在當今的數位環境中,提供安全且使用者友好的身份驗證方法至關重要。一種越來越流行的方法是一次性令牌 (OTT) 身份驗證,通常以透過電子郵件發送的「魔術連結」的形式實現。 Spring Security 6.4.0 為 OTT 身份驗證提供強大的內建支持,包括即用型實現。在這份綜合指南中,我們將探討如何使用內建解決方案和自訂實作來實現安全的 OTT 身份驗證。
在深入實施之前,了解一次性令牌 (OTT) 與一次性密碼 (OTP) 的差異非常重要。雖然 OTP 系統通常需要初始設定並依賴外部工具來產生密碼,但從使用者角度來看,OTT 系統更簡單 - 它們會收到可用於身份驗證的唯一令牌(通常透過電子郵件)。
主要差異包括:
Spring Security 提供了 OneTimeTokenService 的兩種實作:
InMemoryOneTimeTokenService:
JdbcOneTimeTokenService:
以下是如何實現更簡單的記憶體解決方案:
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/login/**", "/ott/**").permitAll()
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults())
.oneTimeTokenLogin(Customizer.withDefaults()); // Uses InMemoryOneTimeTokenService by default
return http.build();
}
}
對於生產環境,使用 JDBC 實作:
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Autowired
JdbcTemplate jdbcTemplate;
@Bean
public OneTimeTokenService oneTimeTokenService() {
return new JdbcOneTimeTokenService(jdbcTemplate);
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/login/**", "/ott/**").permitAll()
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults())
.oneTimeTokenLogin(Customizer.withDefaults());
return http.build();
}
}
JdbcOneTimeTokenService 所需的表格結構:
CREATE TABLE one_time_tokens (
token_value VARCHAR(255) PRIMARY KEY,
username VARCHAR(255) NOT NULL,
issued_at TIMESTAMP NOT NULL,
expires_at TIMESTAMP NOT NULL,
used BOOLEAN NOT NULL
);
為了更好地控制令牌產生和驗證過程,您可以建立自訂實作:
@Entity
@Table(name = "one_time_tokens")
public class OneTimeToken {
@Id
@GeneratedValue
private Long id;
private String tokenValue;
private String username;
private LocalDateTime createdAt;
private LocalDateTime expiresAt;
private boolean used;
// Getters and setters omitted for brevity
}
@Repository
public interface OneTimeTokenRepository extends JpaRepository<OneTimeToken, Long> {
Optional<OneTimeToken> findByTokenValueAndUsedFalse(String tokenValue);
void deleteByExpiresAtBefore(LocalDateTime dateTime);
}
@Service
@Transactional
public class PersistentOneTimeTokenService implements OneTimeTokenService {
private static final int TOKEN_VALIDITY_MINUTES = 15;
@Autowired
private OneTimeTokenRepository tokenRepository;
@Override
public OneTimeToken generate(GenerateOneTimeTokenRequest request) {
String tokenValue = UUID.randomUUID().toString();
LocalDateTime now = LocalDateTime.now();
OneTimeToken token = new OneTimeToken();
token.setTokenValue(tokenValue);
token.setUsername(request.getUsername());
token.setCreatedAt(now);
token.setExpiresAt(now.plusMinutes(TOKEN_VALIDITY_MINUTES));
token.setUsed(false);
return return new DefaultOneTimeToken(token.getTokenValue(),token.getUsername(), Instant.now());
}
@Override
public Authentication consume(ConsumeOneTimeTokenRequest request) {
OneTimeToken token = tokenRepository.findByTokenValueAndUsedFalse(request.getTokenValue())
.orElseThrow(() -> new BadCredentialsException("Invalid or expired token"));
if (token.getExpiresAt().isBefore(LocalDateTime.now())) {
throw new BadCredentialsException("Token has expired");
}
token.setUsed(true);
tokenRepository.save(token);
UserDetails userDetails = loadUserByUsername(token.getUsername());
return new UsernamePasswordAuthenticationToken(
userDetails, null, userDetails.getAuthorities());
}
}
Spring Security 不處理令牌傳遞,因此您需要實現它:
@Component
public class EmailMagicLinkHandler implements OneTimeTokenGenerationSuccessHandler {
@Autowired
private JavaMailSender mailSender;
private final OneTimeTokenGenerationSuccessHandler redirectHandler =
new RedirectOneTimeTokenGenerationSuccessHandler("/ott/check-email");
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
OneTimeToken token) throws IOException, ServletException {
String magicLink = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
.replacePath(request.getContextPath())
.replaceQuery(null)
.fragment(null)
.path("/login/ott")
.queryParam("token", token.getTokenValue())
.toUriString();
SimpleMailMessage message = new SimpleMailMessage();
message.setTo(getUserEmail(token.getUsername()));
message.setSubject("Your Sign-in Link");
message.setText("Click here to sign in: " + magicLink);
mailSender.send(message);
redirectHandler.handle(request, response, token);
}
}
Spring Security 提供了多種自訂選項:
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/login/**", "/ott/**").permitAll()
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults())
.oneTimeTokenLogin(Customizer.withDefaults()); // Uses InMemoryOneTimeTokenService by default
return http.build();
}
}
在生產中部署 OTT 驗證時:
選出正確的實作
設定電子郵件傳送
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Autowired
JdbcTemplate jdbcTemplate;
@Bean
public OneTimeTokenService oneTimeTokenService() {
return new JdbcOneTimeTokenService(jdbcTemplate);
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/login/**", "/ott/**").permitAll()
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults())
.oneTimeTokenLogin(Customizer.withDefaults());
return http.build();
}
}
Spring Security 的 OTT 支援為實現安全、用戶友好的身份驗證提供了堅實的基礎。無論您選擇內建實作還是建立自訂解決方案,您都可以為使用者提供無密碼登入選項,同時保持高安全標準。
實作 OTT 驗證時,請記住:
透過遵循本指南,您可以實現安全且使用者友好的 OTT 身份驗證系統,滿足您的應用程式的需求,同時利用 Spring Security 強大的安全功能。
參考:https://docs.spring.io/spring-security/reference/servlet/authentication/onetimetoken.html
以上是使用 Spring Security 實現一次性令牌身份驗證的詳細內容。更多資訊請關注PHP中文網其他相關文章!
