本文介绍了Spring Security Oauth2.0 实现短信验证码登录示例,分享给大家,具体如下:
定义手机号登录令牌
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
/** * @author lengleng * @date 2018/1/9 * 手机号登录令牌 */ public class MobileAuthenticationToken extends AbstractAuthenticationToken { private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID; private final Object principal; public MobileAuthenticationToken(String mobile) { super ( null ); this .principal = mobile; setAuthenticated( false ); } public MobileAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities) { super (authorities); this .principal = principal; super .setAuthenticated( true ); } public Object getPrincipal() { return this .principal; } @Override public Object getCredentials() { return null ; } public void setAuthenticated( boolean isAuthenticated) throws IllegalArgumentException { if (isAuthenticated) { throw new IllegalArgumentException( "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead" ); } super .setAuthenticated( false ); } @Override public void eraseCredentials() { super .eraseCredentials(); } } |
手机号登录校验逻辑
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
/** * @author lengleng * @date 2018/1/9 * 手机号登录校验逻辑 */ public class MobileAuthenticationProvider implements AuthenticationProvider { private UserService userService; @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { MobileAuthenticationToken mobileAuthenticationToken = (MobileAuthenticationToken) authentication; UserVo userVo = userService.findUserByMobile((String) mobileAuthenticationToken.getPrincipal()); UserDetailsImpl userDetails = buildUserDeatils(userVo); if (userDetails == null ) { throw new InternalAuthenticationServiceException( "手机号不存在:" + mobileAuthenticationToken.getPrincipal()); } MobileAuthenticationToken authenticationToken = new MobileAuthenticationToken(userDetails, userDetails.getAuthorities()); authenticationToken.setDetails(mobileAuthenticationToken.getDetails()); return authenticationToken; } private UserDetailsImpl buildUserDeatils(UserVo userVo) { return new UserDetailsImpl(userVo); } @Override public boolean supports(Class<?> authentication) { return MobileAuthenticationToken. class .isAssignableFrom(authentication); } public UserService getUserService() { return userService; } public void setUserService(UserService userService) { this .userService = userService; } } |
登录过程filter处理
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
/** * @author lengleng * @date 2018/1/9 * 手机号登录验证filter */ public class MobileAuthenticationFilter extends AbstractAuthenticationProcessingFilter { public static final String SPRING_SECURITY_FORM_MOBILE_KEY = "mobile" ; private String mobileParameter = SPRING_SECURITY_FORM_MOBILE_KEY; private boolean postOnly = true ; public MobileAuthenticationFilter() { super ( new AntPathRequestMatcher(SecurityConstants.MOBILE_TOKEN_URL, "POST" )); } public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { if (postOnly && !request.getMethod().equals(HttpMethod.POST.name())) { throw new AuthenticationServiceException( "Authentication method not supported: " + request.getMethod()); } String mobile = obtainMobile(request); if (mobile == null ) { mobile = "" ; } mobile = mobile.trim(); MobileAuthenticationToken mobileAuthenticationToken = new MobileAuthenticationToken(mobile); setDetails(request, mobileAuthenticationToken); return this .getAuthenticationManager().authenticate(mobileAuthenticationToken); } protected String obtainMobile(HttpServletRequest request) { return request.getParameter(mobileParameter); } protected void setDetails(HttpServletRequest request, MobileAuthenticationToken authRequest) { authRequest.setDetails(authenticationDetailsSource.buildDetails(request)); } public void setPostOnly( boolean postOnly) { this .postOnly = postOnly; } public String getMobileParameter() { return mobileParameter; } public void setMobileParameter(String mobileParameter) { this .mobileParameter = mobileParameter; } public boolean isPostOnly() { return postOnly; } } |
生产token 位置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
/** * @author lengleng * @date 2018/1/8 * 手机号登录成功,返回oauth token */ @Component public class MobileLoginSuccessHandler implements org.springframework.security.web.authentication.AuthenticationSuccessHandler { private Logger logger = LoggerFactory.getLogger(getClass()); @Autowired private ObjectMapper objectMapper; @Autowired private ClientDetailsService clientDetailsService; @Autowired private AuthorizationServerTokenServices authorizationServerTokenServices; @Override public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { String header = request.getHeader( "Authorization" ); if (header == null || !header.startsWith( "Basic " )) { throw new UnapprovedClientAuthenticationException( "请求头中client信息为空" ); } try { String[] tokens = extractAndDecodeHeader(header); assert tokens.length == 2 ; String clientId = tokens[ 0 ]; String clientSecret = tokens[ 1 ]; JSONObject params = new JSONObject(); params.put( "clientId" , clientId); params.put( "clientSecret" , clientSecret); params.put( "authentication" , authentication); ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId); TokenRequest tokenRequest = new TokenRequest(MapUtil.newHashMap(), clientId, clientDetails.getScope(), "mobile" ); OAuth2Request oAuth2Request = tokenRequest.createOAuth2Request(clientDetails); OAuth2Authentication oAuth2Authentication = new OAuth2Authentication(oAuth2Request, authentication); OAuth2AccessToken oAuth2AccessToken = authorizationServerTokenServices.createAccessToken(oAuth2Authentication); logger.info( "获取token 成功:{}" , oAuth2AccessToken.getValue()); response.setCharacterEncoding(CommonConstant.UTF8); response.setContentType(CommonConstant.CONTENT_TYPE); PrintWriter printWriter = response.getWriter(); printWriter.append(objectMapper.writeValueAsString(oAuth2AccessToken)); } catch (IOException e) { throw new BadCredentialsException( "Failed to decode basic authentication token" ); } } /** * Decodes the header into a username and password. * * @throws BadCredentialsException if the Basic header is not present or is not valid * Base64 */ private String[] extractAndDecodeHeader(String header) throws IOException { byte [] base64Token = header.substring( 6 ).getBytes( "UTF-8" ); byte [] decoded; try { decoded = Base64.decode(base64Token); } catch (IllegalArgumentException e) { throw new BadCredentialsException( "Failed to decode basic authentication token" ); } String token = new String(decoded, CommonConstant.UTF8); int delim = token.indexOf( ":" ); if (delim == - 1 ) { throw new BadCredentialsException( "Invalid basic authentication token" ); } return new String[]{token.substring( 0 , delim), token.substring(delim + 1 )}; } } |
配置以上自定义
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
//** * @author lengleng * @date 2018 / 1 / 9 * 手机号登录配置入口 */ @Component public class MobileSecurityConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> { @Autowired private MobileLoginSuccessHandler mobileLoginSuccessHandler; @Autowired private UserService userService; @Override public void configure(HttpSecurity http) throws Exception { MobileAuthenticationFilter mobileAuthenticationFilter = new MobileAuthenticationFilter(); mobileAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager. class )); mobileAuthenticationFilter.setAuthenticationSuccessHandler(mobileLoginSuccessHandler); MobileAuthenticationProvider mobileAuthenticationProvider = new MobileAuthenticationProvider(); mobileAuthenticationProvider.setUserService(userService); http.authenticationProvider(mobileAuthenticationProvider) .addFilterAfter(mobileAuthenticationFilter, UsernamePasswordAuthenticationFilter. class ); } } |
在spring security 配置 上边定一个的那个聚合配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
/** * @author lengleng * @date 2018年01月09日14:01:25 * 认证服务器开放接口配置 */ @Configuration @EnableResourceServer public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter { @Autowired private FilterUrlsPropertiesConifg filterUrlsPropertiesConifg; @Autowired private MobileSecurityConfigurer mobileSecurityConfigurer; @Override public void configure(HttpSecurity http) throws Exception { registry .antMatchers( "/mobile/token" ).permissionAll() .anyRequest().authenticated() .and() .csrf().disable(); http.apply(mobileSecurityConfigurer); } } |
使用
curl -H "Authorization:Basic cGlnOnBpZw==" -d "grant_type=mobile&scope=server&mobile=17034642119&code=" http://localhost:9999/auth/mobile/token
源码
基于Spring Cloud、Spring Security Oauth2.0开发企业级认证与授权,提供常见服务监控、链路追踪、日志分析、缓存管理、任务调度等实现
整个逻辑是参考spring security 自身的 usernamepassword 登录模式实现,可以参考其源码。
验证码的发放、校验逻辑比较简单,方法后通过全局fiter 判断请求中code 是否和 手机号匹配集合,重点逻辑是令牌的参数
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持服务器之家。
原文链接:https://juejin.im/post/5a5810826fb9a01ca47a6d11