Vždy som si myslela, že rodinné väzby sú úžasná vec. Hlavne keď je v rodine pokoj, vzájomné porozumenie a ochota pomôcť. Ale to funguje iba dovtedy, kým jedna strana nezmení láskavosť na povinnosť a podpor# SpringSecurity
“`
“`
## 自定义用户认证逻辑
1. 处理用户信息获取逻辑 **UserDetailsService**
`public class MyUserDetailsService implements UserDetailsService{}`
2. 处理用户校验逻辑 **UserDetails**
`public class MyUser implements UserDetails{}`
3. 处理密码加密解密 **PasswordEncoder**
“`
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
“`
## 个性化用户认证流程
1. 自定义登录界面
+ 编写登录页面**login.html**
+ 编写跳转至登录页面的Controller
2. 自定义登录成功处理
+ 实现**AuthenticationSuccessHandler**接口
+ 在SecurityConfig中配置
“`
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage(“/authentication/require”)
.loginProcessingUrl(“/authentication/form”)
.successHandler(myAuthenticationSuccessHandler)
.and()
.authorizeRequests()
.antMatchers(“/authentication/require”, securityProperties.getBrowser().getLoginPage()).permitAll()
.anyRequest()
.authenticated()
.and()
.csrf().disable();
}
“`
3. 自定义登录失败处理
+ 实现**AuthenticationFailureHandler**
+ 在SecurityConfig中配置
“`
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage(“/authentication/require”)
.loginProcessingUrl(“/authentication/form”)
.successHandler(myAuthenticationSuccessHandler)
.failureHandler(myAuthenticationFailureHandler)
.and()
.authorizeRequests()
.antMatchers(“/authentication/require”, securityProperties.getBrowser().getLoginPage()).permitAll()
.anyRequest()
.authenticated()
.and()
.csrf().disable();
}
“`
## 图片验证码
1. 根据随机数生成图片
+ 生成随机数
“`
public static String createRandomString() {
int[] numbers = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
Random random = new Random();
StringBuffer stringBuffer = new StringBuffer();
for (int i = 0; i < 4; i++) {
int j = random.nextInt(10);
stringBuffer.append(Integer.toString(numbers[j]));
}
return stringBuffer.toString();
}
```
+ 根据随机数生成图片
```
/**
* 生成验证码图片
* @param randomString
* @return
*/
public static BufferedImage createRandomImage(String randomString) {
// 在内存中创建图象
int width = 70, height = 30;
BufferedImage image = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
// 获取图形上下文
Graphics g = image.getGraphics();
// 生成随机类
Random random = new Random();
// 设定背景色
g.setColor(getRandColor(200, 250));
g.fillRect(0, 0, width, height);
// 设定字体
g.setFont(new Font("Times New Roman", Font.PLAIN, 24));
// 画边框
g.setColor(getRandColor(160, 200));
g.drawRect(0, 0, width - 1, height - 1);
// 随机产生155条干扰线,使图象中的认证码不易被其它程序探测到
g.setColor(getRandColor(160, 200));
for (int i = 0; i < 155; i++) {
int x = random.nextInt(width);
int y = random.nextInt(height);
int xl = random.nextInt(12);
int yl = random.nextInt(12);
g.drawLine(x, y, x + xl, y + yl);
}
// 取随机产生的认证码(4位数字)
String sRand = "";
for (int i = 0; i < randomString.length(); i++) {
String rand = randomString.substring(i, i + 1);
sRand += rand;
// 将认证码显示到图象中
g.setColor(new Color(20 + random.nextInt(110), 20 + random.nextInt(110), 20 + random.nextInt(110)));
// 调用函数出来的颜色相同,可能是因为种子太接近,所以只能直接生成
g.drawString(rand, 15 * i + 6, 24);
}
// 图象生效
g.dispose();
return image;
}
```
2. 将随机数存到session中
```
@RestController
public class ValidateCodeController {
public static final String SESSION_KEY = "SESSION_KEY_IMAGE_CODE";
private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();
@RequestMapping("/code/image")
public void createCode(HttpServletRequest request, HttpServletResponse response) throws IOException {
ImageCode imageCode = createImageCode(request);
sessionStrategy.setAttribute(new ServletWebRequest(request), SESSION_KEY, imageCode);
ImageIO.write(imageCode.getImage(), "JPEG", response.getOutputStream());
}
private ImageCode createImageCode(HttpServletRequest request) {
String randomString = RandomNumberUtil.createRandomString();
BufferedImage randomImage = RandomNumberUtil.createRandomImage(randomString);
return new ImageCode(randomImage, randomString, 60);
}
}
```
3. 登录时校验验证码
+ 编写验证码校验过滤器,继承`OncePerRequestFilter`
```
public class ValidateCodeFilter extends OncePerRequestFilter {
private AuthenticationFailureHandler authenticationFailureHandler;
private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
if (StringUtils.equals("/authentication/form", request.getRequestURI())
&& StringUtils.equalsIgnoreCase(request.getMethod(), "post")) {
try {
validate(new ServletWebRequest(request));
} catch (ValidateCodeException e) {
authenticationFailureHandler.onAuthenticationFailure(request, response, e);
return;
}
}
filterChain.doFilter(request, response);
}
private void validate(ServletWebRequest request) throws ServletRequestBindingException {
ImageCode codeInSession = (ImageCode) sessionStrategy.getAttribute(request, ValidateCodeController.SESSION_KEY);
String codeInRequest = ServletRequestUtils.getStringParameter(request.getRequest(), "imageCode");
if (StringUtils.isBlank(codeInRequest)) {
throw new ValidateCodeException("验证码的值不能为空");
}
if (codeInSession == null) {
throw new ValidateCodeException("验证码不存在");
}
if (codeInSession.isExpried()) {
sessionStrategy.removeAttribute(request, ValidateCodeController.SESSION_KEY);
throw new ValidateCodeException("验证码已过期");
}
if (!StringUtils.equals(codeInSession.getCode(), codeInRequest)) {
throw new ValidateCodeException("验证码不匹配");
}
sessionStrategy.removeAttribute(request, ValidateCodeController.SESSION_KEY);
}
}
```
+ 将过滤器添加到SpringSecurity的过滤链中
```
//security配置类中
@Autowired
private AuthenticationFailureHandler myAuthenticationFailureHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
validateCodeFilter.setAuthenticationFailureHandler(myAuthenticationFailureHandler);
http.addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)
.formLogin()
.loginPage("/authentication/require")
.loginProcessingUrl("/authentication/form")
.successHandler(myAuthenticationSuccessHandler)
.failureHandler(myAuthenticationFailureHandler)
.and()
.authorizeRequests()
.antMatchers("/authentication/require", securityProperties.getBrowser().getLoginPage(), "/code/image").permitAll()
.anyRequest()
.authenticated()
.Keďže som už dnes vyčerpaná, rozhodla som sa dať si skleničku vína a ísť spať skôr.
