springboot+security实现用户权限管理后,登陆要求增加图片验证码

Spring Security 通过一条由多个过滤器组成的过滤器链(filter chain)对 URL 进行拦截,以此实现认证和权限管理。我们一般不去修改框架自带的 filter 实现,而是把自己的 filter 插入到过滤器链的指定位置。登录验证的流程是:用户提交登录表单时,请求被 UsernamePasswordAuthenticationFilter(AbstractAuthenticationProcessingFilter 的子类)拦截,它调用 AuthenticationManager;AuthenticationManager 的默认实现 ProviderManager 再委托给各个 AuthenticationProvider 去校验用户名和密码。验证通过后,用户及其权限信息会被封装成 Authentication 对象放入 SecurityContextHolder(一个基于 ThreadLocal 的安全上下文,并非全局缓存)中,供后续访问资源时做授权判断。这里不讨论用户名密码校验本身,而是在 UsernamePasswordAuthenticationFilter 之前加入一个自定义 filter 来校验图片验证码,验证码不正确时直接返回失败响应、拒绝继续登录。

直接上代码:
验证码工具

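public class VerifyCodeUtils {

    /**
     * Default character source for generated codes.
     * NOTE(review): the original comment claimed that 0/1/I/O had been removed
     * as easily-confused glyphs, but the constant still contains all of them.
     * Trim them here if that is the intent; the filter compares
     * case-insensitively, so only the set of glyphs matters.
     */
    public static final String VERIFY_CODES = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    /**
     * Single CSPRNG shared by every method. The original created a
     * {@code new Random(System.currentTimeMillis())} per call, which makes the
     * captcha value derivable from the request time; SecureRandom removes that
     * and is thread-safe, so one instance is enough.
     */
    private static final java.security.SecureRandom RANDOM = new java.security.SecureRandom();

    /**
     * Generates a code of {@code verifySize} characters drawn from {@link #VERIFY_CODES}.
     *
     * @param verifySize number of characters; {@code <= 0} yields an empty string
     * @return the generated code
     */
    public static String generateVerifyCode(int verifySize) {
        return generateVerifyCode(verifySize, VERIFY_CODES);
    }

    /**
     * Generates a code of {@code verifySize} characters drawn from {@code sources}.
     *
     * @param verifySize number of characters; {@code <= 0} yields an empty string
     * @param sources    character source; null or empty falls back to {@link #VERIFY_CODES}
     * @return the generated code
     */
    public static String generateVerifyCode(int verifySize, String sources) {
        if (sources == null || sources.isEmpty()) {
            sources = VERIFY_CODES;
        }
        if (verifySize <= 0) {
            return "";
        }
        int codesLen = sources.length();
        StringBuilder verifyCode = new StringBuilder(verifySize);
        for (int i = 0; i < verifySize; i++) {
            // nextInt(codesLen) already excludes codesLen; the original used
            // codesLen - 1 and so could never emit the last source character
            // (and threw on a single-character source).
            verifyCode.append(sources.charAt(RANDOM.nextInt(codesLen)));
        }
        return verifyCode.toString();
    }

    /**
     * Generates a random code, renders it to {@code outputFile} and returns the code.
     *
     * @param w          image width in pixels
     * @param h          image height in pixels
     * @param outputFile destination file; parent directories are created as needed
     * @param verifySize number of characters
     * @return the code that was rendered
     * @throws IOException if the image cannot be written
     */
    public static String outputVerifyImage(int w, int h, File outputFile, int verifySize) throws IOException {
        String verifyCode = generateVerifyCode(verifySize);
        outputImage(w, h, outputFile, verifyCode);
        return verifyCode;
    }

    /**
     * Generates a random code, renders it to {@code os} and returns the code.
     *
     * @param w          image width in pixels
     * @param h          image height in pixels
     * @param os         destination stream; not closed by this method
     * @param verifySize number of characters
     * @return the code that was rendered
     * @throws IOException if the image cannot be written
     */
    public static String outputVerifyImage(int w, int h, OutputStream os, int verifySize) throws IOException {
        String verifyCode = generateVerifyCode(verifySize);
        outputImage(w, h, os, verifyCode);
        return verifyCode;
    }

    /**
     * Renders {@code code} as a JPEG into {@code outputFile}. A null file is a no-op.
     *
     * @throws IOException if the file cannot be created or written
     */
    public static void outputImage(int w, int h, File outputFile, String code) throws IOException {
        if (outputFile == null) {
            return;
        }
        File dir = outputFile.getParentFile();
        // getParentFile() is null for a bare file name; only create directories when there is one.
        if (dir != null && !dir.exists()) {
            dir.mkdirs();
        }
        // FileOutputStream creates the file itself; try-with-resources closes it
        // even when rendering throws (the original leaked the stream on exception).
        try (FileOutputStream fos = new FileOutputStream(outputFile)) {
            outputImage(w, h, fos, code);
        }
    }

    /**
     * Renders {@code code} as a JPEG into {@code os}: grey border, light random
     * background, 20 interference lines, 5% noise pixels, a shear distortion,
     * then each glyph rotated by a random angle of at most 45 degrees.
     *
     * @param w    image width in pixels
     * @param h    image height in pixels
     * @param os   destination stream; flushed by ImageIO but not closed
     * @param code text to render (non-null)
     * @throws IOException if the image cannot be written
     */
    public static void outputImage(int w, int h, OutputStream os, String code) throws IOException {
        java.util.Objects.requireNonNull(code, "code");
        int verifySize = code.length();
        BufferedImage image = new BufferedImage(w, h, BufferedImage.TYPE_INT_RGB);
        Graphics2D g2 = image.createGraphics();
        try {
            g2.setRenderingHint(RenderingHints.KEY_ANTIALIASING, RenderingHints.VALUE_ANTIALIAS_ON);

            // Border, then a slightly inset light background.
            g2.setColor(Color.GRAY);
            g2.fillRect(0, 0, w, h);
            Color background = getRandColor(200, 250);
            g2.setColor(background);
            g2.fillRect(0, 2, w, h - 4);

            // Interference lines in a single mid-tone colour.
            g2.setColor(getRandColor(160, 200));
            for (int i = 0; i < 20; i++) {
                int x = RANDOM.nextInt(w - 1);
                int y = RANDOM.nextInt(h - 1);
                int xl = RANDOM.nextInt(6) + 1;
                int yl = RANDOM.nextInt(12) + 1;
                g2.drawLine(x, y, x + xl + 40, y + yl + 20);
            }

            // Noise: recolour 5% of the pixels.
            float yawpRate = 0.05f;
            int area = (int) (yawpRate * w * h);
            for (int i = 0; i < area; i++) {
                image.setRGB(RANDOM.nextInt(w), RANDOM.nextInt(h), getRandomIntColor());
            }

            // Distort what has been drawn so far, filling the exposed edges with the background colour.
            shear(g2, w, h, background);

            // Glyphs. If the "Algerian" font is not installed the JDK substitutes a default.
            g2.setColor(getRandColor(100, 160));
            int fontSize = h - 4;
            Font font = new Font("Algerian", Font.ITALIC, fontSize);
            g2.setFont(font);
            char[] chars = code.toCharArray();
            for (int i = 0; i < verifySize; i++) {
                AffineTransform affine = new AffineTransform();
                double angle = Math.PI / 4 * RANDOM.nextDouble() * (RANDOM.nextBoolean() ? 1 : -1);
                // Rotate about the centre of this glyph's slot.
                affine.setToRotation(angle, (w / verifySize) * i + fontSize / 2, h / 2);
                g2.setTransform(affine);
                g2.drawChars(chars, i, 1, ((w - 10) / verifySize) * i + 5, h / 2 + fontSize / 2 - 10);
            }
        } finally {
            g2.dispose();
        }
        ImageIO.write(image, "jpg", os);
    }

    /**
     * Random colour whose channels each fall in [fc, bc); both bounds are clamped to 255
     * and an empty range degenerates to fc.
     */
    private static Color getRandColor(int fc, int bc) {
        if (fc > 255) {
            fc = 255;
        }
        if (bc > 255) {
            bc = 255;
        }
        int span = Math.max(bc - fc, 1);
        int r = fc + RANDOM.nextInt(span);
        int g = fc + RANDOM.nextInt(span);
        int b = fc + RANDOM.nextInt(span);
        return new Color(r, g, b);
    }

    /** Packs a random RGB triple into a 0xRRGGBB int. */
    private static int getRandomIntColor() {
        int[] rgb = getRandomRgb();
        int color = 0;
        for (int c : rgb) {
            color = color << 8;
            color = color | c;
        }
        return color;
    }

    /** Three random channel values in [0, 255). */
    private static int[] getRandomRgb() {
        int[] rgb = new int[3];
        for (int i = 0; i < 3; i++) {
            rgb[i] = RANDOM.nextInt(255);
        }
        return rgb;
    }

    /** Applies the horizontal and then the vertical sine-wave shear. */
    private static void shear(Graphics g, int w1, int h1, Color color) {
        shearX(g, w1, h1, color);
        shearY(g, w1, h1, color);
    }

    /**
     * Shifts each row horizontally by a sine of its index.
     * With {@code period} in {0, 1} the amplitude {@code period >> 1} is 0 and
     * {@code (int) NaN} is 0, so the shift is always 0: this pass only repaints
     * the row edges in {@code color}. Kept for parity with the original output.
     */
    private static void shearX(Graphics g, int w1, int h1, Color color) {
        int period = RANDOM.nextInt(2);
        boolean borderGap = true;
        int frames = 1;
        int phase = RANDOM.nextInt(2);
        for (int i = 0; i < h1; i++) {
            double d = (double) (period >> 1)
                    * Math.sin((double) i / (double) period
                    + (6.2831853071795862D * (double) phase) / (double) frames);
            g.copyArea(0, i, w1, 1, (int) d, 0);
            if (borderGap) {
                g.setColor(color);
                g.drawLine((int) d, i, 0, i);
                g.drawLine((int) d + w1, i, w1, i);
            }
        }
    }

    /** Shifts each column vertically by a sine of its index (period 10..49, amplitude period/2). */
    private static void shearY(Graphics g, int w1, int h1, Color color) {
        int period = RANDOM.nextInt(40) + 10;
        boolean borderGap = true;
        int frames = 20;
        int phase = 7;
        for (int i = 0; i < w1; i++) {
            double d = (double) (period >> 1)
                    * Math.sin((double) i / (double) period
                    + (6.2831853071795862D * (double) phase) / (double) frames);
            g.copyArea(i, 0, 1, h1, 0, (int) d);
            if (borderGap) {
                g.setColor(color);
                g.drawLine(i, (int) d, i, 0);
                g.drawLine(i, (int) d + h1, i, h1);
            }
        }
    }
}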

controller获取验证码

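 /**
  * Issues a new 4-character captcha: stores the expected answer and its issue
  * time in the HTTP session and streams the image as JPEG.
  *
  * The answer is stored lower-cased; the captcha filter compares it
  * case-insensitively. Every call replaces the previous captcha, so a client
  * can always request a fresh one. Nothing here limits how often the image
  * can be requested; add rate limiting if captcha re-rolling becomes a concern.
  */
 @RequestMapping(value = "image", method = RequestMethod.GET)
 public void authImage(HttpServletRequest request, HttpServletResponse response) throws IOException {
     // no-store, not only no-cache: neither the browser nor an intermediary may
     // keep a copy of an image whose answer is tied to this session.
     response.setHeader("Pragma", "No-cache");
     response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
     response.setDateHeader("Expires", 0);
     response.setContentType("image/jpeg");

     HttpSession session = request.getSession();
     String verifyCode = VerifyCodeUtils.generateVerifyCode(4);
     session.removeAttribute("verCode");
     session.removeAttribute("codeTime");
     // Locale.ROOT so the stored value does not depend on the server's default locale.
     session.setAttribute("verCode", verifyCode.toLowerCase(java.util.Locale.ROOT));
     session.setAttribute("codeTime", LocalDateTime.now());

     int w = 100, h = 30;
     OutputStream out = response.getOutputStream();
     VerifyCodeUtils.outputImage(w, h, out, verifyCode);
     out.flush();
 }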

这里需要注意两点:一是要在 Spring Security 配置里把获取图片验证码的路径(本例为 /image)加入 permitAll 的不拦截路径,否则未登录用户的请求会被过滤器链拦下,拿不到验证码;二是该接口会为客户端创建 session 并把验证码明文保存在 session 中,因此后续的校验代码不要把这个值写进日志或响应里。
验证码过滤器:

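public class CaptchaAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    /** Session attribute names shared with the controller that issues the captcha. */
    private static final String SESSION_CODE = "verCode";
    private static final String SESSION_CODE_TIME = "codeTime";
    /** Request parameter carrying the user's answer. */
    private static final String CODE_PARAM = "VerificationCode";
    /** A captcha is honoured for at most this many whole minutes after it was issued. */
    private static final long CODE_TTL_MINUTES = 2;

    private final Logger logger = Logger.getLogger(CaptchaAuthenticationFilter.class);
    private final String processUrl;
    private final MyAuthenctiationFailureHandler myAuthenctiationFailureHandler;

    /**
     * @param defaultFilterProcessesUrl      login-processing URL whose POSTs must carry a captcha
     * @param myAuthenctiationFailureHandler handler that renders a captcha failure response
     */
    public CaptchaAuthenticationFilter(String defaultFilterProcessesUrl,
                                       MyAuthenctiationFailureHandler myAuthenctiationFailureHandler) {
        super(defaultFilterProcessesUrl);
        this.processUrl = defaultFilterProcessesUrl;
        this.myAuthenctiationFailureHandler = myAuthenctiationFailureHandler;
        setAuthenticationFailureHandler(myAuthenctiationFailureHandler);
    }

    /**
     * Intercepts POSTs to the login URL and verifies the captcha before the
     * username/password filter further down the chain runs; any other request
     * passes straight through. On a captcha failure the failure handler writes
     * the response and the chain is not continued.
     *
     * NOTE(review): this class reuses AbstractAuthenticationProcessingFilter only
     * for its constructor and never goes through attemptAuthentication; a plain
     * OncePerRequestFilter would express the intent more directly.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        if (processUrl.equals(req.getServletPath()) && "POST".equalsIgnoreCase(req.getMethod())) {
            Object expect = req.getSession().getAttribute(SESSION_CODE);
            String code = req.getParameter(CODE_PARAM);
            // Do not log the expected value: the captcha is a secret for the
            // duration of the login attempt and logs are far more widely readable
            // than the session. Record only whether an answer was supplied.
            logger.info("captcha check on " + processUrl + ", answer supplied: " + (code != null));
            try {
                validImage(req, res, code, expect);
            } catch (AuthenticationException e) {
                myAuthenctiationFailureHandler.onAuthenticationFailure(req, res, e);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /** Not used: captcha checking happens in doFilter, not via the AuthenticationManager. */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest,
                                                HttpServletResponse httpServletResponse) {
        return null;
    }

    /**
     * Compares the submitted answer with the captcha stored in the session.
     *
     * The stored captcha and its timestamp are consumed on every attempt,
     * successful or not. The original cleared them only on success, which let a
     * client keep guessing against the same 4-character code until it expired;
     * now each login attempt needs a freshly issued image.
     *
     * @param req     current request; its session holds the issue time
     * @param res     current response (unused, kept for the existing signature)
     * @param code    answer submitted by the client, may be null
     * @param verCode captcha stored in the session, may be null
     * @throws InsufficientAuthenticationException if the captcha is missing, empty,
     *         expired or does not match
     * @throws IOException never thrown here; retained for the existing signature
     */
    public void validImage(HttpServletRequest req, HttpServletResponse res, String code, Object verCode)
            throws IOException {
        if (verCode == null) {
            throw new InsufficientAuthenticationException("验证码失效,请重新获取");
        }
        String verCodeStr = verCode.toString();
        Object issuedAt = req.getSession().getAttribute(SESSION_CODE_TIME);
        // One-shot: drop the stored code before deciding, so a wrong guess cannot be retried.
        req.getSession().removeAttribute(SESSION_CODE);
        req.getSession().removeAttribute(SESSION_CODE_TIME);

        if (code == null || code.isEmpty()) {
            throw new InsufficientAuthenticationException("验证码不能为空");
        }
        // A missing or foreign-typed timestamp is treated as expired rather than
        // as a NullPointerException / ClassCastException.
        if (!(issuedAt instanceof LocalDateTime)
                || java.time.Duration.between((LocalDateTime) issuedAt, LocalDateTime.now()).toMinutes()
                   > CODE_TTL_MINUTES) {
            throw new InsufficientAuthenticationException("验证码已过期,重新获取");
        }
        if (!verCodeStr.equalsIgnoreCase(code)) {
            throw new InsufficientAuthenticationException("验证码错误");
        }
    }
}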

处理验证码验证失败后的请求:

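@Component("myAuthenctiationFailureHandler")
public class MyAuthenctiationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    /** ObjectMapper is thread-safe once configured; build it once rather than per failure. */
    private static final ObjectMapper MAPPER = new ObjectMapper();

    private final Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Renders an authentication (captcha) failure as a JSON {@code Result}
     * instead of the parent's redirect.
     *
     * Responds with 401 so that API clients can tell a failed login from a
     * successful one without parsing the body. The original left the status at
     * 200, unlike the form-login failure handler in WebSecurityConfig, which
     * already answers 401.
     *
     * @param exception the failure; its message is returned to the client verbatim,
     *                  so only user-safe messages should be raised upstream
     */
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception) throws IOException, ServletException {
        logger.info("登录失败");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json;charset=UTF-8");
        Result result = new Result(null, Status.ERROR, exception.getMessage());
        response.getWriter().write(MAPPER.writeValueAsString(result));
        response.getWriter().flush();
    }
}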

最后,在 WebSecurityConfig 的 configure(HttpSecurity) 方法中通过 addFilterBefore 把该过滤器加到 UsernamePasswordAuthenticationFilter 之前即可:

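  /**
   * Wires the captcha filter in front of the username/password filter and
   * configures JSON responses for login success, login failure and logout.
   *
   * NOTE(review): CSRF protection is disabled for the whole application. With a
   * cookie-based session this leaves every state-changing endpoint open to
   * cross-site request forgery; if a browser front end consumes this API,
   * prefer keeping CSRF enabled with a cookie token repository (or move to a
   * stateless token scheme) instead of disabling it.
   */
  @Override
  protected void configure(HttpSecurity http) throws Exception {
      // The original called csrf().disable() twice; once has the same effect.
      http.csrf().disable();
      // The captcha must be checked before UsernamePasswordAuthenticationFilter sees the login POST.
      http.addFilterBefore(new CaptchaAuthenticationFilter("/login", myAuthenctiationFailureHandler),
              UsernamePasswordAuthenticationFilter.class);
      http.authorizeRequests()
              .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
                  // Replace the default metadata source / decision manager with the
                  // URL-driven ones declared on this configuration class.
                  @Override
                  public <O extends FilterSecurityInterceptor> O postProcess(O o) {
                      o.setSecurityMetadataSource(metadataSource);
                      o.setAccessDecisionManager(urlAccessDecisionManager);
                      return o;
                  }
              })
              .and()
              .formLogin()
              .loginPage("/loginP")
              .loginProcessingUrl("/login")
              .usernameParameter("username")
              .passwordParameter("password")
              .failureHandler(this::onLoginFailure)
              .successHandler(this::onLoginSuccess)
              .permitAll()
              .and()
              .logout()
              .logoutUrl("/logout")
              .logoutSuccessHandler((req, resp, authentication) ->
                      writeJson(resp, HttpServletResponse.SC_OK, new Result(null, Status.SUCCESS, "退出成功!")))
              .permitAll()
              .and()
              .exceptionHandling().accessDeniedHandler(deniedHandler);
  }

  /**
   * Login failure: bad username and bad password deliberately share one message
   * so the response cannot be used to enumerate accounts.
   */
  private void onLoginFailure(HttpServletRequest req, HttpServletResponse resp, AuthenticationException e)
          throws IOException {
      Result result;
      if (e instanceof BadCredentialsException || e instanceof UsernameNotFoundException) {
          result = new Result(null, Status.ERROR, "用户名或者密码错误");
      } else if (e instanceof LockedException) {
          result = new Result(null, Status.ERROR, "账户被锁定,请联系管理员!");
      } else {
          result = new Result(null, Status.ERROR, "登录失败");
      }
      writeJson(resp, HttpServletResponse.SC_UNAUTHORIZED, result);
  }

  /**
   * Login success: returns the current user as JSON.
   * NOTE(review): what UserUtils.getCurrentUser() returns is not visible here;
   * make sure it does not serialise the password hash or other credential
   * fields (e.g. mark them @JsonIgnore) before exposing it in the response.
   */
  private void onLoginSuccess(HttpServletRequest req, HttpServletResponse resp, Authentication auth)
          throws IOException {
      writeJson(resp, HttpServletResponse.SC_OK,
              new Result(UserUtils.getCurrentUser(), Status.SUCCESS, "登录成功!"));
  }

  /** Serialises {@code result} as a UTF-8 JSON body with the given HTTP status. */
  private static void writeJson(HttpServletResponse resp, int status, Result result) throws IOException {
      resp.setStatus(status);
      resp.setContentType("application/json;charset=utf-8");
      ObjectMapper om = new ObjectMapper();
      PrintWriter out = resp.getWriter();
      out.write(om.writeValueAsString(result));
      out.flush();
      out.close();
  }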
