Spring Security重写AuthenticationManager实现账号密码登录或者手机号码登录
9人参与 • 2025-09-09 • Java
使用 spring security 重写authenticationmanager实现账号密码登录或者手机号码登录,spring security默认使用账号密码进行登录,通过将账号密码写入到usernamepasswordauthenticationtoken中,认证成功后创建一个包含用户信息和权限的认证令牌;在usernamepasswordauthenticationtoken认证的时候,调用userdetailsservice进行校验(此次可以自己写逻辑进行校验,如查数据库),并且返回userdetails(用户信息类)。
在此基础上实现功能:用户能够使用账号+密码登录;用户能够使用手机号码登录(个人暂时只需要用到手机号码+第三方验证码登录,可以根据需求更改配置)。
一、创建自定义认证提供者customauthenticationprovider
import com.yuqn.service.impl.phonenumberuserservice;
import org.springframework.security.authentication.authenticationprovider;
import org.springframework.security.authentication.badcredentialsexception;
import org.springframework.security.authentication.usernamepasswordauthenticationtoken;
import org.springframework.security.core.authentication;
import org.springframework.security.core.authenticationexception;
import org.springframework.security.core.userdetails.userdetails;
import org.springframework.security.core.userdetails.userdetailsservice;
import org.springframework.security.crypto.password.passwordencoder;
public class customauthenticationprovider implements authenticationprovider {
private userdetailsservice userdetailsservice;
private passwordencoder passwordencoder;
private phonenumberuserservice phonenumberuserservice;
public customauthenticationprovider(userdetailsservice userdetailsservice, passwordencoder passwordencoder, phonenumberuserservice phonenumberuserservice) {
this.userdetailsservice = userdetailsservice;
this.passwordencoder = passwordencoder;
this.phonenumberuserservice = phonenumberuserservice;
}
@override
public authentication authenticate(authentication authentication) throws authenticationexception {
// 接收认证信息
string credentials = (string) authentication.getcredentials();
string principal = (string) authentication.getprincipal();
// 判断是账号登录还是手机号登录,这里简单通过前缀区分
userdetails userdetails = null;
if (principal.startswith("username:")) {
// 账号登录
string username = principal.substring("username:".length());
userdetails = userdetailsservice.loaduserbyusername(username);
if (!passwordencoder.matches(credentials, userdetails.getpassword())) {
throw new badcredentialsexception("invalid username or password");
}
} else if (principal.startswith("phone:")) {
// 手机号登录
// 这里需要有一个根据手机号加载用户信息的方法,比如 userdetailsservice.loaduserbyphonenumber(phonenumber)
// 但由于userdetailsservice没有提供这样的方法,所以这里只是一个示例,你需要自己实现这个逻辑
string phonenumber = principal.substring("phone:".length());
// 手机号码登录
userdetails = phonenumberuserservice.loaduserbyphonenumber(phonenumber);
} else {
throw new badcredentialsexception("invalid principal format");
}
// 如果用户信息验证成功,则创建一个新的已认证令牌并返回
usernamepasswordauthenticationtoken authenticatedtoken = new usernamepasswordauthenticationtoken(userdetails, credentials, userdetails.getauthorities());
authenticatedtoken.setdetails(authentication.getdetails());
return authenticatedtoken;
}
@override
public boolean supports(class<?> authentication) {
return usernamepasswordauthenticationtoken.class.isassignablefrom(authentication);
}
}
二、创建认证业务userdetailsservice、phonenumberuserservice
创建两个验证类,用于进行用户认证,其中userdetailsservice认证账号密码登录,phonenumberuserservice认证手机号码登录(我这里手机号码唯一,通过手机号码查询用户,具体逻辑根据自己业务来)
userdetailsservice类:
/**
* @author: yuqn
* @date: 2024/5/21 23:34
* @description:
* secutiry类
* 重写登录验证方法,常规方法是 loaduserbyusername 接收传递的参数,进行security自定义的校验
* 这里重写 loaduserbyusername 方法,自定义校验方法(如查询数据库是否存在此人)
* @version: 1.0
*/
@service
public class userdetailsservice implements org.springframework.security.core.userdetails.userdetailsservice {
@autowired
private usermapper usermapper;
@autowired
private menumapper menumapper;
/**
* @author: yuqn
* @date: 2024/11/24 0:30
* @description:
* 根据用户名查询到用户信息,并且映射到userdetails
* @param: null
* @return: null
*/
@override
public userdetails loaduserbyusername(string username) throws usernamenotfoundexception {
// 查询用户
system.out.println("username==" + username);
lambdaquerywrapper<user> querywrapper = new lambdaquerywrapper<>();
querywrapper.eq(user::getusername,username);
user user = usermapper.selectone(querywrapper);
system.out.println("user = " + user);
// 如果没有用户就抛出异常
if(objects.isnull(user)){
throw new runtimeexception("用户名或者密码错误");
}
// 查询对应权限
// list<string> list = new arraylist<>(arrays.aslist("test","admin"));
list<string> list = menumapper.selectpermsbyuserid(user.getid());
list.add(user.getroles());
system.out.println("list = " + list);
// 将user封装到 loginuser 返回,security 会根据 loginuser 获取账号密码进行校验,数据库中的密码需要使用{noop}表示明文保存的,不然会报错,因为security使用的加密校验
return new loginuser(user,list);
}
}
phonenumberuserservice类:
/**
* @author: yuqn
* @date: 2024/11/26 11:09
* @description:
* 电话号码查询用户,封装到userdetails,用于customauthenticationprovider验证
* @version: 1.0
*/
@service
public class phonenumberuserservice {
@autowired
private usermapper usermapper;
@autowired
private menumapper menumapper;
/**
* @author: yuqn
* @date: 2024/11/26 11:04
* @description:
* 自定义手机号码验证
* @param: null
* @return: null
*/
public userdetails loaduserbyphonenumber(string phonenumber){
// 根据手机号码查询用户
lambdaquerywrapper<user> querywrapper = new lambdaquerywrapper<>();
querywrapper.eq(user::getphonenumber,phonenumber);
user user = usermapper.selectone(querywrapper);
// 如果没有用户就抛出异常
if(objects.isnull(user)){
throw new runtimeexception("用户名或者密码错误");
}
// 查询对应权限
// list<string> list = new arraylist<>(arrays.aslist("test","admin"));
list<string> list = menumapper.selectpermsbyuserid(user.getid());
list.add(user.getroles());
system.out.println("list = " + list);
// 将user封装到 loginuser 返回,security 会根据 loginuser 获取账号密码进行校验,数据库中的密码需要使用{noop}表示明文保存的,不然会报错,因为security使用的加密校验
return new loginuser(user,list);
}
}
三、更改配置类
注入自定义认证提供者customauthenticationprovider,从而实现逻辑。
@bean
public authenticationmanager authenticationmanagerbean() throws exception {
return authenticationconfiguration.getauthenticationmanager();
}
@bean
public passwordencoder passwordencoder(){
return new bcryptpasswordencoder();
}
@bean
public userdetailsservice userdetailsservice() {
// 返回你的userdetailsservice实现
return new userdetailsservice();
}
@bean
public phonenumberuserservice phonenumberuserservice(){
return new phonenumberuserservice();
}
@bean
public customauthenticationprovider customauthenticationprovider() {
return new customauthenticationprovider(userdetailsservice(), passwordencoder(),phonenumberuserservice());
}
四、登录业务类
登录接口调用该业务类,将用户信息存入到usernamepasswordauthenticationtoken实现自定义认证,认证成功后生成一个凭证,用户返回给调用者。
@override
public result login(user user) {
//authenticationmanager authenticate 进行用户认证,通过封装的authenticationtoken进行验证
usernamepasswordauthenticationtoken authenticationtoken = new usernamepasswordauthenticationtoken(user.getusername(),user.getpassword());
system.out.println("authenticationtoken = " + authenticationtoken);
authentication authenticate = authenticationmanager.authenticate(authenticationtoken);
system.out.println("authenticate = " + authenticate);
// 如果认证没提过,给出对应的提示
if(objects.isnull(authenticate)){
throw new runtimeexception("登录失败");
}
//如果认证通过,使用userid生成一个jwt,jwt存入responseresult返回
loginuser loginuser = (loginuser) authenticate.getprincipal();
system.out.println("loginuser:" + loginuser);
string userid = loginuser.getuser().getid().tostring();
string jwt = jwtutil.createjwt(userid);
map<string,string> map = new hashmap<>();
map.put("token",jwt);
//把完整的用户信息存入到redis userid作为key
rediscache.setcacheobject("login:" + userid, loginuser);
return result.ok("登录成功",map);
}
五、写接口
@postmapping("/user/login")
public result login(@requestbody user user){
// 登录
return loginservice.login(user);
}
六、测试
七、总结
usernamepasswordauthenticationtoken提供的方法参数是用户名、用户名+密码、用户名+密码+权限,所以使用手机号码登录,实际上是将手机号码当成用户名,通过自定义认证器进行拦截并处理,最终实现效果。
到此这篇关于spring security重写authenticationmanager实现账号密码登录或者手机号码登录的文章就介绍到这了,更多相关springsecurity authenticationmanager登录内容请搜索代码网以前的文章或继续浏览下面的相关文章希望大家以后多多支持代码网!
赞 (0)
您想发表意见!!点此发布评论
发表评论