Springboot实现filter拦截token验证和跨域
背景
web验证授权合法的⼀般分为下⾯⼏种
使⽤session作为验证合法⽤户访问的验证⽅式
使⽤⾃⼰实现的token
使⽤OCA标准
在使⽤API接⼝授权验证时,token是⾃定义的⽅式实现起来不需要引⼊其他东西,关键是简单实⽤。
合法登陆后⼀般使⽤⽤户UID+盐值+时间戳使⽤多层对称加密⽣成token并放⼊分布式缓存中设置固定的过期时间长(和session的⽅式有些相同),这样当⽤户访问时使⽤token可以解密获取它的UID并据此验证其是否是合法的⽤户。
springboot中实现filter
⼀种是注解filter
⼀种是显⽰的硬编码注册filter
先有filter
import javax.servlet.annotation.WebFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import springfox.documentation.spring.web.json.Json;
import com.alibaba.fastjson.JSON;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/***************
* token验证拦截
* @author bamboo zjcjava@163
* @time 2017-08-01
*/
@Component
//@WebFilter(urlPatterns = { "/api/v/*" }, filterName = "tokenAuthorFilter")
public class TokenAuthorFilter implements Filter {
private static Logger logger = LoggerFactory
.getLogger(TokenAuthorFilter.class);
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse rep = (HttpServletResponse) response;
//设置允许跨域的配置
// 这⾥填写你允许进⾏跨域的主机ip(正式上线时可以动态配置具体允许的域名和IP)
rep.setHeader("Access-Control-Allow-Origin", "*");
// 允许的访问⽅法
rep.setHeader("Access-Control-Allow-Methods","POST, GET, PUT, OPTIONS, DELETE, PATCH");
// Access-Control-Max-Age ⽤于 CORS 相关配置的缓存
rep.setHeader("Access-Control-Max-Age", "3600");
rep.setHeader("Access-Control-Allow-Headers","token,Origin, X-Requested-With, Content-Type, Accept"); response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
String token = Header("token");//header⽅式
ResultInfo resultInfo = new ResultInfo();
boolean isFilter = false;
String method = ((HttpServletRequest) request).getMethod();
if (method.equals("OPTIONS")) {
rep.setStatus(HttpServletResponse.SC_OK);
}else{
if (null == token || token.isEmpty()) {
resultInfo.setCode(Constant.UN_AUTHORIZED);
resultInfo.setMsg("⽤户授权认证没有通过!客户端请求参数中⽆token信息");
} else {
if (TokenUtil.volidateToken(token)) {
resultInfo.setCode(Constant.SUCCESS);
resultInfo.setMsg("⽤户授权认证通过!");
isFilter = true;
} else {
resultInfo.setCode(Constant.UN_AUTHORIZED);
resultInfo.setMsg("⽤户授权认证没有通过!客户端请求参数token信息⽆效");
}
}
if (Code() == Constant.UN_AUTHORIZED) {// 验证失败
PrintWriter writer = null;
OutputStreamWriter osw = null;
try {
osw = new OutputStream(),
"UTF-8");
writer = new PrintWriter(osw, true);
String jsonStr = JSONString(resultInfo);
writer.write(jsonStr);
writer.flush();
writer.close();
osw.close();
} catch (UnsupportedEncodingException e) {
<("过滤器返回信息失败:" + e.getMessage(), e);
} catch (IOException e) {
<("过滤器返回信息失败:" + e.getMessage(), e);
} finally {
if (null != writer) {
writer.close();
}
if (null != osw) {
osw.close();
}
}
return;
}
if (isFilter) {
logger.info("token filter过滤ok!");
chain.doFilter(request, response);
}
}
}
@Override
springframework作用public void init(FilterConfig arg0) throws ServletException {
}
}
注解配置filter
加上如下配置则启动时会根据注解加载此filter
@WebFilter(urlPatterns = { “/api/*” }, filterName = “tokenAuthorFilter”)
硬编码注册filter
在application.java中加⼊如下代码
//注册filter
@Bean
public FilterRegistrationBean filterRegistrationBean() {
FilterRegistrationBean registrationBean = new FilterRegistrationBean();
TokenAuthorFilter tokenAuthorFilter = new TokenAuthorFilter();
registrationBean.setFilter(tokenAuthorFilter);
List<String> urlPatterns = new ArrayList<String>();
urlPatterns.add("/api/*");
registrationBean.setUrlPatterns(urlPatterns);
return registrationBean;
}
以上两种⽅式都可以实现filter
跨域说明
springboot可以设置全局跨域,但是对于filter中的拦截地址并不其中作⽤,因此需要在dofilter中再次设置⼀次区局设置跨域⽅式如下
⽅式1.在application.java中加⼊如下代码
//跨域设置
private CorsConfiguration buildConfig() {
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.addAllowedOrigin("*");
corsConfiguration.addAllowedHeader("*");
corsConfiguration.addAllowedMethod("*");
return corsConfiguration;
}
/**
* 跨域过滤器
* @return
*/
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
return new CorsFilter(source);
}
⽅式2.配置注解
必须集成WebMvcConfigurerAdapter类
/
**********
* 跨域 CORS:使⽤⽅法3
* ⽅法:
1服务端设置Respone Header头中Access-Control-Allow-Origin
2配合前台使⽤jsonp
3继承WebMvcConfigurerAdapter 添加配置类
blog.csdn/hanghangde/article/details/53946366
* @author xialeme
*
*/
@Configuration
public class CorsConfig extends WebMvcConfigurerAdapter{
/* @Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*")
.allowCredentials(true)
.allowedMethods("GET", "POST", "DELETE", "PUT")
.maxAge(3600);
} */
private CorsConfiguration buildConfig() {
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.addAllowedOrigin("*"); // 1
corsConfiguration.addAllowedHeader("*"); // 2
corsConfiguration.addAllowedMethod("*"); // 3
return corsConfiguration;
}
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); isterCorsConfiguration("/**", buildConfig()); // 4
return new CorsFilter(source);
}
}
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论