SpringBoot中自定义拦截器详解 (Token校验与放行)
首先是拦截类AuthInterceptor.java中的具体逻辑,主要是有继承BaseInterceptor.java 类,而这个BaseInterceptor.java类继承了HandlerInterceptorAdapter类,然后拦截类AuthInterceptor.java实现了其中的preHandle方法
以下是全部代码
拦截器主要逻辑类——PreAuthInterceptor.java
@Slf4j
@Component
public class PreAuthInterceptor extends BaseInterceptor {
public static final String AUTHED_TOKEN = "authorized_token";
@Autowired
private TokenService tokenService;
@Override
public boolean preHandle(HttpServletRequest request,
HttpServletResponse response, Object handler) throws Exception {
if (!(handler instanceof HandlerMethod)) {
return true;
}
//放行逻辑
HandlerMethod method = (HandlerMethod) handler;
DisableAuth auth = method.getMethod().getAnnotation(DisableAuth.class);
if (isDisableAuth(auth)) {
return super.preHandle(request, response, handler);
}
HttpSession session = request.getSession();
String accessToken=session.getAttribute("accessToken")!=null?session.getAttribute("accessToken").toString():null;
Object data=session.getAttribute("userData");
if(StringUtils.isBlank(accessToken)) {
//获取token
String token=getAuthToken(request);
if (StringUtils.isBlank(token)) {
setResponse(request, response, "400","Error: token is null");
return false;
}
// 3.查询token是否正确
Map checkToken = tokenService.checkToken(request, token);
String states = checkToken.get("code");
data=checkToken.get("data");
if (!states.equals("200")) {
setResponse(request, response, "0", checkToken.get("msg"));
return false;
}
session.setAttribute("accessToken",token);
session.setAttribute("userData",data);
}
// 将userinfo写入到request请求中
//request.setAttribute(Constants.REQUEST_ATTR_USER_ID, account.getId());
request.setAttribute(USER_INFO,data );
return true;
}
private static boolean isDisableAuth(DisableAuth auth) {
return auth != null;
}
/**
* 获取http请求头部或者参数中的token值
*
* @param request
* http请求传递的值
* @return 返回token
*/
private String getAuthToken(HttpServletRequest request) {
String token = request.getHeader("accessToken");
if (token == null) {
token = request.getParameter("accessToken");
}
return token;
}
public static List<String> decode(String authString) {
List<String> strings = null;
if (StringUtils.isBlank(authString)) {
return null;
}
List<String> words = Splitter.on(" ").splitToList(authString);
if (words.size() != 2) {
return null;
}
switch (words.get(0)) {
case "Basic":
try {
String decoding = new String(BaseEncoding.base64().decode(words.get(1)), Charsets.UTF_8);
strings = Splitter.on(":").splitToList(decoding);
Preconditions.checkArgument(strings.size() == 2);
} catch (IllegalArgumentException e) {
throw new HttpClientErrorException(HttpStatus.UNAUTHORIZED, "bad authorization");
}
return strings;
default:
throw new HttpClientErrorException(HttpStatus.UNAUTHORIZED, "unsupported authorization");
}
}
@VisibleForTesting
public static String encode(String token) {
String encoding = Joiner.on(":").join("", token);
return Joiner.on(" ").join("Basic", BaseEncoding.base64().encode(encoding.getBytes()));
}
}
父类BaseInterceptor.java 这个类里面的代码其实与token校验关系不大
@Slf4j
public class BaseInterceptor implements AsyncHandlerInterceptor {
public static final String USER_KEY = "USER_ID";
public static final String USER_INFO = "USER_INFO";
public void setResponse(HttpServletRequest request,
HttpServletResponse response, String messageKey, String message) {
response.setContentType("application/json;charset=UTF-8");
try (Writer writer = response.getWriter()) {
Map<String, Object> resultMap = new HashMap<>();
resultMap.put("code", messageKey);
resultMap.put("message", message);
logger(request, resultMap);
JSON.writeJSONString(writer, resultMap);
writer.flush();
} catch (IOException e) {
log.error("response 设置操作异常:" + e);
}
}
public void setResponse(HttpServletRequest request,
HttpServletResponse response, String messageKey) {
setResponse(request,response,messageKey,"OK");
}
/**
* 记录日志
*/
private void logger(HttpServletRequest request, Map<String, Object> resultMap) {
StringBuffer msg = new StringBuffer();
msg.append("异常拦截日志:");
msg.append("[uri:").append(request.getRequestURI()).append("]");
Enumeration<String> enumer = request.getParameterNames();
while (enumer.hasMoreElements()) {
String name = enumer.nextElement();
String[] values = request.getParameterValues(name);
msg.append("[").append(name).append("=");
if (values != null) {
int i = 0;
for (String value : values) {
i++;
msg.append(value);
if (i < values.length) {
msg.append("|");
}
}
}
msg.append("]");
}
msg.append(JSON.toJSONString(resultMap));
log.warn(msg.toString());
}
}
有的接口需要token校验,有的并不需要,所以还要一个放行的逻辑。
可以直接用自定义注解来实现
自定义注解@DisableAuth 代码
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@Documented
@Inherited
public @interface DisableAuth {
}
权限的校验拦截器
@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
@Autowired
private PreAuthInterceptor preAuthInterceptor;
// @Autowired
// private LoginUserHandlerMethodArgumentResolver loginUserHandlerMethodArgumentResolver;
@Override
public void addInterceptors(InterceptorRegistry registry) {
// addPathPatterns("/**") 表示拦截所有的请求,
// addPathPatterns("/api/**") 表示拦截/api/ 下的所有路径请求,
// addPathPatterns("/api/*") 表示拦截/api/abc,拦截/api/aaa , 不拦截 /api/abc/def
// addPathPatterns("/api/**").excludePathPatterns("/api/login", "/api/register") 表示拦截/api/ 下的所有路径请求,但不拦截 /api/login 和 /api/register
registry.addInterceptor(preAuthInterceptor).addPathPatterns("/**");
}
}
