背景
在用户登录或执行敏感操作时,我们引入了二次验证机制,以全面提升后台安全性。具体而言:
- 登录时的图形验证:通过图形验证码,有效防范恶意攻击和自动化脚本,确保初始登录的安全性。
- 针对海外用户的 TG 验证码二次验证:额外增加基于 Telegram 验证码的身份验证,进一步增强安全保障。
- 谷歌验证:谷歌验证器分为两种,一种是对敏感操作的认证,我们增加了注解进行强制验证,另外一种是行为检查式的验证,通常是半小时内必须输入一次验证的等式。
这种双重验证机制,不仅强化了登录行为的安全性,还为敏感操作提供了更加稳固的保护措施,实现了对系统安全的多层次防护,本章节只讲mfa的后台配置、行为校验拦截器和表结构。
常量
如下定义了两个常量,用来保存用户是否绑定google的标识,这两个值将保存在t_frame_user_ref表中,在下面的段落中将会介绍。
_GOOGLE_MFA_USER_SECRET_REF_FlAG_ATTR_NAME("GOOGLE_MFA_USER_SECRET_BIND_FLAG", "谷歌验证绑定标识", "system.mfa.google.secret.flag"),_GOOGLE_MFA_USER_SECRET_REF_ATTR_NAME("GOOGLE_MFA_USER_SECRET_KEY", "谷歌key", "system.mfa.google.secret.key"),
表结构
其中google的密钥要用aes加密处理。
CREATE TABLE `t_frame_user_ref` (`id` bigint NOT NULL AUTO_INCREMENT,`user_id` varchar(200) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci NOT NULL,`attribute_name` varchar(50) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci NOT NULL,`attribute_value` varchar(200) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL,`create_by` varchar(50) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL,`create_date` datetime DEFAULT NULL,`update_by` varchar(50) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL,`update_date` datetime DEFAULT NULL,`remark` varchar(255) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL,PRIMARY KEY (`user_id`,`attribute_name`) USING BTREE,KEY `ak_kid` (`id`) USING BTREE
) ENGINE=InnoDB AUTO_INCREMENT=40 DEFAULT CHARSET=utf8mb3;
API类
里面的代码太多了,这里就只贴出一部分,详细代码请参考GitCode - 全球开发者的开源社区,开源代码托管平台GitCode是面向全球开发者的开源社区,包括原创博客,开源代码托管,代码协作,项目管理等。与开发者社区互动,提升您的研发效率和质量。https://gitcode.com/YouYouLongLong/springcloud-framework/blob/master/springcloud-tester/com.longyou.commservice/src/main/java/com/longyou/comm/conntroller/UserMfaController.java
@RestController
@RequestMapping("/user/mfa")
@SystemResource(path = "/common/user/mfa")
@Api(value = "UserMfaController", tags = "双因子验证API")
@Slf4j
public class UserMfaController {@Autowiredprivate FrameUserRefService frameUserRefService;@Value("${system.mfa.expired-time:1800}")private Long expiredTime;/*** 校验谷歌验证码是否已经绑定** @return* @throws Exception*/@ApiOperation("校验谷歌验证码是否已经绑定")@GetMapping("/checkUserGoogleSecretBindStatus")@SystemResource
// @AuthLog(bizType = "framework", desc = "校验谷歌验证码是否已经绑定", operateLogType = OperateLogType.LOG_TYPE_FRONTEND)public CommonApiResult<Map<String, Object>> checkUserGoogleSecretBindStatus() throws Exception {LoginUserDetails loginUserDetails = RequestContextManager.single().getRequestContext().getUser();CommonApiResult<Map<String, Object>> responseResult = CommonApiResult.createSuccessResult();FrameUserRefVO frameUserRefVO = frameUserRefService.getUserRefByAttributeName(loginUserDetails.getId(),_GOOGLE_MFA_USER_SECRET_REF_FlAG_ATTR_NAME.value());final Map<String, Object> returnData = new LinkedHashMap<>();if (frameUserRefVO != null && "true".equals(frameUserRefVO.getAttributeValue())) {returnData.put(_GOOGLE_MFA_USER_SECRET_REF_FlAG_ATTR_NAME.value(), true);} else {String googleSecretEnc = GoogleAuthenticatorUtil.single().getCurrentUserVerifyKey(true);if (googleSecretEnc == null) {frameUserRefVO = GoogleAuthenticatorUtil.single().createNewUserRefVO(loginUserDetails);frameUserRefService.create(frameUserRefVO);googleSecretEnc = frameUserRefVO.getAttributeValue();}final String googleSecret = AES128Util.single().decrypt(googleSecretEnc);returnData.put(_GOOGLE_MFA_USER_SECRET_REF_FlAG_ATTR_NAME.value(), false);returnData.put("description", CORRELATION_YOUR_GOOGLE_KEY.description());returnData.put("secret", googleSecret);returnData.put("secretQRBarcode", GoogleAuthenticatorUtil.single().getQRBarcode(loginUserDetails.getUsername(), googleSecret));
// returnData.put("secretQRBarcodeURL",
// GoogleAuthenticatorUtil.single().getQRBarcodeURL(loginUserDetails.getUsername(), "", googleSecret));RedisUtil.single().set(__MFA_TOKEN_USER_GOOGLE_SECRET_CACHE_KEY + loginUserDetails.getId(), googleSecretEnc);}responseResult.setData(returnData);return responseResult;}/*** 绑定谷歌验证码** @return* @throws Exception*/@ApiOperation("绑定谷歌验证")@GetMapping("/bindUserGoogleSecret")@SystemResource(value = "bindUserGoogleSecret", description = "绑定谷歌验证")@AuthLog(bizType = "framework", desc = "绑定谷歌验证", operateLogType = OperateLogType.LOG_TYPE_FRONTEND)public CommonApiResult<FrameUserRefVO> bindUserGoogleSecret() throws Exception {// 绑定的时候每次都要重新的生成一个出来String googleSecret = GoogleAuthenticatorUtil.single().getCurrentUserVerifyKey();if (!GoogleAuthenticatorUtil.single().checkGoogleVerifyCode(googleSecret)) {throw new BusinessException("system.error.google.valid", 400);}LoginUserDetails loginUserDetails = RequestContextManager.single().getRequestContext().getUser();CommonApiResult<FrameUserRefVO> responseResult = CommonApiResult.createSuccessResult();FrameUserRefVO frameUserRefVO = frameUserRefService.getUserRefByAttributeName(loginUserDetails.getId(),_GOOGLE_MFA_USER_SECRET_REF_FlAG_ATTR_NAME.value());if (frameUserRefVO == null) {frameUserRefVO = new FrameUserRefVO();frameUserRefVO.setUserId(loginUserDetails.getId());frameUserRefVO.setAttributeName(_GOOGLE_MFA_USER_SECRET_REF_FlAG_ATTR_NAME.value());frameUserRefVO.setAttributeValue("true");frameUserRefVO.setRemark(_GOOGLE_MFA_USER_SECRET_REF_FlAG_ATTR_NAME.description());frameUserRefService.create(frameUserRefVO);} else {frameUserRefVO.setAttributeValue("true");frameUserRefService.update(frameUserRefVO);}responseResult.setData(frameUserRefVO);ThreadUtil.execAsync(() -> RedisUtil.single().removeUserLoginToken(loginUserDetails.getId()));return responseResult;}
行为校验过滤器
主要是对操作过程中的二次验证,按配置的时间间隔进行校验,如果用户在redis的mfa校验已经过期了,那么要重新校验,其中过期的KEY是和你的IP进行绑定的。
GitCode - 全球开发者的开源社区,开源代码托管平台GitCode是面向全球开发者的开源社区,包括原创博客,开源代码托管,代码协作,项目管理等。与开发者社区互动,提升您的研发效率和质量。https://gitcode.com/YouYouLongLong/springcloud-framework/blob/master/core-common-parent/mfa-common/src/main/java/com/unknow/first/mfa/config/MfaFilterConfig.java
package com.unknow.first.mfa.config;import static org.cloud.constant.LoginTypeConstant.LoginTypeEnum.LOGIN_BY_ADMIN_USER;
import static org.cloud.constant.MfaConstant.CORRELATION_GOOGLE_NOT_VERIFY_OR_EXPIRE;import com.unknow.first.util.GoogleAuthenticatorUtil;
import java.io.IOException;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Setter;
import org.cloud.constant.CoreConstant;
import org.cloud.context.RequestContext;
import org.cloud.context.RequestContextManager;
import org.cloud.core.redis.RedisUtil;
import org.cloud.entity.LoginUserDetails;
import org.cloud.exception.BusinessException;
import org.cloud.utils.HttpServletUtil;
import org.cloud.utils.IPUtil;
import org.jetbrains.annotations.NotNull;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.web.filter.OncePerRequestFilter;/*** mfa验证器,目前只支持google*/
@ConfigurationProperties(prefix = "system.mfa")
@Configuration
@ConditionalOnProperty(prefix = "system.mfa", name = "enabled", matchIfMissing = true)
public class MfaFilterConfig {public final static String __MFA_TOKEN_USER_CACHE_KEY = "system:mfa:user:verify:result:"; // 校验结果public final static String __MFA_TOKEN_USER_GOOGLE_SECRET_CACHE_KEY = "system:mfa:user:secret:result:"; // 谷歌key@Setterprivate List<String> excludeUri; // 默认为内部调用的url也可以自己添加private final CoreConstant.MfaAuthType mfaAuthType = CoreConstant.MfaAuthType.GOOGLE; //默认为google验证@Beanpublic FilterRegistrationBean<?> mfaWebFilter() {this.excludeUri.add("/v2/api-docs");this.excludeUri.add("/inner/**/*");this.excludeUri.add("/user/verify/generate/*");this.excludeUri.add("/user/mfa/**");this.excludeUri.add("/app/userRef/isBindLoginIp");this.excludeUri.add("/app/userRef/ipLoginLockFlagOpen");this.excludeUri.add("/app/userRef/changeLoginIp");this.excludeUri.add("/app/userRef/getCurrentIp");this.excludeUri.add("/user/menu/getMenus");FilterRegistrationBean<?> registration = new FilterRegistrationBean<>(new MfaWebFilter(excludeUri));registration.addUrlPatterns("/*");registration.setName("mfaWebFilter");registration.setOrder(100);return registration;}static class MfaWebFilter extends OncePerRequestFilter {private final List<String> noMfaCheckUrl; // 默认为内部调用的url也可以自己添加public MfaWebFilter(List<String> noMfaCheckUrl) {this.noMfaCheckUrl = noMfaCheckUrl;}@Overrideprotected void doFilterInternal(@NotNull HttpServletRequest httpServletRequest, @NotNull HttpServletResponse httpServletResponse,@NotNull FilterChain filterChain) throws ServletException, IOException {if (HttpServletUtil.single().isExcludeUri(httpServletRequest, noMfaCheckUrl)) {filterChain.doFilter(httpServletRequest, httpServletResponse);return;}// 如果数据字典中关闭了双因子校验,那么不进行双因子校验,关闭数据字典的全局配置,防止密码泄露后可以更改此项目绕过google
// TSystemDicItem dicItem = SystemDicUtil.single().getDicItem("systemConfig", "isMfaVerify");
// if (dicItem != null && StringUtils.hasLength(dicItem.getDicItemValue()) && "false".equals(dicItem.getDicItemValue())) {
// filterChain.doFilter(httpServletRequest, httpServletResponse);
// return;
// }RequestContext currentRequestContext = RequestContextManager.single().getRequestContext();LoginUserDetails user = currentRequestContext.getUser();// 只有需要登录鉴权的接口并且用户类型为管理员才需要校验双因子if (user == null || (!LOGIN_BY_ADMIN_USER.userType.equals(user.getUserType()))) {filterChain.doFilter(httpServletRequest, httpServletResponse);return;}try {GoogleAuthenticatorUtil.single().verifyCurrentUserBindGoogleKey();} catch (BusinessException businessException) {try {HttpServletUtil.single().handlerBusinessException(businessException, httpServletResponse);} catch (Exception e) {logger.warn("校验google验证绑定情况失败时将信息写入到response时失败," + e.getMessage());}logger.error("用户未绑定google");return;}final String ipHash = RedisUtil.single().getMd5Key(IPUtil.single().getIpAddress(httpServletRequest));Boolean isValidatePass = RedisUtil.single().get(__MFA_TOKEN_USER_CACHE_KEY + user.getId() + ":" + ipHash);// 如果规定时间内校验过并且未过期,那么不校验if (isValidatePass != null && isValidatePass) {filterChain.doFilter(httpServletRequest, httpServletResponse);} else {try {HttpServletUtil.single().handlerBusinessException(new BusinessException(CORRELATION_GOOGLE_NOT_VERIFY_OR_EXPIRE.value(),CORRELATION_GOOGLE_NOT_VERIFY_OR_EXPIRE.description(), HttpStatus.BAD_REQUEST.value()), httpServletResponse);} catch (Exception e) {logger.warn("校验google验证是否有效时将信息写入到response时失败," + e.getMessage());}logger.error("用户google未校验或者校验失效了");}}}
}
总结
本篇内容介绍了如何绑定及在操作过程中的定时的Google验证器的行为校验及如何检测的处理,下篇将介绍一些工具类和业务强制校验的实现过程