Spring Security 图形验证码
一、图形验证码信息类
package com.xh.security.validate.code;
import java.awt.image.BufferedImage;
import java.time.LocalDateTime;
// 图片验证码信息
public class ImageCode {
// 图片
private BufferedImage image;
// 随机数
private String code;
// 过期时间
private LocalDateTime expireTime;
public ImageCode() {}
public ImageCode(BufferedImage image, String code, LocalDateTime expireTime) {
this.image = image;
this.code = code;
this.expireTime = expireTime;
}
// expireIn 过多久图形验证码 过期
public ImageCode(BufferedImage image, String code, int expireIn) {
this.image = image;
this.code = code;
this.expireTime = LocalDateTime.now().plusSeconds(expireIn);
}
// 验证是否过期
public boolean isExpire () {
return LocalDateTime.now().isAfter(expireTime);
}
public BufferedImage getImage() {
return image;
}
public void setImage(BufferedImage image) {
this.image = image;
}
public String getCode() {
return code;
}
public void setCode(String code) {
this.code = code;
}
public LocalDateTime getExpireTime() {
return expireTime;
}
public void setExpireTime(LocalDateTime expireTime) {
this.expireTime = expireTime;
}
}
二、返回图形验证码的controller
package com.xh.security.validate.code;
import java.awt.Color;
import java.awt.Font;
import java.awt.Graphics;
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.util.Random;
import javax.imageio.ImageIO;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.social.connect.web.HttpSessionSessionStrategy;
import org.springframework.social.connect.web.SessionStrategy;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.request.ServletWebRequest;
// 生成校验码的请求处理器
@RestController
public class ValidateCodeController {
public static final String SESSION_KEY = "SESSION_KEY_IMAGE_CODE";
private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();
@GetMapping("/code/image")
public void createCode (HttpServletRequest request, HttpServletResponse response) throws IOException {
ImageCode imageCode = createImage(request);
sessionStrategy.setAttribute(new ServletWebRequest(request), SESSION_KEY, imageCode);
ImageIO.write(imageCode.getImage(), "JPEG", response.getOutputStream());
}
private ImageCode createImage(HttpServletRequest request) {
int width = 67;
int height = 23;
BufferedImage image = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
Graphics g = image.getGraphics();
Random random = new Random();
g.setColor(getRandColor(200, 250));
g.fillRect(0, 0, width, height);
g.setFont(new Font("Times New Roman", Font.ITALIC, 20));
g.setColor(getRandColor(160, 200));
for (int i = 0; i < 155; i++) {
int x = random.nextInt(width);
int y = random.nextInt(height);
int xl = random.nextInt(12);
int yl = random.nextInt(12);
g.drawLine(x, y, x + xl, y + yl);
}
String sRand = "";
for (int i = 0; i < 4; i++) {
String rand = String.valueOf(random.nextInt(10));
sRand += rand;
g.setColor(new Color(20 + random.nextInt(110), 20 + random.nextInt(110), 20 + random.nextInt(110)));
g.drawString(rand, 13 * i + 6, 16);
}
g.dispose();
// 有效期
return new ImageCode(image, sRand, 60);
}
/**
* 生成随机背景条纹
*
* @param fc
* @param bc
* @return
*/
private Color getRandColor(int fc, int bc) {
Random random = new Random();
if (fc > 255) {
fc = 255;
}
if (bc > 255) {
bc = 255;
}
int r = fc + random.nextInt(bc - fc);
int g = fc + random.nextInt(bc - fc);
int b = fc + random.nextInt(bc - fc);
return new Color(r, g, b);
}
}
三、页面显示验证码
这个图片验证码请求/code/image 不需要验证:
package com.xh.security.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public PasswordEncoder passwordEncoder () {
return new BCryptPasswordEncoder();
}
@Autowired
private AuthenticationSuccessHandler myAuthenticationSuccessHandler;
@Autowired
private AuthenticationFailureHandler myAuthenctiationFailureHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
// http.httpBasic()// httpBasic 登录
http.formLogin()// 表单登录 来身份认证
.loginPage("/authentication/require")// 自定义登录页面
.loginProcessingUrl("/authentication/form")// 自定义登录路径
.successHandler(myAuthenticationSuccessHandler)
.failureHandler(myAuthenctiationFailureHandler)
.and()
.authorizeRequests()// 对请求授权
// error 127.0.0.1 将您重定向的次数过多
.antMatchers("/myLogin.html", "/authentication/require",
"/authentication/form","/code/image").permitAll()// 这些页面不需要身份认证,其他请求需要认证
.anyRequest() // 任何请求
.authenticated()//; // 都需要身份认证
.and()
.csrf().disable();// 禁用跨站攻击
}
}
修改 myLogin.html:
<html>
<head>
<meta charset="UTF-8">
<title>登录title>
head>
<body>
<h3>表单登录h3>
<form action="/authentication/form" method="post">
<table>
<tr>
<td>用户名:td>
<td><input type="text" name="username">td>
tr>
<tr>
<td>密码:td>
<td><input type="password" name="password">td>
tr>
<tr>
<td>图形验证码:td>
<td>
<input type="text" name="imageCode">
<img src="/code/image">
td>
tr>
<tr>
<td colspan="2"><button type="submit">登录button>td>
tr>
table>
form>
body>
html>到现在就能在页面显示验证码了,如图:
四、自定义验证异常
由于验证是基于security的所以异常需要继承AuthenticationException。
package com.xh.security.validate.code;
import org.springframework.security.core.AuthenticationException;
// AuthenticationException 是 spring security 身份验证过程中异常的基类
public class ValidateCodeException extends AuthenticationException {
private static final long serialVersionUID = -7932793974645209799L;
public ValidateCodeException(String msg) {
super(msg);
}
}
五、验证码过滤器ValidateCodeFilter
package com.xh.security.validate.code;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.social.connect.web.HttpSessionSessionStrategy;
import org.springframework.social.connect.web.SessionStrategy;
import org.springframework.web.bind.ServletRequestBindingException;
import org.springframework.web.bind.ServletRequestUtils;
import org.springframework.web.context.request.ServletWebRequest;
import org.springframework.web.filter.OncePerRequestFilter;
// OncePerRequestFilter : 保证过滤器只被调用一次
public class ValidateCodeFilter extends OncePerRequestFilter {
private AuthenticationFailureHandler authenctiationFailureHandler;
private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();
// 过滤 逻辑
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
// 是一个登陆请求
if (StringUtils.equals("/authentication/form", request.getRequestURI())
&& StringUtils.equalsIgnoreCase(request.getMethod(), "POST")) {
try {
validate(new ServletWebRequest(request));
} catch (ValidateCodeException e) {
// 有异常就返回自定义失败处理器
authenctiationFailureHandler.onAuthenticationFailure(request, response, e);
return;
}
}
// 不是一个登录请求,不做校验 直接通过
filterChain.doFilter(request, response);
}
private void validate(ServletWebRequest request) throws ServletRequestBindingException {
ImageCode codeInSession = (ImageCode) sessionStrategy.getAttribute(request, ValidateCodeController.SESSION_KEY);
String codeInRequest = ServletRequestUtils.getStringParameter(request.getRequest(), "imageCode");
if (StringUtils.isBlank(codeInRequest)) {
throw new ValidateCodeException("验证码不能为空!");
}
if (codeInSession == null) {
throw new ValidateCodeException("验证码不存在");
}
if (codeInSession.isExpire()) {
sessionStrategy.removeAttribute(request, ValidateCodeController.SESSION_KEY);
throw new ValidateCodeException("验证码已过期");
}
if (!StringUtils.equals(codeInSession.getCode(), codeInRequest)) {
throw new ValidateCodeException("验证码不匹配");
}
sessionStrategy.removeAttribute(request, ValidateCodeController.SESSION_KEY);
}
public AuthenticationFailureHandler getAuthenctiationFailureHandler() {
return authenctiationFailureHandler;
}
public void setAuthenctiationFailureHandler(AuthenticationFailureHandler authenctiationFailureHandler) {
this.authenctiationFailureHandler = authenctiationFailureHandler;
}
}
六、把验证码过滤器ValidateCodeFilter加入security过滤器链前端
package com.xh.security.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import com.xh.security.validate.code.ValidateCodeFilter;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public PasswordEncoder passwordEncoder () {
return new BCryptPasswordEncoder();
}
@Autowired
private AuthenticationSuccessHandler myAuthenticationSuccessHandler;
@Autowired
private AuthenticationFailureHandler myAuthenctiationFailureHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
validateCodeFilter.setAuthenctiationFailureHandler(myAuthenctiationFailureHandler);
// http.httpBasic()// httpBasic 登录
http.addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)
.formLogin()// 表单登录 来身份认证
.loginPage("/authentication/require")// 自定义登录页面
.loginProcessingUrl("/authentication/form")// 自定义登录路径
.successHandler(myAuthenticationSuccessHandler)
.failureHandler(myAuthenctiationFailureHandler)
.and()
.authorizeRequests()// 对请求授权
// error 127.0.0.1 将您重定向的次数过多
.antMatchers("/myLogin.html", "/authentication/require",
"/authentication/form","/code/image").permitAll()// 这些页面不需要身份认证,其他请求需要认证
.anyRequest() // 任何请求
.authenticated()//; // 都需要身份认证
.and()
.csrf().disable();// 禁用跨站攻击
}
}