1. Overview
1.概述
In this tutorial, we’re going to implement Two Factor Authentication functionality with a Soft Token and Spring Security.
在本教程中,我们将通过软令牌和Spring Security实现双因素认证功能。
We’re going to be adding the new functionality into an existing, simple login flow and use the Google Authenticator app to generate the tokens.
我们将在现有的简单登录流程中添加新功能,并使用Google Authenticator 应用程序来生成令牌。
Simply put, two factor authentication is a verification process which follows the well known principle of “something the user knows and something the user has”.
简单地说,双因素认证是一个验证过程,它遵循众所周知的原则:”用户知道的东西和用户拥有的东西”。
And so, users provide an extra “verification token” during authentication – a one-time password verification code based on Time-based One-time Password TOTP algorithm.
于是,用户在认证过程中提供一个额外的 “验证令牌”–基于基于时间的一次性密码TOTP算法的一次性密码验证码。
2. Maven Configuration
2.Maven配置
First, in order to use Google Authenticator in our app we need to:
首先,为了在我们的应用程序中使用谷歌认证器,我们需要。
- Generate secret key
- Provide secret key to the user via QR-code
- Verify token entered by the user using this secret key.
We will use a simple server-side library to generate/verify one-time password by adding the following dependency to our pom.xml:
我们将使用一个简单的服务器端库,通过在我们的pom.xml中添加以下依赖项来生成/验证一次性密码。
<dependency>
<groupId>org.jboss.aerogear</groupId>
<artifactId>aerogear-otp-java</artifactId>
<version>1.0.0</version>
</dependency>3. User Entity
3.用户实体
Next, we will modify our user entity to hold extra information – as follows:
接下来,我们将修改我们的用户实体,以容纳额外的信息–如下所示。
@Entity
public class User {
...
private boolean isUsing2FA;
private String secret;
public User() {
super();
this.secret = Base32.random();
...
}
}Note that:
请注意,。
- We save a random secret code for each user to be used later in generating verification code
- Our 2-step verification is optional
4. Extra Login Parameter
4.额外的登录参数
First, we will need to adjust our security configuration to accept extra parameter – verification token. We can accomplish that by using custom AuthenticationDetailsSource:
首先,我们需要调整我们的安全配置以接受额外的参数–验证令牌。我们可以通过使用自定义的AuthenticationDetailsSource来实现。
Here is our CustomWebAuthenticationDetailsSource:
这里是我们的CustomWebAuthenticationDetailsSource。
@Component
public class CustomWebAuthenticationDetailsSource implements
AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> {
@Override
public WebAuthenticationDetails buildDetails(HttpServletRequest context) {
return new CustomWebAuthenticationDetails(context);
}
}and here is CustomWebAuthenticationDetails:
而这里是CustomWebAuthenticationDetails。
public class CustomWebAuthenticationDetails extends WebAuthenticationDetails {
private String verificationCode;
public CustomWebAuthenticationDetails(HttpServletRequest request) {
super(request);
verificationCode = request.getParameter("code");
}
public String getVerificationCode() {
return verificationCode;
}
}And our security configuration:
还有我们的安全配置。
@Configuration
@EnableWebSecurity
public class LssSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomWebAuthenticationDetailsSource authenticationDetailsSource;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin()
.authenticationDetailsSource(authenticationDetailsSource)
...
}
}And finally add the extra parameter to our login form:
最后将额外的参数添加到我们的登录表格中。
<labelth:text="#{label.form.login2fa}">
Google Authenticator Verification Code
</label>
<input type='text' name='code'/>Note: We need to set our custom AuthenticationDetailsSource in our security configuration.
注意:我们需要在安全配置中设置我们的自定义AuthenticationDetailsSource。
5. Custom Authentication Provider
5.自定义认证提供者
Next, we’ll need a custom AuthenticationProvider to handle extra parameter validation:
接下来,我们将需要一个自定义的AuthenticationProvider来处理额外的参数验证。
public class CustomAuthenticationProvider extends DaoAuthenticationProvider {
@Autowired
private UserRepository userRepository;
@Override
public Authentication authenticate(Authentication auth)
throws AuthenticationException {
String verificationCode
= ((CustomWebAuthenticationDetails) auth.getDetails())
.getVerificationCode();
User user = userRepository.findByEmail(auth.getName());
if ((user == null)) {
throw new BadCredentialsException("Invalid username or password");
}
if (user.isUsing2FA()) {
Totp totp = new Totp(user.getSecret());
if (!isValidLong(verificationCode) || !totp.verify(verificationCode)) {
throw new BadCredentialsException("Invalid verfication code");
}
}
Authentication result = super.authenticate(auth);
return new UsernamePasswordAuthenticationToken(
user, result.getCredentials(), result.getAuthorities());
}
private boolean isValidLong(String code) {
try {
Long.parseLong(code);
} catch (NumberFormatException e) {
return false;
}
return true;
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}Note that – after we verified the one-time-password verification code, we simply delegated authentication downstream.
请注意–在我们验证了一次性密码验证码后,我们只是将认证委托给下游。
Here is our Authentication Provider bean
这里是我们的认证提供者Bean
@Bean
public DaoAuthenticationProvider authProvider() {
CustomAuthenticationProvider authProvider = new CustomAuthenticationProvider();
authProvider.setUserDetailsService(userDetailsService);
authProvider.setPasswordEncoder(encoder());
return authProvider;
}6. Registration Process
6.注册程序
Now, in order for users to be able to use the application to generate the tokens, they’ll need to set things up properly when they register.
现在,为了让用户能够使用该应用程序生成令牌,他们需要在注册时进行适当设置。
And so, we’ll need to do few simple modifications to the registration process – to allow users who have chosen to use 2-step verification to scan the QR-code they need to login later.
因此,我们需要对注册过程做一些简单的修改–允许选择使用两步验证的用户扫描他们以后需要登录的QR码。
First, we add this simple input to our registration form:
首先,我们将这个简单的输入添加到我们的注册表格中。
Use Two step verification <input type="checkbox" name="using2FA" value="true"/>Then, in our RegistrationController – we redirect users based on their choices after confirming registration:
然后,在我们的RegistrationController中 – 我们在确认注册后根据用户的选择重定向。
@GetMapping("/registrationConfirm")
public String confirmRegistration(@RequestParam("token") String token, ...) {
String result = userService.validateVerificationToken(token);
if(result.equals("valid")) {
User user = userService.getUser(token);
if (user.isUsing2FA()) {
model.addAttribute("qr", userService.generateQRUrl(user));
return "redirect:/qrcode.html?lang=" + locale.getLanguage();
}
model.addAttribute(
"message", messages.getMessage("message.accountVerified", null, locale));
return "redirect:/login?lang=" + locale.getLanguage();
}
...
}And here is our method generateQRUrl():
这里是我们的方法generateQRUrl()。
public static String QR_PREFIX =
"https://chart.googleapis.com/chart?chs=200x200&chld=M%%7C0&cht=qr&chl=";
@Override
public String generateQRUrl(User user) {
return QR_PREFIX + URLEncoder.encode(String.format(
"otpauth://totp/%s:%s?secret=%s&issuer=%s",
APP_NAME, user.getEmail(), user.getSecret(), APP_NAME),
"UTF-8");
}And here is our qrcode.html:
这里是我们的qrcode.html。
<html>
<body>
<div id="qr">
<p>
Scan this Barcode using Google Authenticator app on your phone
to use it later in login
</p>
<img th:src="${param.qr[0]}"/>
</div>
<a href="/login" class="btn btn-primary">Go to login page</a>
</body>
</html>Note that:
请注意,。
- generateQRUrl() method is used to generate QR-code URL
- This QR-code will be scanned by users mobile phones using Google Authenticator app
- The app will generate a 6-digit code that is valid for only 30 seconds which is desired verification code
- This verification code will be verified while login using our custom AuthenticationProvider
7. Enable Two Step Verification
7.启用两步验证
Next, we will make sure that users can change their login preferences at any time – as follows:
接下来,我们将确保用户可以在任何时候改变他们的登录偏好–如下所示。
@PostMapping("/user/update/2fa")
public GenericResponse modifyUser2FA(@RequestParam("use2FA") boolean use2FA)
throws UnsupportedEncodingException {
User user = userService.updateUser2FA(use2FA);
if (use2FA) {
return new GenericResponse(userService.generateQRUrl(user));
}
return null;
}And here is updateUser2FA():
这里是updateUser2FA()。
@Override
public User updateUser2FA(boolean use2FA) {
Authentication curAuth = SecurityContextHolder.getContext().getAuthentication();
User currentUser = (User) curAuth.getPrincipal();
currentUser.setUsing2FA(use2FA);
currentUser = repository.save(currentUser);
Authentication auth = new UsernamePasswordAuthenticationToken(
currentUser, currentUser.getPassword(), curAuth.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(auth);
return currentUser;
}And here is the front-end:
而这里是前端。
<div th:if="${#authentication.principal.using2FA}">
You are using Two-step authentication
<a href="#" onclick="disable2FA()">Disable 2FA</a>
</div>
<div th:if="${! #authentication.principal.using2FA}">
You are not using Two-step authentication
<a href="#" onclick="enable2FA()">Enable 2FA</a>
</div>
<br/>
<div id="qr" style="display:none;">
<p>Scan this Barcode using Google Authenticator app on your phone </p>
</div>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<script type="text/javascript">
function enable2FA(){
set2FA(true);
}
function disable2FA(){
set2FA(false);
}
function set2FA(use2FA){
$.post( "/user/update/2fa", { use2FA: use2FA } , function( data ) {
if(use2FA){
$("#qr").append('<img src="'+data.message+'" />').show();
}else{
window.location.reload();
}
});
}
</script>8. Conclusion
8.结论
In this quick tutorial, we illustrated how to do a two-factor authentication implementation using a Soft Token with Spring Security.
在这个快速教程中,我们说明了如何使用Spring Security的软令牌进行双因素认证的实现。
The full source code can be found – as always – over on GitHub.
完整的源代码可以一如既往地在GitHub上找到–超过。