spring security 自定义认证登录

**

spring security 自定义认证登录

**
1.概要
1.1.简介
spring security是一种基于 Spring AOP 和 Servlet 过滤器的安全框架，以此来管理权限认证等。

1.2.spring security 自定义认证流程
1）认证过程

生成未认证的AuthenticationToken                 
       ↑（获取信息）           （根据AuthenticationToken分配provider）                                    
 AuthenticationFilter   ->     AuthenticationManager    ->    AuthenticationProvider
                                                                      ↓（认证）
                                                              UserDetails（一般查询数据库获取）
                                                                      ↓（通过）
                                                             生成认证成功的AuthenticationToken
                                                                      ↓（存放）
                                                                SecurityContextHolder

2）将AuthenticationFilter加入到security过滤链（资源服务器中配置），如：

http.addFilterBefore(AuthenticationFilter, AbstractPreAuthenticatedProcessingFilter.class)
或者：

http.addFilterAfter(AuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
2.以手机号短信登录为例
2.1.开发环境
SpringBoot
Spring security
Redis
2.2.核心代码分析
2.2.1.自定义登录认证流程
2.2.1.1.自定义认证登录Token

/** * 手机登录Token * * @author ： CatalpaFlat */
public class MobileLoginAuthenticationToken extends AbstractAuthenticationToken { 
    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
    private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationToken.class.getName());
    private final Object principal;
    public MobileLoginAuthenticationToken(String mobile) { 
        super(null);
        this.principal = mobile;
        this.setAuthenticated(false);
        logger.info("MobileLoginAuthenticationToken setAuthenticated ->false loading ...");
    }
    public MobileLoginAuthenticationToken(Object principal,
                                          Collection<? extends GrantedAuthority> authorities) { 
        super(authorities);
        this.principal = principal;
        // must use super, as we override
        super.setAuthenticated(true);
        logger.info("MobileLoginAuthenticationToken setAuthenticated ->true loading ...");
    }
    @Override
    public void setAuthenticated(boolean authenticated) { 
        if (authenticated) { 
            throw new IllegalArgumentException(
                    "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
        }
        super.setAuthenticated(false);
    }
    @Override
    public Object getCredentials() { 
        return null;
    }
    @Override
    public Object getPrincipal() { 
        return this.principal;
    }
    @Override
    public void eraseCredentials() { 
        super.eraseCredentials();
    }
}

注：
setAuthenticated()：判断是否已认证

在过滤器时，会生成一个未认证的AuthenticationToken，此时调用的是自定义token的setAuthenticated()，此时设置为false -> 未认证
在提供者时，会生成一个已认证的AuthenticationToken，此时调用的是父类的setAuthenticated()，此时设置为true -> 已认证
2.2.1.1.自定义认证登录过滤器

/** * 手机短信登录过滤器 * * @author ： CatalpaFlat */
public class MobileLoginAuthenticationFilter extends AbstractAuthenticationProcessingFilter { 
    private boolean postOnly = true;
    private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationFilter.class.getName());
    @Getter
    @Setter
    private String mobileParameterName;
    public MobileLoginAuthenticationFilter(String mobileLoginUrl, String mobileParameterName,
                                           String httpMethod) { 
        super(new AntPathRequestMatcher(mobileLoginUrl, httpMethod));
        this.mobileParameterName = mobileParameterName;
        logger.info("MobileLoginAuthenticationFilter loading ...");
    }
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response) throws AuthenticationException, IOException, ServletException { 
        if (postOnly && !request.getMethod().equals(HttpMethod.POST.name())) { 
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        //get mobile
        String mobile = obtainMobile(request);
        //assemble token
        MobileLoginAuthenticationToken authRequest = new MobileLoginAuthenticationToken(mobile);
        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);
        return this.getAuthenticationManager().authenticate(authRequest);
    }
    /** * 设置身份认证的详情信息 */
    private void setDetails(HttpServletRequest request, MobileLoginAuthenticationToken authRequest) { 
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
    }
    /** * 获取手机号 */
    private String obtainMobile(HttpServletRequest request) { 
        return request.getParameter(mobileParameterName);
    }
    public void setPostOnly(boolean postOnly) { 
        this.postOnly = postOnly;
    }
}

注：attemptAuthentication()方法：

过滤指定的url、httpMethod
获取所需请求参数数据封装生成一个未认证的AuthenticationToken
传递给AuthenticationManager认证
2.2.1.1.自定义认证登录提供者

/** * 手机短信登录认证提供者 * * @author ： CatalpaFlat */
public class MobileLoginAuthenticationProvider implements AuthenticationProvider { 
    private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationProvider.class.getName());
    @Getter
    @Setter
    private UserDetailsService customUserDetailsService;
    public MobileLoginAuthenticationProvider() { 
        logger.info("MobileLoginAuthenticationProvider loading ...");
    }
    /** * 认证 */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException { 
        //获取过滤器封装的token信息
        MobileLoginAuthenticationToken authenticationToken = (MobileLoginAuthenticationToken) authentication;
        //获取用户信息（数据库认证）
        UserDetails userDetails = customUserDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal());
        //不通过
        if (userDetails == null) { 
            throw new InternalAuthenticationServiceException("Unable to obtain user information");
        }
        //通过
        MobileLoginAuthenticationToken authenticationResult = new MobileLoginAuthenticationToken(userDetails, userDetails.getAuthorities());
        authenticationResult.setDetails(authenticationToken.getDetails());
        return authenticationResult;
    }
    /** * 根据token类型，来判断使用哪个Provider */
    @Override
    public boolean supports(Class<?> authentication) { 
        return MobileLoginAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

注：authenticate()方法

获取过滤器封装的token信息
调取UserDetailsService获取用户信息（数据库认证）->判断通过与否
通过则封装一个新的AuthenticationToken，并返回
2.2.1.1.自定义认证登录认证配置

@Configuration(SpringBeanNameConstant.DEFAULT_CUSTOM_MOBILE_LOGIN_AUTHENTICATION_SECURITY_CONFIG_BN)
public class MobileLoginAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> { 
    private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationSecurityConfig.class.getName());
    @Value("${login.mobile.url}")
    private String defaultMobileLoginUrl;
    @Value("${login.mobile.parameter}")
    private String defaultMobileLoginParameter;
    @Value("${login.mobile.httpMethod}")
    private String defaultMobileLoginHttpMethod;
    @Autowired
    private CustomYmlConfig customYmlConfig;
    @Autowired
    private UserDetailsService customUserDetailsService;
    @Autowired
    private AuthenticationSuccessHandler customAuthenticationSuccessHandler;
    @Autowired
    private AuthenticationFailureHandler customAuthenticationFailureHandler;
    public MobileLoginAuthenticationSecurityConfig() { 
        logger.info("MobileLoginAuthenticationSecurityConfig loading ...");
    }
    @Override
    public void configure(HttpSecurity http) throws Exception { 
        MobilePOJO mobile = customYmlConfig.getLogins().getMobile();
        String url = mobile.getUrl();
        String parameter = mobile.getParameter().getMobile();
        String httpMethod = mobile.getHttpMethod();
        MobileLoginAuthenticationFilter mobileLoginAuthenticationFilter = new MobileLoginAuthenticationFilter(StringUtils.isBlank(url) ? defaultMobileLoginUrl : url,
                StringUtils.isBlank(parameter) ? defaultMobileLoginUrl : parameter, StringUtils.isBlank(httpMethod) ? defaultMobileLoginHttpMethod : httpMethod);
        mobileLoginAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
        mobileLoginAuthenticationFilter.setAuthenticationSuccessHandler(customAuthenticationSuccessHandler);
        mobileLoginAuthenticationFilter.setAuthenticationFailureHandler(customAuthenticationFailureHandler);
        MobileLoginAuthenticationProvider mobileLoginAuthenticationProvider = new MobileLoginAuthenticationProvider();
        mobileLoginAuthenticationProvider.setCustomUserDetailsService(customUserDetailsService);
        http.authenticationProvider(mobileLoginAuthenticationProvider)
                .addFilterAfter(mobileLoginAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }
}

注：configure()方法

实例化AuthenticationFilter和AuthenticationProvider
将AuthenticationFilter和AuthenticationProvider添加到spring security中。
2.2.2.基于redis自定义验证码校验
2.2.2.1.基于redis自定义验证码过滤器

/** * 验证码过滤器 * * @author ： CatalpaFlat */
@Component(SpringBeanNameConstant.DEFAULT_VALIDATE_CODE_FILTER_BN)
public class ValidateCodeFilter extends OncePerRequestFilter implements InitializingBean { 
    private static final Logger logger = LoggerFactory.getLogger(ValidateCodeFilter.class.getName());
    @Autowired
    private CustomYmlConfig customYmlConfig;
    @Autowired
    private RedisTemplate<Object, Object> redisTemplate;
    /** * 验证请求url与配置的url是否匹配的工具类 */
    private AntPathMatcher pathMatcher = new AntPathMatcher();
    public ValidateCodeFilter() { 
        logger.info("Loading ValidateCodeFilter...");
    }
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException { 
        String url = customYmlConfig.getLogins().getMobile().getUrl();
        if (pathMatcher.match(url, request.getRequestURI())) { 
            String deviceId = request.getHeader("deviceId");
            if (StringUtils.isBlank(deviceId)) { 
                throw new CustomException(HttpStatus.NOT_ACCEPTABLE.value(), "Not deviceId in the head of the request");
            }
            String codeParamName = customYmlConfig.getLogins().getMobile().getParameter().getCode();
            String code = request.getParameter(codeParamName);
            if (StringUtils.isBlank(code)) { 
                throw new CustomException(HttpStatus.NOT_ACCEPTABLE.value(), "Not code in the parameters of the request");
            }
            String key = SystemConstant.DEFAULT_MOBILE_KEY_PIX + deviceId;
            SmsCodePO smsCodePo = (SmsCodePO) redisTemplate.opsForValue().get(key);
            if (smsCodePo.isExpried()){ 
                throw new CustomException(HttpStatus.BAD_REQUEST.value(), "The verification code has expired");
            }
            String smsCode = smsCodePo.getCode();
            if (StringUtils.isBlank(smsCode)) { 
                throw new CustomException(HttpStatus.BAD_REQUEST.value(), "Verification code does not exist");
            }
            if (StringUtils.equals(code, smsCode)) { 
                redisTemplate.delete(key);
                //let it go
                filterChain.doFilter(request, response);
            } else { 
                throw new CustomException(HttpStatus.BAD_REQUEST.value(), "Validation code is incorrect");
            }
        }else { 
            //let it go
            filterChain.doFilter(request, response);
        }
    }
}

注：doFilterInternal()

自定义验证码过滤校验
2.2.2.2.将自定义验证码过滤器添加到spring security过滤器链

http.addFilterBefore(validateCodeFilter, AbstractPreAuthenticatedProcessingFilter.class)

注：添加到认证预处理过滤器前

3.测试效果
发送验证码

假装发送

校验并登陆

校验并认证

最后附上源码地址：https://gitee.com/CatalpaFlat/springSecurity.git

作者：CatalpaFlat
链接：https://www.jianshu.com/p/7f913e0681fc
来源：简书
著作权归作者所有。商业转载请联系作者获得授权，非商业转载请注明出处。