转载请注明出处spring boot 实例之 用户登录--碧波之心简书
上两篇完成了用户信息表的增删查,接下来增加用户登录功能。采用spring security来进行权限控制。我们希望用户可以通过用户名+密码、邮箱+密码、手机号+验证码、微信登录三种登录途径。
先用来完成用户名+密码或手机号+验证码登录。
前面做的用户信息表不是用来登录的,那些信息只是用户的基本信息。为了在用户列表请求得到的数据中不包含密码、手机号等敏感信息。把登录用的数据分开保存,关联到用户信息。
建立对象
创建数据模型 Safety
package com.biboheart.demo.user.domain;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import lombok.Data;
@Data
@Entity
@Table(name = "bh_user_safety")
public class Safety {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id; // ID
private Long uid; // 用户ID
private String username; // 用户名
private String mobile; // 手机号
private String password; // 密码
private Long createTime; // 创建时间
private Long updateTime; // 最后修改时间
}
创建repository
package com.biboheart.demo.user.repository;
import com.biboheart.demo.user.basejpa.CustomRepository;
import com.biboheart.demo.user.domain.Safety;
public interface SafetyRepository extends CustomRepository<Safety, Long> {
Safety findByUsernameAndUidNot(String username, Long uid);
Safety findByMobileAndUidNot(String mobile, Long uid);
@Transactional
void deleteByUid(Long uid);
}
创建service
package com.biboheart.demo.user.service;
import com.biboheart.brick.exception.BhException;
import com.biboheart.demo.user.domain.Safety;
public interface SafetyService {
public Safety save(Safety safety) throws BhException;
public void delete(Long id, Long uid);
public Safety load(Long uid, String username, String mobile);
}
package com.biboheart.demo.user.service.impl;
import org.apache.commons.codec.digest.DigestUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import com.biboheart.brick.exception.BhException;
import com.biboheart.brick.utils.CheckUtils;
import com.biboheart.brick.utils.TimeUtils;
import com.biboheart.demo.user.domain.Safety;
import com.biboheart.demo.user.repository.SafetyRepository;
import com.biboheart.demo.user.service.SafetyService;
@Service
public class SafetyServiceImpl implements SafetyService {
@Autowired
private SafetyRepository safetyRepository;
@Override
public Safety save(Safety safety) throws BhException {
if (null == safety.getId()) {
safety.setId(0L);
}
if (CheckUtils.isEmpty(safety.getUid())) {
throw new BhException("必须关联到用户");
}
if (CheckUtils.isEmpty(safety.getUsername())) {
if (!CheckUtils.isEmpty(safety.getMobile())) {
safety.setUsername(safety.getMobile());
}
}
if (CheckUtils.isEmpty(safety.getUsername())) {
throw new BhException("用户名不能为空");
}
Safety source = safetyRepository.findByUid(safety.getUid());
if (null != source) {
safety.setId(source.getId());
}
source = safetyRepository.findByUsername(safety.getUsername());
if (null != source) {
if (!safety.getUid().equals(source.getUid())) {
throw new BhException("用户名已经被占用");
}
if (!source.getId().equals(safety.getId())) {
if (CheckUtils.isEmpty(safety.getId())) {
safety.setId(source.getId());
} else {
safetyRepository.deleteById(source.getId());
}
}
}
source = safetyRepository.findByMobile(safety.getMobile());
if (null != source) {
if (!safety.getUid().equals(source.getUid())) {
throw new BhException("用户名已经被占用");
}
if (!source.getId().equals(safety.getId())) {
if (CheckUtils.isEmpty(safety.getId())) {
safety.setId(source.getId());
} else {
safetyRepository.deleteById(source.getId());
}
}
}
if (!CheckUtils.isEmpty(safety.getPassword()) && safety.getPassword().length() != 32) {
safety.setPassword(DigestUtils.md5Hex(safety.getPassword()));
}
Long now = TimeUtils.getCurrentTimeInMillis();
if (CheckUtils.isEmpty(safety.getCreateTime())) {
safety.setCreateTime(now);
}
safety.setUpdateTime(now);
safety = safetyRepository.save(safety);
return safety;
}
@Override
public void delete(Long id, Long uid) {
if (!CheckUtils.isEmpty(uid)) {
safetyRepository.deleteByUid(uid);
}
if (!CheckUtils.isEmpty(id)) {
safetyRepository.deleteById(id);
}
}
@Override
public Safety load(Long uid, String username, String mobile) {
Safety safety = null;
if (!CheckUtils.isEmpty(uid)) {
safety = safetyRepository.findByUid(uid);
}
if (null == safety && !CheckUtils.isEmpty(username)) {
safety = safetyRepository.findByUsername(username);
}
if (null == safety && !CheckUtils.isEmpty(mobile)) {
safety = safetyRepository.findByMobile(mobile);
}
return safety;
}
}
创建控制器
这里我们先做一个保存的API,如果不保存一个密码的话,登录的功能不方便测试。先简单的实现用户登录的功能,接下去再优化,修改。把能考虑到的不安全因素解决。
package com.biboheart.demo.user.controller;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import com.biboheart.brick.exception.BhException;
import com.biboheart.brick.model.BhResponseResult;
import com.biboheart.brick.utils.CheckUtils;
import com.biboheart.demo.user.domain.Safety;
import com.biboheart.demo.user.domain.User;
import com.biboheart.demo.user.service.SafetyService;
import com.biboheart.demo.user.service.UserService;
@RestController
public class SafetyController {
@Autowired
private UserService userService;
@Autowired
private SafetyService safetyService;
@RequestMapping(value = "/userapi/safety/save", method = {RequestMethod.POST})
public BhResponseResult<?> save(Safety safety) throws BhException {
User user = userService.load(safety.getUid());
if (null == user) {
// 如果不是对某个用户设置登录参数则创建一个新用户,用户注册时
user = new User();
String name = safety.getUsername();
if (CheckUtils.isEmpty(name)) {
name = safety.getMobile();
}
user.setName(name);
user = userService.save(user);
}
safety.setUid(user.getId());
safety = safetyService.save(safety);
return new BhResponseResult<>(0, "success", null != safety);
}
}
创建一个用户
创建一个用户名为biboheart,手机号为15000000000,密码为test的用户。用户前面的列表接口能查到最新创建的用户。
开始登录功能
引入spring security组件,开始开发用户登录功能。
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
创建包:com.biboheart.demo.user.security,用户登录功能都在这个包中完成。
创建security配置文件
package com.biboheart.demo.user.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import com.biboheart.demo.user.security.filter.BhAuthenticationFilter;
import com.biboheart.demo.user.security.provider.MobileCodeAuthenticationProvider;
import com.biboheart.demo.user.security.provider.UsernamePasswordAuthenticationProvider;
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProvider;
@Autowired
private MobileCodeAuthenticationProvider mobileCodeAuthenticationProvider;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.authenticationProvider(mobileCodeAuthenticationProvider)
.authenticationProvider(usernamePasswordAuthenticationProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.csrf().disable()
.addFilterAt(bhAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
.authorizeRequests()
.antMatchers("/", "/home", "/loginIn", "/oauth/authorize", "/oauth/token").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
// @formatter:on
}
@Bean
public BhAuthenticationFilter bhAuthenticationFilter() {
BhAuthenticationFilter filter = new BhAuthenticationFilter();
filter.setAuthenticationManager(authenticationManager);
return filter;
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
因为我们有两种登录方式,所以我们建立usernamePasswordAuthenticationProvider和mobileCodeAuthenticationProvider两个provider来处理登录请求。
UsernamePasswordAuthenticationToken是spring security内置的token对象。我们就不再定义了,需要定义一个MobileCodeAuthenticationToken在包com.biboheart.demo.user.security.tokens中
package com.biboheart.demo.user.security.tokens;
import java.util.Collection;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityCoreVersion;
public class MobileCodeAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
private final Object principal;
private String credentials;
public MobileCodeAuthenticationToken(Object principal, String credentials) {
super(null);
this.principal = principal;
this.credentials = credentials;
setAuthenticated(false);
}
public MobileCodeAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.principal = principal;
this.credentials = null;
super.setAuthenticated(true); // must use super, as we override
}
// ~ Methods
// ========================================================================================================
public String getCredentials() {
return this.credentials;
}
public Object getPrincipal() {
return this.principal;
}
public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
if (isAuthenticated) {
throw new IllegalArgumentException(
"Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}
super.setAuthenticated(false);
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
credentials = null;
}
}
创建过滤器
创建一个过滤器,替换掉原来的UsernamePasswordAuthenticationFilter过滤器。定义为BhAuthenticationFilter 继承至 AbstractAuthenticationProcessingFilter。
package com.biboheart.demo.user.security.filter;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.Assert;
import com.biboheart.demo.user.security.tokens.MobileCodeAuthenticationToken;
public class BhAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
// ~ Static fields/initializers
// =====================================================================================
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
public static final String SPRING_SECURITY_FORM_AUTYPE_KEY = "autype";
private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
private String autypeParameter = SPRING_SECURITY_FORM_AUTYPE_KEY;
private boolean postOnly = true;
// ~ Constructors
// ===================================================================================================
public BhAuthenticationFilter() {
super(new AntPathRequestMatcher("/login", "POST"));
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException, IOException, ServletException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
String username = obtainUsername(request);
String password = obtainPassword(request);
String autype = obtainAutype(request);
System.out.println(this.getClass().getName() + "----autype:" + autype);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
if (autype == null) {
autype = "";
}
username = username.trim();
AbstractAuthenticationToken authRequest = null;
switch(autype) {
case "mobileCode":
authRequest = new MobileCodeAuthenticationToken(username, password);
break;
default:
authRequest = new UsernamePasswordAuthenticationToken(username, password);
break;
}
/*UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);*/
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
protected String obtainPassword(HttpServletRequest request) {
return request.getParameter(passwordParameter);
}
protected String obtainUsername(HttpServletRequest request) {
return request.getParameter(usernameParameter);
}
protected String obtainAutype(HttpServletRequest request) {
return request.getParameter(autypeParameter);
}
protected void setDetails(HttpServletRequest request,
AbstractAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
public void setAutypeParameter(String autypeParameter) {
Assert.hasText(autypeParameter, "Autype parameter must not be empty or null");
this.autypeParameter = autypeParameter;
}
public void setUsernameParameter(String usernameParameter) {
Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
this.usernameParameter = usernameParameter;
}
public void setPasswordParameter(String passwordParameter) {
Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
this.passwordParameter = passwordParameter;
}
public void setPostOnly(boolean postOnly) {
this.postOnly = postOnly;
}
public final String getUsernameParameter() {
return usernameParameter;
}
public final String getPasswordParameter() {
return passwordParameter;
}
}
对于登录请求,我们接收三个参数。分别是:username,password,autype。autype参数用于告知登录类型:默认为用户名密码方式,mobileCode为手机号验证码方式。如果是mobileCode方式,那么username对应的是手机号,password对应的是验证码。
通过SecurityConfiguration中的.addFilterAt(bhAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)插入过滤器。
实现用户认证
用户名密码认证的实现
package com.biboheart.demo.user.security.provider;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.codec.digest.DigestUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;
import com.biboheart.brick.utils.CheckUtils;
import com.biboheart.demo.user.domain.Safety;
import com.biboheart.demo.user.domain.User;
import com.biboheart.demo.user.service.SafetyService;
import com.biboheart.demo.user.service.UserService;
@Component
public class UsernamePasswordAuthenticationProvider implements AuthenticationProvider {
@Autowired
private SafetyService safetyService;
@Autowired
private UserService userService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();
String password = (String) authentication.getCredentials();
if (CheckUtils.isEmpty(password)) {
throw new BadCredentialsException("密码不能为空");
}
Safety safety = safetyService.load(null, username, null);
if (null == safety) {
throw new BadCredentialsException("用户不存在");
}
User user = userService.load(safety.getUid());
if (null == user) {
throw new BadCredentialsException("用户不存在");
}
if (password.length() != 32) {
password = DigestUtils.md5Hex(password);
}
if (!password.equals(safety.getPassword())) {
throw new BadCredentialsException("用户名或密码不正确");
}
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(username, password, listUserGrantedAuthorities(user.getId()));
result.setDetails(authentication.getDetails());
return result;
}
@Override
public boolean supports(Class<?> authentication) {
System.out.println(this.getClass().getName() + "---supports");
return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
}
private Set<GrantedAuthority> listUserGrantedAuthorities(Long uid) {
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
if (CheckUtils.isEmpty(uid)) {
return authorities;
}
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
return authorities;
}
}
手机号验证码认证的实现
package com.biboheart.demo.user.security.provider;
import java.util.HashSet;
import java.util.Set;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;
import com.biboheart.brick.utils.CheckUtils;
import com.biboheart.demo.user.domain.Safety;
import com.biboheart.demo.user.domain.User;
import com.biboheart.demo.user.security.tokens.MobileCodeAuthenticationToken;
import com.biboheart.demo.user.service.SafetyService;
import com.biboheart.demo.user.service.UserService;
@Component
public class MobileCodeAuthenticationProvider implements AuthenticationProvider {
@Autowired
private SafetyService safetyService;
@Autowired
private UserService userService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String mobile = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();
String code = (String) authentication.getCredentials();
if (CheckUtils.isEmpty(code)) {
throw new BadCredentialsException("验证码不能为空");
}
Safety safety = safetyService.load(null, null, mobile);
if (null == safety) {
throw new BadCredentialsException("用户不存在");
}
User user = userService.load(safety.getUid());
if (null == user) {
throw new BadCredentialsException("用户不存在");
}
// 手机号验证码业务还没有开发,先用4个0验证
if (!code.equals("0000")) {
throw new BadCredentialsException("验证码不正确");
}
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(safety.getUsername(), code, listUserGrantedAuthorities(user.getId()));
result.setDetails(authentication.getDetails());
return result;
}
@Override
public boolean supports(Class<?> authentication) {
System.out.println(this.getClass().getName() + "---supports");
return (MobileCodeAuthenticationToken.class.isAssignableFrom(authentication));
}
private Set<GrantedAuthority> listUserGrantedAuthorities(Long uid) {
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
if (CheckUtils.isEmpty(uid)) {
return authorities;
}
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
return authorities;
}
}
更多的认证方式照着扩展就可以了。
用户登录界面
用户登录需要界面,未登录时要跳转到登录界面,登录成功后要跳转到首页。
页面跳转控制器
package com.biboheart.demo.user.security.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class SecurityController {
@RequestMapping(value = "/login", method = RequestMethod.GET)
public String loginPage() {
return "login";
}
}
首页控制器
package com.biboheart.demo.user.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class HelloController {
@RequestMapping(value = { "/", "/home" }, method = RequestMethod.GET)
public String homePage() {
return "index";
}
@RequestMapping(value = "/hello", method = RequestMethod.GET)
public String hello() {
return "hello";
}
}
index.html
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8"></meta>
<title>Spring Security入门</title>
</head>
<body>
<h1>欢迎使用Spring Security!</h1>
<p>
点击 <a href="/hello">这里</a> 打个招呼吧
</p>
</body>
</html>
hello.html
<!DOCTYPE html>
<html lang="zh-CN" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8"></meta>
<title>Hello World!</title>
</head>
<body>
<h1>Hello world!</h1>
<a href="/logout">注销</a>
<form th:action="@{/logout}" method="post">
<input type="submit" value="Sign Out"/>
</form>
<h1 th:inline="text">Hello [[${#httpServletRequest.remoteUser}]]!</h1>
</body>
</html>
login.html
<!DOCTYPE html>
<html lang="zh-CN" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8"></meta>
<title>登录</title>
</head>
<body>
<div th:if="${param.containsKey('error')}">
<p class="error">登录不成功,可能是用户名/密码错了</p>
</div>
<div th:if="${param.containsKey('logout')}">
<h4>成功 </h4>
<p>您已经成功退出</p>
</div>
<form method="post" role="form">
<div class="form-group">
用户名密码认证 <input name="autype" type="radio" value="usernamePassword" checked="checked"/>
手机号验证码 <input name="autype" type="radio" value="mobileCode"/>
</div>
<div class="form-group">
<label for="username">用户名:</label>
<input type='text' name='username'/>
</div>
<div class="form-group">
<label for="password">密码:</label>
<input type='password' name='password'/>
</div>
<!-- <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> -->
<button class="btn btn-primary" type="submit">登录</button>
</form>
With Github: <a href="/login/github">click here</a>
</body>
</html>
在pom.xml中引入组件
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
首页是允许访问的,点击“这里”的链接。就进入登录页面。
选择手机号验证码登录:
实际上这里用户和密码输入的是手机号和验证码(0000),前端可以控制,根据不同的选择改下提示文字。
点击登录后进入hello页面
可以点击注销,再试试用户名密码登录。
总结
- 创建用户认证的信息对象;
- 引入spring security;
- spring security配置文件;
- 自定义token;
- 自定义provider;
-
登录页面
当前目录结构: