SpringSecurity重写DaoAuthenticationProvider,自定义密码对比类 |
您所在的位置:网站首页 › 4位数字的密码 › SpringSecurity重写DaoAuthenticationProvider,自定义密码对比类 |
|
需求,默认的SpringSecurity密码校验,无法满足需求,需要自定义来进行密码比对 a、网上找了一些教程,没法一步到位,很多代码,连import都没有贴出来,烦死了。 b、这里说明一下,我是为了图方便,系统原有密码登录情况下,要加入验证码登录,由于验证码时4-5位纯数字,而密码是6位以上的数字+字母,因此不想Filter这些全部来搞,因此想了这个办法简洁一点,也很快能够完成功能。 c、主要涉及两个地方,1是新增MyAuthenticationProvider类,继承DaoAuthenticationProvider,2,public class SecurityConfig extends WebSecurityConfigurerAdapter配置类中修改protected void configure(AuthenticationManagerBuilder auth) throws Exception方法。 MyAuthenticationProvider.java代码如下: import com.dhproject.common.constant.CacheConstants; import com.dhproject.common.core.redis.RedisCache; import com.dhproject.common.exception.ServiceException; import com.dhproject.common.utils.SecurityUtils; import com.dhproject.common.utils.StringUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.password.PasswordEncoder; import javax.annotation.Resource; public class MyAuthenticationProvider extends DaoAuthenticationProvider { //passwordEncoder密码比较器 @Resource private PasswordEncoder passwordEncoder; //Redis @Autowired protected RedisCache redisCache; /** * 构造初始化 * @param userDetailsService * @param passwordEncoder * @param redisCache */ public MyAuthenticationProvider(UserDetailsService userDetailsService, PasswordEncoder passwordEncoder, RedisCache redisCache) { super(); // 这个地方一定要对userDetailsService赋值,不然userDetailsService是null (这个坑有点深) setUserDetailsService(userDetailsService); //passwordEncoder由于父类是private,这里需要自定义初始化后才能使用 this.passwordEncoder = passwordEncoder; //这个是Redis,根据实际情况初始化 this.redisCache = redisCache; } /** * 重写该方法 * @param userDetails * @param authentication * @throws AuthenticationException */ @Override protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { if (authentication.getCredentials() == null) { this.logger.debug("Failed to authenticate since no credentials provided"); throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials")); } else { String mobile = authentication.getPrincipal().toString(); String password = authentication.getCredentials().toString(); //这里进行密码和验证码验证 //如果是四位纯数字,那么认定是验证码登录 if(isCodeLogin(password)){ // 1. 检验Redis手机号的验证码 String verifyKey = CacheConstants.SMS_CODE_KEY+mobile; String code = redisCache.getCacheObject(verifyKey); if (StringUtils.isEmpty(code)) { throw new ServiceException("验证码已经过期或尚未发送,请重新发送验证码"); } if (!password.equals(code)) { throw new ServiceException("输入的验证码不正确,请重新输入"); } // 2. 短信验证成功后要删除redis中的验证码 redisCache.deleteObject(verifyKey); }else{ if (!this.passwordEncoder.matches(password, userDetails.getPassword())) { this.logger.debug("Failed to authenticate since password does not match stored value"); throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials")); } } } } /** * 时都是验证码登录 * @param password * @return */ public boolean isCodeLogin(String password) { return StringUtils.isNumeric(password) && (password.length()==4||password.length()==5); } }SecurityConfig.java代码如下:一定要注意看说明,不然肯定最后还会有问题 /** * 身份认证接口 */ @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { //定义了新的Provider方法,就不能使用默认的userDetailsService进行构造,否则抛出BadCredentialsException异常,代码会继续执行 auth.authenticationProvider(new MyAuthenticationProvider(userDetailsService,bCryptPasswordEncoder(),redisCache)); //默认的userDetailsService进行构造 //auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder()); }SecurityConfig.java类,全部文件,我也贴一下,方便各位参考: import com.dhproject.common.core.redis.RedisCache; import com.dhproject.framework.security.sms.MyAuthenticationProvider; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.logout.LogoutFilter; import org.springframework.web.filter.CorsFilter; import com.dhproject.framework.config.properties.PermitAllUrlProperties; import com.dhproject.framework.security.filter.JwtAuthenticationTokenFilter; import com.dhproject.framework.security.handle.AuthenticationEntryPointImpl; import com.dhproject.framework.security.handle.LogoutSuccessHandlerImpl; /** * spring security配置 * * @author */ @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired protected RedisCache redisCache; /** * 自定义用户认证逻辑 */ @Autowired private UserDetailsService userDetailsService; /** * 认证失败处理类 */ @Autowired private AuthenticationEntryPointImpl unauthorizedHandler; /** * 退出处理类 */ @Autowired private LogoutSuccessHandlerImpl logoutSuccessHandler; /** * token认证过滤器 */ @Autowired private JwtAuthenticationTokenFilter authenticationTokenFilter; /** * 跨域过滤器 */ @Autowired private CorsFilter corsFilter; /** * 允许匿名访问的地址 */ @Autowired private PermitAllUrlProperties permitAllUrl; /** * 解决 无法直接注入 AuthenticationManager * * @return * @throws Exception */ @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } /** * anyRequest | 匹配所有请求路径 * access | SpringEl表达式结果为true时可以访问 * anonymous | 匿名可以访问 * denyAll | 用户不能访问 * fullyAuthenticated | 用户完全认证可以访问(非remember-me下自动登录) * hasAnyAuthority | 如果有参数,参数表示权限,则其中任何一个权限可以访问 * hasAnyRole | 如果有参数,参数表示角色,则其中任何一个角色可以访问 * hasAuthority | 如果有参数,参数表示权限,则其权限可以访问 * hasIpAddress | 如果有参数,参数表示IP地址,如果用户IP和参数匹配,则可以访问 * hasRole | 如果有参数,参数表示角色,则其角色可以访问 * permitAll | 用户可以任意访问 * rememberMe | 允许通过remember-me登录的用户访问 * authenticated | 用户登录后可访问 */ @Override protected void configure(HttpSecurity httpSecurity) throws Exception { // 注解标记允许匿名访问的url ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry registry = httpSecurity.authorizeRequests(); permitAllUrl.getUrls().forEach(url -> registry.antMatchers(url).permitAll()); httpSecurity // CSRF禁用,因为不使用session .csrf().disable() // 禁用HTTP响应标头 .headers().cacheControl().disable().and() // 认证失败处理类 .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and() // 基于token,所以不需要session .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() // 过滤请求 .authorizeRequests() // 对于登录login 注册register 验证码captchaImage 允许匿名访问 .antMatchers("/login", "/register", "/captchaImage", "/container/public/sendSms").permitAll() // 静态资源,可匿名访问 .antMatchers(HttpMethod.GET, "/", "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/profile/**", "/public/**").permitAll() .antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**").permitAll() // 除上面外的所有请求全部需要鉴权认证 .anyRequest().authenticated() .and() .headers().frameOptions().disable(); // 添加Logout filter httpSecurity.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler); // 添加JWT filter httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class); // 添加CORS filter httpSecurity.addFilterBefore(corsFilter, JwtAuthenticationTokenFilter.class); httpSecurity.addFilterBefore(corsFilter, LogoutFilter.class); } /** * 强散列哈希加密实现 */ @Bean public BCryptPasswordEncoder bCryptPasswordEncoder() { return new BCryptPasswordEncoder(); } /** * 身份认证接口 */ @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { //定义了新的Provider方法,就不能使用默认的userDetailsService进行构造,否则抛出BadCredentialsException异常,代码会继续执行 auth.authenticationProvider(new MyAuthenticationProvider(userDetailsService,bCryptPasswordEncoder(),redisCache)); //默认的userDetailsService进行构造 //auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder()); } }2.可能存在问题问题 MyDaoAuthenticationProvider重写DaoAuthenticationProvider中additionalAuthenticationChecks方法后,自定义验证密码错误后,抛出BadCredentialsException异常,代码会继续执行,会执行DaoAuthenticationProvider中的additionalAuthenticationChecks发放,导致自定义抛出的BadCredentialsException的异常无用。 代码注释中已经说明 |
今日新闻 |
推荐新闻 |
| CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3 |