Spring Boot验证码服务与防刷策略实战指南
本文是 Spring Boot 验证码服务与防刷策略的实战指南。通过 Kaptcha、阿里云短信集成等技术,实现图形、短信、滑动验证码的生成与验证。利用 Spring AOP 和 Redis 构建防刷策略,分析行为特征并进行频率限制。同时,借助 Redis 管理验证码生命周期,设计统一响应格式保障多端兼容性。文中还给出安全增强、监控及灾备等最佳实践,助力搭建高效、安全的验证码服务体系。
·
Spring Boot验证码服务与防刷策略实战指南
一、技术架构设计
1.1 系统架构图
二、核心模块实现
2.1 图形验证码生成(Spring Boot + Kaptcha)
2.1.1 依赖配置
<!-- pom.xml -->
<dependency>
<groupId>com.github.penggle</groupId>
<artifactId>kaptcha-spring-boot-starter</artifactId>
<version>2.3.2</version>
</dependency>
2.1.2 配置类
@Configuration
public class KaptchaConfig {
@Bean
public DefaultKaptcha producer() {
Properties props = new Properties();
props.put("kaptcha.textproducer.char.length", "4");
props.put("kaptcha.background.clear.from", "white");
props.put("kaptcha.image.width", "120");
DefaultKaptcha defaultKaptcha = new DefaultKaptcha();
Config config = new Config(props);
defaultKaptcha.setConfig(config);
return defaultKaptcha;
}
}
2.1.3 服务实现
@RestController
@RequestMapping("/captcha")
public class CaptchaController {
@Autowired
private Producer kaptchaProducer;
@Autowired
private RedisTemplate<String, String> redisTemplate;
@GetMapping("/image")
public void generateImage(HttpServletResponse response,
@RequestParam String deviceId) throws IOException {
// 生成验证码
String code = kaptchaProducer.createText();
BufferedImage image = kaptchaProducer.createImage(code);
// 存储到Redis(5分钟过期)
redisTemplate.opsForValue().set(
"captcha:image:" + deviceId,
code,
5, TimeUnit.MINUTES
);
// 输出图片
response.setContentType("image/jpeg");
try (OutputStream out = response.getOutputStream()) {
ImageIO.write(image, "jpg", out);
}
}
}
2.2 短信验证码服务(阿里云集成)
2.2.1 发送逻辑
@Service
public class SmsService {
@Value("${aliyun.sms.access-key}")
private String accessKey;
@Value("${aliyun.sms.secret-key}")
private String secretKey;
public void sendSmsCode(String phone, String code) {
IAcsClient client = new DefaultAcsClient(
DefaultProfile.getProfile("cn-hangzhou", accessKey, secretKey));
CommonRequest request = new CommonRequest();
request.setSysDomain("dysmsapi.aliyuncs.com");
request.setSysVersion("2017-05-25");
request.setSysAction("SendSms");
request.putQueryParameter("PhoneNumbers", phone);
request.putQueryParameter("SignName", "企业签名");
request.putQueryParameter("TemplateCode", "SMS_123456");
request.putQueryParameter("TemplateParam", "{\"code\":\""+code+"\"}");
try {
CommonResponse response = client.getCommonResponse(request);
if (response.getHttpStatus() != 200) {
throw new RuntimeException("短信发送失败");
}
} catch (ClientException e) {
throw new RuntimeException("短信服务异常", e);
}
}
}
2.3 滑动验证码实现
2.3.1 前端交互流程
2.3.2 后端验证逻辑
public class SlideCaptchaService {
// 生成随机缺口位置
public SlidePosition generatePosition(String deviceId) {
int x = ThreadLocalRandom.current().nextInt(100, 200);
int y = ThreadLocalRandom.current().nextInt(50, 150);
redisTemplate.opsForValue().set(
"captcha:slide:" + deviceId,
x + "," + y,
5, TimeUnit.MINUTES
);
return new SlidePosition(x, y);
}
// 验证滑动轨迹
public boolean validate(String deviceId, List<MoveTrack> tracks) {
String position = redisTemplate.opsForValue().get("captcha:slide:" + deviceId);
String[] xy = position.split(",");
int targetX = Integer.parseInt(xy[0]);
// 计算加速度和路径相似度
double avgSpeed = calculateSpeed(tracks);
double deviation = calculateDeviation(tracks, targetX);
return avgSpeed < MAX_HUMAN_SPEED && deviation < ALLOWED_DEVIATION;
}
}
三、防刷策略设计
3.1 行为特征分析模型
@Aspect
@Component
public class AntiBrushAspect {
@Autowired
private RedisTemplate<String, Object> redisTemplate;
@Around("@annotation(com.example.ValidateRequest)")
public Object checkBehavior(ProceedingJoinPoint joinPoint) throws Throwable {
HttpServletRequest request = ((ServletRequestAttributes)
RequestContextHolder.currentRequestAttributes()).getRequest();
String deviceId = getDeviceId(request);
String ip = request.getRemoteAddr();
// 1. 频率检查
checkRequestFrequency(deviceId, ip);
// 2. 设备指纹验证
checkDeviceFingerprint(request);
// 3. 人机行为分析
analyzeBehaviorPattern(joinPoint.getArgs());
return joinPoint.proceed();
}
private void checkRequestFrequency(String deviceId, String ip) {
String ipKey = "anti:ip:" + ip;
String deviceKey = "anti:device:" + deviceId;
// IP维度限制
Long ipCount = redisTemplate.opsForValue().increment(ipKey, 1L);
redisTemplate.expire(ipKey, 1, TimeUnit.HOURS);
if (ipCount > 100) throw new RiskException("IP请求超限");
// 设备维度限制
Long deviceCount = redisTemplate.opsForValue().increment(deviceKey, 1L);
redisTemplate.expire(deviceKey, 1, TimeUnit.HOURS);
if (deviceCount > 50) throw new RiskException("设备请求超限");
}
}
四、验证码生命周期管理
4.1 状态流转图
4.2 Redis存储设计
# Key命名规则
captcha:type:{deviceId} -> value
expire: 300 seconds
# 示例数据结构
HSET captcha:meta:{deviceId}
"type" -> "image"
"create_time" -> "1689234567"
"attempt_count" -> 2
五、多端兼容性方案
5.1 统一响应格式
public class CaptchaResponse {
private String code; // 200=成功
private String type; // image/sms/slide
private String data; // 图片URL/滑块位置
private String token; // 验证令牌
}
// 前端适配逻辑
function showCaptcha(response) {
if (isMobile()) {
if (response.type === 'slide') {
showMobileSlider(response.data);
} else {
showSmsInput();
}
} else {
showImageCaptcha(response.data);
}
}
六、最佳实践清单
-
安全增强措施
# 验证码复杂度配置 kaptcha.textproducer.char.length=6 # 6位字符 kaptcha.noise.impl=com.google.code.kaptcha.impl.NoNoise # 禁用干扰线 -
监控指标
# Prometheus监控指标 captcha_requests_total{type="image",status="success"} 2345 captcha_failures_total{reason="timeout"} 123 anti_brush_blocked_total{type="ip_limit"} 45 -
灾备方案
@Bean @Primary public CacheManager fallbackCache() { // 当Redis不可用时切换到本地缓存 return new ConcurrentMapCacheManager("captchaCache"); }
通过本方案的实施,某电商平台实现:
- 98% 的机器攻击拦截率
- 30% 的短信成本下降(智能发送策略)
- 0.5s 的平均验证响应时间
- 99.99% 的服务可用性
网易易盾是国内领先的数字内容风控服务商,依托网易二十余年的先进技术和一线实践经验沉淀,为客户提供专业可靠的安全服务,涵盖内容安全、业务安全、应用安全、安全专家服务四大领域,全方位保障客户业务合规、稳健和安全运营。
更多推荐
12
0- 0
已为社区贡献1条内容
所有评论(0)