1、手机号登录是不需要密码的,通过短信验证码实现免密登录功能。
a.向手机发送手机验证码,使用第三方短信平台 SDK 发送,如: 阿里云短信服务
b.登录表单输入短信验证码
c.使用自定义短信验证码校验过滤器SmsVerifyCodeValidateFilter
d.当验证码校验通过后,进入自定义手机认证过滤器 MobileAuthenticationFilter 校验手机号是否存在
e.自定义 MobileAuthenticationToken 提供给 MobileAuthenticationFilter
f.自定义 MobileAuthenticationProvider 提供给 ProviderManager 处理
g.创建针对手机号查询用户信息的 MobileUserDetailsService ,交给 MobileAuthenticationProvider
h.自定义 MobileAuthenticationConfig 配置类将上面组件连接起来,添加到容器中
i.将 MobileAuthenticationConfig 添加到 SpringSecurityConfig 安全配置的过滤器链上。
2、跳转到短信登录认证页面,在 SpringSecurityConfig 放行手机登录与短信发送相关请求URL
/**
* 前往手机验证码登录页
*
* @return
*/
@RequestMapping("/mobile/page")
public String toMobilePage() {
return "login-mobile"; // templates/login-mobile.html
}/**
* 资源权限配置(过滤器链):
* 1、被拦截的资源
* 2、资源所对应的角色权限
* 3、定义认证方式:httpBasic 、httpForm
* 4、定制登录页面、登录请求地址、错误处理方式
* 5、自定义 spring security 过滤器
*
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
//http.httpBasic()//采用httpBasic 认证方式
/*http.formLogin()
.loginPage("/login/page")// 交给 /login/page 响应认证(登录)页面
.loginProcessingUrl("/login/form") // 登录表单提交处理Url, 默认是 /login
.usernameParameter("name") // 默认用户名的属性名是 username
.passwordParameter("pwd") // 默认密码的属性名是 password
.and()
.authorizeRequests()//认证请求
.antMatchers("/login/page").permitAll()//自定义登录页不需要认证
.anyRequest().authenticated();// 所有进入应用的HTTP请求都要进行认证*/
http
.addFilterBefore(imageVerifyCodeValidateFilter, UsernamePasswordAuthenticationFilter.class)//将校验过滤器 imageCodeValidateFilter 添加到 UsernamePasswordAuthenticationFilter 前面
.addFilterBefore(smsVerifyCodeValidateFilter,UsernamePasswordAuthenticationFilter.class)//将校验过滤器 smsVerifyCodeValidateFilter 添加到 UsernamePasswordAuthenticationFilter 前面
.formLogin()
.loginPage(securityProperties.getLoginPage())// 交给 /login/page 响应认证(登录)页面
.loginProcessingUrl(securityProperties.getLoginProcessingUrl()) // 登录表单提交处理Url, 默认是 /login
.usernameParameter(securityProperties.getUsernameParameter()) // 默认用户名的属性名是 username
.passwordParameter(securityProperties.getPasswordParameter()) // 默认密码的属性名是 password
.successHandler(customAuthenticationSuccessHandler)//自定义认证成功处理器
.failureHandler(customAuthenticationFailureHandler)//自定义认证失败处理器
.and()
.authorizeRequests()//认证请求
.antMatchers(securityProperties.getLoginPage(),securityProperties.getMobilePage(),securityProperties.getImageCodeUrl(),securityProperties.getMobileCodeUrl()).permitAll()//自定义登录页不需要认证,生成图片验证码,发送短信获取验证码也不需要验证
.anyRequest().authenticated()// 所有进入应用的HTTP请求都要进行认证
.and()
.rememberMe()//记住我功能
.tokenRepository(jdbcTokenRepository())//保存登录信息
.tokenValiditySeconds(securityProperties.getTokenValiditySeconds());//记住我有效时长一周
// 将手机相关的配置绑定过滤器链上
http.apply(mobileAuthenticationConfig);
}
3、创建阿里云短信发送服务接口
上述自己去阿里云短信服务模块去申请
@Component
@ConfigurationProperties(prefix = "moblie.sms")
@Data
public class SmsProperties {
private String accessKeyId;
private String accessKeySecret;
private String signName;
private String templateCode;
private String product;
private String domain;
}@Controller
public class SmsSendController {
@Autowired
SmsSendService smsSendService;
@RequestMapping(value = "/code/mobile",method = RequestMethod.GET)
@ResponseBody
public Result smsCodeSend(@RequestParam("mobile") String phoneNumbers, HttpServletRequest request){
return smsSendService.sendSms(phoneNumbers,request);
}
}/**
* 短信发送接口
*/
public interface SmsSendService {
/**
* 短信发送
* @param PhoneNumbers 手机号
* @return
*/
Result sendSms(String PhoneNumbers, HttpServletRequest request);
}/**
* 发送短信验证码
*/
@Service
public class SmsSendServiceImpl implements SmsSendService {
Logger logger= LoggerFactory.getLogger(SmsSendServiceImpl.class);
public static final String SESSION_SMS_VERIFY_CODE = "SESSION_SMS_VERIFY_CODE";
@Autowired
SmsProperties smsProperties;
@Override
public Result sendSms(String PhoneNumbers, HttpServletRequest request) {
//1.生成一个手机短信验证码
String code = RandomUtil.randomNumbers(4);
//2.将验证码发到session中
HttpSession session = request.getSession();
session.setAttribute(SESSION_SMS_VERIFY_CODE,code);
//3.发送短信
SendSmsResponse response = toSendSms(PhoneNumbers, code);
logger.info("向手机号" + PhoneNumbers + "发送的验证码为::" + code);
if (response.getCode().equals("ok")){
return Result.ok("获取验证码成功");
}else {
return Result.build(500,"获取验证码失败");
}
}
public SendSmsResponse toSendSms(String PhoneNumbers, String code) {
//可自助调整超时时间
System.setProperty("sun.net.client.defaultConnectTimeout", "10000");
System.setProperty("sun.net.client.defaultReadTimeout", "10000");
//初始化acsClient,暂不支持region化
IClientProfile profile = DefaultProfile.getProfile("cn-hangzhou", smsProperties.getAccessKeyId(), smsProperties.getAccessKeySecret());
DefaultProfile.addEndpoint( "cn-hangzhou", smsProperties.getProduct(), smsProperties.getDomain());
IAcsClient acsClient = new DefaultAcsClient(profile);
//组装请求对象-具体描述见控制台-文档部分内容
SendSmsRequest request = new SendSmsRequest();
//必填:待发送手机号
request.setPhoneNumbers(PhoneNumbers);
//必填:短信签名-可在短信控制台中找到
request.setSignName(smsProperties.getSignName());
//必填:短信模板-可在短信控制台中找到
request.setTemplateCode(smsProperties.getTemplateCode());
//可选:模板中的变量替换JSON串,如模板内容为"亲爱的${name},您的验证码为${code}"时,此处的值为
request.setTemplateParam("{\"code\":\"" + code + "\"}");
//选填-上行短信扩展码(无特殊需求用户请忽略此字段)
//request.setSmsUpExtendCode("90997");
//可选:outId为提供给业务方扩展字段,最终在短信回执消息中将此值带回给调用者
request.setOutId("yourOutId");
//hint 此处可能会抛出异常,注意catch
SendSmsResponse sendSmsResponse = null;
try {
sendSmsResponse = acsClient.getAcsResponse(request);
} catch (Exception e) {
e.printStackTrace();
throw new RuntimeException("发送短信失败");
}
return sendSmsResponse;
}
}4、实现短信验证码校验过滤器 SmsVerifyCodeValidateFilter,校验输入的验证码与发送的短信验证是否一致。
/**
*
* 短信验证码校验过滤器
* OncePerRequestFilter: 所有请求之前被调用一次
*/
@Component("smsVerifyCodeValidateFilter")
public class SmsVerifyCodeValidateFilter extends OncePerRequestFilter {
@Autowired
SecurityProperties securityProperties;
@Autowired
CustomAuthenticationFailureHandler customAuthenticationFailureHandler;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
//1.判断手机登录认证 且请求方式为post
if (securityProperties.getMobileProcessingUrl().equalsIgnoreCase(request.getRequestURI())&&request.getMethod().equalsIgnoreCase("post")){
try {
//校验验证码合法性
validate(request);
} catch (AuthenticationException e) {
//将验证失败的抛出的异常交给自定义认证失败处理器处理异常
customAuthenticationFailureHandler.onAuthenticationFailure(request,response,e);
return;
}
}
filterChain.doFilter(request,response);
}
private void validate(HttpServletRequest request) {
//先获取session中的验证码
String sessionImageCode = (String) request.getSession().getAttribute(SmsSendServiceImpl.SESSION_SMS_VERIFY_CODE);
//获取用户输入的验证码
String inputCode = request.getParameter("code");
if (StringUtils.isBlank(inputCode)){
throw new SmsVerifyCodeException("验证码不能为空");
}
if (!inputCode.equalsIgnoreCase(sessionImageCode)){
throw new SmsVerifyCodeException("验证码输入错误");
}
}
}5、实现手机认证登录过滤器MobileAuthenticationFilter,模仿UsernamePasswordAuthenticationFilter进行改造
**
* 手机登录过滤器
* 实现同UsernamePasswordAuthenticationFilter
* 将username相关的都改成mobile,而且手机登录只有手机号,没有密码,所以去掉密码
* 相应的参数最好写成可配置的
*
*/
public class MobileAuthenticationFilter extends
AbstractAuthenticationProcessingFilter {
// ~ Static fields/initializers
// =====================================================================================
@Resource
SecurityProperties securityProperties;
/**
* 前端表单中的手机号码参数
*/
private String mobileParameter = "mobile";
private boolean postOnly = true;
// ~ Constructors
// ===================================================================================================
public MobileAuthenticationFilter() {
super(new AntPathRequestMatcher("/mobile/form", "POST"));
}
// ~ Methods
// ========================================================================================================
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
String mobile = obtainMobile(request);
if (mobile == null) {
mobile = "";
}
mobile = mobile.trim();
MobileAuthenticationToken authRequest = new MobileAuthenticationToken(mobile);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
/**
* Enables subclasses to override the composition of the username, such as by
* including additional values and a separator.
*
* @param request so that request attributes can be retrieved
* @return the username that will be presented in the <code>Authentication</code>
* request token to the <code>AuthenticationManager</code>
*/
@Nullable
protected String obtainMobile(HttpServletRequest request) {
return request.getParameter(mobileParameter);
}
/**
* Provided so that subclasses may configure what is put into the authentication
* request's details property.
*
* @param request that an authentication request is being created for
* @param authRequest the authentication request object that should have its details
* set
*/
protected void setDetails(HttpServletRequest request,
MobileAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
/**
* Defines whether only HTTP POST requests will be allowed by this filter. If set to
* true, and an authentication request is received which is not a POST request, an
* exception will be raised immediately and authentication will not be attempted. The
* <tt>unsuccessfulAuthentication()</tt> method will be called as if handling a failed
* authentication.
* <p>
* Defaults to <tt>true</tt> but may be overridden by subclasses.
*/
public void setPostOnly(boolean postOnly) {
this.postOnly = postOnly;
}
public String getMobileParameter() {
return mobileParameter;
}
public void setMobileParameter(String mobileParameter) {
this.mobileParameter = mobileParameter;
}
}6、封装手机认证Token MobileAuthenticationToken提供给上面自定义的 MobileAuthenticationFilter 使用。模仿UsernamePasswordAuthenticationToken进行改造
/**
* 封装手机认证Token
* 实现同UsernamePasswordAuthenticationToken
*/
public class MobileAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
//认证之前存放机号,认证之后放用户信息
private final Object principal;
/**
* 开始认证时,创建一个MobileAuthenticationToken实例 接收的是手机号码, 并且 标识未认证
*
* @param principal 手机号
*/
public MobileAuthenticationToken(Object principal) {
super(null);
this.principal = principal; // 手机号
setAuthenticated(false);
}
/**
* 当认证通过后,会重新创建一个新的MobileAuthenticationToken,来标识它已经认证通过,
*
* @param principal 用户信息
* @param authorities 用户权限
*/
public MobileAuthenticationToken(Object principal,
Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.principal = principal;// 用户信息
super.setAuthenticated(true); // 标识已经认证通过
}
@Override
public Object getCredentials() {
return null;
}
public Object getPrincipal() {
return this.principal;
}
public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
if (isAuthenticated) {
throw new IllegalArgumentException(
"Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}
super.setAuthenticated(false);
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
}
}7、实现手机认证提供者 MobileAuthenticationProvider,提供给底层 ProviderManager 使用。
/**
* 实现手机认证提供者 MobileAuthenticationProvider提供给底层 ProviderManager 使用
*/
public class MobileAuthenticationProvider implements AuthenticationProvider {
UserDetailsService userDetailsService;
public void setUserDetailsService(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
/**
* 认证处理:
* 1. 通过 手机号 去数据库查询用户信息(UserDeatilsService)
* 2. 再重新构建认证信息
*
* @param authentication
* @return
* @throws AuthenticationException
*/
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
MobileAuthenticationToken mobileAuthenticationToken = (MobileAuthenticationToken) authentication;
// 获取用户输入的手机号
String mobile = (String) mobileAuthenticationToken.getPrincipal();
// 查询数据库
UserDetails userDetails = userDetailsService.loadUserByUsername(mobile);
//未查询到用户信息
if (userDetails == null) {
throw new AuthenticationServiceException("该手机未注册");
}
// 查询到了用户信息, 则认证通过,就重新构建 MobileAuthenticationToken 实例
MobileAuthenticationToken authenticationToken = new MobileAuthenticationToken(userDetails, userDetails.getAuthorities());
authenticationToken.setDetails(mobileAuthenticationToken.getDetails());
return authenticationToken;
}
/**
* 通过此方法,来判断 采用哪一个 AuthenticationProvider
*
* @param authentication
* @return
*/
@Override
public boolean supports(Class<?> authentication) {
return MobileAuthenticationToken.class.isAssignableFrom(authentication);
}
}8、手机号获取用户信息 MobileUserDetailsService
/**
* 通过手机号获取用户信息和权限信息
*/
@Component("mobileUserDetailsService")
public class MobileUserDetailsService implements UserDetailsService {
Logger logger = LoggerFactory.getLogger(MobileUserDetailsService.class);
@Override
public UserDetails loadUserByUsername(String mobile) throws UsernameNotFoundException {
logger.info("请求的手机号是:" + mobile);
// 1. 通过手机号查询用户信息(查询数据库)
// 2. 如果有此用户,则查询用户权限
// 3. 封装用户信息
return new User(mobile, "", true, true, true, true, AuthorityUtils.commaSeparatedStringToAuthorityList("ADMIN"));
}
}9、自定义管理认证配置 MobileAuthenticationConfig,将上面定义的组件绑定起来,添加到容器中
/**
* 自定义管理认证配置
* 将定义的手机短信认证相关的组件组合起来,一起添加到容器中
*/
@Component("mobileAuthenticationConfig")
public class MobileAuthenticationConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
@Autowired
CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;
@Autowired
CustomAuthenticationFailureHandler customAuthenticationFailureHandler;
@Autowired
MobileUserDetailsService mobileUserDetailsService;
@Override
public void configure(HttpSecurity http) throws Exception {
// 创建校验手机号过滤器实例
MobileAuthenticationFilter mobileAuthenticationFilter = new MobileAuthenticationFilter();
// 接收 AuthenticationManager 认证管理器
mobileAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
// 采用哪个成功、失败处理器
mobileAuthenticationFilter.setAuthenticationSuccessHandler(customAuthenticationSuccessHandler);
mobileAuthenticationFilter.setAuthenticationFailureHandler(customAuthenticationFailureHandler);
//手机登录记住我功能
mobileAuthenticationFilter.setRememberMeServices(http.getSharedObject(RememberMeServices.class));
// 为 Provider 指定明确 的mobileUserDetailsService 来查询用户信息
MobileAuthenticationProvider provider = new MobileAuthenticationProvider();
provider.setUserDetailsService(mobileUserDetailsService);
// 将 provider 绑定到 HttpSecurity 上面,
// 并且将 手机认证加到 用户名密码认证之后
http.authenticationProvider(provider).addFilterAfter(mobileAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}
}10、绑定到安全配置 SpringSecurityConfig
向 SpringSecurityConfig 中注入SmsVerifyCodeValidateFilter和MobileAuthenticationConfig实例
将 SmsVerifyCodeValidateFilter实例添加到UsernamePasswordAuthenticationFilter前面
http
.addFilterBefore(imageVerifyCodeValidateFilter, UsernamePasswordAuthenticationFilter.class)//将校验过滤器 imageCodeValidateFilter 添加到 UsernamePasswordAuthenticationFilter 前面
.addFilterBefore(smsVerifyCodeValidateFilter,UsernamePasswordAuthenticationFilter.class)//将校验过滤器 smsVerifyCodeValidateFilter 添加到 UsernamePasswordAuthenticationFilter 前面在 SpringSecurityConfifig#confifigure(HttpSecurity http) 方法体最后调用 apply 添加mobileAuthenticationConfig(将手机相关的配置绑定过滤器链上)
// 将手机相关的配置绑定过滤器链上
http.apply(mobileAuthenticationConfig);11、SpringSecurityConfig安全配置类完整代码
/**
* 安全配置类作为安全控制中心, 用于实现身份认证与授权配置功能
*/
@Configuration
@EnableWebSecurity //启动 SpringSecurity 过滤器链功能
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
SecurityProperties securityProperties;
Logger logger = LoggerFactory.getLogger(SpringSecurityConfig.class);
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
// 加密存储 明文+随机盐值
return new BCryptPasswordEncoder();
}
@Autowired
CustomUserDetailsService customUserDetailsService;
/**
* 认证管理器:
* 1、认证信息提供方式(用户名、密码、当前用户的资源权限)
* 2、可采用内存存储方式,也可能采用数据库方式等
*
* @param auth
* @throws Exception
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//基于内存存储认证信息 存储的密码必须是加密后的 不然会报错:There is no PasswordEncoder mapped for the id "null"
//auth.inMemoryAuthentication().withUser("zcc").password("123").authorities("ADMIN");
/*String password = bCryptPasswordEncoder().encode("123");
logger.info("加密后的密码:" + password);
auth.inMemoryAuthentication().withUser("zcc").password(password).authorities("ADMIN");*/
// 指定使用自定义查询用户信息来完成身份认证
auth.userDetailsService(customUserDetailsService);
}
@Autowired
CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;
@Autowired
CustomAuthenticationFailureHandler customAuthenticationFailureHandler;
@Autowired
ImageVerifyCodeValidateFilter imageVerifyCodeValidateFilter;
@Autowired
SmsVerifyCodeValidateFilter smsVerifyCodeValidateFilter;
@Autowired
MobileAuthenticationConfig mobileAuthenticationConfig;
/**
* 记住我 功能
*/
@Autowired
DataSource dataSource;
@Bean
public JdbcTokenRepositoryImpl jdbcTokenRepository(){
JdbcTokenRepositoryImpl jdbcTokenRepository = new JdbcTokenRepositoryImpl();
jdbcTokenRepository.setDataSource(dataSource);
// 是否启动时自动创建表,第一次启动创建就行,后面启动把这个注释掉,不然报错已存在表
//jdbcTokenRepository.setCreateTableOnStartup(true);
return jdbcTokenRepository;
}
/**
* 资源权限配置(过滤器链):
* 1、被拦截的资源
* 2、资源所对应的角色权限
* 3、定义认证方式:httpBasic 、httpForm
* 4、定制登录页面、登录请求地址、错误处理方式
* 5、自定义 spring security 过滤器
*
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
//http.httpBasic()//采用httpBasic 认证方式
/*http.formLogin()
.loginPage("/login/page")// 交给 /login/page 响应认证(登录)页面
.loginProcessingUrl("/login/form") // 登录表单提交处理Url, 默认是 /login
.usernameParameter("name") // 默认用户名的属性名是 username
.passwordParameter("pwd") // 默认密码的属性名是 password
.and()
.authorizeRequests()//认证请求
.antMatchers("/login/page").permitAll()//自定义登录页不需要认证
.anyRequest().authenticated();// 所有进入应用的HTTP请求都要进行认证*/
http
.addFilterBefore(imageVerifyCodeValidateFilter, UsernamePasswordAuthenticationFilter.class)//将校验过滤器 imageCodeValidateFilter 添加到 UsernamePasswordAuthenticationFilter 前面
.addFilterBefore(smsVerifyCodeValidateFilter,UsernamePasswordAuthenticationFilter.class)//将校验过滤器 smsVerifyCodeValidateFilter 添加到 UsernamePasswordAuthenticationFilter 前面
.formLogin()
.loginPage(securityProperties.getLoginPage())// 交给 /login/page 响应认证(登录)页面
.loginProcessingUrl(securityProperties.getLoginProcessingUrl()) // 登录表单提交处理Url, 默认是 /login
.usernameParameter(securityProperties.getUsernameParameter()) // 默认用户名的属性名是 username
.passwordParameter(securityProperties.getPasswordParameter()) // 默认密码的属性名是 password
.successHandler(customAuthenticationSuccessHandler)//自定义认证成功处理器
.failureHandler(customAuthenticationFailureHandler)//自定义认证失败处理器
.and()
.authorizeRequests()//认证请求
.antMatchers(securityProperties.getLoginPage(),securityProperties.getMobilePage(),securityProperties.getImageCodeUrl(),securityProperties.getMobileCodeUrl()).permitAll()//自定义登录页不需要认证,生成图片验证码,发送短信获取验证码也不需要验证
.anyRequest().authenticated()// 所有进入应用的HTTP请求都要进行认证
.and()
.rememberMe()//记住我功能
.tokenRepository(jdbcTokenRepository())//保存登录信息
.tokenValiditySeconds(securityProperties.getTokenValiditySeconds());//记住我有效时长一周
// 将手机相关的配置绑定过滤器链上
http.apply(mobileAuthenticationConfig);
}
/**
* 放行静态资源(js css 等)
*
* @param web
*/
@Override
public void configure(WebSecurity web) {
//web.ignoring().antMatchers("/dist/**", "/modules/**", "/plugins/**");
web.ignoring().antMatchers(securityProperties.getStaticPaths());
}
}12、测试
记住我功能测试:(记住我 的 input 标签的 name="remember-me")
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
