode);
  }
}

/**
 * 验证码校验Filter，需要在BrowserSecurityConfig中在UsernamePasswordAuthenticationFilter
 * 前配置http.addFilterBefore(imageValidateCodeFilter, UsernamePasswordAuthenticationFilter.class)
 */ 
public class ImageValidateCodeFilter extends OncePerRequestFilter {

  @Autowired
  private AuthenticationFailureHandler authenticationFailureHandler;

  private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();

  public ImageValidateCodeFilter(AuthenticationFailureHandler authenticationFailureHandler) {
    this.authenticationFailureHandler = authenticationFailureHandler;
  }

  @Override
  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    // 是登陆请求而且为POST
    if(StringUtils.equals("/authentication/commit", request.getRequestURI()) && StringUtils.equalsIgnoreCase(request.getMethod(), "POST")) {
      try {
        validate(new ServletWebRequest(request));
        filterChain.doFilter(request, response);
      } catch (ValidateCodeException e) {
        authenticationFailureHandler.onAuthenticationFailure(request, response, e);
      } 
    }else {
      filterChain.doFilter(request, response);
    }
  }

  private void validate(ServletWebRequest servletWebRequest) throws ServletRequestBindingException{
    ImageValidateCode codeInSession = (ImageValidateCode) sessionStrategy.getAttribute(servletWebRequest, ImageCodeController.SESSION_IMAGE_VERIFY_CODE);
    String codeInRequest = ServletRequestUtils.getStringParameter(servletWebRequest.getRequest(),"imageCode");

    if(StringUtils.isEmpty(codeInRequest)) {
      throw new ValidateCodeException("提交的验证码不能为空");
    }

    if(codeInSession == null) {
      throw new ValidateCodeException("验证码不存在");
    }
    if(codeInSession.compareExpired()) {
      sessionStrategy.removeAttribute(servletWebRequest, ImageCodeController.SESSION_IMAGE_VERIFY_CODE);
      throw new ValidateCodeException("验证码已过期");
    }


    if(!StringUtils.equalsIgnoreCase(codeInRequest, codeInSession.getCode())) {
      throw new ValidateCodeException("验证码不匹配");
    }

    // 匹配成功
    sessionStrategy.removeAttribute(servletWebRequest, ImageCodeController.SESSION_IMAGE_VERIFY_CODE);
  }
}

记住我

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
/**
 * Security配置，部分信息省略
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

  // 创建表语句在JdbcTokenRepositoryImpl包含
  @Bean
  public PersistentTokenRepository persistentTokenRepository(DataSource dataSource) {
    JdbcTokenRepositoryImpl jdbcTokenRepository = new JdbcTokenRepositoryImpl();
    jdbcTokenRepository.setDataSource(dataSource);
    return jdbcTokenRepository;
  }
  /**
     * 登陆、安全拦截配置
     */
  @Override
  protected void configure(HttpSecurity http) throws Exception {   
    http.addFilterBefore(imageValidateCodeFilter, UsernamePasswordAuthenticationFilter.class)
      //基于表带验证
      .formLogin()                            
      //当没有进行身份认证且访问需要权限的Api时跳入到这个请求
      .loginPage("/authentication/require")   
      .loginProcessingUrl("/authentication/commit")
      .successHandler(successHandler)
      .failureHandler(failureHandler)
      .and()
      // 会加入RememberMeAuthenticationFilter
      .rememberMe()									 //启用rememberMe
      .tokenRepository(persistentTokenRepository())
      .userDetailsService(userDetailsService)
      .tokenValiditySeconds(60 * 60 * 24 * 7)	    //记住我的有效时间
      .rememberMeParameter("rememberMe")			//rememberMe参数名称
      .and()
      .authorizeRequests()            						//认证的请求
      .antMatchers(HttpMethod.GET,
                   "/authentication/require",					//先访问的请求
                   "/authentication/commit",					//提交表单的地址
                   "/login/user.html")						//登录页
      .permitAll()                    						//允许所有
      .anyRequest()                   						//任何请求
      .authenticated()                						//需要身份认证
      .and().csrf().disable()         						//屏蔽csrf    
  }
}

手机验证码

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
// 伪短信验证码生成
@Configuration
@ConditionalOnProperty(prefix = "login.verify.sms", name = "enable")
@EnableConfigurationProperties(SmsCodeProperties.class)
public class SmsCodeUtil {

  private Logger log = LoggerFactory.getLogger(SmsCodeUtil.class);

  private SmsCodeProperties smsCodeProperties;

  public SmsCodeUtil(SmsCodeProperties smsCodeProperties) {
    this.smsCodeProperties = smsCodeProperties;
  }

  /**
     * code为生成的验证码,此过程要发送短信
     */
  public SmsValidateCode generateCode(String mobile) {
    Long expireDate = smsCodeProperties.getExpireDate();     // 过期时间
    int  codeCount  = smsCodeProperties.getCodeCount();      // 定义短信验证码的个数

    SmsValidateCode smsCode = new SmsValidateCode(RandomStringUtils.randomNumeric(codeCount), mobile);
    if (expireDate != null){
      smsCode.setExpireDate(Instant.now().getEpochSecond() + expireDate);
    }
    log.debug("生成短信验证码{}", smsCode.getCode());
    return smsCode ;
  }
}

@ConfigurationProperties(prefix = "login.verify.sms", ignoreUnknownFields = true)
public class SmsCodeProperties {

  private static final int DEFAULT_CODE_COUNT   = 4;
  private static final Long DEFAULT_EXPIRE_DATE = 300L;

  private Long    expireDate = DEFAULT_EXPIRE_DATE;  // 过期时间
  private Integer codeCount  = DEFAULT_CODE_COUNT;   // 长度
  //=======================Getter/Setter=======================
}

//短信验证码请求的URL
@RestController
@ConditionalOnProperty(prefix="login.verify.sms", name = "enable")
public class SmsCodeController {

  private Logger log = LoggerFactory.getLogger(SmsCodeController.class);

  public static final String SMS_CODE_MOBILE_PREFIX = "SMS_CODE_MOBILE_";

  @Autowired
  private SmsCodeUtil smsCodeUtil;

  // spring工具类用于操作session
  private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();

  @GetMapping("/verify/sms/code/{mobile}", produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
  public SimpleResponse getVerifyCode(@PathVariable("mobile") String mobile, HttpServletRequest request, HttpServletResponse response) throws IOException {
    SmsValidateCode smsValidateCode = smsCodeUtil.generateCode(mobile);
    log.info("给{}手机发送验证短信，验证码{}", smsValidateCode.getMobile(), smsValidateCode.getCode());

    sessionStrategy.setAttribute(new ServletWebRequest(request), SMS_CODE_MOBILE_PREFIX + mobile, smsValidateCode);

    SimpleResponse simpleResponse = new SimpleResponse();
    simpleResponse.setContent("短信发送成功");
    simpleResponse.setCode("200");
    return SimpleResponse;
  }
}

// 短信验证码校验
public class SmsValidateCodeFilter extends OncePerRequestFilter {

  @Autowired
  private AuthenticationFailureHandler authenticationFailureHandler;

  private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();

  public SmsValidateCodeFilter(AuthenticationFailureHandler authenticationFailureHandler) {
    this.authenticationFailureHandler = authenticationFailureHandler;
  }

  @Override
  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    // 是登陆请求而且为POST
    if(StringUtils.equals("/authentication/sms/commit", request.getRequestURI()) && StringUtils.equalsIgnoreCase(request.getMethod(), "POST")) {
      try {
        validate(new ServletWebRequest(request));
        filterChain.doFilter(request, response);
      } catch (ValidateCodeException e) {
        authenticationFailureHandler.onAuthenticationFailure(request, response, e);
      }
    }else {
      filterChain.doFilter(request, response);
    }
  }

  private void validate(ServletWebRequest servletWebRequest) {

    String questInMobile =  null;
    String questInCode =  null;

    try {
      questInMobile = ServletRequestUtils.getRequiredStringParameter(servletWebRequest.getRequest(), "mobile");
      questInCode = ServletRequestUtils.getRequiredStringParameter(servletWebRequest.getRequest(), "code");
    }catch (ServletRequestBindingException e) {
      throw new ValidateCodeException("提交的短信验证码不能为空");
    }

    SmsValidateCode smsValidateCode = (SmsValidateCode)sessionStrategy.getAttribute(servletWebRequest, SmsCodeController.SMS_CODE_MOBILE_PREFIX + questInMobile);

    if(StringUtils.isEmpty(questInMobile)) {
      throw new ValidateCodeException("提交的手机号不能为空");
    }

    if(StringUtils.isEmpty(questInCode)) {
      throw new ValidateCodeException("提交的短信验证码不能为空");
    }

    if(smsValidateCode == null) {
      throw new ValidateCodeException("手机号" + questInMobile + "短信验证码不存在");
    }
    if(smsValidateCode.compareExpired()) {
      throw new ValidateCodeException("短信验证码已过期");
    }

    if(!StringUtils.equalsIgnoreCase(questInCode, smsValidateCode.getCode())) {
      throw new ValidateCodeException("验证码不匹配");
    }
  }
}

// 校验通过时，ProviderManager挑选对应Provider加载用户信息【权限】
public class SmsCodeAuthenticationProvider implements AuthenticationProvider {

  private Logger log = LoggerFactory.getLogger(SmsCodeAuthenticationProvider.class);

  private UserService userService;

  @Override
  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    log.debug("根据手机号{}查找用户", authentication.getPrincipal());

    SmsCodeAuthenticationToken smsCodeAuthenticationToken =  (SmsCodeAuthenticationToken) authentication;
    User user = userService.getUserByMobile((String) smsCodeAuthenticationToken.getPrincipal());

    return new SmsCodeAuthenticationToken(user.getUsername(),user.getPassword(),user.getAuthorities());
  }

  @Override
  public boolean supports(Class<?> authentication) {
    return  SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);
  }

  public void setUserService(UserService userService) {
    this.userService = userService;
  }
}

/**
 * 短信认证的Token
 */
public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {

  private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

  private  Object principal;
  private Object credentials;

  public SmsCodeAuthenticationToken(Object principal, Object credentials) {
    super(null);
    this.principal = principal;
    this.credentials = credentials;
    setAuthenticated(false);
  }

  public SmsCodeAuthenticationToken(Object principal, Object credentials,
                                    Collection<? extends GrantedAuthority> authorities) {
    super(authorities);
    this.principal = principal;
    this.credentials = credentials;
    super.setAuthenticated(true); // must use super, as we override
  }

  public Object getCredentials() {
    return this.credentials;
  }

  public Object getPrincipal() {
    return this.principal;
  }

  public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
    if (isAuthenticated) {
      throw new IllegalArgumentException(
        "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
    }

    super.setAuthenticated(false);
  }

  @Override
  public void eraseCredentials() {
    super.eraseCredentials();
  }
}

/**
 * Security配置，部分信息省略
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

  /**
     * 登陆、安全拦截配置
     */
  @Override
  protected void configure(HttpSecurity http) throws Exception {   
    http.addFilterBefore(imageValidateCodeFilter, UsernamePasswordAuthenticationFilter.class)
      .addFilterBefore(smsValidateCodeFilter, UsernamePasswordAuthenticationFilter.class)
      //基于表带验证
      .formLogin()                            
      //当没有进行身份认证且访问需要权限的Api时跳入到这个请求
      .loginPage("/authentication/require")   
      .loginProcessingUrl("/authentication/commit")
      .successHandler(successHandler)
      .failureHandler(failureHandler)
      .and()
      // 会加入RememberMeAuthenticationFilter
      .rememberMe()									 //启用rememberMe
      .tokenRepository(persistentTokenRepository())
      .userDetailsService(userDetailsService)
      .tokenValiditySeconds(60 * 60 * 24 * 7)	    //记住我的有效时间
      .rememberMeParameter("rememberMe")			//rememberMe参数名称
      .and()
      .authorizeRequests()            						//认证的请求
      .antMatchers(HttpMethod.GET,
                   "/authentication/require",					//先访问的请求
                   "/authentication/commit",					//提交表单的地址
                   "/login/user.html")						//登录页
      .permitAll()                    						//允许所有
      .anyRequest()                   						//任何请求
      .authenticated()                						//需要身份认证
      .and().csrf().disable()         						//屏蔽csrf    
  }
}

第三方登陆【以QQ为例】

spring-oauth2-detail

QQ登陆

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
public class QQUserInfo {
  /**
     * 	返回码
     */
  private String ret;
  /**
     * 如果ret<0，会有相应的错误信息提示，返回数据全部用UTF-8编码。
     */
  private String msg;
  /**
     *
     */
  private String openId;
  /**
     * 不知道什么东西，文档上没写，但是实际api返回里有。
     */
  private String is_lost;
  /**
     * 省(直辖市)
     */
  private String province;
  /**
     * 市(直辖市区)
     */
  private String city;
  /**
     * 出生年月
     */
  private String year;
  /**
     * 	用户在QQ空间的昵称。
     */
  private String nickname;
  /**
     *  星座
     */
  private String constellation;
  /**
     * 	大小为30×30像素的QQ空间头像URL。
     */
  private String figureurl;
  /**
     * 	大小为50×50像素的QQ空间头像URL。
     */
  private String figureurl_1;
  /**
     * 	大小为100×100像素的QQ空间头像URL。
     */
  private String figureurl_2;
  /**
     * 	大小为40×40像素的QQ头像URL。
     */
  private String figureurl_qq_1;
  /**
     * 	大小为100×100像素的QQ头像URL。需要注意，不是所有的用户都拥有QQ的100×100的头像，但40×40像素则是一定会有。
     */
  private String figureurl_qq_2;
  /**
     * 	性别。 如果获取不到则默认返回”男”
     */
  private String gender;
  /**
     * 	标识用户是否为黄钻用户（0：不是；1：是）。
     */
  private String is_yellow_vip;
  /**
     * 	标识用户是否为黄钻用户（0：不是；1：是）
     */
  private String vip;
  /**
     * 	黄钻等级
     */
  private String yellow_vip_level;
  /**
     * 	黄钻等级
     */
  private String level;
  /**
     * 标识是否为年费黄钻用户（0：不是； 1：是）
     */
  private String is_yellow_year_vip;
  //=======================Getter/Setter=======================
}

/**
 * 获取QQ用户信息
 */
public interface QQ {
  QQUserInfo getUserInfo();
}

/**
 * 获取QQ用户信息实现,继承AbstractOAuth2ApiBinding完成用户信息获取
 */
public class QQImpl extends AbstractOAuth2ApiBinding implements QQ{

  // 获取openid【用户的唯一标识】的URL
  private static final String GET_OPENID_URL = "https://graph.qq.com/oauth2.0/me?access_token={0}";

  // 获取用户信息的URL，accessToken会因为TokenStrategy.ACCESS_TOKEN_PARAMETER自动带上
  private static final String GET_USER_INFO_URL = "https://graph.qq.com/user/get_user_info?oauth_consumer_key={0}&openid={1}";

  // 申请QQ互联的APP ID
  private String oauthConsumerKey;

  // 用户openid【用户的唯一标识】
  private String openid;

  public QQImpl(String accessToken, String oauthConsumerKey) {
    super(accessToken, TokenStrategy.ACCESS_TOKEN_PARAMETER);
    this.oauthConsumerKey = oauthConsumerKey;
    // 获取openid
    String openidResult = getRestTemplate().getForObject(MessageFormat.format(GET_OPENID_URL, accessToken), String.class);
    if(StringUtils.isEmpty(openidResult)) {
      throw new RuntimeException("openid获取失败");
    }
    this.openid = StringUtils.substringBetween(openidResult, "\"openid\":\"", "\"}");
  }

  @Override
  public QQUserInfo getUserInfo() {
    // 填充数据
    String url = MessageFormat.format(GET_USER_INFO_URL, oauthConsumerKey, openid);
    String userInfoJson = getRestTemplate().getForObject(url, String.class);
    QQUserInfo qqUserInfo = null;
    try {
      // 解析用户信息
      ObjectMapper objectMapper = new ObjectMapper();
      objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
      qqUserInfo = objectMapper.readValue(userInfoJson, QQUserInfo.class);
      qqUserInfo.setOpenId(openid);
    } catch (IOException e) {
      throw new RuntimeException("json转换失败");
    }
    return qqUserInfo;
  }
}

/**
 * 将返回的QQ用户信息转换为标准的用户信息用于存储
 */
public class QQApiAdapter implements ApiAdapter<QQ> {

  /**
     * 不对网络进行检测
     */
  @Override
  public boolean test(QQ api) {
    return true;
  }

  /**
     * 获取用户信息
     */
  @Override
  public void setConnectionValues(QQ api, ConnectionValues values) {
    QQUserInfo qqUserInfo = api.getUserInfo();
    // 显示的用户名（QQ为昵称）
    values.setDisplayName(qqUserInfo.getNickname());
    // 头像（QQ头像）
    values.setImageUrl(qqUserInfo.getFigureurl_qq_1());
    // 个人主页（QQ没有）
    values.setProfileUrl(null);
    // 用户的唯一标识ID
    values.setProviderUserId(qqUserInfo.getOpenId());
  }

  /**
     * 解绑
     */
  @Override
  public UserProfile fetchUserProfile(QQ api) {
    return null;
  }

  @Override
  public void updateStatus(QQ api, String message) {
    //发送消息等，QQ没有个人主页，时间线不能更新
  }
}

/**
 * 和服务提供商交换信息的类
 */
public class QQServiceProvider extends AbstractOAuth2ServiceProvider<QQ> {

  // QQ登录页URL
  private static final String AUTHORIZE_URL =    "https://graph.qq.com/oauth2.0/authorize";

  // QQ获取Token的URL
  private static final String ACCESS_TOKEN_URL = "https://graph.qq.com/oauth2.0/token";

  // QQ互联申请的App ID
  private String oauthConsumerKey;

  /**
     * clientId : QQ互联申请的App ID
     * clientSecret : QQ互联申请的APP Key
     */
  public QQServiceProvider(String clientId, String clientSecret) {
    super(new QQOAuthTemplate(clientId, clientSecret, AUTHORIZE_URL, ACCESS_TOKEN_URL));
    this.oauthConsumerKey = clientId;
  }

  @Override
  public QQ getApi(String accessToken) {
    return new QQImpl(accessToken, oauthConsumerKey);
  }
}

/**
 * 发出请求的类
 */
public class QQOAuthTemplate extends OAuth2Template {

  public QQOAuthTemplate(String clientId, String clientSecret, String authorizeUrl, String accessTokenUrl) {
    super(clientId, clientSecret, authorizeUrl, accessTokenUrl);
    // setUseParametersForClientAuthentication设置为true才能将clientId、clientSecret以请求参数的方式带出去
    setUseParametersForClientAuthentication(true);
  }


  /**
     * QQ返回的用户信息是text/html，所以需要处理返回类型
     */
  @Override
  protected RestTemplate createRestTemplate() {
    RestTemplate restTemplate = super.createRestTemplate();
    restTemplate.getMessageConverters().add(new StringHttpMessageConverter());
    return restTemplate;
  }

  @Override
  protected AccessGrant postForAccessGrant(String accessTokenUrl, MultiValueMap<String, String> parameters) {
    String response = getRestTemplate().postForObject(accessTokenUrl, parameters, String.class);
    String[] items = response.split("&");
    String accessToken = StringUtils.substringAfterLast(items[0], "=");
    Long expiresIn = Long.valueOf(StringUtils.substringAfterLast(items[1], "="));
    String refreshToken = StringUtils.substringAfterLast(items[2], "=");
    return new AccessGrant(accessToken, null, refreshToken, expiresIn);
  }
}

/**
 * 获取连接信息的类
 */
public class QQConnectFactory extends OAuth2ConnectionFactory<QQ> {

  /**
     * providerId：要与发出请求的路径最后结尾相同
     * clientId：APP ID
     * clientSecret：APP Key
     */
  public QQConnectFactory(String providerId, String clientId, String clientSecret ) {
    super(providerId, new QQServiceProvider(clientId, clientSecret), new QQApiAdapter());
  }
}

@ConfigurationProperties(prefix = "qq.social", ignoreUnknownFields = true)
public class QQSocialProperties {

  private String appId;
  private String appKey;
  private String callBackUri;
  private String providerId;

  //=======================Getter/Setter=======================
}

@Configuration
@ConditionalOnProperty(prefix = "qq.social", name = "enable")
@EnableConfigurationProperties(QQSocialProperties.class)
@EnableSocial
public class QQSocialConfig extends SocialConfigurerAdapter {

  private DataSource dataSource;

  private QQSocialProperties qqSocialProperties;

  @Autowired
  private UserService userService;

  public QQSocialConfig(QQSocialProperties qqSocialProperties, DataSource dataSource) {
    this.dataSource = dataSource;
    this.qqSocialProperties = qqSocialProperties;
  }

  @Override
  public UserIdSource getUserIdSource() {
    return new AuthenticationNameUserIdSource();
  }

  @Override
  public UsersConnectionRepository getUsersConnectionRepository(ConnectionFactoryLocator connectionFactoryLocator) {
    JdbcUsersConnectionRepository jdbcUsersConnectionRepository = new JdbcUsersConnectionRepository(dataSource, connectionFactoryLocator, Encryptors.noOpText());
    // 自注册，注意权限也要设置
    jdbcUsersConnectionRepository.setConnectionSignUp(new ConnectionSignUp() {
      @Override
      public String execute(Connection<?> connection) {
        User user = new User();
        user.setUsername(UUID.randomUUID().toString());
        userService.save(user);
        return user.getUserId();
      }
    });
    return jdbcUsersConnectionRepository;
  }

  @Override
  public void addConnectionFactories(ConnectionFactoryConfigurer connectionFactoryConfigurer, Environment environment) {
    connectionFactoryConfigurer.addConnectionFactory(
      new QQConnectFactory(qqSocialProperties.getProviderId(), qqSocialProperties.getAppId(), qqSocialProperties.getAppKey()));
  }
}

@Configuration
@ConditionalOnProperty(prefix = "qq.social", name = "enable")
@EnableConfigurationProperties(QQSocialProperties.class)
public class QQSpringSocialConfigurer extends SpringSocialConfigurer {

  private QQSocialProperties qqSocialProperties;

  // 如果是没设置setConnectionSignUp则需要设置注册页
  public QQSpringSocialConfigurer(QQSocialProperties qqSocialProperties) {
    this.qqSocialProperties = qqSocialProperties;
    super.signupUrl("/register.html");
  }

  @Override
  protected <T> T postProcess(T object) {
    SocialAuthenticationFilter filter = (SocialAuthenticationFilter)super.postProcess(object);
    filter.setFilterProcessesUrl(qqSocialProperties.getCallBackUri());
    return (T) filter;
  }
}

@RestController
public class UserController {

  private BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
  @Autowired
  private UserService userService;

  @Autowired
  private ProviderSignInUtils providerSignInUtils;

  @PostMapping("/user/register")
  public String register(User user, HttpServletRequest request) {
    user.setPassword(passwordEncoder.encode(user.getPassword()));
    userService.save(user);
    // 调用再次尝试使用第三方账户登陆
    providerSignInUtils.doPostSignUp(user.getUserId(), new ServletRequestAttributes(request));
    // 前台应该请求index页面
    return "ok";
  }
}

public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

  /**
    * 获取社交账户信息
    */
  @Bean
  public ProviderSignInUtils providerSignInUtils(ConnectionFactoryLocator connectionFactoryLocator, UsersConnectionRepository connectionRepository){
    return new ProviderSignInUtils(connectionFactoryLocator, connectionRepository);
  }
}

查看绑定状态&绑定&解绑

前置需要手动@Import(ConnectController.class)并多配置一个回调接口为/connect/{providerId}

查看绑定状态

拿到已绑定的列表[/connect method=get]
配置视图

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
@Component("connect/status")
public class ConnectStatusView extends AbstractView {

  private ObjectMapper objectMapper = new ObjectMapper();

  @Override
  protected void renderMergedOutputModel(Map<String, Object> model, HttpServletRequest request, HttpServletResponse response) throws Exception {
    Map<String, List<Connection<?>>> connectionMap = (Map<String, List<Connection<?>>>)model.get("connectionMap");
    Map<String, Boolean> connections = new HashMap<>();
    for (Map.Entry<String, List<Connection<?>>> entry : connectionMap.entrySet()) {
      connections.put(entry.getKey(), !CollectionUtils.isEmpty(entry.getValue()));
    }
    response.setContentType(MimeTypeUtils.APPLICATION_JSON_VALUE);
    response.setCharacterEncoding(CharEncoding.UTF_8);
    response.getWriter().write(objectMapper.writeValueAsString(connections));
  }
}

绑定&解绑

绑定[/connect/qq method=post]
解绑[/connect/wechat method=delete]
绑定视图&解绑视图

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
@Component({"connect/qqConnected", "connect/qqConnect"})
public class ConnectView extends AbstractView {
  @Override
  protected void renderMergedOutputModel(
    Map<String, Object> model,
    HttpServletRequest request,
    HttpServletResponse response) throws Exception {
    response.setCharacterEncoding(CharEncoding.UTF_8);
    response.setContentType(MimeTypeUtils.TEXT_HTML_VALUE);
    if(model.get("connections") == null) {
      response.getWriter().write("<h3>解绑成功</h3>");
    }else {
      response.getWriter().write("<h3>绑定成功</h3>");
    }
  }
}

Session管理

session超时设置

1
server.servlet.session.timeout=PT30M

session并发控制

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
/**
  * 登陆、安全拦截配置
  */
@Override
protected void configure(HttpSecurity http) throws Exception {

  http //省略各项配置
    .and()
    .sessionManagement()
    .invalidSessionUrl("/session/invalid")	//session失效的处理URL
    .maximumSessions(1)			        //只允许一个用户登陆,后登陆的把前登陆顶掉
    //.maxSessionsPreventsLogin(true) 	//只允许一个用户登陆,不允许在在别的地方登陆
    .expiredSessionStrategy(new BrowserSessionInformationExpiredStrategy())   //重复登陆提示
    .and()  //省略各项配置
}

public class BrowserSessionInformationExpiredStrategy implements SessionInformationExpiredStrategy {

  @Override
  public void onExpiredSessionDetected(SessionInformationExpiredEvent event) throws IOException, ServletException {
    event.getResponse().setContentType(MimeTypeUtils.APPLICATION_JSON_VALUE);
    event.getResponse().setCharacterEncoding(CharEncoding.UTF_8);
    event.getResponse().getWriter().write("账号在别处登陆");
  }
}

@RestController
public class BrowserSecurityController {

  @GetMapping("/session/invalid")
  @ResponseStatus(HttpStatus.UNAUTHORIZED)
  public AuthenticationResponse invalidSession(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    String requestedWith = request.getHeader("X-Requested-With");
    if (!"XMLHttpRequest".equals(requestedWith)) {
      log.debug("会话过期，游览器请求将跳转至登陆页面");
      redirectStrategy.sendRedirect(request, response, "/login/user.html");
    }
    log.debug("会话过期，AJAX请求将返回状态码401");
    return new AuthenticationResponse(request.getRequestURI(), "会话超时", HttpStatus.UNAUTHORIZED.value());
  }
}

集群session管理

1
2
3
4
#配置Spring-Session之后将redis存储到redis
spring.session.store-type=redis
spring.redis.host=192.168.1.158
spring.redis.port=6379

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
// 配置redisTemplate序列化存储为json，否则前文验证码模块等需要实现java序列化接口才可使用
@Bean
public RedisTemplate<Object, Object> redisTemplate(RedisConnectionFactory redisConnectionFactory) {
  Jackson2JsonRedisSerializer<Object> jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer<Object>(Object.class);
  RedisTemplate<Object, Object> template = new RedisTemplate<Object, Object>();
  template.setConnectionFactory(redisConnectionFactory);
  template.setKeySerializer(jackson2JsonRedisSerializer);
  template.setValueSerializer(jackson2JsonRedisSerializer);
  template.setHashKeySerializer(jackson2JsonRedisSerializer);
  template.setHashValueSerializer(jackson2JsonRedisSerializer);
  return template;
}

退出登陆

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
/**
  * 登陆、安全拦截配置
  */
@Override
protected void configure(HttpSecurity http) throws Exception {

  http //省略各项配置
    .and()
    .logout()						  // 会使session失效
    //.logoutSuccessHandler()		  // 配置退出成功的处理器，进行扫尾工作，或者返回JSON
    .logoutUrl("/authentication/out") // 退出请求的url
    .logoutSuccessUrl("/logout.html") // 退出成功请求的url，默认跳转到登录页，可不配置
    //.deleteCookies()				  // 删除cookie等操作
    .and()  //省略各项配置
}

二、基于App的安全

Spring-OAuth2-Authentication

表单登陆

app-form-login

需要继承配置ResourceServerConfigurerAdapter重载public void configure(HttpSecurity http) 方法

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
@Configuration
public class AppResourceServerConfigurer extends ResourceServerConfigurerAdapter {
  @Override
  public void configure(HttpSecurity http) throws Exception {
    // ....

    http.userDetailsService(userDetailsService);
    //表单登陆功能
    FormLoginConfigurer<HttpSecurity> formLoginConfigurer = http.formLogin();
    formLoginConfigurer.loginPage(coreSecurityProperties.getLoginPageUrl());
    formLoginConfigurer.loginProcessingUrl(coreSecurityProperties.getAuthenticationUrl());
    formLoginConfigurer.successHandler(successHandler);
    formLoginConfigurer.failureHandler(failureHandler);

    // ....
  }

  /**
    * APP默认的登陆失败处理器
    */
  public class DefaultLoginFailureHandler implements AuthenticationFailureHandler {

    private static Logger log = LoggerFactory.getLogger(DefaultLoginFailureHandler.class);

    private ObjectMapper objectMapper = new ObjectMapper();

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
      log.info("登录失败");
      response.setStatus(HttpStatus.OK.value());
      response.setContentType(MimeTypeUtils.APPLICATION_JSON_VALUE);
      response.setCharacterEncoding(CharEncoding.UTF_8);
      SimpleResponse simpleResponse = new SimpleResponse(String.valueOf(HttpStatus.INTERNAL_SERVER_ERROR.value()), exception.getMessage());
      response.getWriter().write(objectMapper.writeValueAsString(simpleResponse));
    }
  }


  /**
    * APP登陆成功处理器,需要在登陆成功时发放OAuth2令牌
    */
  public class DefaultLoginSuccessHandler implements AuthenticationSuccessHandler {

    private ObjectMapper objectMapper = new ObjectMapper();

    private static Logger log = LoggerFactory.getLogger(DefaultLoginSuccessHandler.class);

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Autowired
    private AuthorizationServerTokenServices authorizationServerTokenServices;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
      response.setCharacterEncoding(CharEncoding.UTF_8);
      response.setContentType(MimeTypeUtils.APPLICATION_JSON_VALUE);
      //用Basic 认证传入clientId和secret
      String header = request.getHeader("Authorization");
      if (header == null || !header.toLowerCase().startsWith("basic ")) {
        throw new AuthenticationException("没有OAuth2需要的的认证信息");
      }
      String[] tokens = extractAndDecodeHeader(header, request);
      String clientId = tokens[0];
      String secret   = tokens[1];

      ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
      if(clientDetails == null) {
        response.getWriter().write(objectMapper.writeValueAsString(new AuthenticationException("clientId不正确")));
        return;
      }

      if(!passwordEncoder.matches(secret, clientDetails.getClientSecret())) {
        response.getWriter().write(objectMapper.writeValueAsString(new AuthenticationException("secret不正确")));
        return;
      }

      TokenRequest tokenRequest = new TokenRequest(Collections.EMPTY_MAP, clientId, clientDetails.getScope(), "custom_login");

      OAuth2Request oauth2Request = tokenRequest.createOAuth2Request(clientDetails);

      OAuth2Authentication oAuth2Authentication = new OAuth2Authentication(oauth2Request, authentication);

      OAuth2AccessToken accessToken = authorizationServerTokenServices.createAccessToken(oAuth2Authentication);

      log.debug("用户{}登陆成功", authentication.getPrincipal());

      response.getWriter().write(objectMapper.writeValueAsString(accessToken));
    }


    private String[] extractAndDecodeHeader(String header, HttpServletRequest request)
      throws IOException {

      byte[] base64Token = header.substring(6).getBytes("UTF-8");
      byte[] decoded;
      try {
        decoded = Base64.getDecoder().decode(base64Token);
      }
      catch (IllegalArgumentException e) {
        throw new BadCredentialsException(
          "Failed to decode basic authentication token");
      }

      String token = new String(decoded, CharEncoding.UTF_8);

      int delimiter = token.indexOf(":");

      if (delimiter == -1) {
        throw new BadCredentialsException("Invalid basic authentication token");
      }
      return new String[] { token.substring(0, delimiter), token.substring(delimiter + 1) };
    }
  }

图片验证码

注意：不能使用Session存储方式，需要将验证码存放如Redis中

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
@ConditionalOnProperty(prefix = "login.verify.image", value = "enable", havingValue = "true")
@Controller
public class ImageCodeController {

  @Autowired
  private ImageCodeUtil imageCodeUtil;

  public static final String REDIS_IMAGE_VERIFY_CODE = "VERIFY_CODE:IMAGE_CODE:";

  @Autowired
  private RedisTemplate redisTemplate;

  @GetMapping(SecurityBrowserConstants.VALIDATE_IMAGE_URL)
  @ResponseBody
  public void getVerifyCode(@RequestParam("device") String device, HttpServletResponse response) throws IOException {
    ImageValidateCode imageCode = imageCodeUtil.generateCodeAndPic();
    ImageValidateCode redisInCode = new ImageValidateCode();
    redisInCode.setCode(imageCode.getCode());
    redisInCode.setExpireDate(imageCode.getExpireDate());
    // 设置响应的类型格式为图片格式
    response.setContentType(MimeTypeUtils.IMAGE_JPEG_VALUE);
    // 禁止图像缓存。
    response.setHeader("Pragma", "no-cache");
    response.setHeader("Cache-Control", "no-cache");
    response.setDateHeader("Expires", 0);
    // 写入图片
    ImageIO.write(imageCode.getCodePic(), "jpeg", response.getOutputStream());
    response.getOutputStream().flush();
    if (imageCode.getExpireDate() == null) {
      redisTemplate.boundValueOps(REDIS_IMAGE_VERIFY_CODE + device).set(redisInCode);
    }else {
      redisTemplate.boundValueOps(REDIS_IMAGE_VERIFY_CODE + device).set(redisInCode, imageCode.getExpireDate(), TimeUnit.MILLISECONDS);
    }
  }
}

/**
 * 图片验证码拦截匹配器
 */
public class ImageValidateCodeFilter extends OncePerRequestFilter {

  @Autowired
  private CoreSecurityProperties coreSecurityProperties;

  private AuthenticationFailureHandler authenticationFailureHandler;

  @Autowired
  private RedisTemplate redisTemplate;

  public ImageValidateCodeFilter(AuthenticationFailureHandler authenticationFailureHandler) {
    this.authenticationFailureHandler = authenticationFailureHandler;
  }

  @Override
  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    // 是登陆请求而且为POST
    if(StringUtils.equals(coreSecurityProperties.getAuthenticationUrl(), request.getRequestURI()) && StringUtils.equalsIgnoreCase(request.getMethod(), "POST")) {
      try {
        validate(new ServletWebRequest(request));
        filterChain.doFilter(request, response);
      } catch (ValidateCodeException e) {
        authenticationFailureHandler.onAuthenticationFailure(request, response, e);
      }
    }else {
      filterChain.doFilter(request, response);
    }
  }

  private void validate(ServletWebRequest servletWebRequest) throws ServletRequestBindingException{
    String questInDevice = null;
    String questInCode   = null;
    try {
      questInDevice = ServletRequestUtils.getRequiredStringParameter(servletWebRequest.getRequest(), "device");
      questInCode   = ServletRequestUtils.getStringParameter(servletWebRequest.getRequest(),"imageCode");
    }catch (ServletRequestBindingException e) {
      throw new ValidateCodeException("提交的图片验证码参数缺失");
    }

    String keyName = ImageCodeController.REDIS_IMAGE_VERIFY_CODE + questInDevice;
    ImageValidateCode codeInRedis = (ImageValidateCode)redisTemplate.boundValueOps(keyName).get();

    if(codeInRedis == null) {
      // 过期判断由Redis控制,Redis设置了过期时间，程序不判断过期行为
      throw new ValidateCodeException("验证码不存在，或已过期");
    }
    if(!StringUtils.equalsIgnoreCase(questInCode, codeInRedis.getCode())) {
      throw new ValidateCodeException("验证码不匹配");
    }
    // 匹配成功
    redisTemplate.delete(keyName);
  }
}

手机验证码

注意：不能使用Session存储方式，需要将验证码存放如Redis中

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
@ConditionalOnProperty(prefix = "login.verify.sms", value = "enable", havingValue = "true")
@Controller
public class SmsCodeController {

  private static Logger log = LoggerFactory.getLogger(SmsCodeController.class);

  public static final String SMS_CODE_MOBILE_PREFIX = "VERIFY_CODE:SMS_CODE_MOBILE:";

  @Autowired
  private SmsCodeUtil smsCodeUtil;

  @Autowired
  private RedisTemplate redisTemplate;

  @Autowired
  private LoginVerifySmsSender loginVerifySmsSender;

  @GetMapping(value = "/verify/sms/code/{mobile}", produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
  @ResponseBody
  public SimpleResponse getVerifyCode(@PathVariable("mobile") String mobile, @RequestParam("device") String device, HttpServletRequest request, HttpServletResponse response) throws IOException {
    SmsValidateCode smsValidateCode = smsCodeUtil.generateCode(mobile);
    if(loginVerifySmsSender.sendVerifyCode(smsValidateCode)) {
      //发送短信
      log.debug("给{}手机发送验证短信，验证码{}成功", smsValidateCode.getMobile(), smsValidateCode.getCode());
    }else {
      log.debug("给{}手机发送验证短信，验证码{}失败", smsValidateCode.getMobile(), smsValidateCode.getCode());
      return new SimpleResponse(String.valueOf(HttpStatus.OK.value()), "短信发送失败");
    }
    redisTemplate.boundValueOps(SMS_CODE_MOBILE_PREFIX + device + ":" + mobile).set(smsValidateCode, smsValidateCode.getExpireDate(), TimeUnit.MILLISECONDS);
    SimpleResponse simpleResponse = new SimpleResponse(String.valueOf(HttpStatus.OK.value()), "短信发送成功");
    return simpleResponse;
  }
}

/**
 * 短信认证的Token
 */
public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {

  private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

  private  Object principal;
  private Object credentials;

  public SmsCodeAuthenticationToken(Object principal, Object credentials) {
    super(null);
    this.principal = principal;
    this.credentials = credentials;
    setAuthenticated(false);
  }

  public SmsCodeAuthenticationToken(Object principal, Object credentials,
                                    Collection<? extends GrantedAuthority> authorities) {
    super(authorities);
    this.principal = principal;
    this.credentials = credentials;
    super.setAuthenticated(true); // must use super, as we override
  }

  public Object getCredentials() {
    return this.credentials;
  }

  public Object getPrincipal() {
    return this.principal;
  }

  public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
    if (isAuthenticated) {
      throw new IllegalArgumentException(
        "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
    }

    super.setAuthenticated(false);
  }

  @Override
  public void eraseCredentials() {
    super.eraseCredentials();
  }
}

/**
 * 短信认证登陆处理
 */
public class SmsAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

  public static final String SECURITY_FORM_MOBILE_KEY = "mobile";

  private String mobileParameter = SECURITY_FORM_MOBILE_KEY;
  private boolean postOnly = true;

  public SmsAuthenticationFilter() {
    super(new AntPathRequestMatcher("/authentication/sms/commit", "POST"));
  }

  public Authentication attemptAuthentication(HttpServletRequest request,
                                              HttpServletResponse response) throws AuthenticationException {
    if (postOnly && !request.getMethod().equals("POST")) {
      throw new AuthenticationServiceException(
        "Authentication method not supported: " + request.getMethod());
    }

    String mobile = obtainMobile(request);

    if (mobile == null) {
      mobile = "";
    }

    mobile = mobile.trim();

    SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile, null);

    setDetails(request, authRequest);

    return this.getAuthenticationManager().authenticate(authRequest);
  }

  protected String obtainMobile(HttpServletRequest request) {
    return request.getParameter(mobileParameter);
  }

  protected void setDetails(HttpServletRequest request,
                            SmsCodeAuthenticationToken authRequest) {
    authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
  }

  public void setMobileParameter(String mobileParameter) {
    Assert.hasText(mobileParameter, "mobileParameter parameter must not be empty or null");
    this.mobileParameter = mobileParameter;
  }
}

/**
 * 短信验证码拦截匹配器
 */
public class SmsValidateCodeFilter extends OncePerRequestFilter {

  private AuthenticationFailureHandler authenticationFailureHandler;

  @Autowired
  private CoreSecurityProperties coreSecurityProperties;

  @Autowired
  private RedisTemplate redisTemplate;

  public SmsValidateCodeFilter(AuthenticationFailureHandler authenticationFailureHandler) {
    this.authenticationFailureHandler = authenticationFailureHandler;
  }

  @Override
  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    // 是登陆请求而且为POST
    if(StringUtils.equals(coreSecurityProperties.getSmsAuthenticationUrl(), request.getRequestURI()) && StringUtils.equalsIgnoreCase(request.getMethod(), "POST")) {
      try {
        validate(new ServletWebRequest(request));
        filterChain.doFilter(request, response);
      } catch (ValidateCodeException e) {
        authenticationFailureHandler.onAuthenticationFailure(request, response, e);
      }
    }else {
      filterChain.doFilter(request, response);
    }
  }

  private void validate(ServletWebRequest servletWebRequest) {

    String questInMobile = null;
    String questInCode   = null;
    String questInDevice = null;

    try {
      questInMobile = ServletRequestUtils.getRequiredStringParameter(servletWebRequest.getRequest(), "mobile");
      questInCode = ServletRequestUtils.getRequiredStringParameter(servletWebRequest.getRequest(), "code");
      questInDevice = ServletRequestUtils.getRequiredStringParameter(servletWebRequest.getRequest(), "device");
    }catch (ServletRequestBindingException e) {
      throw new ValidateCodeException("提交的短信验证码参数缺失");
    }

    String keyName = SmsCodeController.SMS_CODE_MOBILE_PREFIX + questInDevice + ":" +questInMobile;
    SmsValidateCode smsValidateCode = (SmsValidateCode) redisTemplate.boundValueOps(keyName).get();

    if(StringUtils.isEmpty(questInMobile)) {
      throw new ValidateCodeException("提交的手机号不能为空");
    }

    if(StringUtils.isEmpty(questInCode)) {
      throw new ValidateCodeException("提交的短信验证码不能为空");
    }

    if(smsValidateCode == null) {
      // 过期判断由Redis控制,Redis设置了过期时间，程序不判断过期行为
      throw new ValidateCodeException("手机号" + questInMobile + "短信验证码不存在或已过期");
    }

    if(!StringUtils.equalsIgnoreCase(questInCode, smsValidateCode.getCode())) {
      throw new ValidateCodeException("验证码不匹配");
    }

    // 匹配成功
    redisTemplate.delete(keyName);
  }
}

第三方登陆

简化验证模式需要将OpenId服务器
授权码模式直接将请求转给服务器即可

三、权限设置

概览

请求经过的过滤器

permission-filter

判断是否允许访问的过程

permission-struct

简单的只区分是否登陆

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
http. //省略其它配置
  .formLogin()//基于表带验证
  .loginPage("/authentication/require")   //设置先访问的请求
  .loginProcessingUrl("/authentication/commit")
  .authorizeRequests()            //认证的请求
  .antMatchers(HttpMethod.GET,"/authentication/require", "/me")//匹配请求
  .permitAll()                    //允许所有
  .anyRequest()                   //认证的请求
  .authenticated()                //需要进行登陆身份认证
  //省略其它配置

区分简单、有限角色【硬编码】

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
http.
  .formLogin()//基于表带验证
  .loginPage("/authentication/require")   //设置先访问的请求
  .loginProcessingUrl("/authentication/commit")
  .and()
  .authorizeRequests()            					  //认证的请求
  .antMatchers(HttpMethod.GET,"/authentication/require")//匹配请求
  .permitAll()                    //允许所有
  .antMatchers("/user/**")		//匹配请求
  .hasRole("ADMIN")				//需要管理员角色，匹配的是ROLE_ADMIN,会加前缀ROLE
  .antMatchers("/me")				//匹配请求
  .hasRole("ANONYMOUS")			//匿名角色可访问【访问此请求如果未登陆会创建一个匿名授权】
  //.antMatchers("/me").anonymous()  也可使用这种方式，与上等价
  .anyRequest()                   //认证的请求
  .authenticated()                //需要身份认证

如果访问的URL不是指定的允许所有可访问，也不是指定角色为匿名用户可访问，那么访问时会抛出Access is denied (user is anonymous)的异常

复杂角色【一般用于后台管理】

Security权限表达式

表达式	说明
permitAll	永远返回true
denyAll	永远返回false
anonymous	当前用户是anonymous时返回true
authenticated	当前用户不是anonymous时返回true
rememberMe	当前用户是rememberMe时返回true
fullAuthenticated	当前用户即不是rememberMe也不是anonymous时返回true
hasRole(role)	当前用户拥有指定角色时返回true
hasAnyRole(role1,role2)	当前用户拥有任意指定角色时返回true
hasAuthority(authority)	当前用户拥有指定权限时返回true
hasAnyAuthority(authority1,authority2)	当前用户拥有任意指定权限时返回true
hasIpAddress(Ip)	请求匹配IP时返回true

使用方法

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
//方法一：使用代码的方式指定条件，但是不能指定连续条件
expressionInterceptUrlRegistry.antMatchers("/user/add").hasRole("USER_MANAGER");

//方法二：使用表达式，可以指定连续条件
expressionInterceptUrlRegistry.antMatchers("/user/add")
  .access("hasRole('USER_MANAGER') and hasIpAddress('192.168.1.100')");

//方法三：使用@PreAuthorize(express)注解
@GetMapping("/user/add")
@PreAuthorize("hasRole('ADMIN')")
public String userAdd() {
  // doSomething
}

Spring Security使用指南

一、基于游览器的安全

表单登陆

图片验证码

记住我

手机验证码

第三方登陆【以QQ为例】

Session管理

退出登陆

二、基于App的安全

表单登陆

图片验证码

手机验证码

第三方登陆

三、权限设置

概览

简单的只区分是否登陆

区分简单、有限角色【硬编码】

复杂角色【一般用于后台管理】

四、代码