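Login verification with Shiro and Kaptcha

A CAPTCHA exists to tell humans from machines and to keep automated clients from hammering a system in a person's place. Against the vast sea of human solvers available in China, a CAPTCHA is no obstacle at all. Still, unless a system is especially popular, nobody is going to hire that sea of people to solve its CAPTCHAs by hand, so our system still needs a CAPTCHA mechanism. The Java web world already has many CAPTCHA implementations: some are large and complex, some are no longer maintained, and some produce images that even a human cannot read... The ones that fit best are JCaptcha and Kaptcha.

Using a CAPTCHA library is simple: a dedicated servlet generates the image and stores the image's text in the session, and the servlet that handles the request then checks the user's input against that stored value. There are usually plenty of configuration options, and because generating the image takes time, they need to be set with care.

Using Kaptcha with Shiro login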

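1. web.xml

    <!-- The servlet name is arbitrary (assumed here); the URL matches the
         /kaptcha.jpg entry in the Shiro configuration in step d. -->
    <servlet>
        <servlet-name>kaptcha</servlet-name>
        <servlet-class>com.google.code.kaptcha.servlet.KaptchaServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>kaptcha</servlet-name>
        <url-pattern>/kaptcha.jpg</url-pattern>
    </servlet-mapping>

2. Login JSP

    <%@ page import="org.apache.shiro.web.filter.authc.FormAuthenticationFilter" %>
    <%
        // Shiro stores the class name of the failing exception under this request attribute.
        String error = (String) request.getAttribute(FormAuthenticationFilter.DEFAULT_ERROR_KEY_ATTRIBUTE_NAME);
        if (error != null) {
            if (error.contains("IncorrectCaptchaException")) {
                out.print("用户输入验证码错误."); // "The captcha you entered is wrong."
            } else {
                out.print("登录失败,请重试."); // "Login failed, please try again."
            }
        }
    %>
    <%-- The field markup is assumed: the names follow Shiro's default parameter names
         and the filter's captchaParam ("kaptcha"). method="post" is needed because
         Shiro only treats a POST to the login URL as a login submission. --%>
    <form action="" method="post">
        Username: <input type="text" name="username"/> <br/>
        Password: <input type="password" name="password"/> <br/>
        Captcha: <input type="text" name="kaptcha"/>
        <img src="${pageContext.request.contextPath}/kaptcha.jpg"/> <br/>
        <input type="submit" value="Login"/>
    </form>

3. Shiro login filter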

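a. Extend the login UsernamePasswordToken and add a kaptcha field

    import org.apache.shiro.authc.UsernamePasswordToken;

    // Username/password token that also carries the captcha text the user typed.
    public class CaptchaAuthenticationToken extends UsernamePasswordToken {

        private String kaptcha;

        public CaptchaAuthenticationToken() {
        }

        public CaptchaAuthenticationToken(String username, String password,
                boolean rememberMe, String host, String captcha) {
            super(username, password, rememberMe, host);
            this.kaptcha = captcha;
        }

        public void setKaptcha(String kaptcha) {
            this.kaptcha = kaptcha;
        }

        public String getKaptcha() {
            return this.kaptcha;
        }
    }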

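b. Extend FormAuthenticationFilter to check the captcha the user entered

    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;

    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
    import org.apache.shiro.web.util.WebUtils;

    // The class name is not shown on the page; CaptchaFormAuthenticationFilter is assumed.
    // ShiroConstant and StringUtil are the project's own helper classes.
    public class CaptchaFormAuthenticationFilter extends FormAuthenticationFilter {

        // Name of the request parameter that carries the captcha text.
        private String captchaParam = "kaptcha";

        public String getCaptchaParam() {
            return captchaParam;
        }

        protected String getCaptcha(ServletRequest request) {
            return WebUtils.getCleanParam(request, getCaptchaParam());
        }

        // Covariant return type, so executeLogin can use the token without a cast.
        @Override
        protected CaptchaAuthenticationToken createToken(ServletRequest request,
                ServletResponse response) {
            String username = getUsername(request);
            String password = getPassword(request);
            String captcha = getCaptcha(request);
            boolean rememberMe = isRememberMe(request);
            String host = getHost(request);
            return new CaptchaAuthenticationToken(username, password, rememberMe,
                    host, captcha);
        }

        // Compare the submitted captcha with the text the captcha servlet stored in the session.
        protected void doCaptchaValidate(HttpServletRequest request, CaptchaAuthenticationToken token) {
            String captcha = (String) request.getSession().getAttribute(ShiroConstant.CAPTCHA_SESSION_KEY);
            if (StringUtil.isEmpty(token.getKaptcha()) || !token.getKaptcha().equalsIgnoreCase(captcha)) {
                throw new IncorrectCaptchaException("验证码错误!"); // "Wrong captcha!"
            }
        }

        /*
        protected void setFailureAttribute(ServletRequest request, AuthenticationException ae) {
            String className = ae.getClass().getName();
            request.setAttribute(getFailureKeyAttribute(), className);
        }
        */

        // Check the captcha first; only a correct captcha reaches subject.login().
        @Override
        protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
            CaptchaAuthenticationToken token = createToken(request, response);
            try {
                doCaptchaValidate((HttpServletRequest) request, token);
                Subject subject = getSubject(request, response);
                subject.login(token);
                return onLoginSuccess(token, subject, request, response);
            } catch (AuthenticationException e) {
                return onLoginFailure(token, e, request, response);
            }
        }
    }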

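c. Add IncorrectCaptchaException

    import org.apache.shiro.authc.AuthenticationException;

    // Raised by the login filter when the submitted captcha does not match the session value.
    // It extends AuthenticationException so that onLoginFailure handles it like any other login failure.
    public class IncorrectCaptchaException extends AuthenticationException {

        public IncorrectCaptchaException() {
            super();
        }

        public IncorrectCaptchaException(String message, Throwable cause) {
            super(message, cause);
        }

        public IncorrectCaptchaException(String message) {
            super(message);
        }

        public IncorrectCaptchaException(Throwable cause) {
            super(cause);
        }
    }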

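d. Edit the Shiro configuration file so that /kaptcha.jpg can be accessed anonymously. For the captcha check to run, the authc filter name must be bound to the filter from step b; otherwise Shiro's stock FormAuthenticationFilter handles /login.

    <property name="filterChainDefinitions">
        <value>
            /kaptcha.jpg = anon
            /styles/** = anon
            /login = authc
            /logout = logout
            /** = user
        </value>
    </property>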
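An added example, not code from the original post: the check in step b reads the expected text from the session but leaves it there, so one solved image stays valid for later login attempts in the same session until the image is requested again. The sketch below puts that check next to a one-time variant; it assumes a plain Map in place of HttpSession and a hypothetical key name so that it runs without a servlet container.

```java
import java.util.HashMap;
import java.util.Map;

// Added example: a Map stands in for HttpSession.
public class OneTimeCaptchaCheck {
    // Hypothetical key name; use the key your captcha servlet actually stores its text under.
    static final String CAPTCHA_KEY = "CAPTCHA_SESSION_KEY";

    // Same logic as doCaptchaValidate in step b: the stored text survives the check.
    static boolean reusableCheck(Map<String, Object> session, String submitted) {
        String expected = (String) session.get(CAPTCHA_KEY);
        return submitted != null && !submitted.isEmpty()
                && submitted.equalsIgnoreCase(expected);
    }

    // One-time variant: remove the stored text before comparing, so each value is
    // consumed by the first attempt whether that attempt passes or fails.
    static boolean oneTimeCheck(Map<String, Object> session, String submitted) {
        String expected = (String) session.remove(CAPTCHA_KEY);
        return expected != null && submitted != null && !submitted.isEmpty()
                && submitted.equalsIgnoreCase(expected);
    }

    public static void main(String[] args) {
        // Constructed sample: the image servlet has stored "x7k2p" for this session.
        Map<String, Object> first = new HashMap<>();
        first.put(CAPTCHA_KEY, "x7k2p");
        System.out.println("reusable, attempt 1: " + reusableCheck(first, "X7K2P"));
        // Same answer again, no new image requested in between.
        System.out.println("reusable, attempt 2: " + reusableCheck(first, "X7K2P"));

        Map<String, Object> second = new HashMap<>();
        second.put(CAPTCHA_KEY, "x7k2p");
        System.out.println("one-time, attempt 1: " + oneTimeCheck(second, "X7K2P"));
        System.out.println("one-time, attempt 2: " + oneTimeCheck(second, "X7K2P"));

        // A session with no stored captcha must never validate.
        System.out.println("one-time, no captcha issued: " + oneTimeCheck(new HashMap<>(), ""));
    }
}
```

In the filter from step b, the same effect comes from calling removeAttribute on the session key inside doCaptchaValidate before the comparison.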
