- 浏览: 305958 次
文章分类
最新评论
-
流年末年:
那四个参数还是没看懂.....能不能解释下showPassst ...
我写的密码强度验证方法(原创) -
kingcs2008:
// 验证pws.jsshowPassstrength(&qu ...
我写的密码强度验证方法(原创) -
h957355152:
请问博主这个怎么用呢?我直接放到jsp里面调用showPass ...
我写的密码强度验证方法(原创) -
qq_15138059:
我写的全国省市县三级联动菜单,拿出来和大家分享了(原创) -
valenon:
评论呢?从MAIL FROM命令开始貌似就出错了:500 Er ...
如何发送伪造的电子邮件
一般来说,登录时都会要求用户输入验证码,以防止恶意登录。
可是,SpringSecurity并没有为我们提供这样的功能,所以就需要我们自己来解决了。
那么该如何解决呢,其实也挺简单的,
核对验证码信息,当然是在登录时处理的,所以,使用filter是最佳选择。
既然确定了方向,那么久该考虑如何增加这个filter了,其实可以有两种方案:
1.继承UsernamePasswordAuthenticationFilter ,在里面增加验证码验证规则即可;
2.自己定义一个filter,专门处理验证码验证;
笔者这里推荐使用第二种方案,因为第一种我们需要显示声明login-filter,所以需要修改SpringSecurity的配置文件,而方案 2根本不需要修改,只需要向一般的filter一样,在web.xml中增加配置即可,唯一需要注意的是,mapping一定要与触发login- filter的url一致,如下所示:
- < filter >
- < filter-name > imageFilter </ filter-name >
- < filter-class > com.piaoyi.common.filter.ImageFilter </ filter-class >
- </ filter >
- < filter-mapping >
- < filter-name > imageFilter </ filter-name >
- < url-pattern > /j_spring_security_check </ url-pattern >
- </ filter-mapping >
另外需要注意的是,该filter的mapping一定要声明在springSecurityFilterChain的mapping之前,这样可以保证请求先被imageFilter处理。
设计思路就是这样的,这里给出一个简单的实现。
login.jsp
- < %@ page language = "java" contentType = "text/html; charset=UTF-8"
- pageEncoding = "UTF-8" % >
- < %@ include file = "/WEB-INF/views/jsp/common/includes.jsp" % >
- <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
- < html >
- < head >
- < meta http-equiv = "Content-Type" content = "text/html; charset=UTF-8" >
- < title > 登陆 </ title >
- </ head >
- < body >
- < center >
- < div class = "error" >
- ${sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message }</ div >
- < form name = 'f' id = 'f'
- action = '<%=request.getContextPath()%>/j_spring_security_check'
- method = 'POST' >
- < table style = "width: 50%" >
- < tr >
- < td style = "text-align: right; width: 35%" > 用户名称 : </ td >
- < td style = "text-align: left" > < input type = 'text'
- name = 'j_username' value = '' > </ td >
- </ tr >
- < tr >
- < td style = "text-align: right" > 密码 : </ td >
- < td style = "text-align: left" > < input type = 'password'
- name = 'j_password' /> </ td >
- </ tr >
- < tr >
- < td style = "text-align: right" > < label for = "j_captcha" > 验证码: </ label > </ td >
- < td >
- < input type = 'text' name = 'j_captcha' class = "required"
- size = '5' />
- < img id = "imageF" src = "<c:url value=" /resource/image.jsp" /> " />
- < a href = "#" id = "flashImage" > 看不清楚换一张 </ a >
- </ td >
- </ tr >
- < tr >
- < td align = "right" > < input id = "_spring_security_remember_me"
- name = "_spring_security_remember_me" type = "checkbox" value = "true" />
- </ td >
- < td > < label for = "_spring_security_remember_me" > Remember Me? </ label >
- </ td >
- </ tr >
- < tr >
- < td colspan = "2" style = "text-align: center" > < input
- type = "submit" name = "submit" value = "登录" /> </ td >
- </ tr >
- </ table >
- </ form >
- </ center >
- < script type = "text/javascript" >
- document.f.j_username.focus();
- if ('${message}' == 1) {
- alert("用户名或密码错误");
- }
- jQuery(function($){
- $("#flashImage").click(function(){
- $('#imageF').hide().attr('src','< c:url value = "/resource/image.jsp" /> '+ '?'+ Math.floor(Math.random() * 100)).fadeIn();
- });
- });
- </ script >
- </ body >
- </ html >
ImageFilter.java
- package com.piaoyi.common.filter;
- import java.io.IOException;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- public class ImageFilter implements Filter{
- @Override
- public void destroy() {
- // TODO Auto-generated method stub
- }
- @Override
- public void doFilter(ServletRequest arg0, ServletResponse arg1,
- FilterChain arg2) throws IOException, ServletException {
- // TODO Auto-generated method stub
- HttpServletRequest request = (HttpServletRequest) arg0;
- HttpServletResponse response = (HttpServletResponse) arg1;
- String yanzhengm = request.getParameter("j_captcha" );
- String sessionyanz = (String)request.getSession(true ).getAttribute( "yzkeyword" );
- if (yanzhengm.equals(sessionyanz)){
- arg2.doFilter(request, response);
- }else {
- response.sendRedirect("/login.do" );
- }
- }
- @Override
- public void init(FilterConfig arg0) throws ServletException {
- // TODO Auto-generated method stub
- }
- }
image.jsp
- < %@ page contentType = "image/jpeg" import = "java.awt.*,java.awt.image.*,java.util.*,javax.imageio.*" pageEncoding = "UTF-8" % >
- < %!
- Color getRandColor(int fc,int bc){//随机获得颜色,RGB格式
- Random random = new Random();
- if(fc> 255) fc = 255 ;
- if(bc> 255) bc = 255 ;
- int r = fc +random.nextInt(bc-fc);
- int g = fc +random.nextInt(bc-fc);
- int b = fc +random.nextInt(bc-fc);
- return new Color(r,g,b);
- }
- %>
- < %
- //清除缓存,每次访问该页面时都从服务器端读取
- response.setHeader("Pragma","No-cache");
- response.setHeader("Cache-Control","no-cache");
- response.setDateHeader("Expires", 0);
- // 定义显示图片的宽度和高度
- int width = 60 , height = 20 ;
- BufferedImage image = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
- // 画图画板
- Graphics g = image .getGraphics();
- //定义一个随机数
- Random random = new Random();
- // 设置画板背景颜色
- g.setColor(getRandColor(200,250));
- //设置画板的填充范围
- g.fillRect(0, 0, width, height);
- //设置字体
- g.setFont(new Font("Times New Roman",Font.PLAIN,18));
- // 设置线条颜色并画线,155条
- g.setColor(getRandColor(160,200));
- for (int i = 0 ;i < 155 ;i++)
- {
- int x = random .nextInt(width);
- int y = random .nextInt(height);
- int xl = random .nextInt(12);
- int yl = random .nextInt(12);
- g.drawLine(x,y,x+xl,y+yl);
- }
- // 显示数字,4位长度
- String sRand = "" ;
- for (int i = 0 ;i < 4 ;i++){
- String rand = String .valueOf(random.nextInt(10));
- sRand+=rand;
- // 设置每个数字的颜色
- g.setColor(new Color(20+random.nextInt(110),20+random.nextInt(110),20+random.nextInt(110)));
- //在画板上写数字,起始位置
- g.drawString(rand,13*i+6,16);
- }
- // 保存进session
- session.setAttribute("yzkeyword",sRand);
- //System.out.println("yzm:"+sRand);
- // 显示图片
- g.dispose();
- %>
- < %
- //转换成一张图片,格式为JPEG
- ImageIO.write(image, "JPEG", response.getOutputStream());
- out.clear();//清空缓存的内容。
- pageContext.pushBody();
- %>
applicationContext-security.xml
- <? xml version = "1.0" encoding = "UTF-8" ?>
- < beans:beans xmlns = "http://www.springframework.org/schema/security"
- xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance" xmlns:p = "http://www.springframework.org/schema/p"
- xmlns:aop = "http://www.springframework.org/schema/aop" xmlns:context = "http://www.springframework.org/schema/context"
- xmlns:jee = "http://www.springframework.org/schema/jee" xmlns:tx = "http://www.springframework.org/schema/tx"
- xmlns:util = "http://www.springframework.org/schema/util" xmlns:mvc = "http://www.springframework.org/schema/mvc"
- xmlns:tool = "http://www.springframework.org/schema/tool" xmlns:beans = "http://www.springframework.org/schema/beans"
- xsi:schemaLocation ="
- http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
- http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
- http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
- http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
- http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
- http://www.springframework.org/schema/tool http://www.springframework.org/schema/tool/spring-tool-3.1.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"
- default-lazy-init = "true" >
- < http security = "none" pattern = "/index.do" />
- < http auto-config = 'true' access-decision-manager-ref = "accessDecisionManager"
- access-denied-page = "/index.do" >
- < intercept-url pattern = "/demo.do*" access = "IS_AUTHENTICATED_REMEMBERED" />
- < intercept-url pattern = "/**/*.do*" access = "HODLE" />
- < logout logout-url = "/logout.do" invalidate-session = "true"
- logout-success-url = "/logout.jsp" />
- < form-login login-page = "/index.do" default-target-url = "/frame.do"
- always-use-default-target = "true" authentication-failure-url = "/index.do?login_error=1" />
- < session-management >
- < concurrency-control max-sessions = "1" expired-url = "/timeout.jsp" />
- </ session-management >
- < remember-me key = "jbcpPetStore" />
- </ http >
- <!-- Automatically receives AuthenticationEvent messages -->
- < beans:bean id = "loggerListener"
- class = "org.springframework.security.authentication.event.LoggerListener" />
- < authentication-manager erase-credentials = "false" >
- < authentication-provider user-service-ref = "userService" >
- < password-encoder hash = "md5" />
- </ authentication-provider >
- </ authentication-manager >
- < beans:bean id = "userService" class = "com.piaoyi.common.security.UserService" />
- < beans:bean id = "accessDecisionManager"
- class = "org.springframework.security.access.vote.AffirmativeBased" >
- < beans:property name = "decisionVoters" >
- < beans:list >
- < beans:bean class = "org.springframework.security.access.vote.RoleVoter" />
- < beans:bean
- class = "org.springframework.security.access.vote.AuthenticatedVoter" />
- < beans:bean class = "com.piaoyi.common.security.DynamicRoleVoter" />
- </ beans:list >
- </ beans:property >
- </ beans:bean >
- </ beans:beans >
效果图如下:
另外,从网上也看到了类似的解决方案:
发表评论
-
spring-security3 配置和使用(二)承上
2011-12-22 06:42 10622、xml配置,配置内容如下: Xml代码 ... -
spring-security3 配置和使用 (一)(转载)
2011-12-22 06:43 954最近项目中要使用到spring-security,可能研究 ... -
SpringSecurity3.X--一个简单实现(转载)
2011-12-22 06:43 2675作者对springsecurity研究不深,算是个初学者吧,最 ... -
SpringSecurity3.X--前台与后台登录认证(转载)
2011-12-23 06:33 3459不过一般我们在管理系统时都会分前台与后台,也就是说,前台与后台 ... -
SpringSecurity3.X--remember-me(转载)
2011-12-22 06:44 1747笔者在SpringSecurity中配置remember-me ... -
《Spring Security3》第六章第七部分翻译(认证事件处理与小结)
2011-12-23 06:34 1344认证事件处理 ... -
《Spring Security3》第六章第六部分翻译(Spring Security基于bean的高级配置)
2011-12-23 06:34 1056Spring Security 基于bean 的高级配 ... -
《Spring Security3》第六章第五部分翻译(手动配置Spring Security设施的bean)(转载)
2011-12-23 06:34 1028手动配置Spring Security 设施的be ... -
《Spring Security3》第六章第四部分翻译(异常处理)(转载)
2011-12-23 06:34 1247理解和配置异常处理 ... -
《Spring Security3》第六章第三部分翻译(Session的管理和并发)(转载)
2011-12-24 10:20 4230Session 的管理和并发 ... -
《Spring Security3》第六章第二部分翻译(自定义AuthenticationProvider)(转载)
2011-12-24 10:21 1523实现自定义的 AuthenticationProvide ... -
《Spring Security3》第六章第一部分翻译(自定义安全过滤器)(转载)
2011-12-24 10:21 1126第六章 高级配置和扩展 到目前为止,我 ... -
《Spring Security3》第五章第四部分翻译(方法安全的高级知识和小结)(转载)
2011-12-24 10:22 1060方法安全的高级知 ... -
《Spring Security3》第五章第三部分翻译(保护业务层)
2011-12-24 10:22 892保护业务层 到目前为止,在 ... -
《Spring Security3》第五章第二部分翻译下(实现授权精确控制的方法——页面级权限)(转载)
2011-12-25 00:47 1028使用控制器逻辑进行有条件渲染内容 ... -
《Spring Security3》第五章第二部分翻译上(实现授权精确控制的方法——页面级权限)(转载)
2011-12-25 00:47 975实现授权精确控制的方法 精确的授权指的是基于用 ... -
《Spring Security3》第五章第一部分翻译(重新思考应用功能和安全) (转载)
2011-12-25 00:47 951第五章 精确的 ... -
《Spring Security3》第四章第四部分翻译(Remember me后台存储和SSL)(转载)
2011-12-25 00:47 1267将 Remember me 功能 ... -
《Spring Security3》第四章第三部分翻译下(密码加salt)(转载)
2011-12-25 00:48 1813你是否愿意在密码上添加点salt ? 如果安 ... -
《Spring Security3》第四章第三部分翻译上(配置安全的密码)(转载)
2011-12-26 00:41 1029配置安全的密码 我们 ...
相关推荐
赠送jar包:spring-security-core-5.3.9.RELEASE.jar; 赠送原API文档:spring-security-core-5.3.9.RELEASE-javadoc.jar; 赠送源代码:spring-security-core-5.3.9.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-core-5.2.0.RELEASE.jar; 赠送原API文档:spring-security-core-5.2.0.RELEASE-javadoc.jar; 赠送源代码:spring-security-core-5.2.0.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-rsa-1.0.10.RELEASE.jar; 赠送原API文档:spring-security-rsa-1.0.10.RELEASE-javadoc.jar; 赠送源代码:spring-security-rsa-1.0.10.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-web-5.2.0.RELEASE.jar; 赠送原API文档:spring-security-web-5.2.0.RELEASE-javadoc.jar; 赠送源代码:spring-security-web-5.2.0.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-jwt-1.0.10.RELEASE.jar; 赠送原API文档:spring-security-jwt-1.0.10.RELEASE-javadoc.jar; 赠送源代码:spring-security-jwt-1.0.10.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-oauth2-2.3.5.RELEASE.jar; 赠送原API文档:spring-security-oauth2-2.3.5.RELEASE-javadoc.jar; 赠送源代码:spring-security-oauth2-2.3.5.RELEASE-sources.jar; 赠送Maven依赖信息...
org.springframework.spring-library-3.0.4.RELEASE.libd org.springframework.test-3.0.4.RELEASE.jar org.springframework.transaction-3.0.4.RELEASE.jar org.springframework.web.portlet-3.0.4.RELEASE.jar ...
赠送jar包:spring-security-jwt-1.0.10.RELEASE.jar; 赠送原API文档:spring-security-jwt-1.0.10.RELEASE-javadoc.jar; 赠送源代码:spring-security-jwt-1.0.10.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-core-5.0.7.RELEASE.jar; 赠送原API文档:spring-security-core-5.0.7.RELEASE-javadoc.jar; 赠送源代码:spring-security-core-5.0.7.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-oauth2-2.3.5.RELEASE.jar; 赠送原API文档:spring-security-oauth2-2.3.5.RELEASE-javadoc.jar; 赠送源代码:spring-security-oauth2-2.3.5.RELEASE-sources.jar; 赠送Maven依赖信息...
org.springframework.spring-library-3.1.RELEASE.libd org.springframework.test-3.1.RELEASE.jar org.springframework.transaction-3.1.RELEASE.jar org.springframework.web.portlet-3.1.RELEASE.jar org....
包含spring 3.0.5的所有jar文件: org.springframework.aop-3.0.5.RELEASE.jar org.springframework.asm-3.0.5.RELEASE.jar org.springframework.aspects-3.0.5.RELEASE.jar org.springframework.beans-3.0.5.RELEASE...
赠送jar包:spring-security-oauth2-autoconfigure-2.1.8.RELEASE.jar; 赠送原API文档:spring-security-oauth2-autoconfigure-2.1.8.RELEASE-javadoc.jar; 赠送源代码:spring-security-oauth2-autoconfigure-...
赠送jar包:spring-security-web-5.2.0.RELEASE.jar; 赠送原API文档:spring-security-web-5.2.0.RELEASE-javadoc.jar; 赠送源代码:spring-security-web-5.2.0.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-config-5.2.0.RELEASE.jar; 赠送原API文档:spring-security-config-5.2.0.RELEASE-javadoc.jar; 赠送源代码:spring-security-config-5.2.0.RELEASE-sources.jar; 赠送Maven依赖信息...
spring-security-core-2.0.5.RELEASE-sources
赠送jar包:spring-security-rsa-1.0.10.RELEASE.jar; 赠送原API文档:spring-security-rsa-1.0.10.RELEASE-javadoc.jar; 赠送源代码:spring-security-rsa-1.0.10.RELEASE-sources.jar; 赠送Maven依赖信息文件:...
赠送jar包:spring-security-oauth2-autoconfigure-2.1.8.RELEASE.jar; 赠送原API文档:spring-security-oauth2-autoconfigure-2.1.8.RELEASE-javadoc.jar; 赠送源代码:spring-security-oauth2-autoconfigure-...
spring.jar spring-aop.jar spring-aop.jar spring-beans.jar spring-hibernate3.jar spring-jdbc.jar spring-struts.jar spring-web.jar
赠送jar包:spring-security-web-5.0.7.RELEASE.jar; 赠送原API文档:spring-security-web-5.0.7.RELEASE-javadoc.jar; 赠送源代码:spring-security-web-5.0.7.RELEASE-sources.jar; 赠送Maven依赖信息文件:...