On a recent project we needed to build a web-based video call product, so our team lead has been thinking hard about API security. Since the project already existed, my first step was to look at how the current code handles API security.
I found that the first thing the project applies is an interceptor, so I sat down and studied it properly.
I. What is an interceptor?
A Spring MVC HandlerInterceptor hooks into the DispatcherServlet's handling of a request at three points: preHandle runs before the controller method and can stop the request by returning false, postHandle runs after the controller returns but before the view is rendered, and afterCompletion runs once the whole request has finished. Because every matched request passes through preHandle, it is the natural single place to put checks such as "is this caller logged in?".
II. Demo
1. ApiConfigurer
```java
package com.rcplatform.livechat.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class ApiConfigurer implements WebMvcConfigurer {
    // WebMvcConfigurerAdapter is deprecated since Spring 5.0: WebMvcConfigurer now has default
    // methods, so implementing the interface directly is enough (on Spring 4, keep extending the adapter).

    @Bean
    public WebApiInterceptor webApiInterceptor() {
        return new WebApiInterceptor();
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Several interceptors registered here form an interceptor chain, run in registration order.
        // addPathPatterns: the paths to intercept; everything under the /api prefix.
        // excludePathPatterns: paths left alone; the login endpoint, which a caller hits before having credentials.
        registry.addInterceptor(webApiInterceptor())
                .addPathPatterns("/api/**")
                .excludePathPatterns("/api/login");
    }
}
```
2. WebApiInterceptor
```java
package com.rcplatform.livechat.config;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class WebApiInterceptor implements HandlerInterceptor {

    // Runs before the controller method. This skeleton only logs and always returns true,
    // so nothing is blocked yet; the real check (token, session) belongs here.
    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {
        System.out.println("======== interceptor called before the handler method ===============");
        return true;
    }

    // Runs after the controller method returns, before the view is rendered
    @Override
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
    }

    // Runs after the whole request has completed
    @Override
    public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
        System.out.println("======== interceptor called after the handler method ===============");
    }
}
```
3. Test example
```java
// The original page shows only the two handler methods. The class wrapper below is assumed:
// the controller must be mapped under /api for these endpoints to resolve to /api/register
// and /api/login, which is what the interceptor patterns above refer to.
@RestController
@RequestMapping("/api")
public class UserController {

    private static final Logger log = LoggerFactory.getLogger(UserController.class);

    @Autowired
    private UserService userService;

    // Matches /api/** and is not excluded, so the interceptor runs
    @RequestMapping(value = "/register", method = RequestMethod.GET)
    @ApiOperation(value = "User registration endpoint")
    public void register() {
        List<User> userList = userService.selectUsers();
        log.info("============{}", userList.get(0));
    }

    // Excluded by excludePathPatterns("/api/login"), so the interceptor does not run
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    @ApiOperation(value = "User login endpoint")
    public void login() {
        log.info("===== intercepted? ===== no =====");
    }
}
```
Test results
Calling the register endpoint: the interceptor's preHandle and afterCompletion messages appear in the log.
Calling the login endpoint: no interceptor output, only the controller's own log line.
III. Summary
The interceptor gives every API endpoint a single choke point for request validation, but that is only the first step in securing the API. Next comes validating the login token and protecting it from forgery. The plan calls for an MD5-based token; MD5 is an unkeyed hash rather than encryption, so there is nothing to "decrypt", and without a secret key anyone who knows the token format can recompute a valid one. A keyed MAC such as HMAC-SHA256 is the right primitive for that. More on this in a later write-up.
1. First, create an interceptor that implements HandlerInterceptor
```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

/**
 * Login-check interceptor
 */
public class MyInterceptor implements HandlerInterceptor {

    // Called before the request is handled (before the controller method runs)
    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {
        // getSession(false) does not allocate a session for anonymous requests; the original called
        // getSession(), which creates one per unauthenticated hit
        HttpSession session = httpServletRequest.getSession(false);
        // read the login state from the session
        String user = session == null ? null : (String) session.getAttribute("user");
        if (user != null) {
            return true;
        } else {
            // not logged in: send the browser to the login page and stop the request
            httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/login/index");
            return false;
        }
    }

    // Called after the controller method returns, but before the view is rendered
    @Override
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
        System.out.println("postHandle called\n");
    }

    // Called after the whole request completes, i.e. after DispatcherServlet has rendered the view (mainly for resource cleanup)
    @Override
    public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
        System.out.println("afterCompletion called\n");
    }
}
```
2. Implement WebMvcConfigurer (on Spring versions before 5.0, extend WebMvcConfigurerAdapter instead) and override addInterceptors to register the custom interceptor:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {

    /**
     * Register the interceptor
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // addPathPatterns takes the paths to intercept; excludePathPatterns the paths to leave alone.
        // The login page and the login action must be excluded, or no one could ever log in.
        registry.addInterceptor(new MyInterceptor())
                .addPathPatterns("/**")
                .excludePathPatterns("/login/index")
                .excludePathPatterns("/login/login");
    }
}
```
With this in place, login is enforced before any request reaches the controller layer: every request passes through preHandle, which checks the session; returning true lets the request through, returning false stops it. Two practical caveats: "/**" also matches static resources and the error page handler, so exclude those as needed, and a redirect to a login page suits browser clients, while API clients should get a 401 status instead.
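Both interceptors on this page stop at "is somebody logged in": WebApiInterceptor lets everything through, and MyInterceptor only checks for a session attribute, while the summary names token validation as the next step. The class below is an added example, not code from the original post or from the livechat project: a HandlerInterceptor that verifies a signed token carried in a request header. The token format (base64url payload, a dot, a base64url HMAC-SHA256 tag over the payload), the X-Auth-Token header name, the package, and the demo key are all assumptions for illustration. It uses a keyed MAC instead of the MD5 mentioned in the summary, compares tags in constant time, enforces an expiry, and answers API clients with 401 rather than a redirect.

```java
package com.rcplatform.livechat.config; // assumed: same package as the page's demo

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

/**
 * Token-checking interceptor (added example). Assumed token format:
 *   base64url(userId ":" expiryEpochSeconds) "." base64url(HMAC-SHA256(key, payload))
 * A keyed MAC, unlike an unkeyed MD5, cannot be recomputed by someone who only knows the format.
 */
public class TokenInterceptor implements HandlerInterceptor {

    static final String HEADER = "X-Auth-Token"; // header name is an assumption
    private final byte[] key;

    public TokenInterceptor(byte[] key) { this.key = key.clone(); }

    /** Builds a token for userId valid until expiresAt (called by the login endpoint after a password check). */
    public static String issue(byte[] key, String userId, long expiresAtEpochSeconds) {
        String payload = userId + ":" + expiresAtEpochSeconds;
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(hmac(key, payload));
    }

    /** Returns the userId if the token is well-formed, unexpired and its tag verifies; otherwise null. */
    public static String verify(byte[] key, String token, long nowEpochSeconds) {
        if (token == null) return null;
        int dot = token.indexOf('.');
        if (dot <= 0 || dot == token.length() - 1) return null;
        byte[] payloadBytes, tag;
        try {
            payloadBytes = Base64.getUrlDecoder().decode(token.substring(0, dot));
            tag = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null; // not valid base64url
        }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        // MessageDigest.isEqual is constant-time; Arrays.equals would leak how many leading bytes matched
        if (!MessageDigest.isEqual(hmac(key, payload), tag)) return null;
        int sep = payload.lastIndexOf(':');
        if (sep <= 0) return null;
        long expiresAt;
        try { expiresAt = Long.parseLong(payload.substring(sep + 1)); }
        catch (NumberFormatException e) { return null; }
        if (nowEpochSeconds >= expiresAt) return null; // expired
        return payload.substring(0, sep);
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) throws Exception {
        String userId = verify(key, req.getHeader(HEADER), Instant.now().getEpochSecond());
        if (userId == null) {
            // API clients get a 401 and a JSON body, not a redirect to a login page
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            res.setContentType("application/json;charset=UTF-8");
            res.getWriter().write("{\"error\":\"unauthorized\"}");
            return false;
        }
        req.setAttribute("userId", userId); // controllers read the verified identity from here, never from the client
        return true;
    }

    // No-ops; explicit overrides so the class also compiles on Spring 4, where these are not default methods
    @Override
    public void postHandle(HttpServletRequest req, HttpServletResponse res, Object handler, ModelAndView mav) { }
    @Override
    public void afterCompletion(HttpServletRequest req, HttpServletResponse res, Object handler, Exception ex) { }

    private static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    // Stand-alone demonstration with a constructed key and fixed clock; no servlet container needed.
    public static void main(String[] args) {
        byte[] key = "demo-key-only-load-the-real-one-from-config".getBytes(StandardCharsets.UTF_8);
        long now = 1_700_000_000L;
        String token = issue(key, "alice", now + 3600);
        String forged = issue(key, "bob", now + 3600).split("\\.")[0] + token.substring(token.indexOf('.'));
        System.out.println("valid           -> " + verify(key, token, now));        // alice
        System.out.println("expired         -> " + verify(key, token, now + 7200)); // null
        System.out.println("swapped payload -> " + verify(key, forged, now));       // null: tag no longer matches
        System.out.println("wrong key       -> " + verify("other".getBytes(StandardCharsets.UTF_8), token, now)); // null
    }
}
```

Register it exactly like WebApiInterceptor in ApiConfigurer, with `registry.addInterceptor(new TokenInterceptor(key)).addPathPatterns("/api/**").excludePathPatterns("/api/login")`, loading the key from configuration rather than the literal used in main. The excluded login endpoint is where issue() is called once the password has been checked, and the client then sends the returned token in the X-Auth-Token header on every subsequent call.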