<p style="margin-top: 0px; margin-bottom: 0px; padding-top: 0px; padding-bottom: 0px;">先说明错误原因:用spring安全拦截器进行验证码的验证的时候抛出异常。</p><p style="margin-top: 0px; margin-bottom: 0px; padding-top: 0px; padding-bottom: 0px;">throw new RuntimeException("captcha validation failed due to exception", cse);</p><p style="margin-top: 0px; margin-bottom: 0px; padding-top: 0px; padding-bottom: 0px;">前台提交数据后跳转到如下方法:</p>
- package com.davidstudio.gbp.core.security.jcaptcha;
- import org.acegisecurity.captcha.CaptchaServiceProxy;
- import org.apache.log4j.Logger;
- import com.octo.captcha.service.CaptchaService;
- import com.octo.captcha.service.CaptchaServiceException;
- /**
- * 调用CaptchaService类,完jcaptcha的验证过程
- *
- *
- *
- *
- */
- public class JCaptchaServiceProxyImpl implements CaptchaServiceProxy {
- /**
- * Logger for this class
- */
- private static final Logger logger = Logger.getLogger(JCaptchaServiceProxyImpl.class);
- private CaptchaService jcaptchaService;
- public boolean validateReponseForId(String id, Object response) {
- if (logger.isDebugEnabled()) {
- logger.debug("validating captcha response");
- }
- try {
- boolean isHuman = false;
- isHuman = jcaptchaService.validateResponseForID(id, response).booleanValue();
- if (isHuman) {
- if (logger.isDebugEnabled()) {
- logger.debug("captcha passed");
- }
- } else {
- if (logger.isDebugEnabled()) {
- logger.debug("captcha failed");
- }
- }
- return isHuman;
- } catch (CaptchaServiceException cse) {
- // fixes known bug in JCaptcha
- logger.warn("captcha validation failed due to exception", cse);
- throw new RuntimeException("captcha validation failed due to exception", cse);
- }
- }
- public void setJcaptchaService(CaptchaService jcaptchaService) {
- this.jcaptchaService = jcaptchaService;
- }
- }
设置断点debug改语句不能顺利执行 jcaptchaService.validateResponseForID(id, response).booleanValue();
查了网上的资料,这个方法的作用是: 根据HttpSession的 sessionId进行验证码的验证,原理是这样的,页面生成的验证码是通过Spring中的配置生成的,查了一下配置:
- <bean id="security.filter.manager" class="org.acegisecurity.util.FilterChainProxy">
- <property name="filterInvocationDefinitionSource">
- <value>
- /**=security.filter.channel,security.filter.sessionIntegration,security.filter.logout,security.filter.thsso,security.filter.jcaptcha,security.filter.jcaptchachannel,security.filter.formAuth,security.filter.requestWrap,security.filter.exceptionTranslation,security.filter.filterInvocation
- </value>
- </property>
- </bean>
- <!-- jcaptacha过滤器 -->
- <bean id="security.filter.jcaptcha"
- class="org.acegisecurity.captcha.CaptchaValidationProcessingFilter">
- <property name="captchaService" ref="security.captcha.serviceproxy" />
- <property name="captchaValidationParameter" value="j_captcha_response" />
- </bean>
- <bean id="security.captcha.serviceproxy"
- class="com.davidstudio.gbp.core.security.jcaptcha.JCaptchaServiceProxyImpl">
- <property name="jcaptchaService" ref="security.captcha.service" />
- </bean>
- <bean id="security.captcha.service"
- class="com.octo.captcha.service.image.DefaultManageableImageCaptchaService">
- <constructor-arg type="com.octo.captcha.service.captchastore.CaptchaStore" index="0">
- <bean class="com.octo.captcha.service.captchastore.FastHashMapCaptchaStore" />
- </constructor-arg>
- <constructor-arg type="com.octo.captcha.engine.CaptchaEngine" index="1">
- <bean class="com.davidstudio.gbp.core.security.jcaptcha.CaptchaEngine" />
- </constructor-arg>
- <constructor-arg index="2">
- <value>180</value>
- </constructor-arg>
- <constructor-arg index="3">
- <value>100000</value>
- </constructor-arg>
- <constructor-arg index="4">
- <value>75000</value>
- </constructor-arg>
- </bean>
- <!-- session整合过滤器。自动将用户身份信息存放在session里。 -->
- <bean id="security.filter.sessionIntegration"
- class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
- <property name="context" value="org.acegisecurity.captcha.CaptchaSecurityContextImpl" />
- </bean>
jcaptchaService.validateResponseForID(id, response).booleanValue();
jcaptchaService.validateResponseForID(id, response).booleanValue(); 这个条件进行验证码的验证了,当然了验证码验证前面还可以有很多过滤器认证,比如说对用户名和密码的验证等等。形成一套的链式认证!
这个代理实现,这个代理实现类 又去调用com.octo.captcha.service.image.DefaultManageableImageCaptchaService
- 23 public class DefaultManageableImageCaptchaService extends AbstractManageableImageCaptchaService
- 24 implements ImageCaptchaService {
- 25 /**
- 26 * Construct a new ImageCaptchaService with a {@link FastHashMapCaptchaStore} and a {@link DefaultGimpyEngine}
- 27 * minGuarantedStorageDelayInSeconds = 180s
- 28 * maxCaptchaStoreSize = 100000
- 29 * captchaStoreLoadBeforeGarbageCollection=75000
- 30 */
- 31 public DefaultManageableImageCaptchaService() {
- 32 super(new FastHashMapCaptchaStore(), new DefaultGimpyEngine(), 180,
- 33 100000, 75000);
- 34 }
- 127 /**
- 128 * Method to validate a response to the challenge corresponding to the given ticket and remove the coresponding
- 129 * captcha from the store.
- 130 *
- 131 * @param ID the ticket provided by the buildCaptchaAndGetID method
- 132 * @return true if the response is correct, false otherwise.
- 133 * @throws CaptchaServiceException if the ticket is invalid
- 134 */
- 135 public Boolean validateResponseForID(String ID, Object response)
- 136 throws CaptchaServiceException {
- 137 if (!store.hasCaptcha(ID)) {
- 138 throw new CaptchaServiceException("Invalid ID, could not validate unexisting or already validated captcha");
- 139 } else {
- 140 Boolean valid = store.getCaptcha(ID).validateResponse(response);
- 141 store.removeCaptcha(ID);
- 142 return valid;
- 143 }
- 144 }
这个就是判断有没有验证码,如果store中没有相应的sessionId那么就抛出异常:throw new CaptchaServiceException("Invalid ID, could not validate unexisting or already validated captcha");
Boolean valid = store.getCaptcha(ID).validateResponse(response);
- 18 /**
- 19 * Simple store based on a HashMap
- 20 */
- 21 public class MapCaptchaStore implements CaptchaStore {
- 22
- 23 Map store;
- 24
- 25 public MapCaptchaStore() {
- 26 this.store = new HashMap();
- 27 }
- 28
- 29 /**
- 30 * Check if a captcha is stored for this id
- 31 *
- 32 * @return true if a captcha for this id is stored, false otherwise
- 33 */
- 34 public boolean hasCaptcha(String id) {
- 35 return store.containsKey(id);
- 36 }
- 37
- 38 /**
- 39 * Store the captcha with the provided id as key. The key is assumed to be unique, so if the same key is used twice
- 40 * to store a captcha, the store will return an exception
- 41 *
- 42 * @param id the key
- 43 * @param captcha the captcha
- 44 *
- 45 * @throws CaptchaServiceException if the captcha already exists, or if an error occurs during storing routine.
- 46 */
- 47 public void storeCaptcha(String id, Captcha captcha) throws CaptchaServiceException {
- 48 // if (store.get(id) != null) {
- 49 // throw new CaptchaServiceException("a captcha with this id already exist. This error must " +
- 50 // "not occurs, this is an implementation pb!");
- 51 // }
- 52 store.put(id, new CaptchaAndLocale(captcha));
- 53 }
上面就是CaptchaStore接口的实现类MapCaptchaStore,其中定义了一个hashMap,通过storeCaptcha(String id,Captcha captcha)方法来存储sessionId和captcha的键值对,这是进入登录页面生成的时候调用的方法,当进行验证的时候就需要hasCaptcha(String ID)方法和
- 69 /**
- 70 * Retrieve the captcha for this key from the store.
- 71 *
- 72 * @return the captcha for this id
- 73 *
- 74 * @throws CaptchaServiceException if a captcha for this key is not found or if an error occurs during retrieving
- 75 * routine.
- 76 */
- 77 public Captcha getCaptcha(String id) throws CaptchaServiceException {
- 78 Object captchaAndLocale = store.get(id);
- 79 return captchaAndLocale!=null?((CaptchaAndLocale) captchaAndLocale).getCaptcha():null;
- 80 }
但是我们是调用了MapCaptchaStore 的子类<pre name="code" class="java" style="white-space: pre-wrap; word-wrap: break-word;">FastHashMapCaptchaStore来存储信息的:同样看<pre name="code" class="java" style="white-space: pre-wrap; word-wrap: break-word;">FastHashMapCaptchaStore这个类:
- <pre name="code" class="java" style="white-space: pre-wrap; word-wrap: break-word;"> 17 public class FastHashMapCaptchaStore extends MapCaptchaStore {
- 18 public FastHashMapCaptchaStore() {
- 19 this.store = new FastHashMap();
- 20 }
- 21 }
- <pre name="code" class="java" style="white-space: pre-wrap; word-wrap: break-word;">public class FastHashMap extends HashMap {
- 67
- 68 /**
- 69 * The underlying map we are managing.
- 70 */
- 71 protected HashMap map = null;
- 72
- 73 /**
- 74 * Are we currently operating in "fast" mode?
- 75 */
- 76 protected boolean fast = false;
- 77
- 78 // Constructors
- 79 // ----------------------------------------------------------------------
- 80
- 81 /**
- 82 * Construct an empty map.
- 83 */
- 84 public FastHashMap() {
- 85 super();
- 86 this.map = new HashMap();
- 87 }
- 88
显然<pre name="code" class="java" style="white-space: pre-wrap; word-wrap: break-word;">FastHashMapCaptchaStore就是一个HashMap
- <pre name="code" class="java" style="white-space: pre-wrap; word-wrap: break-word;"> 18 * Base implementation of the ImageCaptchaService.
- 19 *
- 20 * @author <a href="mailto:mag@jcaptcha.net">Marc-Antoine Garrigue</a>
- 21 * @version 1.0
- 22 */
- 23 public abstract class AbstractManageableImageCaptchaService extends AbstractManageableCaptchaService
- 24 implements ImageCaptchaService {
- 25
- 26 protected AbstractManageableImageCaptchaService(CaptchaStore captchaStore,
- 27 com.octo.captcha.engine.CaptchaEngine captchaEngine,
- 28 int minGuarantedStorageDelayInSeconds,
- 29 int maxCaptchaStoreSize,
- 30 int captchaStoreLoadBeforeGarbageCollection) {
- 31 super(captchaStore, captchaEngine,
- 32 minGuarantedStorageDelayInSeconds, maxCaptchaStoreSize,
- 33 captchaStoreLoadBeforeGarbageCollection);
- 34 }
- 73 protected Object getChallengeClone(Captcha captcha) {
- 74 BufferedImage challenge = (BufferedImage) captcha.getChallenge();
- 75 BufferedImage clone = new BufferedImage(challenge.getWidth(), challenge.getHeight(), challenge.getType());
- 76
- 77 clone.getGraphics().drawImage(challenge, 0, 0, clone.getWidth(), clone.getHeight(), null);
- 78 clone.getGraphics().dispose();
- 79
- 80
- 81 return clone;
- 82 }
<span style="margin: 0px; padding: 0px; white-space: pre;"><img src="http://img.my.csdn.net/uploads/201211/23/1353676134_4969.png" alt="" style="border: none; max- 100%;" /> </span>
</pre><pre name="code" class="java" style="white-space: pre-wrap; word-wrap: break-word;">内存中清楚显示了hashTable中的key和value,这样就证明验证码生成成功。
后来无奈看了看发送到 sessionId在hashMap中是否有,结果是不一样,就是再hashMap中没有,为什么?不是每一次在验证码生成的时候都把sessionId放进去了吗?
原则上讲服务器在第一次访问的时候会给用户分配一个不重复的sessionId,如果服务器的session不超时就不会再给用户分配sessionId了,减少给服务器的压力,也带来了友好的体验。但是我的两次sessiId为什么不一样呢? 后来通过fiddler2这个软件(这个软件好强大可以获得发送到form表单的内容,甚至可以修改),可以看到本地存储的cookie,但是cookie是空的,就是nodata,汗啊,难怪每次都分配不同的sessionId,服务器怎么判断每次提交过去的是同一个用户呢?通过sessionId,服务器会在客户端把sessionId写在Cookie中,这样用户再次提交请求的时候,服务器如果在内存中找到用户cookie中的sessionId而且没有超时,就不再重新分配sessionId,我看了下IE浏览器,cookie被禁止了,难怪每次都是一个新的sessionId,验证码就无法验证。就报错了。
