spring-security-5.0版本之UsernamePasswordFilter

首先,先上代码。

package pn.empire.security.filter;

import java.security.interfaces.RSAPrivateKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.ResourceBundle;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.util.Assert;

import pn.empire.security.exception.CodeException;
import pn.empire.security.exception.ForbidIPException;
import pn.empire.util.NetWorkUtil;
import pn.empire.util.RSAUtils;

public class UsernamePasswordFilter
        extends org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter {
    // ~ Static fields/initializers
    // =====================================================================================
    // 用户名
    public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username";
    // 密码
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password";
    public static final String SPRING_SECURITY_FORM_REDERICT_KEY = "spring-security-redirect";

    private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
    private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
    private boolean postOnly = true;

    private String redirectParameter = SPRING_SECURITY_FORM_REDERICT_KEY;
    // ~ Methods
    // ========================================================================================================

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        if (postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        if (request == null) {
            throw new AuthenticationServiceException("request is null");
        }
        String username = obtainUsername(request);
        String password = obtainPassword(request);
        String code = request.getParameter("code");
        String sessionCode = (String) request.getSession(true).getAttribute("code");
        request.getSession(true).removeAttribute("code");
        if (sessionCode == null) {
            throw new CodeException("您的验证码已过期,请刷新验证码!");
        }
        // 验证码相关
        if (code == null) {
            throw new CodeException("请输入验证码");
        }
        if (!code.toLowerCase().equals(sessionCode.toLowerCase())) {
            throw new CodeException("请正确输入验证码!");
        }
        ResourceBundle resource = ResourceBundle.getBundle("forbidip");
        String forbidIpsStr = resource.getString("ip.address");
        List forbidIps = new ArrayList();
        if (forbidIpsStr != null && forbidIpsStr.indexOf(",") != -1) {
            String[] ips = forbidIpsStr.split(",");
            forbidIps = Arrays.asList(ips);
        }
        String ip = "";
        ip = NetWorkUtil.getIpAddress(request);
        if (ip.indexOf("非法地址:") != -1) {
            throw new ForbidIPException("非法IP");
        }
        if (forbidIps.size() > 0 && forbidIps.contains(ip)) {
            throw new ForbidIPException("非法IP");
        }
        RSAPrivateKey privateKey = (RSAPrivateKey) request.getSession().getAttribute("privateKey");
        try {
            String str = RSAUtils.decryptByPrivateKey(password, privateKey);
            password = StringUtils.reverse(str);
        } catch (Exception e) {
            e.printStackTrace();
        }

        String redirectUrl = obtainRedercitUrl(request);
        if (username == null) {
            username = "";
        }

        if (password == null) {
            password = "";
        }
        // 自定义回调URL,若存在则放入Session
        if (redirectUrl != null && !"".equals(redirectUrl)) {
            request.getSession().setAttribute("callCustomRediretUrl", redirectUrl);
        }
        username = username.trim();
        // 在这里处理密码或者用户名
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);
        return this.getAuthenticationManager().authenticate(authRequest);
    }

    /**
     * Enables subclasses to override the composition of the password, such as by
     * including additional values and a separator.
     * 

* This might be used for example if a postcode/zipcode was required in addition to * the password. A delimiter such as a pipe (|) should be used to separate the * password and extended value(s). The AuthenticationDao will need to * generate the expected password in a corresponding manner. *

* * @param request * so that request attributes can be retrieved * * @return the password that will be presented in the Authentication * request token to the AuthenticationManager */ protected String obtainPassword(HttpServletRequest request) { return request.getParameter(passwordParameter); } /** * Enables subclasses to override the composition of the username, such as by * including additional values and a separator. * * @param request * so that request attributes can be retrieved * * @return the username that will be presented in the Authentication * request token to the AuthenticationManager */ protected String obtainUsername(HttpServletRequest request) { return request.getParameter(usernameParameter); } /** * Provided so that subclasses may configure what is put into the authentication * request's details property. * * @param request * that an authentication request is being created for * @param authRequest * the authentication request object that should have its details * set */ protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) { authRequest.setDetails(authenticationDetailsSource.buildDetails(request)); } /** * Sets the parameter name which will be used to obtain the username from the login * request. * * @param usernameParameter * the parameter name. Defaults to "username". */ public void setUsernameParameter(String usernameParameter) { Assert.hasText(usernameParameter, "Username parameter must not be empty or null"); this.usernameParameter = usernameParameter; } /** * Sets the parameter name which will be used to obtain the password from the login * request.. * * @param passwordParameter * the parameter name. Defaults to "password". */ public void setPasswordParameter(String passwordParameter) { Assert.hasText(passwordParameter, "Password parameter must not be empty or null"); this.passwordParameter = passwordParameter; } /** * Defines whether only HTTP POST requests will be allowed by this filter. If set to * true, and an authentication request is received which is not a POST request, an * exception will be raised immediately and authentication will not be attempted. The * unsuccessfulAuthentication() method will be called as if handling a failed * authentication. *

* Defaults to true but may be overridden by subclasses. */ public void setPostOnly(boolean postOnly) { this.postOnly = postOnly; } protected String obtainRedercitUrl(HttpServletRequest request) { return request.getParameter(redirectParameter); } }

说一下变量:
1.SPRING_SECURITY_FORM_USERNAME_KEY:这个静态常量定义了页面传递到后台中用户名的变量名。
2.SPRING_SECURITY_FORM_PASSWORD_KEY:这个静态常量定义了页面传递到后台中用户密码的变量名。
3.SPRING_SECURITY_FORM_REDERICT_KEY:这个静态常量定义了页面传递到后台中路径的变量名,因为是ajax登录,所以可以通过该变量控制登录成功后跳转至哪里。如果是表单登录,应该可以通过重定向来实现。
核心方法attemptAuthentication:

        if (postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }

上面这一段代码控制了登录请求只能以post方式进行。

        String code = request.getParameter("code");
        String sessionCode = (String) request.getSession(true).getAttribute("code");
        request.getSession(true).removeAttribute("code");
        if (sessionCode == null) {
            throw new CodeException("您的验证码已过期,请刷新验证码!");
        }
        // 验证码相关
        if (code == null) {
            throw new CodeException("请输入验证码");
        }
        if (!code.toLowerCase().equals(sessionCode.toLowerCase())) {
            throw new CodeException("请正确输入验证码!");
        }

上面代码简单实现了一个验证码校验功能,在访问登录页面时,后台生成验证码并存储到session中,之后取值移除并进行校验,此处抛出了自定义异常CodeException,目的是方便失败后进行异常捕捉,明确错误信息并提示给用户。

        ResourceBundle resource = ResourceBundle.getBundle("forbidip");
        String forbidIpsStr = resource.getString("ip.address");
        List forbidIps = new ArrayList();
        if (forbidIpsStr != null && forbidIpsStr.indexOf(",") != -1) {
            String[] ips = forbidIpsStr.split(",");
            forbidIps = Arrays.asList(ips);
        }
        String ip = "";
        ip = NetWorkUtil.getIpAddress(request);
        if (ip.indexOf("非法地址:") != -1) {
            throw new ForbidIPException("非法IP");
        }
        if (forbidIps.size() > 0 && forbidIps.contains(ip)) {
            throw new ForbidIPException("非法IP");
        }

上面代码是通过读取配置文件进行ip限制,如果是当前ip被禁止则抛出自定义异常。
当然请求的ip是从request中取得,此种获取ip的方法并不可靠,聊胜于无,如果大家有好的方法,欢迎指导。

       RSAPrivateKey privateKey = (RSAPrivateKey)request.getSession().getAttribute("privateKey");
        try {
            String str = RSAUtils.decryptByPrivateKey(password, privateKey);
            password = StringUtils.reverse(str);
        } catch (Exception e) {
            e.printStackTrace();
        }

这一段代码是对前台传递过来的密码进行rsa解密,目前公钥私钥都是存储在session 中的,每个会话都是单独生成的,至于此种做法是否更加安全,待验证。

至于redirectUrl,此属性是为了登录成功后配合ajax可以跳转到指定路径。

  setDetails(request, authRequest);
  return this.getAuthenticationManager().authenticate(authRequest);

设置details,这里就是设置org.springframework.security.web.authentication.WebAuthenticationDetails实例到details中
之后会通过UserDetailServiceImpl进行校验。
以上便是UsernamePasswordFilter的主要内容了。
之后会写UserDetailServiceImpl。

你可能感兴趣的:(spring-security-5.0版本之UsernamePasswordFilter)