此版本仍在开发中，尚未被视为稳定版本。对于最新的稳定版本，请使用 Spring Security 6.4.5！spring-doc.cadn.net.cn

一次性令牌登录

Spring Security 通过oneTimeTokenLogin()DSL 的在深入研究实施细节之前，请务必阐明框架中 OTT 功能的范围，重点介绍支持和不支持的功能。spring-doc.cadn.net.cn

了解一次性令牌与一次性密码

将一次性令牌（OTT）与一次性密码（OTP）混淆是很常见的，但在 Spring Security 中，这些概念在几个关键方面有所不同。为清楚起见，我们假设 OTP 是指 TOTP（基于时间的一次性密码）或 HOTP（基于 HMAC 的一次性密码）。spring-doc.cadn.net.cn

设置要求

OTT：不需要初始设置。用户无需提前配置任何内容。spring-doc.cadn.net.cn
OTP：通常需要设置，例如生成密钥并与外部工具共享密钥以生成一次性密码。spring-doc.cadn.net.cn

Token Delivery

OTT：通常是自定义的OneTimeTokenGenerationSuccessHandler必须实现，负责将 Token 交付给最终用户。spring-doc.cadn.net.cn
OTP：令牌通常由外部工具生成，因此无需通过应用程序将其发送给用户。spring-doc.cadn.net.cn

代币生成

OTT：这OneTimeTokenService.generate(GenerateOneTimeTokenRequest)方法需要OneTimeToken要返回，强调服务器端生成。spring-doc.cadn.net.cn
OTP：令牌不一定在服务器端生成，通常由客户端使用共享密钥创建。spring-doc.cadn.net.cn

总之，一次性令牌（OTT）提供了一种无需额外帐户设置即可对用户进行身份验证的方法，将其与一次性密码（OTP）区分开来，后者通常涉及更复杂的设置过程，并依赖外部工具生成令牌。spring-doc.cadn.net.cn

一次性令牌登录分两个主要步骤进行。spring-doc.cadn.net.cn

用户通过提交其用户标识符（通常是用户名）来请求令牌，令牌通常以 Magic Link 的形式通过电子邮件、短信等方式发送给他们。spring-doc.cadn.net.cn
用户将令牌提交到一次性令牌登录终端节点，如果有效，则用户登录。spring-doc.cadn.net.cn

在以下部分中，我们将探讨如何根据您的需求配置 OTT 登录。spring-doc.cadn.net.cn

默认登录页面和默认一次性令牌提交页面

当oneTimeTokenLogin()默认情况下，一次性令牌登录页面由 org.springframework.security.web.authentication.ui：DefaultLoginPageGeneratingFilter[] 自动生成。 DSL 还将设置DefaultOneTimeTokenSubmitPageGeneratingFilter以生成默认的 One-Time Token 提交页面。spring-doc.cadn.net.cn

将 Token 发送给用户

Spring Security 无法合理地确定应将令牌交付给用户的方式。因此，自定义OneTimeTokenGenerationSuccessHandler根据您的需求将 Token 投递给用户。最常见的交付策略之一是 Magic Link，通过电子邮件、短信等。在以下示例中，我们将创建一个 magic link 并将其发送到用户的电子邮件。spring-doc.cadn.net.cn

一次性令牌登录配置

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) {
        http
            // ...
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin(Customizer.withDefaults());
        return http.build();
    }

}

import org.springframework.mail.SimpleMailMessage;
import org.springframework.mail.javamail.JavaMailSender;

@Component (1)
public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {

    private final MailSender mailSender;

    private final OneTimeTokenGenerationSuccessHandler redirectHandler = new RedirectOneTimeTokenGenerationSuccessHandler("/ott/sent");

    // constructor omitted

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, OneTimeToken oneTimeToken) throws IOException, ServletException {
        UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
                .replacePath(request.getContextPath())
                .replaceQuery(null)
                .fragment(null)
                .path("/login/ott")
                .queryParam("token", oneTimeToken.getTokenValue()); (2)
        String magicLink = builder.toUriString();
        String email = getUserEmail(oneTimeToken.getUsername()); (3)
        this.mailSender.send(email, "Your Spring Security One Time Token", "Use the following link to sign in into the application: " + magicLink); (4)
        this.redirectHandler.handle(request, response, oneTimeToken); (5)
    }

    private String getUserEmail() {
        // ...
    }

}

@Controller
class PageController {

    @GetMapping("/ott/sent")
    String ottSent() {
        return "my-template";
    }

}

@Configuration
@EnableWebSecurity
class SecurityConfig {

        @Bean
        open fun filterChain(http: HttpSecurity): SecurityFilterChain {
            http{
                formLogin {}
                oneTimeTokenLogin {  }
            }
            return http.build()
        }
}

import org.springframework.mail.SimpleMailMessage;
import org.springframework.mail.javamail.JavaMailSender;

@Component (1)
class MagicLinkOneTimeTokenGenerationSuccessHandler(
    private val mailSender: MailSender,
    private val redirectHandler: OneTimeTokenGenerationSuccessHandler = RedirectOneTimeTokenGenerationSuccessHandler("/ott/sent")
) : OneTimeTokenGenerationSuccessHandler {

    override fun handle(request: HttpServletRequest, response: HttpServletResponse, oneTimeToken: OneTimeToken) {
        val builder = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
            .replacePath(request.contextPath)
            .replaceQuery(null)
            .fragment(null)
            .path("/login/ott")
            .queryParam("token", oneTimeToken.getTokenValue()) (2)
        val magicLink = builder.toUriString()
        val email = getUserEmail(oneTimeToken.getUsername()) (3)
        this.mailSender.send(email, "Your Spring Security One Time Token", "Use the following link to sign in into the application: $magicLink")(4)
        this.redirectHandler.handle(request, response, oneTimeToken) (5)
    }

    private fun getUserEmail(): String {
        // ...
    }
}

@Controller
class PageController {

    @GetMapping("/ott/sent")
    fun ottSent(): String {
        return "my-template"
    }
}

1	使`MagicLinkOneTimeTokenGenerationSuccessHandler`一个 Spring bean
2	使用`token`作为查询参数
3	根据用户名检索用户的电子邮件
4	使用`JavaMailSender`使用神奇链接将电子邮件发送给用户的 API
5	使用`RedirectOneTimeTokenGenerationSuccessHandler`执行重定向到所需 URL 的作

电子邮件内容将类似于：spring-doc.cadn.net.cn

使用以下链接登录应用程序：http://localhost:8080/login/ott?token=a830c444-29d8-4d98-9b46-6aba7b22fe5bspring-doc.cadn.net.cn

默认提交页面将检测到 URL 具有tokenquery 参数，并将自动使用 token 值填充 form 字段。spring-doc.cadn.net.cn

更改一次性令牌生成 URL

默认情况下，GenerateOneTimeTokenFilter倾听POST /ott/generate请求。可以使用generateTokenUrl(String)DSL 方法：spring-doc.cadn.net.cn

更改生成 URL

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) {
        http
            // ...
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin((ott) -> ott
                .generateTokenUrl("/ott/my-generate-url")
            );
        return http.build();
    }

}

@Component
public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
    // ...
}

@Configuration
@EnableWebSecurity
class SecurityConfig {

        @Bean
        open fun filterChain(http: HttpSecurity): SecurityFilterChain {
            http {
                //...
                formLogin { }
                oneTimeTokenLogin {
                    generateTokenUrl = "/ott/my-generate-url"
                }
            }
            return http.build()
        }
}

@Component
class MagicLinkOneTimeTokenGenerationSuccessHandler : OneTimeTokenGenerationSuccessHandler {
     // ...
}

更改默认提交页面 URL

默认的一次性令牌提交页面由DefaultOneTimeTokenSubmitPageGeneratingFilter并倾听GET /login/ott. URL 也可以更改，如下所示：spring-doc.cadn.net.cn

配置默认提交页面 URL

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) {
        http
            // ...
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin((ott) -> ott
                .submitPageUrl("/ott/submit")
            );
        return http.build();
    }

}

@Component
public class MagicLinkGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
    // ...
}

@Configuration
@EnableWebSecurity
class SecurityConfig {

        @Bean
        open fun filterChain(http: HttpSecurity): SecurityFilterChain {
            http {
                //...
                formLogin { }
                oneTimeTokenLogin {
                    submitPageUrl = "/ott/submit"
                }
            }
            return http.build()
        }
}

@Component
class MagicLinkOneTimeTokenGenerationSuccessHandler : OneTimeTokenGenerationSuccessHandler {
     // ...
}

禁用默认提交页面

如果您想使用自己的一次性令牌提交页面，您可以禁用默认页面，然后提供自己的终端节点。spring-doc.cadn.net.cn

禁用默认提交页面

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) {
        http
            .authorizeHttpRequests((authorize) -> authorize
                .requestMatchers("/my-ott-submit").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin((ott) -> ott
                .showDefaultSubmitPage(false)
            );
        return http.build();
    }

}

@Controller
public class MyController {

    @GetMapping("/my-ott-submit")
    public String ottSubmitPage() {
        return "my-ott-submit";
    }

}

@Component
public class OneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
    // ...
}

@Configuration
@EnableWebSecurity
class SecurityConfig {

   @Bean
   open fun filterChain(http: HttpSecurity): SecurityFilterChain {
            http {
                authorizeHttpRequests {
                    authorize("/my-ott-submit", authenticated)
                    authorize(anyRequest, authenticated)
                }
                formLogin { }
                oneTimeTokenLogin {
                    showDefaultSubmitPage = false
                }
            }
            return http.build()
    }
}

@Controller
class MyController {

   @GetMapping("/my-ott-submit")
   fun ottSubmitPage(): String {
       return "my-ott-submit"
   }
}

@Component
class MagicLinkOneTimeTokenGenerationSuccessHandler : OneTimeTokenGenerationSuccessHandler {
     // ...
}

自定义如何生成和使用一次性令牌

定义生成和消费一次性 Token 的常用作的接口是OneTimeTokenService. Spring Security 使用InMemoryOneTimeTokenService作为该接口的默认实现（如果未提供）。对于生产环境，请考虑使用JdbcOneTimeTokenService.spring-doc.cadn.net.cn

自定义OneTimeTokenService包括但不限于：spring-doc.cadn.net.cn

更改一次性令牌过期时间spring-doc.cadn.net.cn
存储来自 generate token 请求的更多信息spring-doc.cadn.net.cn
更改令牌值的创建方式spring-doc.cadn.net.cn
使用一次性令牌时的其他验证spring-doc.cadn.net.cn

有两个选项可用于自定义OneTimeTokenService. 一种选择是将其作为 bean 提供，这样它就可以被oneTimeTokenLogin()DSL：spring-doc.cadn.net.cn

将 OneTimeTokenService 作为 Bean 传递

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) {
        http
            // ...
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public OneTimeTokenService oneTimeTokenService() {
        return new MyCustomOneTimeTokenService();
    }

}

@Component
public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
    // ...
}

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            //...
            formLogin { }
            oneTimeTokenLogin { }
        }
        return http.build()
    }

    @Bean
    open fun oneTimeTokenService(): OneTimeTokenService {
        return MyCustomOneTimeTokenService()
    }
}

@Component
class MagicLinkOneTimeTokenGenerationSuccessHandler : OneTimeTokenGenerationSuccessHandler {
     // ...
}

第二个选项是将OneTimeTokenService实例添加到 DSL 中，这在有多个SecurityFilterChain和不同的OneTimeTokenService他们每个人都需要。spring-doc.cadn.net.cn

使用 DSL 传递 OneTimeTokenService

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) {
        http
            // ...
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin((ott) -> ott
                .oneTimeTokenService(new MyCustomOneTimeTokenService())
            );
        return http.build();
    }

}

@Component
public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
    // ...
}

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            //...
            formLogin { }
            oneTimeTokenLogin {
                oneTimeTokenService = MyCustomOneTimeTokenService()
            }
        }
        return http.build()
    }

}

@Component
class MagicLinkOneTimeTokenGenerationSuccessHandler : OneTimeTokenGenerationSuccessHandler {
     // ...
}

自定义 GenerateOneTimeTokenRequest 实例

出于多种原因，您可能希望调整 GenerateOneTimeTokenRequest。例如，您可能希望将 expiresIn 设置为 10 分钟，而 Spring Security 默认将其设置为 5 分钟。spring-doc.cadn.net.cn

您可以通过将 GenerateOneTimeTokenRequestResolver 发布为@Bean来自定义 GenerateOneTimeTokenRequest 的元素，如下所示：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Bean
GenerateOneTimeTokenRequestResolver generateOneTimeTokenRequestResolver() {
    DefaultGenerateOneTimeTokenRequestResolver delegate = new DefaultGenerateOneTimeTokenRequestResolver();
        return (request) -> {
		    GenerateOneTimeTokenRequest generate = delegate.resolve(request);
		    return new GenerateOneTimeTokenRequest(generate.getUsername(), Duration.ofSeconds(600));
	};
}

@Bean
fun generateRequestResolver() : GenerateOneTimeTokenRequestResolver {
    return DefaultGenerateOneTimeTokenRequestResolver().apply {
        this.setExpiresIn(Duration.ofMinutes(10))
    }
}