SpringSecurity实战笔记之Security
=================================Spring Security========================================
一、默认配置
1、默认会对所有请求都需要进行认证与授权;
2、默认使用httpBasic方式进行登录
3、默认的用户名为user,密码在启动应用时在console中有打印
4、自定义配置:
package com.imooc.security.browser; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; /** * WebSecurity 配置类 */ @Configuration public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.httpBasic() //httpBasic登录 // http.formLogin() //表单登录 .and() .authorizeRequests() .anyRequest() .authenticated(); } }
二、基本原理
1、Spring Security 是一组过滤器链,包含以下过滤器
UsernamePasswordAuthenticationFilter
httpBasicAuthenticationFilter
(这两个过滤器两选一,默认是选择httpBasic)
RememberMeAuthenticationFilter
.
.
.
ExceptionTranslationFilter //对下面的拦截抛出的异常,进行对应的处理返回
FilterSecurityInterceptor //最后一道拦截,用户可自定义配置,可以很复杂
2、流程(以Username Password Authentication Filter为例)
-请求首先经过UsernamePasswordAuthenticationFilter,如果请求中有用户名及密码,UsernamePasswordAuthenticationFilter就会处理,没有的话就会放行;
-请求到达了FilterSecurityInterceptor,由于用户未进行认证,被拦截下来并抛出未认证异常;
-异常到达了ExceptionTranslationFilter,ExceptionTranslationFilter根据异常为认证并向前找到认证方式为表单认证,则返回了表单登录页面;
-用户进行表单登录,UsernamePasswordAuthenticationFilter再次判断请求中有用户名及密码,此时有,则处理了,将认证通过信息保存下来;
-请求到达了FilterSecurityInterceptor,发现用户已认证,则放行,请求到达了controller方法中;
三、自定义用户认证逻辑
1、如何处理用户信息获取逻辑
//用户信息通过UserDetailsService接口类获取
package com.imooc.security.browser; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Component; @Component public class MyUserDetailService implements UserDetailsService{ private Logger logger = LoggerFactory.getLogger(MyUserDetailService.class); @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { logger.info("用户名:"+username); return new User(username,"123456", AuthorityUtils.commaSeparatedStringToAuthorityList("admin")); } }
2、处理用户校验逻辑
2.1、密码是否匹配,只需告诉Spring Security从数据为中读出来的密码是多少就ok了
2.2、用户状态是否正常,是否被冻结了等(UserDetails的实现中)
private final boolean accountNonExpired; //没有过期
private final boolean accountNonLocked; //没有冻结
private final boolean credentialsNonExpired; //密码没有过期
private final boolean enabled; //用户账号是否可用
3、处理密码加密解密
3.1、使用的接口PasswordEncoder(package org.springframework.security.crypto.password;)
3.2、要配置了才会生效
@Bean public PasswordEncoder passwordEncoder(){ return new BCryptPasswordEncoder();//这个类实现了PasswordEncoder接口 }
3.3、添加用户时
用户密码要经过passwordEncode(用户密码);处理后才存入数据库
3.4、用户登录时
直接使用数据库中的密码存入User构造函数中
四、个性化用户认证逻辑
1、自定义登录页面
1.1、需求:如果用户没有登录,请求html页面时,跳转到html登录页面,页面用户可以在配置文件中自定义,登录成功后跳转到原来请求的页面;
请求接口时,返回401状态及提示信息,让前端跳转到其应用的登录页面中,登录成功后,跳转到原来的请求
1.2、默认标准登录页面:在browser模块resources下的resources目录下创建imooc-loginIn.html
1.3、安全配置(先将csrf关闭)
@Override protected void configure(HttpSecurity http) throws Exception { // http.httpBasic() http.formLogin() .loginPage("/authentication/require") // 登录controller .loginProcessingUrl("/authentication/form") //登录action_url,默认是/login .and() .authorizeRequests() .antMatchers("/authentication/require","/imooc-loginIn.html").permitAll() .anyRequest() .authenticated() .and() .csrf().disable(); }
1.4、在browser模块:自定义Controller,在方法内判断是返回登录页面,还是返回401状态码和错误信息
package com.imooc.security.browser; import com.imooc.security.browser.support.SimpleResponse; import org.apache.commons.lang.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.http.HttpStatus; import org.springframework.security.web.DefaultRedirectStrategy; import org.springframework.security.web.RedirectStrategy; import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.savedrequest.RequestCache; import org.springframework.security.web.savedrequest.SavedRequest; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseStatus; import org.springframework.web.bind.annotation.RestController; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; @RestController public class BrowserSecurityController { private Logger logger = LoggerFactory.getLogger(BrowserSecurityController.class); //Spring Security将当前的请求缓存到HttpSessionRequestCache中 private RequestCache requestCache = new HttpSessionRequestCache(); //Spring 跳转工具类 private RedirectStrategy redirectStrategy =new DefaultRedirectStrategy(); /** * 当需要身份认证时,跳转到这里 * @param request * @param response * @return */ @RequestMapping("/authentication/require") @ResponseStatus(code= HttpStatus.UNAUTHORIZED) //指定返回状态码为401 public SimpleResponse requireAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException { //获取引用跳转的请求 SavedRequest savedRequest = requestCache.getRequest(request,response); if(savedRequest!=null){ String targetUrl = savedRequest.getRedirectUrl(); logger.info("引发跳转的请求是:{}",targetUrl); if(StringUtils.endsWithIgnoreCase(targetUrl,".html")){ redirectStrategy.sendRedirect(request,response,"/imooc-loginIn.html"); } } return new SimpleResponse("访问的服务需要身份认证,请引导用户到登录页面"); } }
1.5、用户可以在配置文件中自定义登录页面,以上的"/imooc-loginIn.html"是从配置文件中读取,以下类写在core模块中
需求:读取imooc.security.browser.loginPage=/demo-signIn.html的值
1.5.1、读取配置文件类SecurityProperties
package com.imooc.security.core.properties; import org.springframework.boot.context.properties.ConfigurationProperties; @ConfigurationProperties(prefix = "imooc.security") public class SecurityProperties { private BrowserProperties browser = new BrowserProperties(); public BrowserProperties getBrowser() { return browser; } public void setBrowser(BrowserProperties browser) { this.browser = browser; } }
1.5.2、Browser对象类,有loginPage属性
package com.imooc.security.core.properties; public class BrowserProperties { private String loginPage = "/imooc-loginIn.html"; public String getLoginPage() { return loginPage; } public void setLoginPage(String loginPage) { this.loginPage = loginPage; } }
1.5.3、将读取配置文件类SecurityProperties注册到容器中
package com.imooc.security.core; import com.imooc.security.core.properties.SecurityProperties; import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.context.annotation.Configuration; @Configuration @EnableConfigurationProperties(SecurityProperties.class) public class SecurityCoreConfig { }
1.5.4、这样SecurityProperties就可以被其它类通过@Autowired注入使用
String loginPage =securityProperties.getBrowser().getLoginPage();
2、自定义登录成功处理(默认是跳转到引发登录的页面或接口)
2.1、继承SavedRequestAwareAuthenticationSuccessHandler类(Spring Security 默认的Success 处理器),同时支持用户自定义是跳转还是返回json(imooc.security.browser.loginType=REDIRECT)
@Component("imoocAuthenticationSuccessHandler")
public class ImoocAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
private Logger logger = LoggerFactory.getLogger(getClass());
@Autowired
private ObjectMapper objectMapper;
@Autowired
private SecurityProperties securityProperties;
/**
* 登录成功后会被调用
* @param request
* @param response
* @param authentication //保存着所有的认证信息
* @throws IOException
* @throws ServletException
*/
@Override
public void onAuthenticationSuccess(HttpServletRequest request,HttpServletResponse response,Authentication authentication) throws IOException, ServletException {
logger.info("登录成功");
if(LoginType.JSON.equals(securityProperties.getBrowser().getLoginType())){
response.setContentType("application/json;charset=UTF-8");
response.getWriter().write(objectMapper.writeValueAsString(authentication));
}else {
//如果不是Json就调父类的方法,父类的方法就是跳转
super.onAuthenticationSuccess(request,response,authentication);
}
}
}
2.2、修改安全配置
.successHandler(imoocAuthenticationSuccessHandler)
3、自定义登录失败的处理(默认是跳转到登录登录页面)
3.1、继承SimpleUrlAuthenticationFailureHandler类(Spring Security 默认的Failure处理器),同时支持用户自定义是跳转还是返回json(imooc.security.browser.loginType=REDIRECT)
@Component("imoocAuthenticationFailureHandler")
public class ImoocAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
private Logger logger = LoggerFactory.getLogger(getClass());
@Autowired
private ObjectMapper objectMapper;
@Autowired
private SecurityProperties securityProperties;
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
logger.info("登录失败");
if(LoginType.JSON.equals(securityProperties.getBrowser().getLoginType())){
response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
response.setContentType("application/json;charset=UTF-8");
response.getWriter().write(objectMapper.writeValueAsString(e));
}else{
super.onAuthenticationFailure(request,response,e);
}
}
}
3.2、修改安全配置
.failureHandler(imoocAuthenticationFailureHandler)
五、认证流程源码及详解
1、认证处理流程说明
-从UsernamePasswordAuthenticationFilter到AuthenticationManager(不做任务实现);
-AuthenticationManager调用AuthenticationProvider(重头戏),里面用到UsserDetailsService,UserDetails;
-如果存在失败就调用上节课所讲登录失败的方法;
-如果没有异常,就再回到UsernamePasswordAuthenticationFilter,进行密码是否过期判断,通过后将认证标识为true,并将信息保存在Authentication对象中。
2、认证结果如何在多个请求之间共享(session)
2.1、关键类:SecurityContext(包装了Authentication,重写了equals,hasCode方法)、SecurityContextHolder(线程级的变量)、SecurityContextPersistenceFilter
2.2、在调成功处理器之前,AbstractPreAuthenticationProcessingFilter中有SecurityContextHolder.getContext().setAuthentication(authResult);//放入SecurityContext中,其它线程也是可以读取得到的
2.3、SecurityContextPersistenceFilter过滤器位于最前,请求进来时,判断session中SecurityContext是否存在,有就取出来放入线程中,向后传递。没有,直接往下走。请求离开进,判断线程中SecurityContext是否存在,有就将其放入session中。
3、获取认证用户信息
@GetMapping("/me")
public Object getCurrentUser(){
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
return authentication;
}
//或
@GetMapping("/me")
public Object getCurrentUser(Authentication authentication){
return authentication;
}
/**
* 只取用户detail信息
* @param user
* @return
*/
@GetMapping("/me")
public Object getCurrentUser(@AuthenticationPrincipal UserDetails user){
return user;
}
六、图片验证码功能(core模块)
1、生成图片验证码
1.1、根据随机数生成图片
1.2、将随机数存Session中
1.3、将生成的图片写到接口的响应中
1.4、页面代码
<td>图形验证码:</td> <td> <input type="text" name="imageCode"> <img src="/code/image" alt="验证码" onclick="this.setAttribute('src','/code/image')"> </td>
1.5、后台代码
package com.imooc.security.core.validate.code; import org.springframework.social.connect.web.HttpSessionSessionStrategy; import org.springframework.social.connect.web.SessionStrategy; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.ResponseStatus; import org.springframework.web.bind.annotation.RestController; import org.springframework.web.context.request.ServletWebRequest; import javax.imageio.ImageIO; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.awt.*; import java.awt.image.BufferedImage; import java.io.IOException; import java.util.Random; @RestController public class ValidateCodeController { private static final String SESSION_KEY = "SESSION_KEY_IMAGE_CODE"; private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy(); @GetMapping("/code/image") public void createCode(HttpServletRequest request, HttpServletResponse response) throws IOException { //1、根据随机数生成图片 ImageCode imageCode = generate(request); //2、将随机数存Session中 sessionStrategy.setAttribute(new ServletWebRequest(request),SESSION_KEY,imageCode); //3、将生成的图片写到接口的响应中 ImageIO.write(imageCode.getImage(), "JPEG", response.getOutputStream()); } /** * 根据随机数生成图片 * @param request * @return */ private ImageCode generate(HttpServletRequest request) { int width = 67; int height = 23; BufferedImage image = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB); Graphics g = image.getGraphics(); Random random = new Random(); g.setColor(getRandColor(200, 250)); g.fillRect(0, 0, width, height); g.setFont(new Font("Times New Roman", Font.ITALIC, 20)); g.setColor(getRandColor(160, 200)); for (int i = 0; i < 155; i++) { int x = random.nextInt(width); int y = random.nextInt(height); int xl = random.nextInt(12); int yl = random.nextInt(12); g.drawLine(x, y, x + xl, y + yl); } String sRand = ""; for (int i = 0; i < 4; i++) { String rand = String.valueOf(random.nextInt(10)); sRand += rand; g.setColor(new Color(20 + random.nextInt(110), 20 + random.nextInt(110), 20 + random.nextInt(110))); g.drawString(rand, 13 * i + 6, 16); } g.dispose(); return new ImageCode(image, sRand, 60); } /** * 生成随机背景条纹 * * @param fc * @param bc * @return */ private Color getRandColor(int fc, int bc) { Random random = new Random(); if (fc > 255) { fc = 255; } if (bc > 255) { bc = 255; } int r = fc + random.nextInt(bc - fc); int g = fc + random.nextInt(bc - fc); int b = fc + random.nextInt(bc - fc); return new Color(r, g, b); } }
2、图形验证码校验
2.1、验证码校验过滤器
/** * 自定义验证码过滤器,要将其配置到安全配置中 */ public class ValidateCodeFilter extends OncePerRequestFilter { private AuthenticationFailureHandler authenticationFailureHandler; private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy(); @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { if(StringUtils.equals("/authentication/form",request.getRequestURI()) && StringUtils.equalsIgnoreCase(request.getMethod(),"post")){ try{ validate(new ServletWebRequest(request)); }catch (ValidateCodeException e){ authenticationFailureHandler.onAuthenticationFailure(request,response,e); return; } } filterChain.doFilter(request,response); } private void validate(ServletWebRequest servletWebRequest) throws ServletRequestBindingException { ImageCode codeInSession = (ImageCode) sessionStrategy.getAttribute(servletWebRequest, ValidateCodeController.SESSION_KEY); String codeInRequest = ServletRequestUtils.getStringParameter(servletWebRequest.getRequest(),"imageCode"); if(StringUtils.isBlank(codeInRequest)){ throw new ValidateCodeException("验证码的值不能为空"); } if(codeInSession==null){ throw new ValidateCodeException("验证码不存在"); } if(codeInSession.isExpired()){ sessionStrategy.removeAttribute(servletWebRequest,ValidateCodeController.SESSION_KEY); throw new ValidateCodeException("验证码已过期"); } if(!StringUtils.equals(codeInRequest,codeInSession.getCode())){ throw new ValidateCodeException("验证码不匹配"); } sessionStrategy.removeAttribute(servletWebRequest,ValidateCodeController.SESSION_KEY); } public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) { this.authenticationFailureHandler = authenticationFailureHandler; } }
2.2、拦截器注册
@Override protected void configure(HttpSecurity http) throws Exception { //登录验证码过滤器,添加到UsernamePasswordAuthenticationFilter之前 ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter(); validateCodeFilter.setAuthenticationFailureHandler(imoocAuthenticationFailureHandler); //http.httpBasic() http.addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class) .formLogin() .loginPage("/authentication/require") // 登录controller .loginProcessingUrl("/authentication/form") //登录action_url,默认是/login .successHandler(imoocAuthenticationSuccessHandler) .failureHandler(imoocAuthenticationFailureHandler) .and() .authorizeRequests() .antMatchers("/authentication/require",securityProperties.getBrowser().getLoginPage(),"/code/image").permitAll() .anyRequest() .authenticated() .and() .csrf().disable(); }
3、重构代码
3.1、验证码基本参数可配置
需求:请求配置(配置值在调用接口时传递)优先于应用级配置(配置值写在imooc-security-demok )优先于默认配置(配置值写在imooc-security-core中)
-(默认配置)将验证码基本参数:长度,高度,位数,有效时间配置在(core模块)ImageCodeProperties类中,将该类作为ValidateCodeProperties属性,ValidateCodeProperties又作为SecurityProperties属性;
-(应用级配置)在应用的Application.properties文件中配置验证码基本参数,如果不配置就读取默认配置
imooc.security.code.image.width=100
imooc.security.code.image.height=20
imooc.security.code.image.length=6
imooc.security.code.image.expireIn=60
-(请求配置)假设允许前端指定验证码图片的长度width,controller接口为/code/image?width=200
controller方法中width的读取方式为(request为ServletWebRequest):
int width = ServletRequestUtils.getIntParameter(request.getRequest(),"width",securityProperties.getCode().getImage().getWidth());
3.2、验证码拦截的接口可配置
-同理在ImageCodeProperties添加urls属性,但不用配置默认值(因为登录的路径会写死在代码中),用于承载应用的Application.properties的配置
imooc.security.code.image.urls=/user/*
-在拦截器中(ValidateCodeFilter)读取配置文件的urls,然后与当前请求进行匹配,如果匹配成功就进行验证码校验,对应代码片段
@Override public void afterPropertiesSet() throws ServletException { super.afterPropertiesSet(); String[] configUrls = StringUtils.splitByWholeSeparatorPreserveAllTokens(securityProperties.getCode().getImage().getUrls(), ","); for(String configUrl : configUrls){ urls.add(configUrl); } urls.add("/authentication/form"); } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { String requestURI = request.getRequestURI(); boolean action = false; for(String url:urls){ if(antPathMatcher.match(url,requestURI)){ action=true; } } if(action){ try{ validate(new ServletWebRequest(request)); }catch (ValidateCodeException e){ authenticationFailureHandler.onAuthenticationFailure(request,response,e); return; } } filterChain.doFilter(request,response); }
3.3、验证码的生成逻辑可配置
-将ValidateCodeController类中ImageCode imageCode = generate(request);(//1、根据随机数生成图片) 的方法抽取出来,放在ValidateCodeGenerator接口中,由ImageCodeGenerator类去实现,然后注入
@Autowired
private ValidateCodeGenerator imageCodeGenerator;
再调用
ImageCode imageCode =imageCodeGenerator.generate(new ServletWebRequest(request));
-bean配置:
@Configuration
public class ValidateCodeBeanConfig {
@Autowired
private SecurityProperties securityProperties;
@Bean
@ConditionalOnMissingBean(name = "imageCodeGenerator") //这个注解的作用是如果不存在imageCodeGenerator这个Bean时,才使用以下配置(写框架必备知识)
public ValidateCodeGenerator imageCodeGenerator(){
ImageCodeGenerator codeGenerator = new ImageCodeGenerator();
codeGenerator.setSecurityProperties(securityProperties);
return codeGenerator;
}
}
七、实现"记住我"(browser模块)
1、记住我功能基本原理
认证成功后,RemeberMeService通过TokenRepository将Token写入数据库,同时也将token写入浏览器Cookie
当用户再次访问时,会经过RememberMeAuthenticationFilter,读取Cookie中的Token,RemeberMeService通过TokenRepository查找数据库中的token,如果有记录,就将记录中的username取出来,再去调UserDetailsService获取用户信息,再将用户信息SecurityContext中
2、记住我功能具体实现
2.1、页面代码
<tr>
<td colspan="2"><input type="checkbox" name="remember-me">记住我</td>
</tr>
2.2、配置
/**
* 记住我Repository
* @return
*/
@Bean
public PersistentTokenRepository persistentTokenRepository(){
JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
tokenRepository.setDataSource(dataSource);
//tokenRepository.setCreateTableOnStartup(true);//启动时,自动创建一张表
return tokenRepository;
}
在安全配置中添加
.rememberMe()
.tokenRepository(persistentTokenRepository()) //记住我Repository
.tokenValiditySeconds(securityProperties.getBrowser().getRememberMeSeconds()) //失效时间
.userDetailsService(userDetailsService) //取到用户信息后,使用的userDetailsService获取用户信息
八、实现短信验证码登录(core)
1、短信验证码的发送
-创建短信验证码对象ValidateCode,具有code及expireTime两个属性,由于图片验证码也具有这两个属性,所以将原有的图片验证码对象继承ValidateCode
-创建短信验证码基本参数配置对象SmsCodeProperties,具有length,expireIn,url属性,由于图片验证码ImageCodeProperties也具有这些属性,所以将ImageCodeProperties继承SmsCodeProperties
-创建短信验证码的生成器SmsCodeGenerator
-发送方法,要作用接口的方式,方便接入不同的短信供应商
-最后,重构校验码发送代码,由于校验码发送的流程都是相同的(生成,保存,发送),所以使用模板模式,将这三个方法合并为VlidateCodeProcessors接口的一个方法,然后这个方法有一个抽象实现类AbstractValidateCodeProcessor,实现了VlidateCodeProcessors的方法,有生成,保存,发送三个方法,由于发送方法不能统一,故有ImageCodeProcessor,SmsCodeSender分别继承AbstractValidateCodeProcessor,分别实现发送方法。
对于controller中调用那个CodeProcessor,以及生成器中调用哪个CodeGenerator,使用了
/**
* 收集系统中所有的{@link ValidateCodeProcessor}接口的实现
*/
@Autowired
private Map<String,ValidateCodeProcessor> validateCodeProcessors;
/**
* 收集系统中所有的{@link ValidateCodeGenerator}接口的实现
*/
@Autowired
private Map<String,ValidateCodeGenerator> validateCodeGenerators;
再根据url中的关键字获取对应的实现类
validateCodeProcessors.get(type+"CodeProcessor").create(new ServletWebRequest(request,response));
ValidateCodeGenerator validateCodeGenerator = validateCodeGenerators.get(type + "CodeGenerator");
2、验证码登录
-SmsCodeAuthenticationToken:参照UsernamePasswordAuthenticationToken创建
-SmsCodeAuthenticationFilter:参照UsernamePasswordAuthenticationFilter创建
-SmsCodeAuthenticationProvider
public class SmsCodeAuthenticationProvider implements AuthenticationProvider{
private UserDetailsService userDetailsService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
SmsCodeAuthenticationToken authenticationToken = (SmsCodeAuthenticationToken)authentication;
UserDetails user = userDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal());
if(user==null){
throw new InternalAuthenticationServiceException("无法获取用户信息");
}
SmsCodeAuthenticationToken authenticationTokenResult = new SmsCodeAuthenticationToken(user,user.getAuthorities());
authenticationTokenResult.setDetails(authenticationToken.getDetails());
return authenticationTokenResult;
}
@Override
public boolean supports(Class<?> authentication) {
return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);
}
public UserDetailsService getUserDetailsService() {
return userDetailsService;
}
public void setUserDetailsService(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
}
-SmsCodeFilter:参照ValidateCodeFilter创建
-SmsCodeAuthenticationSecurityConfig:将SmsCodeAuthenticationFilter,SmsCodeAuthenticationProvider配置到Spring Security中,然后再将此配置apply到BrowserSecurityConfig中
@Component
public class SmsCodeAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,HttpSecurity> {
@Autowired
private AuthenticationSuccessHandler imoocAuthenticationSuccessHandler;
@Autowired
private AuthenticationFailureHandler imoocAuthenticationFailureHandler;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private SecurityProperties securityProperties;
@Override
public void configure(HttpSecurity http) throws Exception {
SmsCodeAuthenticationFilter smsCodeAuthenticationFilter = new SmsCodeAuthenticationFilter();
smsCodeAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
smsCodeAuthenticationFilter.setAuthenticationSuccessHandler(imoocAuthenticationSuccessHandler);
smsCodeAuthenticationFilter.setAuthenticationFailureHandler(imoocAuthenticationFailureHandler);
SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider();
smsCodeAuthenticationProvider.setUserDetailsService(userDetailsService);
http.authenticationProvider(smsCodeAuthenticationProvider)
.addFilterAfter(smsCodeAuthenticationFilter,UsernamePasswordAuthenticationFilter.class);
}
}
3、代码重构
-将图片验证码过滤器及短信验证码过法器合并为一个公共类
-将配置文件按作用分模块、分类配置,最后通过apply引用,去除重复
-将有两处地方及以上使用到的常量保存在SecurityConstants