在 Spring Security 中集成多数据源和验证码登录需要结合自定义认证逻辑和过滤器链扩展。以下是完整实现方案及代码示例:
一、多数据源认证配置
1. 定义两个数据源的 UserDetailsService
// 数据源1:数据库用户
@Service("db1UserDetailsService")
public class DB1UserDetailsService implements UserDetailsService {@Autowiredprivate UserRepositoryDB1 userRepoDB1;@Overridepublic UserDetails loadUserByUsername(String username) {UserDB1 user = userRepoDB1.findByUsername(username);return new CustomUserDetails(user.getUsername(), user.getPassword(), "DB1_ROLE");}
}// 数据源2:外部API用户
@Service("db2UserDetailsService")
public class DB2UserDetailsService implements UserDetailsService {@Autowiredprivate ApiUserClient apiUserClient;@Overridepublic UserDetails loadUserByUsername(String username) {UserApi user = apiUserClient.fetchUser(username);return new CustomUserDetails(user.getUsername(), user.getPassword(), "DB2_ROLE");}
}
2. 自定义 AuthenticationProvider 选择数据源
public class MultiSourceAuthProvider implements AuthenticationProvider {@Autowired@Qualifier("db1UserDetailsService")private UserDetailsService db1Service;@Autowired@Qualifier("db2UserDetailsService")private UserDetailsService db2Service;@Autowiredprivate PasswordEncoder passwordEncoder;@Overridepublic Authentication authenticate(Authentication auth) throws AuthenticationException {String username = auth.getName();// 根据用户名前缀选择数据源(如 "db1:user")UserDetails userDetails = null;if (username.startsWith("db1:")) {userDetails = db1Service.loadUserByUsername(username.substring(4));} else if (username.startsWith("db2:")) {userDetails = db2Service.loadUserByUsername(username.substring(4));} else {throw new BadCredentialsException("Invalid username prefix");}// 验证密码if (passwordEncoder.matches((String) auth.getCredentials(), userDetails.getPassword())) {return new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());} else {throw new BadCredentialsException("Password mismatch");}}@Overridepublic boolean supports(Class<?> authentication) {return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);}
}
3. 注册 AuthenticationProvider
@Configuration
@EnableWebSecurity
public class SecurityConfig {@Beanpublic SecurityFilterChain filterChain(HttpSecurity http) throws Exception {http.authorizeRequests(auth -> auth.anyRequest().authenticated()).formLogin(form -> form.loginPage("/login").defaultSuccessUrl("/home"));return http.build();}@Beanpublic AuthenticationProvider multiSourceAuthProvider() {return new MultiSourceAuthProvider();}@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}
}
二、验证码集成
1. 生成验证码(使用 Kaptcha 库)
<!-- pom.xml 添加依赖 -->
<dependency><groupId>com.github.penggle</groupId><artifactId>kaptcha</artifactId><version>2.3.2</version>
</dependency>
@Configuration
public class CaptchaConfig {@Beanpublic Producer captchaProducer() {Properties props = new Properties();props.setProperty("kaptcha.textproducer.char.length", "4");props.setProperty("kaptcha.image.width", "120");DefaultKaptcha kaptcha = new DefaultKaptcha();kaptcha.setConfig(new Config(props));return kaptcha;}
}
2. 验证码接口与缓存
@RestController
public class CaptchaController {@Autowiredprivate Producer captchaProducer;@Autowiredprivate RedisTemplate<String, String> redisTemplate;@GetMapping("/captcha")public void generateCaptcha(HttpServletRequest request, HttpServletResponse response) throws IOException {String code = captchaProducer.createText();String sessionId = request.getSession().getId();// 存储到 Redis(过期时间 2 分钟)redisTemplate.opsForValue().set("captcha:" + sessionId, code, 2, TimeUnit.MINUTES);response.setContentType("image/jpeg");BufferedImage image = captchaProducer.createImage(code);ImageIO.write(image, "jpg", response.getOutputStream());}
}
3. 自定义验证码过滤器
public class CaptchaFilter extends OncePerRequestFilter {@Autowiredprivate RedisTemplate<String, String> redisTemplate;@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {if ("/login".equals(request.getRequestURI()) && "POST".equalsIgnoreCase(request.getMethod())) {String sessionId = request.getSession().getId();String captchaCode = redisTemplate.opsForValue().get("captcha:" + sessionId);String userInput = request.getParameter("captcha");if (userInput == null || !userInput.equalsIgnoreCase(captchaCode)) {throw new AuthenticationServiceException("验证码错误");}}chain.doFilter(request, response);}
}
4. 将过滤器插入到 Spring Security 链中
@Configuration
@EnableWebSecurity
public class SecurityConfig {@Beanpublic SecurityFilterChain filterChain(HttpSecurity http) throws Exception {http.addFilterBefore(new CaptchaFilter(), UsernamePasswordAuthenticationFilter.class) // 插入验证码过滤器// 其他配置...return http.build();}
}
三、前端集成示例
<!-- login.html -->
<form action="/login" method="post"><input type="text" name="username" placeholder="用户名"><input type="password" name="password" placeholder="密码"><input type="text" name="captcha" placeholder="验证码"><img src="/captcha" onclick="this.src='/captcha?t='+new Date().getTime()"><button>登录</button>
</form>
四、关键配置总结
| 功能 | 实现方式 |
|---|---|
| 多数据源选择 | 自定义 AuthenticationProvider,根据用户名前缀选择 UserDetailsService |
| 验证码生成 | 使用 Kaptcha 生成图片,存储到 Redis |
| 验证码校验 | 自定义过滤器拦截 /login 请求,比对输入值与 Redis 缓存 |
| 密码加密 | 统一使用 BCryptPasswordEncoder |
五、扩展优化建议
- 动态数据源路由:通过注解或配置文件动态添加更多数据源。
- 验证码类型:支持短信验证码或邮件验证码。
- 限流防护:对验证码接口添加限流(如使用
Resilience4j)。 - 分布式 Session:使用 Spring Session + Redis 解决集群环境 Session 共享问题。
通过以上方案,可灵活扩展 Spring Security 的认证能力,满足复杂业务场景需求。
