devbox
喵喵爱编程
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

【Spring Security】实现多种认证方式_springsecurity多种认证详解

作者:喵喵爱编程 | 2024-06-21 04:00:04

springsecurity多种认证详解

一、引言

实际系统通常需要实现多种认证方式,比如用户名密码、手机验证码、邮箱等等。Spring Security可以通过自定义认证器AuthenticationProvider 来实现不同的认证方式。接下来介绍一下SpringSecurity具体如何来实现多种认证方式。

二、具体步骤

这里我们以用户名密码、手机验证码两种方式来进行演示,其他一些登录方式类似。

2.1 自定义认证器AuthenticationProvider

首先针对每一种登录方式,我们可以定义其对应的认证器AuthenticationProvider,以及对应的认证信息Authentication实际场景中这两个一般是配套使用。认证器AuthenticationProvider有一个认证方法authenticate(),我们需要实现该认证方法,认证成功之后返回认证信息Authentication。

2.1.1 手机验证码

针对手机验证码方式,我们可以定义以下两个类
MobilecodeAuthenticationProvider.class

  1. import com.kamier.security.web.service.MyUser;
  2. import org.springframework.security.authentication.AuthenticationProvider;
  3. import org.springframework.security.authentication.BadCredentialsException;
  4. import org.springframework.security.core.Authentication;
  5. import org.springframework.security.core.AuthenticationException;
  6. import org.springframework.security.core.userdetails.UserDetailsService;
  7. import org.springframework.security.core.userdetails.UsernameNotFoundException;
  8.  
  9. import java.util.HashMap;
  10. import java.util.Map;
  11.  
  12. public class MobilecodeAuthenticationProvider implements AuthenticationProvider {
  13.  
  14.     private UserDetailsService userDetailsService;
  15.  
  16.     @Override
  17.     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
  18.  
  19.         MobilecodeAuthenticationToken mobilecodeAuthenticationToken = (MobilecodeAuthenticationToken) authentication;
  20.         String phone = mobilecodeAuthenticationToken.getPhone();
  21.         String mobileCode = mobilecodeAuthenticationToken.getMobileCode();
  22.         System.out.println("登陆手机号:" + phone);
  23.         System.out.println("手机验证码:" + mobileCode);
  24.  
  25.         // 模拟从redis中读取手机号对应的验证码及其用户名
  26.         Map dataFromRedis = new HashMap();
  27.         dataFromRedis.put("code", "6789");
  28.         dataFromRedis.put("username", "admin");
  29.  
  30.         // 判断验证码是否一致
  31.         if (!mobileCode.equals(dataFromRedis.get("code"))) {
  32.             throw new BadCredentialsException("验证码错误");
  33.         }
  34.  
  35.         // 如果验证码一致,从数据库中读取该手机号对应的用户信息
  36.         MyUser loadedUser = (MyUser) userDetailsService.loadUserByUsername(dataFromRedis.get("username"));
  37.         if (loadedUser == null) {
  38.             throw new UsernameNotFoundException("用户不存在");
  39.         } else {
  40.             MobilecodeAuthenticationToken result = new MobilecodeAuthenticationToken(loadedUser, null, loadedUser.getAuthorities());
  41.             return result;
  42.         }
  43.     }
  44.  
  45.     @Override
  46.     public boolean supports(Class> aClass) {
  47.         return MobilecodeAuthenticationToken.class.isAssignableFrom(aClass);
  48.     }
  49.  
  50.     public void setUserDetailsService(UserDetailsService userDetailsService) {
  51.         this.userDetailsService = userDetailsService;
  52.     }
  53. }

注意这里的supports方法,是实现多种认证方式的关键,认证管理器AuthenticationManager会通过这个supports方法来判定当前需要使用哪一种认证方式

MobilecodeAuthenticationToken.class

  1. import org.springframework.security.authentication.AbstractAuthenticationToken;
  2. import org.springframework.security.core.GrantedAuthority;
  3. import java.util.Collection;
  4.  
  5. /**
  6.  * 手机验证码认证信息,在UsernamePasswordAuthenticationToken的基础上添加属性 手机号、验证码
  7.  */
  8. public class MobilecodeAuthenticationToken extends AbstractAuthenticationToken {
  9.     private static final long serialVersionUID = 530L;
  10.     private Object principal;
  11.     private Object credentials;
  12.     private String phone;
  13.     private String mobileCode;
  14.  
  15.  
  16.     public MobilecodeAuthenticationToken(String phone, String mobileCode) {
  17.         super(null);
  18.         this.phone = phone;
  19.         this.mobileCode = mobileCode;
  20.         this.setAuthenticated(false);
  21.     }
  22.  
  23.     public MobilecodeAuthenticationToken(Object principal, Object credentials, Collection extends GrantedAuthority> authorities) {
  24.         super(authorities);
  25.         this.principal = principal;
  26.         this.credentials = credentials;
  27.         super.setAuthenticated(true);
  28.     }
  29.  
  30.     public Object getCredentials() {
  31.         return this.credentials;
  32.     }
  33.  
  34.     public Object getPrincipal() {
  35.         return this.principal;
  36.     }
  37.  
  38.     public String getPhone() {
  39.         return phone;
  40.     }
  41.  
  42.     public String getMobileCode() {
  43.         return mobileCode;
  44.     }
  45.  
  46.     public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
  47.         if (isAuthenticated) {
  48.             throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
  49.         } else {
  50.             super.setAuthenticated(false);
  51.         }
  52.     }
  53.  
  54.     public void eraseCredentials() {
  55.         super.eraseCredentials();
  56.         this.credentials = null;
  57.     }
  58. }
2.1.2 用户名密码

针对用户名密码方式,我们可以直接使用自带的DaoAuthenticationProvider以及对应的UsernamePasswordAuthenticationToken。

2.2 实现UserDetailService

UserDetailService服务用以返回当前登录用户的用户信息,可以每一种认证方式实现对应的UserDetailService,也可以使用同一个。这里我们使用同一个UserDetailService服务,代码如下:

MyUserDetailsService.class

  1. import com.google.common.collect.Lists;
  2. import org.springframework.security.core.AuthenticationException;
  3. import org.springframework.security.core.userdetails.UserDetails;
  4. import org.springframework.security.core.userdetails.UserDetailsService;
  5. import org.springframework.security.core.userdetails.UsernameNotFoundException;
  6. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  7. import org.springframework.stereotype.Service;
  8.  
  9. @Service
  10. public class MyUserDetailsService implements UserDetailsService {
  11.     @Override
  12.     public UserDetails loadUserByUsername(String username) throws AuthenticationException {
  13.         MyUser myUser;
  14.         // 这里模拟从数据库中获取用户信息
  15.         if (username.equals("admin")) {
  16.             myUser = new MyUser("admin", new BCryptPasswordEncoder().encode("123456"), Lists.newArrayList("p1", "p2"));
  17.             myUser.setAge(25);
  18.             myUser.setSex(1);
  19.             myUser.setAddress("xxxx小区");
  20.             return myUser;
  21.         } else {
  22.             throw new UsernameNotFoundException("用户不存在");
  23.         }
  24.     }
  25. }

MyUser.class

  1. import com.google.common.collect.Lists;
  2. import org.springframework.security.core.GrantedAuthority;
  3. import org.springframework.security.core.userdetails.User;
  4. import java.util.List;
  5. import java.util.Optional;
  6. import java.util.stream.Collectors;
  7.  
  8. public class MyUser extends User {
  9.  
  10.     private int sex;
  11.     private int age;
  12.     private String address;
  13.     public MyUser(String username, String password, List authorities) {
  14.         super(username, password, Optional.ofNullable(authorities).orElse(Lists.newArrayList()).stream()
  15.                 .map(str -> (GrantedAuthority) () -> str)
  16.                 .collect(Collectors.toList()));
  17.     }
  18.  
  19.     public int getSex() {
  20.         return sex;
  21.     }
  22.  
  23.     public void setSex(int sex) {
  24.         this.sex = sex;
  25.     }
  26.  
  27.     public int getAge() {
  28.         return age;
  29.     }
  30.  
  31.     public void setAge(int age) {
  32.         this.age = age;
  33.     }
  34.  
  35.     public String getAddress() {
  36.         return address;
  37.     }
  38.  
  39.     public void setAddress(String address) {
  40.         this.address = address;
  41.     }
  42. }

2.3 统一处理认证异常

定义一个认证异常处理器,统一处理认证异常AuthenticationException,如下

  1. @Component
  2. public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
  3.     @Override
  4.     public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
  5.         R result = R.error("用户未登录或已过期");
  6.         response.setContentType("text/json;charset=utf-8");
  7.         response.getWriter().write(new Gson().toJson(result));
  8.     }
  9. }

2.4 配置器WebSecurityConfigurer

在配置器中我们去实例化一个认证管理器AuthenticationManager,这个认证管理器中包含了两个认证器,分别是MobilecodeAuthenticationProvider(手机验证码)、DaoAuthenticationProvider(用户名密码)。

重写config方法进行security的配置:

  1. 登录相关接口的放行,其他接口需要认证
  2. 配置认证异常处理器

MySecurityConfigurer.class

  1. @Configuration
  2. public class MySecurityConfigurer extends WebSecurityConfigurerAdapter {
  3.  
  4.     @Autowired
  5.     private MyAuthenticationEntryPoint myAuthenticationEntryPoint;
  6.  
  7.     @Autowired
  8.     private UserDetailsService myUserDetailsService;
  9.  
  10.     @Autowired
  11.     private TokenAuthenticationFilter tokenAuthenticationFilter;
  12.  
  13.     @Bean
  14.     public PasswordEncoder passwordEncoder() {
  15.         return new BCryptPasswordEncoder();
  16.     }
  17.  
  18.     @Bean
  19.     public MobilecodeAuthenticationProvider mobilecodeAuthenticationProvider() {
  20.         MobilecodeAuthenticationProvider mobilecodeAuthenticationProvider = new MobilecodeAuthenticationProvider();
  21.         mobilecodeAuthenticationProvider.setUserDetailsService(myUserDetailsService);
  22.         return mobilecodeAuthenticationProvider;
  23.     }
  24.  
  25.     @Bean
  26.     public DaoAuthenticationProvider daoAuthenticationProvider() {
  27.         DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
  28.         daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
  29.         daoAuthenticationProvider.setUserDetailsService(myUserDetailsService);
  30.         return daoAuthenticationProvider;
  31.     }
  32.  
  33.     /**
  34.      * 定义认证管理器AuthenticationManager
  35.      * @return
  36.      */
  37.     @Bean
  38.     public AuthenticationManager authenticationManager() {
  39.         List authenticationProviders = new ArrayList();
  40.         authenticationProviders.add(mobilecodeAuthenticationProvider());
  41.         authenticationProviders.add(daoAuthenticationProvider());
  42.         ProviderManager authenticationManager = new ProviderManager(authenticationProviders);
  43. //        authenticationManager.setEraseCredentialsAfterAuthentication(false);
  44.         return authenticationManager;
  45.  
  46.     }
  47.  
  48.     @Override
  49.     public void configure(HttpSecurity http) throws Exception {
  50.         http
  51.                 // 关闭csrf
  52.                 .csrf().disable()
  53.                 // 处理认证异常
  54.                 .exceptionHandling().authenticationEntryPoint(myAuthenticationEntryPoint)
  55.                 .and()
  56.                 // 权限配置,登录相关的请求放行,其余需要认证
  57.                 .authorizeRequests()
  58.                 .antMatchers("/login/*").permitAll()
  59.                 .anyRequest().authenticated()
  60.                 .and()
  61.                 // 添加token认证过滤器
  62.                 .addFilterAfter(tokenAuthenticationFilter, LogoutFilter.class)
  63.                 // 不使用session会话管理
  64.                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
  65.     }
  66. }

到这里实现多种认证方式基本就结束了。

但在实际项目中,认证成功后通常会返回一个token令牌(如jwt等),后续我们将token放到请求头中进行请求,后端校验该token,校验成功后再访问相应的接口,所以这里在上面的配置中加了一个token认证过滤器TokenAuthenticationFilter

TokenAuthenticationFilter的代码如下:

  1. @Component
  2. @WebFilter
  3. public class TokenAuthenticationFilter extends OncePerRequestFilter {
  4.  
  5.     @Override
  6.     protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
  7.         String token = httpServletRequest.getHeader("token");
  8.  
  9.         // 如果没有token,跳过该过滤器
  10.         if (!StringUtils.isEmpty(token)) {
  11.             // 模拟redis中的数据
  12.             Map map = new HashMap();
  13.             map.put("test_token1", new MyUser("admin", new BCryptPasswordEncoder().encode("123456"), Lists.newArrayList("p1", "p2")));
  14.             map.put("test_token2", new MyUser("root", new BCryptPasswordEncoder().encode("123456"), Lists.newArrayList("p1")));
  15.  
  16.             // 这里模拟从redis获取token对应的用户信息
  17.             MyUser myUser = map.get(token);
  18.             if (myUser != null) {
  19.                 UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(myUser, null, myUser.getAuthorities());
  20.                 SecurityContextHolder.getContext().setAuthentication(authRequest);
  21.             } else {
  22.                 throw new PreAuthenticatedCredentialsNotFoundException("token不存在");
  23.             }
  24.         }
  25.  
  26.         filterChain.doFilter(httpServletRequest, httpServletResponse);
  27.     }
  28. }

三、测试验证

编写一个简单的Controller来验证多种登录方式,代码如下:

  1. @RestController
  2. @RequestMapping("/login")
  3. public class LoginController {
  4.  
  5.     @Autowired
  6.     private AuthenticationManager authenticationManager;
  7.  
  8.     /**
  9.      * 用户名密码登录
  10.      * @param username
  11.      * @param password
  12.      * @return
  13.      */
  14.     @GetMapping("/usernamePwd")
  15.     public R usernamePwd(String username, String password) {
  16.         UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);
  17.         Authentication authenticate = null;
  18.         try {
  19.             authenticate = authenticationManager.authenticate(usernamePasswordAuthenticationToken);
  20.         } catch (Exception e) {
  21.             e.printStackTrace();
  22.             return R.error("登陆失败");
  23.         }
  24.  
  25.         String token = UUID.randomUUID().toString().replace("-", "");
  26.         return R.ok(token, "登陆成功");
  27.     }
  28.  
  29.     /**
  30.      * 手机验证码登录
  31.      * @param phone
  32.      * @param mobileCode
  33.      * @return
  34.      */
  35.     @GetMapping("/mobileCode")
  36.     public R mobileCode(String phone, String mobileCode) {
  37.         MobilecodeAuthenticationToken mobilecodeAuthenticationToken = new MobilecodeAuthenticationToken(phone, mobileCode);
  38.         Authentication authenticate = null;
  39.         try {
  40.             authenticate = authenticationManager.authenticate(mobilecodeAuthenticationToken);
  41.         } catch (Exception e) {
  42.             e.printStackTrace();
  43.             return R.error("验证码错误");
  44.         }
  45.  
  46.         String token = UUID.randomUUID().toString().replace("-", "");
  47.         return R.ok(token, "登陆成功");
  48.     }
  49. }
  • 用户名密码
    访问/login/usernamePwd接口进行登录,账号密码为admin/123456,可以看到访问成功,如下图

  • 手机验证码
    访问/login/mobileCode接口进行登录,如下图

  • 带token访问
    在请求头带上token访问接口,如下图

  • 不带token访问

到这里Spring Security实现多种认证方式就结束了,如有错误,感谢指正。

声明:本文内容由网友自发贡献,转载请注明出处:【wpsshop】
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号