There are other ways to meet this requirement on the web, such as a filter or a custom provider. My approach is to add an extra AuthenticationProvider that checks the image verification code before the password provider runs. The implementation is as follows:
1. Add a WebAuthenticationDetails subclass that carries the image code information

import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

public class CustomWebAuthenticationDetails extends WebAuthenticationDetails {

    private String imageCode;          // code the user typed into the login form
    private String session_imagecode;  // code stored in the session when the image was issued
    private long session_imagetime;    // time in ms at which the image was issued (0 if none)

    public CustomWebAuthenticationDetails(HttpServletRequest request) {
        super(request);
        this.imageCode = request.getParameter("imageCode");
        this.session_imagecode = (String) request.getSession().getAttribute("Session_imagecode");
        String session_verifytime = (String) request.getSession().getAttribute("Session_imagetime");
        if (session_verifytime == null) {
            this.session_imagetime = 0L;
        } else {
            this.session_imagetime = Long.parseLong(session_verifytime);
        }
    }

    public String getImageCode() { return imageCode; }
    public String getSession_imagecode() { return session_imagecode; }
    public long getSession_imagetime() { return session_imagetime; }
}
2. Add an AuthenticationDetailsSource implementation that builds those details for every login request

import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationDetailsSource
        implements AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> {

    @Override
    public WebAuthenticationDetails buildDetails(HttpServletRequest context) {
        return new CustomWebAuthenticationDetails(context);
    }
}
3. Add a custom AuthenticationProvider implementation and register it in the provider list

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // The details are our subclass only for requests that went through the form login
        // configured with CustomAuthenticationDetailsSource; anything else is left to the other providers
        // instead of failing with a ClassCastException.
        if (!(authentication.getDetails() instanceof CustomWebAuthenticationDetails)) {
            return null;
        }
        CustomWebAuthenticationDetails details = (CustomWebAuthenticationDetails) authentication.getDetails();
        String imageCode = details.getImageCode();
        String session_imagecode = details.getSession_imagecode();
        long session_imagetime = details.getSession_imagetime();

        // ImageCodeIllegalException is not shown here; because authenticate() declares only
        // AuthenticationException, it has to be a subclass of AuthenticationException.
        if (imageCode == null || session_imagecode == null) {
            throw new ImageCodeIllegalException("Verification code error");
        }
        if (!imageCode.equals(session_imagecode)) {
            throw new ImageCodeIllegalException("Verification code error");
        }
        long nowTime = System.currentTimeMillis();
        if ((nowTime - session_imagetime) / 1000 > 60) {
            // older than 60 s: the code has expired
            throw new ImageCodeIllegalException("Verification code has timed out");
        }
        // This provider only checks the image code. Returning null tells ProviderManager to
        // continue with the next provider in the list, which verifies the password.
        return null;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}
4. Add the configuration in the WebSecurityConfigurerAdapter subclass

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Inject
    private AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> authenticationDetailsSource;
    .....
To get the "burn after reading" effect, the verification code is removed from the session in the handlers for both successful and failed logins. Removing it on failure as well is what matters for security: otherwise one solved image could be replayed for an unlimited number of password guesses, whereas with single use and the 60 s lifetime every guess costs a freshly issued image.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class AjaxAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Autowired
    private PasswordService passwordService;  // injected in the original, not used here

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        // Remove the verification code. The attribute names must match the ones
        // CustomWebAuthenticationDetails reads, otherwise the code is not actually burned.
        request.getSession().removeAttribute("Session_imagecode");
        request.getSession().removeAttribute("Session_imagetime");
        response.setStatus(HttpServletResponse.SC_OK);
    }
}
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

@Component
public class AjaxAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Autowired
    private PasswordService passwordService;  // injected in the original, not used here

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        // Remove the verification code so a failed attempt cannot reuse it
        request.getSession().removeAttribute("Session_imagecode");
        request.getSession().removeAttribute("Session_imagetime");
        .....
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
    }
}
Then add the relevant configuration in the WebSecurityConfigurerAdapter subclass:

    .....
    .and()
    .formLogin()
        .loginProcessingUrl("/api/login")
        .successHandler(ajaxAuthenticationSuccessHandler)      // key point
        .failureHandler(ajaxAuthenticationFailureHandler)      // key point
        .usernameParameter("username")
        .passwordParameter("password")
        .authenticationDetailsSource(authenticationDetailsSource)
        .permitAll()
    ...
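As an added example that is not part of the original article, here is the rest of the wiring the article leaves out: the endpoint that issues the image and stores `Session_imagecode` / `Session_imagetime` in the session (the article never shows this, so the `CaptchaController` class, the `/api/captcha` path and the 4-character alphabet are my assumptions), and a `SecurityConfiguration` that registers `CustomAuthenticationProvider` ahead of the password-checking `DaoAuthenticationProvider` and attaches the details source and the two handlers to form login. It assumes the classes from steps 1 to 3 and the two handlers exist under the names used above and that a `UserDetailsService` bean is defined elsewhere.

```java
// Added example, not the article's own code. Assumed names: CaptchaController, /api/captcha,
// the 4-character alphabet, and a UserDetailsService bean defined elsewhere in the application.
package com.example.security;

import java.awt.Color;
import java.awt.Font;
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.security.SecureRandom;
import javax.imageio.ImageIO;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class CaptchaController {
    // Ambiguous glyphs (0/O, 1/I) are left out so users are not penalised for misreading them.
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    private final SecureRandom random = new SecureRandom();

    @GetMapping("/api/captcha")
    public void captcha(HttpServletRequest request, HttpServletResponse response) throws IOException {
        StringBuilder code = new StringBuilder();
        for (int i = 0; i < 4; i++) {
            code.append(ALPHABET.charAt(random.nextInt(ALPHABET.length())));
        }
        // Same attribute names CustomWebAuthenticationDetails reads. The timestamp is stored as a
        // String because that class parses it with Long.parseLong. Every request overwrites the
        // previous code, so only the most recently issued image is ever valid.
        request.getSession().setAttribute("Session_imagecode", code.toString());
        request.getSession().setAttribute("Session_imagetime", String.valueOf(System.currentTimeMillis()));

        BufferedImage image = new BufferedImage(120, 40, BufferedImage.TYPE_INT_RGB);
        Graphics2D g = image.createGraphics();
        g.setColor(Color.WHITE);
        g.fillRect(0, 0, 120, 40);
        g.setColor(Color.DARK_GRAY);
        g.setFont(new Font(Font.SANS_SERIF, Font.BOLD, 28));
        g.drawString(code.toString(), 12, 30);
        g.dispose();
        response.setContentType(MediaType.IMAGE_PNG_VALUE);
        response.setHeader("Cache-Control", "no-store");  // never let a proxy or browser reuse an old image
        ImageIO.write(image, "png", response.getOutputStream());
    }
}

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired private CustomAuthenticationProvider customAuthenticationProvider;
    @Autowired private CustomAuthenticationDetailsSource authenticationDetailsSource;
    @Autowired private AjaxAuthenticationSuccessHandler ajaxAuthenticationSuccessHandler;
    @Autowired private AjaxAuthenticationFailureHandler ajaxAuthenticationFailureHandler;
    @Autowired private UserDetailsService userDetailsService;  // assumed to be defined elsewhere

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // ProviderManager tries providers in registration order. The image-code provider is added
        // first and returns null when the code is valid, so the DaoAuthenticationProvider that
        // userDetailsService() registers afterwards is what finally checks the password.
        auth.authenticationProvider(customAuthenticationProvider);
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/api/captcha").permitAll()  // the image must be fetchable before login
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginProcessingUrl("/api/login")
                .successHandler(ajaxAuthenticationSuccessHandler)
                .failureHandler(ajaxAuthenticationFailureHandler)
                .usernameParameter("username")
                .passwordParameter("password")
                .authenticationDetailsSource(authenticationDetailsSource)
                .permitAll();
    }
}
```

The login form posts `imageCode` together with `username` and `password` to `/api/login`. Because the handlers remove the stored code on both success and failure, the client has to request a new image from `/api/captcha` after every attempt; the `Cache-Control: no-store` header makes sure it actually gets a fresh one rather than a cached copy whose code has already been burned.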
The next article will look further at how the AuthenticationProvider is used, including a way to stop UsernameNotFoundException from being hidden when the user cannot be found.