重构短信登录
现有问题如上图:
- 浏览器中使用session存储验证码
- app中午cookie概念(无session)
解决方案:
- app发送和验证 验证码必须携带一个deviceId (设备id)
- 浏览器按之前的逻辑走
也就是说,这里只是验证码的存储发生了变化,那么抽出来一个存储接口,浏览器和app做不同的适配即可
package cn.mrcode.imooc.springsecurity.securitycore.validate.code;
import org.springframework.web.context.request.ServletWebRequest;
/**
* <pre>
* 验证码存储仓库接口
* </pre>
* @author zhuqiang
* @version 1.0.0
* @date 2018/8/8 13:58
* @since 1.0.0
*/
public interface ValidateCodeRepository {
/**
* 保存验证码
* @param request
* @param code
* @param validateCodeType
*/
void save(ServletWebRequest request, ValidateCode code, ValidateCodeType validateCodeType);
/**
* 获取验证码
* @param request
* @param validateCodeType
* @return
*/
ValidateCode get(ServletWebRequest request, ValidateCodeType validateCodeType);
/**
* 移除验证码
* @param request
* @param validateCodeType
*/
void remove(ServletWebRequest request, ValidateCodeType validateCodeType);
}
浏览器实现;(因为开始只有session的实现,重构线把session的抽取出来);
把session相关操作全部抽到这里了
package cn.mrcode.imooc.springsecurity.securitybrowser.validate.code.impl;
import cn.mrcode.imooc.springsecurity.securitycore.validate.code.ValidateCode;
import cn.mrcode.imooc.springsecurity.securitycore.validate.code.ValidateCodeRepository;
import cn.mrcode.imooc.springsecurity.securitycore.validate.code.ValidateCodeType;
import cn.mrcode.imooc.springsecurity.securitycore.validate.code.impl.AbstractValidateCodeProcessor;
import org.springframework.social.connect.web.HttpSessionSessionStrategy;
import org.springframework.social.connect.web.SessionStrategy;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.ServletWebRequest;
/**
* ${desc}
* @author zhuqiang
* @version 1.0.1 2018/8/8 14:06
* @date 2018/8/8 14:06
* @since 1.0
*/
@Component
public class SessionValidateCodeRepository implements ValidateCodeRepository {
/** 操作session的工具类 */
private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();
/** 验证码放入session的时候前缀 */
public final static String SESSION_KEY_PREFIX = "SESSION_KEY_FOR_CODE";
@Override
public void save(ServletWebRequest request, ValidateCode code, ValidateCodeType validateCodeType) {
sessionStrategy.setAttribute(request, getSessionKey(validateCodeType), code);
}
@Override
public ValidateCode get(ServletWebRequest request, ValidateCodeType validateCodeType) {
String sessionKey = getSessionKey(validateCodeType);
// 拿到创建 create() 存储到session的code验证码对象
return (ValidateCode) sessionStrategy.getAttribute(request, sessionKey);
}
@Override
public void remove(ServletWebRequest request, ValidateCodeType validateCodeType) {
sessionStrategy.removeAttribute(request, getSessionKey(validateCodeType));
}
/**
* 构建验证码放入session时的key; 在保存的时候也使用该key
* {@link AbstractValidateCodeProcessor#save(org.springframework.web.context.request.ServletWebRequest, cn.mrcode.imooc.springsecurity.securitycore.validate.code.ValidateCode)}
* @param validateCodeType
* @return
*/
private String getSessionKey(ValidateCodeType validateCodeType) {
return SESSION_KEY_PREFIX + validateCodeType.toString().toUpperCase();
}
}
app实现
package cn.mrcode.imooc.springsecurity.securityapp.validate.code.impl;
import cn.mrcode.imooc.springsecurity.securitycore.validate.code.ValidateCode;
import cn.mrcode.imooc.springsecurity.securitycore.validate.code.ValidateCodeException;
import cn.mrcode.imooc.springsecurity.securitycore.validate.code.ValidateCodeRepository;
import cn.mrcode.imooc.springsecurity.securitycore.validate.code.ValidateCodeType;
import cn.mrcode.imooc.springsecurity.securitycore.validate.code.impl.AbstractValidateCodeProcessor;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.data.redis.RedisAutoConfiguration;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.ServletWebRequest;
import java.util.concurrent.TimeUnit;
/**
* ${desc}
* @author zhuqiang
* @version 1.0.1 2018/8/8 14:06
* @date 2018/8/8 14:06
* @since 1.0
*/
@Component
public class RedisValidateCodeRepository implements ValidateCodeRepository {
/**
* @see RedisAutoConfiguration#redisTemplate(org.springframework.data.redis.connection.RedisConnectionFactory)
*/
@Autowired
private RedisTemplate<Object, Object> redisTemplate;
/** 验证码放入redis规则模式:CODE_{TYPE}_{DEVICEId} */
private final static String CODE_KEY_PATTERN = "CODE_%s_%s";
@Override
public void save(ServletWebRequest request, ValidateCode code, ValidateCodeType validateCodeType) {
redisTemplate.opsForValue().set(buildKey(request, validateCodeType), code, 180, TimeUnit.MINUTES);
}
@Override
public ValidateCode get(ServletWebRequest request, ValidateCodeType validateCodeType) {
String key = buildKey(request, validateCodeType);
// 拿到创建 create() 存储到session的code验证码对象
return (ValidateCode) redisTemplate.opsForValue().get(key);
}
@Override
public void remove(ServletWebRequest request, ValidateCodeType validateCodeType) {
String key = buildKey(request, validateCodeType);
redisTemplate.delete(key);
}
/**
* 构建验证码放入redis时的key; 在保存的时候也使用该key
* {@link AbstractValidateCodeProcessor#save(ServletWebRequest, ValidateCode)}
* @param validateCodeType
* @return
*/
private String buildKey(ServletWebRequest request, ValidateCodeType validateCodeType) {
String deviceId = request.getHeader("deviceId");
if (StringUtils.isBlank(deviceId)) {
throw new ValidateCodeException("请在请求头中携带deviceId参数");
}
return String.format(CODE_KEY_PATTERN, validateCodeType, deviceId);
}
}
测试
打开之前屏蔽掉的图形验证码过滤器配置
发送验证码的是不用登陆的
GET /code/sms?mobile=13012345678 HTTP/1.1
Host: localhost:8080
deviceId: 1
登陆,记得携带client信息
POST /authentication/mobile HTTP/1.1
Host: localhost:8080
Authorization: Basic bXlpZDpteWlk
deviceId: 1
Content-Type: application/x-www-form-urlencoded
smsCode=270058&mobile=13012345678
因为图形验证码和短信验证码存储只有存储这一块变更了。所以只要短信验证码的可以使用,图形验证码的也应该可以使用
