springboot+security实现用户权限管理后,登陆要求增加图片验证码
pring security使用众多的过滤器对url进行拦截,以此来进行权限管理。Spring security不允许我们修改默认的filter实现,但是可以加入自己的filter。登录验证的流程是,用户登陆会被AuthenticationProcessingFilter拦截,调用AuthenticationManager的实现,而AuthenticationManager会调用ProviderManager来获取用户验证信息。如果验证通过会将用户的权限信息封装成User对象放到spring的全局缓存SecurityContextHolder中,以备后面访问资源时使用。忽略验证用户信息的部分,我们可以通过AuthenticationProcessingFilter来检验验证码,并达到验证失败时拒绝用户登录的目的。
直接上代码:
验证码工具
public class VerifyCodeUtils {
//字体只显示大写,去掉了1,0,i,o几个容易混淆的字符
public static final String VERIFY_CODES = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
private static Random random = new Random();
/**
* 使用系统默认字符源生成验证码
*
* @param verifySize 验证码长度
* @return
*/
public static String generateVerifyCode(int verifySize) {
return generateVerifyCode(verifySize, VERIFY_CODES);
}
/**
* 使用指定源生成验证码
*
* @param verifySize 验证码长度
* @param sources 验证码字符源
* @return
*/
public static String generateVerifyCode(int verifySize, String sources) {
if (sources == null || sources.length() == 0) {
sources = VERIFY_CODES;
}
int codesLen = sources.length();
Random rand = new Random(System.currentTimeMillis());
StringBuilder verifyCode = new StringBuilder(verifySize);
for (int i = 0; i < verifySize; i++) {
verifyCode.append(sources.charAt(rand.nextInt(codesLen - 1)));
}
return verifyCode.toString();
}
/**
* 生成随机验证码文件,并返回验证码值
*
* @param w
* @param h
* @param outputFile
* @param verifySize
* @return
* @throws IOException
*/
public static String outputVerifyImage(int w, int h, File outputFile, int verifySize) throws IOException {
String verifyCode = generateVerifyCode(verifySize);
outputImage(w, h, outputFile, verifyCode);
return verifyCode;
}
/**
* 输出随机验证码图片流,并返回验证码值
*
* @param w
* @param h
* @param os
* @param verifySize
* @return
* @throws IOException
*/
public static String outputVerifyImage(int w, int h, OutputStream os, int verifySize) throws IOException {
String verifyCode = generateVerifyCode(verifySize);
outputImage(w, h, os, verifyCode);
return verifyCode;
}
/**
* 生成指定验证码图像文件
*
* @param w
* @param h
* @param outputFile
* @param code
* @throws IOException
*/
public static void outputImage(int w, int h, File outputFile, String code) throws IOException {
if (outputFile == null) {
return;
}
File dir = outputFile.getParentFile();
if (!dir.exists()) {
dir.mkdirs();
}
try {
outputFile.createNewFile();
FileOutputStream fos = new FileOutputStream(outputFile);
outputImage(w, h, fos, code);
fos.close();
} catch (IOException e) {
throw e;
}
}
/**
* 输出指定验证码图片流
*
* @param w
* @param h
* @param os
* @param code
* @throws IOException
*/
public static void outputImage(int w, int h, OutputStream os, String code) throws IOException {
int verifySize = code.length();
BufferedImage image = new BufferedImage(w, h, BufferedImage.TYPE_INT_RGB);
Random rand = new Random();
Graphics2D g2 = image.createGraphics();
g2.setRenderingHint(RenderingHints.KEY_ANTIALIASING, RenderingHints.VALUE_ANTIALIAS_ON);
Color[] colors = new Color[5];
Color[] colorSpaces = new Color[]{Color.WHITE, Color.CYAN,
Color.GRAY, Color.LIGHT_GRAY, Color.MAGENTA, Color.ORANGE,
Color.PINK, Color.YELLOW};
float[] fractions = new float[colors.length];
for (int i = 0; i < colors.length; i++) {
colors[i] = colorSpaces[rand.nextInt(colorSpaces.length)];
fractions[i] = rand.nextFloat();
}
Arrays.sort(fractions);
g2.setColor(Color.GRAY);// 设置边框色
g2.fillRect(0, 0, w, h);
Color c = getRandColor(200, 250);
g2.setColor(c);// 设置背景色
g2.fillRect(0, 2, w, h - 4);
//绘制干扰线
Random random = new Random();
g2.setColor(getRandColor(160, 200));// 设置线条的颜色
for (int i = 0; i < 20; i++) {
int x = random.nextInt(w - 1);
int y = random.nextInt(h - 1);
int xl = random.nextInt(6) + 1;
int yl = random.nextInt(12) + 1;
g2.drawLine(x, y, x + xl + 40, y + yl + 20);
}
// 添加噪点
float yawpRate = 0.05f;// 噪声率
int area = (int) (yawpRate * w * h);
for (int i = 0; i < area; i++) {
int x = random.nextInt(w);
int y = random.nextInt(h);
int rgb = getRandomIntColor();
image.setRGB(x, y, rgb);
}
shear(g2, w, h, c);// 使图片扭曲
g2.setColor(getRandColor(100, 160));
int fontSize = h - 4;
Font font = new Font("Algerian", Font.ITALIC, fontSize);
g2.setFont(font);
char[] chars = code.toCharArray();
for (int i = 0; i < verifySize; i++) {
AffineTransform affine = new AffineTransform();
affine.setToRotation(Math.PI / 4 * rand.nextDouble() * (rand.nextBoolean() ? 1 : -1), (w / verifySize) * i + fontSize / 2, h / 2);
g2.setTransform(affine);
g2.drawChars(chars, i, 1, ((w - 10) / verifySize) * i + 5, h / 2 + fontSize / 2 - 10);
}
g2.dispose();
ImageIO.write(image, "jpg", os);
}
private static Color getRandColor(int fc, int bc) {
if (fc > 255) {
fc = 255;
}
if (bc > 255) {
bc = 255;
}
int r = fc + random.nextInt(bc - fc);
int g = fc + random.nextInt(bc - fc);
int b = fc + random.nextInt(bc - fc);
return new Color(r, g, b);
}
private static int getRandomIntColor() {
int[] rgb = getRandomRgb();
int color = 0;
for (int c : rgb) {
color = color << 8;
color = color | c;
}
return color;
}
private static int[] getRandomRgb() {
int[] rgb = new int[3];
for (int i = 0; i < 3; i++) {
rgb[i] = random.nextInt(255);
}
return rgb;
}
private static void shear(Graphics g, int w1, int h1, Color color) {
shearX(g, w1, h1, color);
shearY(g, w1, h1, color);
}
private static void shearX(Graphics g, int w1, int h1, Color color) {
int period = random.nextInt(2);
boolean borderGap = true;
int frames = 1;
int phase = random.nextInt(2);
for (int i = 0; i < h1; i++) {
double d = (double) (period >> 1)
* Math.sin((double) i / (double) period
+ (6.2831853071795862D * (double) phase)
/ (double) frames);
g.copyArea(0, i, w1, 1, (int) d, 0);
if (borderGap) {
g.setColor(color);
g.drawLine((int) d, i, 0, i);
g.drawLine((int) d + w1, i, w1, i);
}
}
}
private static void shearY(Graphics g, int w1, int h1, Color color) {
int period = random.nextInt(40) + 10; // 50;
boolean borderGap = true;
int frames = 20;
int phase = 7;
for (int i = 0; i < w1; i++) {
double d = (double) (period >> 1)
* Math.sin((double) i / (double) period
+ (6.2831853071795862D * (double) phase)
/ (double) frames);
g.copyArea(i, 0, 1, h1, 0, (int) d);
if (borderGap) {
g.setColor(color);
g.drawLine(i, (int) d, i, 0);
g.drawLine(i, (int) d + h1, i, h1);
}
}
}
}
controller获取验证码
@RequestMapping(value="image",method= RequestMethod.GET)
public void authImage(HttpServletRequest request, HttpServletResponse response) throws IOException {
response.setHeader("Pragma", "No-cache");
response.setHeader("Cache-Control", "no-cache");
response.setDateHeader("Expires", 0);
response.setContentType("image/jpeg");
HttpSession session = request.getSession();
// 生成随机字串
String verifyCode = VerifyCodeUtils.generateVerifyCode(4);
session.removeAttribute("verCode");
session.removeAttribute("codeTime");
session.setAttribute("verCode", verifyCode.toLowerCase());
session.setAttribute("codeTime", LocalDateTime.now());
// 生成图片
int w = 100, h = 30;
OutputStream out = response.getOutputStream();
VerifyCodeUtils.outputImage(w, h, out, verifyCode);
}
这里需要注意的一点:在security里将获取图片验证码的路径添加到不拦截路径里,否则会被拦截。
验证码过滤器:
public class CaptchaAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
Logger logger = Logger.getLogger(CaptchaAuthenticationFilter.class);
private String processUrl;
private MyAuthenctiationFailureHandler myAuthenctiationFailureHandler;
public CaptchaAuthenticationFilter(String defaultFilterProcessesUrl,MyAuthenctiationFailureHandler myAuthenctiationFailureHandler) {
super(defaultFilterProcessesUrl);
this.processUrl = defaultFilterProcessesUrl;
this.myAuthenctiationFailureHandler = myAuthenctiationFailureHandler;
setAuthenticationFailureHandler(myAuthenctiationFailureHandler);
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
if (processUrl.equals(req.getServletPath()) && "POST".equalsIgnoreCase(req.getMethod())) {
Object expect = req.getSession().getAttribute("verCode");
String code = req.getParameter("VerificationCode");
logger.info("========expect: " + expect + " code:" + code);
try {
validImage(req, res, code, expect);
} catch (AuthenticationException e) {
myAuthenctiationFailureHandler.onAuthenticationFailure(req, res, e);
return;
}
}
chain.doFilter(request, response);
}
@Override
public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
return null;
}
/**
* @param
* @param
* @param code 获取的验证码参数
* @param verCode session中保存的验证码
* @throws IOException
* @throws ServletException
*/
public void validImage(HttpServletRequest req, HttpServletResponse res, String code, Object verCode) throws IOException {
String verCodeStr = null;
if (null == verCode) {
throw new InsufficientAuthenticationException("验证码失效,请重新获取");
} else {
verCodeStr = verCode.toString();
}
if (null == code) {
throw new InsufficientAuthenticationException("验证码不能为空");
}
LocalDateTime localDateTime = (LocalDateTime) req.getSession().getAttribute("codeTime");
long past = localDateTime.atZone(ZoneId.systemDefault()).toInstant().toEpochMilli();
long now = LocalDateTime.now().atZone(ZoneId.systemDefault()).toInstant().toEpochMilli();
if (verCodeStr == null || code == null || code.isEmpty() || !verCodeStr.equalsIgnoreCase(code)) {
throw new InsufficientAuthenticationException("验证码错误");
/**超时两分钟*/
} else if ((now - past) / 1000 / 60 > 2) {
throw new InsufficientAuthenticationException("验证码已过期,重新获取");
} else {
//验证成功,删除存储的验证码和时间
req.getSession().removeAttribute("verCode");
req.getSession().removeAttribute("codeTime");
}
}
}
处理验证码验证失败后的请求:
@Component("myAuthenctiationFailureHandler")
public class MyAuthenctiationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
private Logger logger = LoggerFactory.getLogger(getClass());
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException {
logger.info("登录失败");
response.setContentType("application/json;charset=UTF-8");
Result result = new Result(null, Status.ERROR,exception.getMessage());
response.getWriter().write(new ObjectMapper().writeValueAsString(result));
}
}
最后,在WebSecurityConfig 里的configure方法中添加实现的过滤器即可
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.addFilterBefore(new CaptchaAuthenticationFilter("/login", myAuthenctiationFailureHandler), UsernamePasswordAuthenticationFilter.class);
http.authorizeRequests()
.withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
@Override
public <O extends FilterSecurityInterceptor> O postProcess(O o) {
o.setSecurityMetadataSource(metadataSource);
o.setAccessDecisionManager(urlAccessDecisionManager);
return o;
}
})
.and()
.formLogin().loginPage("/loginP").loginProcessingUrl("/login")
.usernameParameter("username").passwordParameter("password")
.failureHandler(new AuthenticationFailureHandler() {
@Override
public void onAuthenticationFailure(HttpServletRequest req,
HttpServletResponse resp,
AuthenticationException e) throws IOException {
resp.setContentType("application/json;charset=utf-8");
Result result = null;
if (e instanceof BadCredentialsException ||
e instanceof UsernameNotFoundException) {
result = new Result(null, Status.ERROR,"用户名或者密码错误");
} else if (e instanceof LockedException) {
result = new Result(null, Status.ERROR,"账户被锁定,请联系管理员!");
} else {
result = new Result(null, Status.ERROR,"登录失败");
}
resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
ObjectMapper om = new ObjectMapper();
PrintWriter out = resp.getWriter();
out.write(om.writeValueAsString(result));
out.flush();
out.close();
}
})
.successHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest req,
HttpServletResponse resp,
Authentication auth) throws IOException {
resp.setContentType("application/json;charset=utf-8");
Result result =new Result(UserUtils.getCurrentUser(),Status.SUCCESS,"登录成功!");
ObjectMapper om = new ObjectMapper();
PrintWriter out = resp.getWriter();
out.write(om.writeValueAsString(result));
out.flush();
out.close();
}
})
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(new LogoutSuccessHandler() {
@Override
public void onLogoutSuccess(HttpServletRequest req, HttpServletResponse resp, Authentication authentication) throws IOException, ServletException {
resp.setContentType("application/json;charset=utf-8");
Result result =new Result(null,Status.SUCCESS,"退出成功!");
ObjectMapper om = new ObjectMapper();
PrintWriter out = resp.getWriter();
out.write(om.writeValueAsString(result));
out.flush();
out.close();
}
})
.permitAll()
.and()
.csrf().disable()
.exceptionHandling().accessDeniedHandler(deniedHandler)
;
}