• SpringSecurity5 (3) ——使用验证码登录


    一、登录页面增加验证码

    在上一节,我们实现使用自定义登录页面登录业务系统。在实际开发中业务系统为了安全,在登录时可能会让输入图片验证码,在本节中我们来实现在登录时要求输入图片验证码,验证码正确才能正常登录系统。

    (一)实现思路

    1. 前台页面访问后台接口,生成图片,并把验证码字符串存入到redis中。(使用 uuid作为key值);有的同学会选择使用session存储验证码字符串,这个看实际情况,因为在集群环境下,通过session共享数据还是不太方便;
    2. 把生成的uuid存储到cookie中;
    3. UsernamePasswordAuthenticationFilter过滤器之前,增加相应的过滤器并对目标访问路径(登录请求/login)进行拦截,拦截后取出cookie中的uuid,然后从redis中取出实际生成的验证码;
    4. 拿实际的验证码和用户通过前台页面输入的验证码进行比对,如果比对成功则删除redis中的验证码,进入到下一个过滤器,对用户名和密码进行验证;如果验证失败则抛出异常,把异常信息返回到前端页面,对用户进行提示;

    (二)具体步骤

    1、修改登录页面

    在登录页面增加显示验证码的图片及输入验证码的输入框。图片的路径是后台生成图片的接口 /imageCode

    <!-- Login form: posts username, password and the captcha text to /login.
         The captcha image is fetched from the /imageCode endpoint; the cookie it sets
         is what links this form submission to the challenge stored on the server. -->
    <form id="userForm" th:action="@{/login}" method="post">
        <div><label> 用户名 : <input type="text" name="username"/> </label></div>
           <div><label> 密码: <input type="password" name="password"/> </label></div>
        <!-- "imageCode" is the request parameter name the captcha filter reads. -->
        <div><label> 验证码: <input type="text" name="imageCode"/>  <img src="/imageCode"> </label></div>
           <div><input type="submit" value="提交"/></div>
    <!-- Shown after a failed login: the message of the last authentication exception kept in the session. -->
    <p th:if="${param.error}" th:text="${session?.SPRING_SECURITY_LAST_EXCEPTION?.message}" ></p>
    </form>
    

    2、增加相应接口

    (1) 、增加生成验证码的工具类,具体生成验证码的实现可以在github或者网络上找开源的。

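    public class ImageCodeUtils
    {
        /**
         * Default character source for {@link #generateVerifyCode(int)}.
         * Rendering uses the "Algerian" font (install it if the system lacks it;
         * the JVM otherwise falls back to a default font). Only upper case is
         * drawn, and the easily confused characters 1, 0, I and O are omitted.
         */
        public static final String VERIFY_CODES = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ";

        /** Generator for the purely cosmetic parts: colors, noise, shear. */
        private static final Random random = new Random();

        /**
         * Generator for the code text itself. The code is a security control, so
         * it must not be predictable: a java.util.Random seeded with the current
         * time (what the original used) can be reproduced from the request time.
         */
        private static final Random codeRandom = new java.security.SecureRandom();

        /**
         * Generates a verification code from the default character source.
         *
         * @param verifySize number of characters; a non-positive size yields ""
         * @return the generated code
         */
        public static String generateVerifyCode(int verifySize){
            return generateVerifyCode(verifySize, VERIFY_CODES);
        }

        /**
         * Generates a verification code from the given character source.
         *
         * @param verifySize number of characters; a non-positive size yields ""
         * @param sources    characters to draw from; null or empty falls back to {@link #VERIFY_CODES}
         * @return the generated code
         */
        public static String generateVerifyCode(int verifySize, String sources){
            if (sources == null || sources.isEmpty()) {
                sources = VERIFY_CODES;
            }
            int codesLen = sources.length();
            StringBuilder verifyCode = new StringBuilder(Math.max(verifySize, 0));
            for (int i = 0; i < verifySize; i++) {
                // nextInt(codesLen) covers every index; the original's
                // nextInt(codesLen - 1) never selected the last source character.
                verifyCode.append(sources.charAt(codeRandom.nextInt(codesLen)));
            }
            return verifyCode.toString();
        }

        /**
         * Writes a random verification image to a file and returns the code it shows.
         *
         * @param w          image width in pixels
         * @param h          image height in pixels
         * @param outputFile destination file; parent directories are created as needed
         * @param verifySize number of characters in the code
         * @return the code drawn in the image
         * @throws IOException if the file cannot be created or written
         */
        public static String outputVerifyImage(int w, int h, File outputFile, int verifySize) throws IOException{
            String verifyCode = generateVerifyCode(verifySize);
            outputImage(w, h, outputFile, verifyCode);
            return verifyCode;
        }

        /**
         * Writes a random verification image to a stream and returns the code it shows.
         *
         * @param w          image width in pixels
         * @param h          image height in pixels
         * @param os         destination stream; not closed by this method
         * @param verifySize number of characters in the code
         * @return the code drawn in the image
         * @throws IOException if the image cannot be written
         */
        public static String outputVerifyImage(int w, int h, OutputStream os, int verifySize) throws IOException{
            String verifyCode = generateVerifyCode(verifySize);
            outputImage(w, h, os, verifyCode);
            return verifyCode;
        }

        /**
         * Renders the given code into an image file.
         *
         * @param w          image width in pixels
         * @param h          image height in pixels
         * @param outputFile destination file; null is silently ignored
         * @param code       text to draw
         * @throws IOException if the directory or file cannot be created or written
         */
        public static void outputImage(int w, int h, File outputFile, String code) throws IOException{
            if (outputFile == null) {
                return;
            }
            File dir = outputFile.getParentFile();
            // getParentFile() is null for a bare file name; nothing to create then.
            if (dir != null && !dir.exists() && !dir.mkdirs() && !dir.isDirectory()) {
                throw new IOException("Cannot create directory " + dir);
            }
            // try-with-resources closes the stream even when encoding fails; the
            // original leaked the FileOutputStream on an exception.
            try (FileOutputStream fos = new FileOutputStream(outputFile)) {
                outputImage(w, h, fos, code);
            }
        }

        /**
         * Renders the given code as a JPEG into a stream: gray border, light random
         * background, interference lines, noise pixels, a shear distortion and then
         * each glyph rotated by a random angle of up to +/-45 degrees.
         *
         * @param w    image width in pixels, positive
         * @param h    image height in pixels, positive
         * @param os   destination stream; not closed by this method
         * @param code text to draw; an empty code produces an image without glyphs
         * @throws IOException if the image cannot be written
         */
        public static void outputImage(int w, int h, OutputStream os, String code) throws IOException{
            if (os == null) {
                throw new IllegalArgumentException("os must not be null");
            }
            if (code == null) {
                throw new IllegalArgumentException("code must not be null");
            }
            int verifySize = code.length();
            BufferedImage image = new BufferedImage(w, h, BufferedImage.TYPE_INT_RGB);
            Graphics2D g2 = image.createGraphics();
            try {
                g2.setRenderingHint(RenderingHints.KEY_ANTIALIASING, RenderingHints.VALUE_ANTIALIAS_ON);

                g2.setColor(Color.GRAY); // border color
                g2.fillRect(0, 0, w, h);

                Color c = getRandColor(200, 250);
                g2.setColor(c); // background color
                g2.fillRect(0, 2, w, h - 4);

                // Interference lines (nextInt needs a positive bound, hence the size guard).
                if (w > 1 && h > 1) {
                    g2.setColor(getRandColor(160, 200));
                    for (int i = 0; i < 20; i++) {
                        int x = random.nextInt(w - 1);
                        int y = random.nextInt(h - 1);
                        int xl = random.nextInt(6) + 1;
                        int yl = random.nextInt(12) + 1;
                        g2.drawLine(x, y, x + xl + 40, y + yl + 20);
                    }
                }

                // Noise: roughly 5% of the pixels get a random color.
                float yawpRate = 0.05f;
                int area = (int) (yawpRate * w * h);
                for (int i = 0; i < area; i++) {
                    image.setRGB(random.nextInt(w), random.nextInt(h), getRandomIntColor());
                }

                shear(g2, w, h, c); // distort the image

                // An empty code draws nothing; the original divided by verifySize here.
                if (verifySize > 0) {
                    g2.setColor(getRandColor(100, 160));
                    int fontSize = h - 4;
                    g2.setFont(new Font("Algerian", Font.ITALIC, fontSize));
                    char[] chars = code.toCharArray();
                    for (int i = 0; i < verifySize; i++) {
                        AffineTransform affine = new AffineTransform();
                        affine.setToRotation(Math.PI / 4 * random.nextDouble() * (random.nextBoolean() ? 1 : -1),
                                (w / verifySize) * i + fontSize / 2, h / 2);
                        g2.setTransform(affine);
                        g2.drawChars(chars, i, 1, ((w - 10) / verifySize) * i + 5, h / 2 + fontSize / 2 - 10);
                    }
                }
            } finally {
                // Release the native graphics context even if drawing throws.
                g2.dispose();
            }
            ImageIO.write(image, "jpg", os);
        }

        /**
         * Returns a random color whose channels each lie in [fc, bc), both clamped to 255.
         * An empty or inverted range returns the solid color (fc, fc, fc) instead of
         * letting nextInt(0) throw.
         */
        private static Color getRandColor(int fc, int bc) {
            int lo = Math.min(fc, 255);
            int hi = Math.min(bc, 255);
            int span = hi - lo;
            if (span <= 0) {
                return new Color(lo, lo, lo);
            }
            int r = lo + random.nextInt(span);
            int g = lo + random.nextInt(span);
            int b = lo + random.nextInt(span);
            return new Color(r, g, b);
        }

        /** Packs a random RGB triple into one int as 0xRRGGBB. */
        private static int getRandomIntColor() {
            int[] rgb = getRandomRgb();
            return (rgb[0] << 16) | (rgb[1] << 8) | rgb[2];
        }

        /** Returns three random channel values in [0, 255]; the original's nextInt(255) never produced 255. */
        private static int[] getRandomRgb() {
            int[] rgb = new int[3];
            for (int i = 0; i < rgb.length; i++) {
                rgb[i] = random.nextInt(256);
            }
            return rgb;
        }

        /** Applies a horizontal and then a vertical sine-wave shear, repainting the exposed border in {@code color}. */
        private static void shear(Graphics g, int w1, int h1, Color color) {
            shearX(g, w1, h1, color);
            shearY(g, w1, h1, color);
        }

        /**
         * Shifts each pixel row horizontally by a sine-wave offset.
         * With period in {0, 1}, {@code period >> 1} is 0, so the offset is always 0
         * and this pass only repaints the row borders; kept as in the original so
         * the rendered image does not change.
         */
        private static void shearX(Graphics g, int w1, int h1, Color color) {
            int period = random.nextInt(2);
            boolean borderGap = true;
            int frames = 1;
            int phase = random.nextInt(2);
            for (int i = 0; i < h1; i++) {
                double d = (double) (period >> 1)
                        * Math.sin((double) i / (double) period
                        + (6.2831853071795862D * (double) phase)
                        / (double) frames);
                g.copyArea(0, i, w1, 1, (int) d, 0);
                if (borderGap) {
                    g.setColor(color);
                    g.drawLine((int) d, i, 0, i);
                    g.drawLine((int) d + w1, i, w1, i);
                }
            }
        }

        /** Shifts each pixel column vertically by a sine-wave offset with a random period in [10, 50). */
        private static void shearY(Graphics g, int w1, int h1, Color color) {
            int period = random.nextInt(40) + 10;
            boolean borderGap = true;
            int frames = 20;
            int phase = 7;
            for (int i = 0; i < w1; i++) {
                double d = (double) (period >> 1)
                        * Math.sin((double) i / (double) period
                        + (6.2831853071795862D * (double) phase)
                        / (double) frames);
                g.copyArea(i, 0, 1, h1, 0, (int) d);
                if (borderGap) {
                    g.setColor(color);
                    g.drawLine(i, (int) d, i, 0);
                    g.drawLine(i, (int) d + h1, i, h1);
                }
            }
        }
    }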
    

    (2)、增加接口,把uuid写入到cookie中,验证码写入到redis中,并把生成验证码图片并输出到前台页面

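    /**
     * Serves a fresh captcha image. The expected code stays on the server (redis,
     * one-minute TTL); the browser only receives the random lookup key in a cookie.
     *
     * @param request  the incoming request (unused)
     * @param response receives the JPEG and the "captcha" cookie
     * @throws IOException if the image cannot be written to the response
     */
    @GetMapping("/imageCode")
    public void verifyCode(HttpServletRequest request, HttpServletResponse response) throws IOException
    {
        /* Forbid caching so every page load gets a new challenge. */
        response.setDateHeader("Expires", 0);
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.addHeader("Cache-Control", "post-check=0, pre-check=0");
        response.setHeader("Pragma", "no-cache");
        response.setContentType("image/jpeg");
        /* Generate the challenge text. */
        String code = ImageCodeUtils.generateVerifyCode(4);
        /* Store it under a random key for one minute; the value itself never leaves the server. */
        String uuid = UUID.randomUUID().toString();
        redisTemplate.opsForValue().set(uuid, code, 1, TimeUnit.MINUTES);
        Cookie cookie = new Cookie("captcha", uuid);
        // HttpOnly keeps page scripts from reading the lookup key; the path makes
        // sure the cookie accompanies the POST to /login whatever URL the image was
        // requested from; the max age matches the redis TTL so stale keys are not kept.
        cookie.setHttpOnly(true);
        cookie.setPath("/");
        cookie.setMaxAge(60);
        // NOTE(review): add cookie.setSecure(true) once the site is served over HTTPS.
        response.addCookie(cookie);
        /* Render and stream the image; try-with-resources closes the stream even if encoding fails. */
        try (ServletOutputStream outputStream = response.getOutputStream()) {
            ImageCodeUtils.outputImage(110, 40, outputStream, code);
            outputStream.flush();
        }
    }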
    

    3、增加过滤器

    新开发一个过滤器,对/login请求进行拦截,获取存储在cookie中的uuid,根据uuid获取存储在redis中的验证码。使用用户输入的验证码和redis中存储的验证码,进行比对。

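    /**
     * Checks the captcha on the login POST before username/password authentication runs.
     * The cookie written by /imageCode holds the redis key; the user's answer arrives
     * as the "imageCode" request parameter.
     *
     * NOTE(review): a filter annotated @Component is also picked up by Spring Boot's
     * servlet filter auto-registration, so it may run once in the servlet container
     * and again inside the security chain — confirm, and if so register a
     * FilterRegistrationBean with setEnabled(false) for it.
     */
    @Component
    public class ImageCodeFilter extends OncePerRequestFilter implements InitializingBean {
        @Autowired
        private RedisTemplate redisTemplate;

        private final AntPathMatcher antPathMatcher = new AntPathMatcher();

        /** Only the login request carries a captcha, so only this path is checked. */
        private static final String url = "/login";

        /** Name of the cookie set by /imageCode; its value is the redis key of the expected code. */
        private static final String CAPTCHA_COOKIE = "captcha";

        /**
         * Validates the captcha on {@code POST /login}; every other request passes through untouched.
         * On failure the exception message is written to the response and the chain is not continued.
         */
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain filterChain)
                throws ServletException, IOException {
            if (antPathMatcher.match(url, request.getRequestURI()) && "POST".equals(request.getMethod())) {
                try {
                    checkImageCode(request);
                } catch (ImageCodeException e) {
                    // Only the rejected request gets the JSON content type; the
                    // original set it on every request that passed through the filter.
                    response.setContentType("application/json;charset=utf-8");
                    response.getWriter().write(e.getMessage());
                    return;
                }
            }
            filterChain.doFilter(request, response);
        }

        /**
         * Reads the redis key from the cookie, loads the expected code and compares it
         * (case-insensitively) with the submitted one.
         *
         * The original threw RuntimeException here, which the ImageCodeException catch
         * in doFilterInternal never matched, and deleted the redis entry by the code
         * value rather than by its key, so a used challenge stayed valid until its TTL.
         * The entry is now removed before the comparison, so one challenge allows
         * exactly one attempt.
         *
         * @param httpServletRequest the login request
         * @throws ImageCodeException if the captcha is missing, expired or wrong
         *         (assumes ImageCodeException has a (String message) constructor — confirm)
         */
        private void checkImageCode(HttpServletRequest httpServletRequest)
        {
            String uuid = findCaptchaKey(httpServletRequest.getCookies());
            String imageCode = httpServletRequest.getParameter("imageCode");
            if (uuid == null || StringUtils.isEmpty(imageCode)) {
                throw new ImageCodeException("验证码不能为空");
            }
            String redisImageCode = (String) redisTemplate.opsForValue().get(uuid);
            redisTemplate.delete(uuid);
            if (StringUtils.isEmpty(redisImageCode)) {
                throw new ImageCodeException("验证码不能为空");
            }
            if (!imageCode.equalsIgnoreCase(redisImageCode)) {
                throw new ImageCodeException("验证码错误");
            }
        }

        /**
         * Returns the captcha cookie value, or null when there are no cookies at all
         * (getCookies() returns null then, which the original dereferenced), when the
         * cookie is absent, or when its value is not a UUID. The value is client
         * controlled, so it is only used as a redis key once it has the shape of a
         * key this application issues.
         */
        private static String findCaptchaKey(Cookie[] cookies) {
            if (cookies == null) {
                return null;
            }
            for (Cookie cookie : cookies) {
                if (CAPTCHA_COOKIE.equals(cookie.getName())) {
                    String value = cookie.getValue();
                    if (value == null) {
                        return null;
                    }
                    try {
                        java.util.UUID.fromString(value);
                        return value;
                    } catch (IllegalArgumentException ignored) {
                        return null; // not a key this application issued
                    }
                }
            }
            return null;
        }
    }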
    

    4、修改配置类

    /**
     * The captcha filter, injected so it can be placed in the security chain below.
     */
    @Autowired
    private  ImageCodeFilter imageCodeFilter;
    /**
     * Builds the security chain: the captcha filter runs before the username/password
     * filter, /imageCode is open to everyone, /hello and /hello/admin are role-protected,
     * and the custom /login page is used with the injected success/failure/logout handlers.
     *
     * @param http the builder to configure
     * @throws Exception as declared by the builder API
     */
    @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.addFilterBefore(imageCodeFilter, UsernamePasswordAuthenticationFilter.class) // captcha check runs before username/password authentication
                    .authorizeRequests()
                    .antMatchers("/imageCode").permitAll() // the captcha image must be reachable before login
                    .antMatchers("/hello/admin").hasRole("ROOT")
                    .antMatchers("/hello").hasRole("USER").anyRequest().permitAll()
                    .and()
                    // NOTE(review): this removes the CSRF token check from every state-changing
                    // request, not only from /login; confirm that is intended.
                    .csrf().disable().
                    formLogin().loginPage("/login")  // custom login page
                    .defaultSuccessUrl("/hello")
                    // NOTE(review): defaultSuccessUrl, successForwardUrl and successHandler
                    // each install a success handler; presumably only the last call
                    // (successHandler) takes effect — confirm and drop the other two if so.
                    .successForwardUrl("/hello/admin")
                    .successHandler(authSuccessHandler)
                    .failureHandler(authFailureHandler)
                    .and().httpBasic().disable()
                    // NOTE(review): disabling session management also drops session
                    // fixation protection and concurrency control — confirm this is wanted.
                    .sessionManagement().disable()
                    .cors()
                    .and()
                    .logout().logoutUrl("/logout").addLogoutHandler(authLogoutHandler);
        }
    
  • 原文地址:https://www.cnblogs.com/quartz/p/13256904.html