• SpringBoot中自定义拦截器详解 (Token校验与放行)


    SpringBoot中自定义拦截器详解 (Token校验与放行)

    标签(空格分隔): Springboot

    首先是拦截类AuthInterceptor.java中的具体逻辑,主要是有继承BaseInterceptor.java 类,而这个BaseInterceptor.java类继承了HandlerInterceptorAdapter类,然后拦截类AuthInterceptor.java实现了其中的preHandle方法

    以下是全部代码

    拦截器主要逻辑类——AuthInterceptor.java

    package com.byted.store.aspect;
    
    
    import com.byted.store.service.AuthAccessTokenService;
    import com.google.common.annotations.VisibleForTesting;
    import com.google.common.base.Charsets;
    import com.google.common.base.Joiner;
    import com.google.common.base.Preconditions;
    import com.google.common.base.Splitter;
    import com.google.common.io.BaseEncoding;
    import lombok.extern.slf4j.Slf4j;
    import org.apache.commons.lang3.StringUtils;
    import org.springframework.http.HttpHeaders;
    import org.springframework.http.HttpStatus;
    import org.springframework.stereotype.Component;
    import org.springframework.web.client.HttpClientErrorException;
    import org.springframework.web.method.HandlerMethod;
    
    import javax.annotation.Resource;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.util.List;
    
    /**
     * @program: parent
     * @description: Auth
     * @author: zhaobo.zeus
     * @create: 2020-12-20 20:41
     **/
    @Slf4j
    @Component
    public class PreAuthInterceptor extends BaseInterceptor {
    
        public static final String AUTHED_TOKEN = "authorized_token";
    
        @Resource
        private AuthAccessTokenService authAccessTokenService;
    
        @Override
        public boolean preHandle(HttpServletRequest request,
                                 HttpServletResponse response, Object handler) throws Exception {
    
            if (!(handler instanceof HandlerMethod)) {
                return true;
            }
            //放行逻辑
            HandlerMethod method = (HandlerMethod) handler;
            DisableAuth auth = method.getMethod().getAnnotation(DisableAuth.class);
            if (isDisableAuth(auth)) {
                return super.preHandle(request, response, handler);
            }
            //获取token
            List<String> Base64_token = decode(request.getHeader(HttpHeaders.AUTHORIZATION));
    
            String bizOrOwner = Base64_token.get(0);
            String token = Base64_token.get(1);
    
            System.out.println(bizOrOwner);
    
            if (StringUtils.isBlank(token)) {
                setResponse(request, response, "400","Error: token is null");
                return false;
            }
    
            // 3.查询token是否正确
            String biz = authAccessTokenService.getBizByTokenString(token);
    
            if (biz == null) {
                setResponse(request, response, "404","Error: token is invalid");
                return false;
            }
    
            // 将userId写入到request请求中
            //request.setAttribute(Constants.REQUEST_ATTR_USER_ID, account.getId());
            //request.setAttribute("UserToken", accessToken);
            request.setAttribute("biz", biz);
    
            return true;
        }
    
        private static boolean isDisableAuth(DisableAuth auth) {
            return auth != null;
        }
    
        /**
         * 获取http请求头部或者参数中的token值
         *
         * @param request
         *            http请求传递的值
         * @return 返回token
         */
        private String getAuthToken(HttpServletRequest request) {
            String token = request.getHeader("accessToken");
    
            if (token == null) {
                token = request.getParameter("accessToken");
            }
            return token;
        }
    
        public static List<String> decode(String authString) {
    
            List<String> strings = null;
            if (StringUtils.isBlank(authString)) {
                return null;
            }
            List<String> words = Splitter.on(" ").splitToList(authString);
            if (words.size() != 2) {
                return null;
            }
            switch (words.get(0)) {
                case "Basic":
                    try {
                        String decoding = new String(BaseEncoding.base64().decode(words.get(1)), Charsets.UTF_8);
                        strings = Splitter.on(":").splitToList(decoding);
                        Preconditions.checkArgument(strings.size() == 2);
                    } catch (IllegalArgumentException e) {
                        throw new HttpClientErrorException(HttpStatus.UNAUTHORIZED, "bad authorization");
                    }
                    return strings;
                default:
                    throw new HttpClientErrorException(HttpStatus.UNAUTHORIZED, "unsupported authorization");
            }
        }
    
        @VisibleForTesting
        public static String encode(String token) {
            String encoding = Joiner.on(":").join("", token);
            return Joiner.on(" ").join("Basic", BaseEncoding.base64().encode(encoding.getBytes()));
        }
    }
    
    

    父类BaseInterceptor.java 这个类里面的代码其实与token校验关系不大

    package com.byted.store.aspect;
    import java.io.IOException;
    import java.io.Writer;
    import java.util.Enumeration;
    import java.util.HashMap;
    import java.util.Map;
    
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    
    import lombok.extern.slf4j.Slf4j;
    
    import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
    
    import com.alibaba.fastjson.JSON;
    /**
     * @program: parent
     * @description: BaseInterceptor
     * @author: zhaobo.zeus
     * @create: 2020-12-20 20:42
     **/
    @Slf4j
    public abstract class BaseInterceptor extends HandlerInterceptorAdapter {
    
    
        public void setResponse(HttpServletRequest request,
                                HttpServletResponse response, String messageKey,String message) {
    
            response.setContentType("application/json;charset=UTF-8");
            try (Writer writer = response.getWriter()) {
                Map<String, Object> resultMap = new HashMap<>();
                resultMap.put("code", messageKey);
                resultMap.put("message", message);
    
                logger(request, resultMap);
                JSON.writeJSONString(writer, resultMap);
                writer.flush();
            } catch (IOException e) {
                log.error("response 设置操作异常:" + e);
            }
        }
    
        public void setResponse(HttpServletRequest request,
                                HttpServletResponse response, String messageKey) {
            setResponse(request,response,messageKey,"OK");
    
        }
    
    
        /**
         * 记录日志
         */
        private void logger(HttpServletRequest request, Map<String, Object> resultMap) {
            StringBuffer msg = new StringBuffer();
            msg.append("异常拦截日志:");
            msg.append("[uri:").append(request.getRequestURI()).append("]");
            Enumeration<String> enumer = request.getParameterNames();
            while (enumer.hasMoreElements()) {
                String name = enumer.nextElement();
                String[] values = request.getParameterValues(name);
                msg.append("[").append(name).append("=");
                if (values != null) {
                    int i = 0;
                    for (String value : values) {
                        i++;
                        msg.append(value);
                        if (i < values.length) {
                            msg.append("|");
                        }
                    }
                }
                msg.append("]");
            }
            msg.append(JSON.toJSONString(resultMap));
    
            log.warn(msg.toString());
        }
    }
    
    

    回到拦截器逻辑类中会发现我重写了preHandle方法
    原文链接 : https://blog.csdn.net/azhegps/article/details/99342891
    这样我们所有的请求都会经过拦截器的逻辑,如果请求不符合逻辑就会被拦截到,并不会执行到方法内部。

    有的接口需要token校验,有的并不需要,所以还要一个放行的逻辑。
    可以直接用自定义注解来实现

    自定义注解@DisableAuth 代码

    package com.byted.store.aspect;
    
    import java.lang.annotation.Documented;
    import java.lang.annotation.ElementType;
    import java.lang.annotation.Inherited;
    import java.lang.annotation.Retention;
    import java.lang.annotation.RetentionPolicy;
    import java.lang.annotation.Target;
    
    /**
     * @program: parent
     * @description: 非鉴权注解,Controller使用此注解,过滤器将不拦截
     * @author: zhaobo.zeus
     * @create: 2020-12-20 20:44
     **/
    
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @Documented
    @Inherited
    public @interface DisableAuth {
    
    }
    

    在需要放行的方法上加上自定义注解@DisableAuth

  • 相关阅读:
    from表单提交数组数据
    由于被认为是客户端对错误(例如:畸形的请求语法、无效的请求信息帧或者虚拟的请求路由),服务器无法或不会处理当前请求。
    form表单提交的几种方式
    DuplicateMappingException: Table [xx] contains physical column name referred to by multiple ... .
    oracle之报错:ORA-00054: 资源正忙,要求指定 NOWAIT
    json对象与json字符串的转换
    免费的maven的archetype-catalog.xml文件下载
    SpringBoot集成Hibernate
    log4j.properties的配置信息
    service里无法注入mapper,mapper空指针
  • 原文地址:https://www.cnblogs.com/hit-zb/p/14182159.html
Copyright © 2020-2023  润新知