SpringSecurity登录优雅集成图形验证码

前言

在SpringSecurity的默认登录支持组件formLogin中没有提供图形验证码的支持，目前大多数的方案都是通过新增Filter来实现。filter的方式可以实现功能，但是没有优雅的解决， 需要重新维护一套和登录相关的url，例如：loginProccessUrl,loginFailUrl,loginSuccessUrl，从软件设计角度来讲功能没有内聚。
下面为大家介绍一种优雅的解决方案。

解决思路

先获取验证码

判断图形验证码先要获取到验证码，在UsernamePasswordAuthenticationToken(UPAT)中没有字段来存储验证码，重写UPAT成本太高。可以从details字段中入手，将验证码放在details中。

判断验证码是否正确

UPAT的认证是在DaoAuthenticationProvider中完成的，如果需要判断验证码直接修改是成本比较大的方式，可以新增AuthenticationProvider来对验证码新增验证。

输出验证码

常规超过可以通过Controller来输出，但是验证码的管理需要统一，防止各种sessionKey乱飞。

代码实现

新增验证码容器：CaptchaAuthenticationDetails

public class CaptchaAuthenticationDetails extends WebAuthenticationDetails {
    private final String DEFAULT_CAPTCHA_PARAMETER_NAME = "captcha";
 private String captchaParameter = DEFAULT_CAPTCHA_PARAMETER_NAME;
/**
 * 用户提交的验证码
 */
private String committedCaptcha;
/**
 * 预设的验证码
 */
private String presetCaptcha;
 private final WebAuthenticationDetails webAuthenticationDetails;
 public CaptchaAuthenticationDetails(HttpServletRequest request) {
        super(request);
 this.committedCaptcha = request.getParameter(captchaParameter);
 this.webAuthenticationDetails = new WebAuthenticationDetails(request);
 }
    public boolean isCaptchaMatch() {
        if (this.presetCaptcha == null || this.committedCaptcha == null) {
            return false;
 }
        return this.presetCaptcha.equalsIgnoreCase(committedCaptcha);
 }
 getter ...
 setter ...
 }

这个类主要是用于保存验证码

验证码获取：CaptchaAuthenticationDetailsSource

public class CaptchaAuthenticationDetailsSource implements AuthenticationDetailsSource {
    private final CaptchaRepository captchaRepository;
 public CaptchaAuthenticationDetailsSource(CaptchaRepository captchaRepository) {
        this.captchaRepository = captchaRepository;
 }
    @Override
 public CaptchaAuthenticationDetails buildDetails(HttpServletRequest httpServletRequest) {
        CaptchaAuthenticationDetails captchaAuthenticationDetails = new CaptchaAuthenticationDetails(httpServletRequest);
 captchaAuthenticationDetails.setPresetCaptcha(captchaRepository.load(httpServletRequest));
 return captchaAuthenticationDetails;
 }
}

根据提交的参数构建CaptchaAuthenticationDetails，用户提交的验证码(committedCaptcha)从request中获取，预设的验证码(presetCaptcha)从验证码仓库(CaptchaRepostory)获取

验证码仓库实现SessionCaptchaRepository

public class SessionCaptchaRepository implements CaptchaRepository {
    private static final String CAPTCHA_SESSION_KEY = "captcha";
 /**
 * the key of captcha in session attributes */ private String captchaSessionKey = CAPTCHA_SESSION_KEY;
 @Override
 public String load(HttpServletRequest request) {
        return (String) request.getSession().getAttribute(captchaSessionKey);
 }
    @Override
 public void save(HttpServletRequest request, String captcha) {
        request.getSession().setAttribute(captchaSessionKey, captcha);
 }
    /**
 * @return sessionKey */ public String getCaptchaSessionKey() {
        return captchaSessionKey;
 }
    /**
 * @param captchaSessionKey sessionKey
 */ public void setCaptchaSessionKey(String captchaSessionKey) {
        this.captchaSessionKey = captchaSessionKey;
 }
}

这个验证码仓库是基于Session的，如果想要基于Redis只要实现CaptchaRepository即可。

对验证码进行认证CaptchaAuthenticationProvider

public class CaptchaAuthenticationProvider implements AuthenticationProvider {
    private final Logger log = LoggerFactory.getLogger(this.getClass());
 @Override
 public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        UsernamePasswordAuthenticationToken authenticationToken = (UsernamePasswordAuthenticationToken) authentication;
 CaptchaAuthenticationDetails details = (CaptchaAuthenticationDetails) authenticationToken.getDetails();
 if (!details.isCaptchaMatch()) {
            //验证码不匹配抛出异常，退出认证
 if (log.isDebugEnabled()) {
                log.debug("认证失败：验证码不匹配");
 }
            throw new CaptchaIncorrectException("验证码错误");
 }
        //替换details
 authenticationToken.setDetails(details.getWebAuthenticationDetails());
 //返回空交给下一个provider进行认证
 return null;
 }
    @Override
 public boolean supports(Class aClass) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(aClass);
 }
}

SpringSecurity配置

@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Bean
 public CaptchaRepository sessionCaptchaRepository() {
        return new SessionCaptchaRepository();
 }
    @Override
 protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .loginProcessingUrl("/login")
                .loginPage("/login.html")
                .authenticationDetailsSource(new CaptchaAuthenticationDetailsSource(sessionCaptchaRepository()))
                .failureUrl("/login.html?error=true")
                .defaultSuccessUrl("/index.html")
                .and()
                .authenticationProvider(new CaptchaAuthenticationProvider())
                .csrf()
                .disable();
 }
    @Override
 public void configure(WebSecurity web) {
        web.ignoring()
                .mvcMatchers("/captcha", "/login.html");
 }
}

将CaptchaAuthenticationProvider加入到认证链条中，重新配置authenticationDetailsSource

提供图形验证码接口

@Controller
public class CaptchaController {
    private final CaptchaRepository captchaRepository;
 @Autowired
 public CaptchaController(CaptchaRepository captchaRepository) {
        this.captchaRepository = captchaRepository;
 }
    @RequestMapping("/captcha")
    public void captcha(HttpServletRequest request, HttpServletResponse response) throws IOException {
        RandomCaptcha randomCaptcha = new RandomCaptcha(4);
 captchaRepository.save(request, randomCaptcha.getValue());
 CaptchaImage captchaImage = new DefaultCaptchaImage(200, 60, randomCaptcha.getValue());
 captchaImage.write(response.getOutputStream());
 }
}

将生成的随机验证码(RandomCaptcha)保存到验证码仓库(CaptchaRepository)中，并将验证码图片(CaptchaImage)输出到客户端。
至此整个图形验证码认证的全流程已经结束。

代码仓库

https://gitee.com/leecho/spri...