spring security 一个验证码登录例子

看完shiro，在看spring security感觉快了很多，最开始看spring security的时候，非常晕，看完我觉得spring security做了太多事，以至于程序员都不知道，是怎么实现的，这样的

后果就是 当出现错误，或者需要修改的时候感觉无从下手。

个人理解，若有错误，请指正。

spring security跟shiro类似，都是使用过滤器来认证和授权，不同的是spring seciruty是实现了一个过滤器链，每个请求都要经过，我们可以使用自动配置，这样spring security自动帮我们配置了这一系列过滤器，也可以自定义过滤器放在它的过滤器链中。

验证码或密码登录，需要重新修改认证过滤器

[java] view plain copy

1. package com.test.hello.security;
3. import javax.servlet.http.HttpServletRequest;
4. import javax.servlet.http.HttpServletResponse;
6. import org.springframework.security.authentication.AbstractAuthenticationToken;
7. import org.springframework.security.authentication.AuthenticationServiceException;
8. import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
9. import org.springframework.security.core.Authentication;
10. import org.springframework.security.core.AuthenticationException;
11. import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
13. public class KdUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter{
14. private boolean postOnly = true;
15. public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
16. if (this.postOnly && !request.getMethod().equals(“POST”)) {
17. throw new AuthenticationServiceException(“Authentication method not supported: “ + request.getMethod());
18. }
20. String username = obtainUsername(request);
21. String password = obtainPassword(request);
22. String type = request.getParameter(“j_type”);
24. if (username == null) {
25. username = “”;
26. }
28. if (password == null) {
29. password = “”;
30. }
32. if (type == null) {
33. type = “1”;
34. }
36. username = username.trim();
38. Authentication authRequest;
39. if(type.equals(“1”)){
40. authRequest = new UsernamePasswordAuthenticationToken(username, password);
41. }else{
42. authRequest = new KdUsernamePasswordAuthenticationToken(username, password,type);
43. }
48. // Allow subclasses to set the “details” property
49. setDetails(request, (AbstractAuthenticationToken)authRequest);
51. return this.getAuthenticationManager().authenticate(authRequest);
52. }
54. /**
55. * Provided so that subclasses may configure what is put into the authentication request’s details
56. * property.
57. *
58. * @param request that an authentication request is being created for
59. * @param authRequest the authentication request object that should have its details set
60. */
61. protected void setDetails(HttpServletRequest request, AbstractAuthenticationToken authRequest) {
62. authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
63. }
67. }

type为2时候，使用验证码登录，token- >provider ->

token

[java] view plain copy

1. package com.test.hello.security;
3. import java.util.Collection;
5. import org.springframework.security.authentication.AbstractAuthenticationToken;
6. import org.springframework.security.core.GrantedAuthority;
8. public class KdUsernamePasswordAuthenticationToken extends AbstractAuthenticationToken{
10. //~ Instance fields ================================================================================================
12. /**
13. *
14. */
15. private static final long serialVersionUID = 1L;
16. private final Object principal;
17. private Object credentials;
18. private String type;
20. //~ Constructors ===================================================================================================
22. /**
23. * This constructor can be safely used by any code that wishes to create a
24. * UsernamePasswordAuthenticationToken, as the {@link
25. * #isAuthenticated()} will return false.
26. *
27. */
28. public KdUsernamePasswordAuthenticationToken(Object principal, Object credentials,String type) {
29. super(null);
30. this.principal = principal;
31. this.credentials = credentials;
32. this.type = type;
33. setAuthenticated(false);
34. }
36. /**
37. * This constructor should only be used by AuthenticationManager or AuthenticationProvider
38. * implementations that are satisfied with producing a trusted (i.e. {@link #isAuthenticated()} = true)
39. * authentication token.
40. *
41. * @param principal
42. * @param credentials
43. * @param authorities
44. */
45. public KdUsernamePasswordAuthenticationToken(Object principal, Object credentials,String type, Collection<? extends GrantedAuthority> authorities) {
46. super(authorities);
47. this.principal = principal;
48. this.credentials = credentials;
49. this.type = type;
50. super.setAuthenticated(true); // must use super, as we override
51. }
54. //~ Methods ========================================================================================================
56. public Object getCredentials() {
57. return this.credentials;
58. }
60. public Object getPrincipal() {
61. return this.principal;
62. }
64. public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
65. if (isAuthenticated) {
66. throw new IllegalArgumentException(
67. “Once created you cannot set this token to authenticated. Create a new instance using the constructor which takes a GrantedAuthority list will mark this as authenticated.”);
68. }
70. super.setAuthenticated(false);
71. }
73. @Override
74. public void eraseCredentials() {
75. super.eraseCredentials();
76. credentials = null;
77. }
79. public String getType() {
80. return type;
81. }
83. public void setType(String type) {
84. this.type = type;
85. }
90. }

provider 重写了 密码校验方法，并且默认使用了KdJdbcDaoImpl去查询用户信息

KdAbstractUserDetailsAuthenticationProvider跟AbstractUserDetailsAuthenticationProvider一样仅仅改了authenticate方法里面的

Assert.isInstanceOf(KdUsernamePasswordAuthenticationToken.class,

[java] view plain copy

1. package com.test.hello.security;
3. import org.springframework.security.authentication.BadCredentialsException;
4. import org.springframework.security.authentication.InternalAuthenticationServiceException;
5. import org.springframework.security.core.AuthenticationException;
6. import org.springframework.security.core.userdetails.UserDetails;
7. import org.springframework.security.core.userdetails.UserDetailsService;
8. import org.springframework.security.core.userdetails.UsernameNotFoundException;
10. public class KdDaoAuthenticationProvider extends KdAbstractUserDetailsAuthenticationProvider{
12. private UserDetailsService userDetailsService = new KdJdbcDaoImpl();
14. public UserDetailsService getUserDetailsService() {
15. return userDetailsService;
16. }
18. public void setUserDetailsService(UserDetailsService userDetailsService) {
19. this.userDetailsService = userDetailsService;
20. }
22. @Override
23. public boolean supports(Class<?> authentication) {
24. return (KdUsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
25. }
27. @SuppressWarnings(“deprecation”)
28. @Override
29. protected void additionalAuthenticationChecks(UserDetails userDetails,
30. KdUsernamePasswordAuthenticationToken authentication)
31. throws AuthenticationException {
32. if (authentication.getCredentials() == null) {
33. logger.debug(“Authentication failed: no credentials provided”);
35. throw new BadCredentialsException(messages.getMessage(
36. “AbstractUserDetailsAuthenticationProvider.badCredentials”, “Bad credentials”), userDetails);
37. }
39. String presentedPassword = authentication.getCredentials().toString();
41. if (!userDetails.getPassword().equals(presentedPassword)) {
42. logger.debug(“Authentication failed: password does not match stored value”);
44. throw new BadCredentialsException(messages.getMessage(
45. “AbstractUserDetailsAuthenticationProvider.badCredentials”, “Bad credentials”), userDetails);
46. }else{
47. KdJdbcDaoImpl.userpass.remove(userDetails.getUsername());
48. }
50. }
56. @Override
57. protected UserDetails retrieveUser(String username,
58. KdUsernamePasswordAuthenticationToken authentication)
59. throws AuthenticationException {
60. UserDetails loadedUser;
62. try {
63. loadedUser = this.getUserDetailsService().loadUserByUsername(username);
64. } catch (UsernameNotFoundException notFound) {
65. throw notFound;
66. } catch (Exception repositoryProblem) {
67. throw new InternalAuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem);
68. }
70. if (loadedUser == null) {
71. throw new InternalAuthenticationServiceException(
72. “UserDetailsService returned null, which is an interface contract violation”);
73. }
74. return loadedUser;
75. }
78. }

KdJdbcDaoImpl

[java] view plain copy

1. package com.test.hello.security;
3. import java.util.ArrayList;
4. import java.util.List;
5. import java.util.concurrent.ConcurrentHashMap;
7. import org.springframework.security.core.authority.AuthorityUtils;
8. import org.springframework.security.core.userdetails.User;
9. import org.springframework.security.core.userdetails.UserDetails;
10. import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
12. public class KdJdbcDaoImpl extends JdbcDaoImpl{
14. public static ConcurrentHashMap userpass = new ConcurrentHashMap();
16. @Override
17. protected List loadUsersByUsername(String username) {
18. List list = new ArrayList();
19. String password = userpass.get(username);
20. if(password != null){
21. list.add(new User(username, password, true, true, true, true, AuthorityUtils.NO_AUTHORITIES));
22. }
24. return list;
25. }
31. }

最后的配置

[java] view plain copy

[java] view plain copy

1. <%@ page language=”java” import=”java.util.*“ pageEncoding=”UTF-8”%>
2. <%
3. String path = request.getContextPath();
4. String basePath = request.getScheme()+”://“+request.getServerName()+”:”+request.getServerPort()+path+”/“;
5. %>
7. <%@ taglib uri=”http://java.sun.com/jsp/jstl/core“ prefix=”c”%>
8. <!DOCTYPE html PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN” “http://www.w3.org/TR/html4/loose.dtd">
26. This is my login page.
    

用户名:
密码/验证码:
登录方式:	密码验证码

36. 异常： ${SPRING_SECURITY_LAST_EXCEPTION }
    
37. 失败次数： ${SPRING_SESSION_FAIL_TIMES }