一次性Tokens登录
Spring Security 通过oneTimeTokenLogin()DSL 的。
在深入了解实施细节之前,重要的是要澄清框架内 OTT 功能的范围,突出显示支持的内容和不支持的内容。
了解一次性Tokens与一次性密码
将一次性Tokens (OTT) 与一次性密码 (OTP) 混淆是很常见的,但在 Spring Security 中,这些概念在几个关键方面有所不同。 为清楚起见,我们假设 OTP 指的是 TOTP(基于时间的一次性密码)或 HOTP(基于 HMAC 的一次性密码)。
Tokens交付
-
OTT:通常是自定义
OneTimeTokenGenerationSuccessHandler必须实现,负责将Tokens交付给最终用户。 -
OTP:Tokens通常由外部工具生成,因此无需通过应用程序将其发送给用户。
Tokens生成
-
OTT:这
OneTimeTokenService.generate(GenerateOneTimeTokenRequest)方法需要一个OneTimeToken返回,强调服务器端生成。 -
OTP:Tokens不一定在服务器端生成,通常由客户端使用共享密钥创建。
总之,一次性Tokens (OTT) 提供了一种无需额外帐户设置即可对用户进行身份验证的方法,这使其与一次性密码 (OTP) 区分开来,一次性密码 (OTP) 通常涉及更复杂的设置过程并依赖外部工具来生成Tokens。
一次性Tokens登录分为两个主要步骤。
-
用户通过提交他们的用户标识符(通常是用户名)来请求Tokens,Tokens通常以 Magic Link 的形式通过电子邮件、短信等方式发送给他们。
-
用户将Tokens提交到一次性Tokens登录终结点,如果有效,则用户将登录。
在以下部分中,我们将探讨如何根据您的需求配置 OTT 登录。
默认登录页面和默认一次性Tokens提交页面
当oneTimeTokenLogin()使用DSL,默认情况下,一次性Tokens登录页面由org.springframework.security.web.authentication.ui:DefaultLoginPageGeneratingFilter[]自动生成。
DSL 还将设置DefaultOneTimeTokenSubmitPageGeneratingFilter以生成默认的一次性Tokens提交页面。
将Tokens发送给用户
Spring Security 无法合理地确定将Tokens交付给用户的方式。
因此,一个习俗OneTimeTokenGenerationSuccessHandler必须提供才能根据您的需要将Tokens交付给用户。
最常见的交付策略之一是通过电子邮件、短信等方式的 Magic Link。
在下面的示例中,我们将创建一个魔术链接并将其发送到用户的电子邮件。
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http
// ...
.formLogin(Customizer.withDefaults())
.oneTimeTokenLogin(Customizer.withDefaults());
return http.build();
}
}
import org.springframework.mail.SimpleMailMessage;
import org.springframework.mail.javamail.JavaMailSender;
@Component (1)
public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
private final MailSender mailSender;
private final OneTimeTokenGenerationSuccessHandler redirectHandler = new RedirectOneTimeTokenGenerationSuccessHandler("/ott/sent");
// constructor omitted
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, OneTimeToken oneTimeToken) throws IOException, ServletException {
UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
.replacePath(request.getContextPath())
.replaceQuery(null)
.fragment(null)
.path("/login/ott")
.queryParam("token", oneTimeToken.getTokenValue()); (2)
String magicLink = builder.toUriString();
String email = getUserEmail(oneTimeToken.getUsername()); (3)
this.mailSender.send(email, "Your Spring Security One Time Token", "Use the following link to sign in into the application: " + magicLink); (4)
this.redirectHandler.handle(request, response, oneTimeToken); (5)
}
private String getUserEmail() {
// ...
}
}
@Controller
class PageController {
@GetMapping("/ott/sent")
String ottSent() {
return "my-template";
}
}@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http{
formLogin {}
oneTimeTokenLogin { }
}
return http.build()
}
}
import org.springframework.mail.SimpleMailMessage;
import org.springframework.mail.javamail.JavaMailSender;
@Component (1)
class MagicLinkOneTimeTokenGenerationSuccessHandler(
private val mailSender: MailSender,
private val redirectHandler: OneTimeTokenGenerationSuccessHandler = RedirectOneTimeTokenGenerationSuccessHandler("/ott/sent")
) : OneTimeTokenGenerationSuccessHandler {
override fun handle(request: HttpServletRequest, response: HttpServletResponse, oneTimeToken: OneTimeToken) {
val builder = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
.replacePath(request.contextPath)
.replaceQuery(null)
.fragment(null)
.path("/login/ott")
.queryParam("token", oneTimeToken.getTokenValue()) (2)
val magicLink = builder.toUriString()
val email = getUserEmail(oneTimeToken.getUsername()) (3)
this.mailSender.send(email, "Your Spring Security One Time Token", "Use the following link to sign in into the application: $magicLink")(4)
this.redirectHandler.handle(request, response, oneTimeToken) (5)
}
private fun getUserEmail(): String {
// ...
}
}
@Controller
class PageController {
@GetMapping("/ott/sent")
fun ottSent(): String {
return "my-template"
}
}| 1 | 使MagicLinkOneTimeTokenGenerationSuccessHandlera 春豆 |
| 2 | 使用token作为查询参数 |
| 3 | 根据用户名检索用户的电子邮件 |
| 4 | 使用JavaMailSenderAPI 用于向用户发送带有魔术链接的电子邮件 |
| 5 | 使用RedirectOneTimeTokenGenerationSuccessHandler以执行重定向到所需 URL |
电子邮件内容将类似于:
使用以下链接登录应用程序:http://localhost:8080/login/ott?token=a830c444-29d8-4d98-9b46-6aba7b22fe5b
默认提交页面将检测到 URL 具有tokenquery 参数,并自动用Tokens值填充表单字段。
更改一次性Tokens生成 URL
默认情况下,GenerateOneTimeTokenFilter听POST /ott/generate请求。
可以使用generateTokenUrl(String)DSL方法:
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http
// ...
.formLogin(Customizer.withDefaults())
.oneTimeTokenLogin((ott) -> ott
.generateTokenUrl("/ott/my-generate-url")
);
return http.build();
}
}
@Component
public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
// ...
}@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
//...
formLogin { }
oneTimeTokenLogin {
generateTokenUrl = "/ott/my-generate-url"
}
}
return http.build()
}
}
@Component
class MagicLinkOneTimeTokenGenerationSuccessHandler : OneTimeTokenGenerationSuccessHandler {
// ...
}更改默认提交页面 URL
默认的一次性Tokens提交页面由DefaultOneTimeTokenSubmitPageGeneratingFilter并倾听GET /login/ott.
URL 也可以更改,如下所示:
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http
// ...
.formLogin(Customizer.withDefaults())
.oneTimeTokenLogin((ott) -> ott
.submitPageUrl("/ott/submit")
);
return http.build();
}
}
@Component
public class MagicLinkGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
// ...
}@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
//...
formLogin { }
oneTimeTokenLogin {
submitPageUrl = "/ott/submit"
}
}
return http.build()
}
}
@Component
class MagicLinkOneTimeTokenGenerationSuccessHandler : OneTimeTokenGenerationSuccessHandler {
// ...
}禁用默认提交页面
如果要使用自己的一次性Tokens提交页面,可以禁用默认页面,然后提供自己的终结点。
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/my-ott-submit").permitAll()
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults())
.oneTimeTokenLogin((ott) -> ott
.showDefaultSubmitPage(false)
);
return http.build();
}
}
@Controller
public class MyController {
@GetMapping("/my-ott-submit")
public String ottSubmitPage() {
return "my-ott-submit";
}
}
@Component
public class OneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
// ...
}@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
authorize("/my-ott-submit", authenticated)
authorize(anyRequest, authenticated)
}
formLogin { }
oneTimeTokenLogin {
showDefaultSubmitPage = false
}
}
return http.build()
}
}
@Controller
class MyController {
@GetMapping("/my-ott-submit")
fun ottSubmitPage(): String {
return "my-ott-submit"
}
}
@Component
class MagicLinkOneTimeTokenGenerationSuccessHandler : OneTimeTokenGenerationSuccessHandler {
// ...
}自定义如何生成和使用一次性Tokens
定义用于生成和使用一次性Tokens的常见作的接口是OneTimeTokenService.
Spring Security 使用InMemoryOneTimeTokenService作为该接口的默认实现,如果未提供任何接口。
对于生产环境,请考虑使用JdbcOneTimeTokenService.
自定义OneTimeTokenService是但不限于:
-
更改一次性Tokens到期时间
-
存储来自生成Tokens请求的更多信息
-
更改Tokens值的创建方式
-
使用一次性Tokens时的额外验证
有两个选项可以自定义OneTimeTokenService. 一种选择是将其作为 bean 提供,这样它就可以被oneTimeTokenLogin()DSL:
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http
// ...
.formLogin(Customizer.withDefaults())
.oneTimeTokenLogin(Customizer.withDefaults());
return http.build();
}
@Bean
public OneTimeTokenService oneTimeTokenService() {
return new MyCustomOneTimeTokenService();
}
}
@Component
public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
// ...
}@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
//...
formLogin { }
oneTimeTokenLogin { }
}
return http.build()
}
@Bean
open fun oneTimeTokenService(): OneTimeTokenService {
return MyCustomOneTimeTokenService()
}
}
@Component
class MagicLinkOneTimeTokenGenerationSuccessHandler : OneTimeTokenGenerationSuccessHandler {
// ...
}第二种选择是传递OneTimeTokenService实例添加到 DSL,如果有多个SecurityFilterChain和不同的OneTimeTokenService他们每个人都需要。
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http
// ...
.formLogin(Customizer.withDefaults())
.oneTimeTokenLogin((ott) -> ott
.oneTimeTokenService(new MyCustomOneTimeTokenService())
);
return http.build();
}
}
@Component
public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
// ...
}@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
//...
formLogin { }
oneTimeTokenLogin {
oneTimeTokenService = MyCustomOneTimeTokenService()
}
}
return http.build()
}
}
@Component
class MagicLinkOneTimeTokenGenerationSuccessHandler : OneTimeTokenGenerationSuccessHandler {
// ...
}自定义 GenerateOneTimeTokenRequest 实例
您可能想要调整 GenerateOneTimeTokenRequest 的原因有很多。例如,您可能希望将 expiresIn 设置为 10 分钟,Spring Security 默认将其设置为 5 分钟。
您可以通过将 GenerateOneTimeTokenRequestResolver 发布为@Bean来自定义 GenerateOneTimeTokenRequest 的元素,如下所示:
-
Java
-
Kotlin
@Bean
GenerateOneTimeTokenRequestResolver generateOneTimeTokenRequestResolver() {
DefaultGenerateOneTimeTokenRequestResolver delegate = new DefaultGenerateOneTimeTokenRequestResolver();
return (request) -> {
GenerateOneTimeTokenRequest generate = delegate.resolve(request);
return new GenerateOneTimeTokenRequest(generate.getUsername(), Duration.ofSeconds(600));
};
}@Bean
fun generateRequestResolver() : GenerateOneTimeTokenRequestResolver {
return DefaultGenerateOneTimeTokenRequestResolver().apply {
this.setExpiresIn(Duration.ofMinutes(10))
}
}