Spring Security自定义AuthenticationManager实现手机号/密码双认证
作者:袖梨
2026-06-04
01整体思路 3 步走
- 1. 自定义认证提供者
CustomAuthenticationProvider:
识别登录方式,分发给对应
UserDetailsService。 - 2. 双 Service:
•
UserDetailsService验证账号密码•
PhoneNumberUserService验证手机号验证码 - 3. 配置注入:把自定义提供者塞进 Spring Security,让它乖乖听话。
02自定义认证提供者
public class CustomAuthenticationProvider implements AuthenticationProvider {
private final UserDetailsService userDetailsService; // 账号密码验证
private final PasswordEncoder passwordEncoder; // 密码加密器
private final PhoneNumberUserService phoneNumberUserService; // 手机号验证
public CustomAuthenticationProvider(UserDetailsService userDetailsService,
PasswordEncoder passwordEncoder,
PhoneNumberUserService phoneNumberUserService) {
this.userDetailsService = userDetailsService;
this.passwordEncoder = passwordEncoder;
this.phoneNumberUserService = phoneNumberUserService;
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String principal = (String) authentication.getPrincipal(); // username:xxx 或 phone:xxx
String credentials = (String) authentication.getCredentials(); // 密码或验证码
UserDetails userDetails;
if (principal.startsWith("username:")) { // 账号密码登录
String username = principal.substring("username:".length());
userDetails = userDetailsService.loadUserByUsername(username);
if (!passwordEncoder.matches(credentials, userDetails.getPassword())) {
throw new BadCredentialsException("密码错误");
}
} else if (principal.startsWith("phone:")) { // 手机号登录
String phoneNumber = principal.substring("phone:".length());
userDetails = phoneNumberUserService.loadUserByPhoneNumber(phoneNumber); // 这里验证码校验可放在 service 内,也可前置过滤器
else{
throw new BadCredentialsException("登录方式不支持");
}
// 生成已认证令牌
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(userDetails, credentials, userDetails.getAuthorities());
result.setDetails(authentication.getDetails());
return result;
}
@Override public boolean supports (Class < ? > authentication){
return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}
}
}
注解:
- 1. 前缀识别:用
username:和phone:做路由,避免写两套接口。 - 2. 职责分离:验证码校验交给
PhoneNumberUserService,保持单一职责。 - 3. 线程安全:所有依赖通过构造器注入,无共享可变状态,天然并发友好。
03双 Service 实现
UserDetailsService(账号密码版)
@Service
@RequiredArgsConstructor
public class UserDetailsServiceImpl implements UserDetailsService {
private final UserMapper userMapper;
private final MenuMapper menuMapper;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userMapper.selectOne(new LambdaQueryWrapper<User>().eq(User::getUserName, username));
if (user == null) throw new UsernameNotFoundException("用户不存在");
List<String> perms = menuMapper.selectPermsByUserId(user.getId());
perms.add(user.getRoles()); // 合并角色
return new LoginUser(user, perms);
}
}
PhoneNumberUserService(手机号验证码版)
@Service
@RequiredArgsConstructor
public class PhoneNumberUserService {
private final UserMapper userMapper;
private final MenuMapper menuMapper;
private final RedisTemplate<String, String> redisTemplate; // 缓存验证码
public UserDetails loadUserByPhoneNumber(String phoneNumber) { // 1️ 查库
User user = userMapper.selectOne(new LambdaQueryWrapper<User>().eq(User::getPhonenumber, phoneNumber));
if (user == null)
throw new RuntimeException("手机号未注册"); // 2️ 查权限
List<String> perms = menuMapper.selectPermsByUserId(user.getId());
perms.add(user.getRoles()); // 3️验证码校验示例(可前置过滤器)
//String codeInRedis = redisTemplate.opsForValue().get("SMS:" + phoneNumber);
return new LoginUser(user, perms);
}
}
注解:
- 1. LambdaQueryWrapper:MyBatis-Plus 写法,链式清爽。
- 2. 角色权限合并:把角色当权限塞到同一集合,后续授权更丝滑。
- 3. 验证码解耦:校验逻辑可放在 Service,也可前置过滤器,灵活插拔。
04SecurityConfig:把自定义提供者塞进去
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {
private final AuthenticationConfiguration authenticationConfiguration;
//密码加密器
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public UserDetailsService userDetailsService() {
return new UserDetailsServiceImpl();
}
@Bean
public PhoneNumberUserService phoneNumberUserService() {
return new PhoneNumberUserService();
}
@Bean
public CustomAuthenticationProvider customAuthenticationProvider() {
return new CustomAuthenticationProvider(userDetailsService(), passwordEncoder(), phoneNumberUserService());
}
@Bean
public AuthenticationManager authenticationManager() throws Exception {
// 替换默认 AuthenticationManager
return new ProviderManager(customAuthenticationProvider());
}
}
注解:
- 1. ProviderManager:Spring Security 的核心调度器,塞入我们的 Provider 就能接管认证。
- 2. 构造器注入:Spring 推荐写法,避免循环依赖。
- 3. 无 @Autowired:全部显式 Bean,方便单测 Mock。
05登录接口:一行代码双通道
@RestController
@RequestMapping("/auth")
@RequiredArgsConstructor
public class AuthController {
private final AuthenticationManager authenticationManager;
private final RedisTemplate<String, Object> redisTemplate;
@PostMapping("/login")
public Result login(@RequestBody LoginDTO dto) {
String principal = dto.getLoginType() == 1 ? "username:" + dto.getUsername() : "phone:" + dto.getPhone();
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(principal, dto.getCredential());
Authentication authenticate = authenticationManager.authenticate(token);
LoginUser loginUser = (LoginUser) authenticate.getPrincipal();
String jwt = JwtUtil.createJWT(loginUser.getUser().getId().toString());
redisTemplate.opsForValue().set("login:" + loginUser.getUser().getId(), loginUser);
return Result.OK("登录成功", Map.of("token", jwt));
}
}
注解:
- 1. DTO 统一:前端传
loginType=1账号密码,2手机号验证码,后端零 if-else。 - 2. JWT + Redis:无状态 Token + 在线用户信息缓存,分布式登录稳稳的。
- 3. 异常透传:认证失败直接抛异常,被全局异常处理器统一包装,前端拿到统一格式。
测试
| 登录方式 | 请求体 | 返回 |
|---|---|---|
| 账号密码 | {"loginType":1,"username":"yuqn","credential":"123456"} | {"msg":"登录成功","token":"eyJ..."} |
| 手机验证码 | {"loginType":2,"phone":"13800138000","credential":"8888"} | 同上 |
