SpringBoot中自定义拦截器详解 (Token校验与放行)

作者: adm 分类: java 发布时间: 2021-09-16

首先是拦截类AuthInterceptor.java中的具体逻辑,主要是有继承BaseInterceptor.java 类,而这个BaseInterceptor.java类继承了HandlerInterceptorAdapter类,然后拦截类AuthInterceptor.java实现了其中的preHandle方法

以下是全部代码

拦截器主要逻辑类——PreAuthInterceptor.java

@Slf4j
@Component
public class PreAuthInterceptor extends BaseInterceptor {

    public static final String AUTHED_TOKEN = "authorized_token";
   @Autowired
   private TokenService tokenService;


    @Override
    public boolean preHandle(HttpServletRequest request,
                             HttpServletResponse response, Object handler) throws Exception {

        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        //放行逻辑
        HandlerMethod method = (HandlerMethod) handler;
        DisableAuth auth = method.getMethod().getAnnotation(DisableAuth.class);
        if (isDisableAuth(auth)) {
            return super.preHandle(request, response, handler);
        }

        HttpSession session = request.getSession();
        String accessToken=session.getAttribute("accessToken")!=null?session.getAttribute("accessToken").toString():null;
        Object data=session.getAttribute("userData");
        if(StringUtils.isBlank(accessToken)) {
            //获取token

            String token=getAuthToken(request);

            if (StringUtils.isBlank(token)) {
                setResponse(request, response, "400","Error: token is null");
                return false;
            }
            // 3.查询token是否正确
            Map checkToken = tokenService.checkToken(request, token);
            String states = checkToken.get("code");
            data=checkToken.get("data");
            if (!states.equals("200")) {
                setResponse(request, response, "0", checkToken.get("msg"));
                return false;
            }
            session.setAttribute("accessToken",token);
            session.setAttribute("userData",data);
        }

        // 将userinfo写入到request请求中
        //request.setAttribute(Constants.REQUEST_ATTR_USER_ID, account.getId());

        request.setAttribute(USER_INFO,data );
        return true;
    }

private static boolean isDisableAuth(DisableAuth auth) {
return auth != null;
}

/**
* 获取http请求头部或者参数中的token值
*
* @param request
* http请求传递的值
* @return 返回token
*/
private String getAuthToken(HttpServletRequest request) {
String token = request.getHeader("accessToken");

if (token == null) {
token = request.getParameter("accessToken");
}
return token;
}

public static List<String> decode(String authString) {

List<String> strings = null;
if (StringUtils.isBlank(authString)) {
return null;
}
List<String> words = Splitter.on(" ").splitToList(authString);
if (words.size() != 2) {
return null;
}
switch (words.get(0)) {
case "Basic":
try {
String decoding = new String(BaseEncoding.base64().decode(words.get(1)), Charsets.UTF_8);
strings = Splitter.on(":").splitToList(decoding);
Preconditions.checkArgument(strings.size() == 2);
} catch (IllegalArgumentException e) {
throw new HttpClientErrorException(HttpStatus.UNAUTHORIZED, "bad authorization");
}
return strings;
default:
throw new HttpClientErrorException(HttpStatus.UNAUTHORIZED, "unsupported authorization");
}
}

@VisibleForTesting
public static String encode(String token) {
String encoding = Joiner.on(":").join("", token);
return Joiner.on(" ").join("Basic", BaseEncoding.base64().encode(encoding.getBytes()));
}
}

父类BaseInterceptor.java 这个类里面的代码其实与token校验关系不大

@Slf4j
public  class BaseInterceptor implements AsyncHandlerInterceptor {

    public static final String USER_KEY = "USER_ID";
    public static final String USER_INFO = "USER_INFO";
    public void setResponse(HttpServletRequest request,
                            HttpServletResponse response, String messageKey, String message) {

        response.setContentType("application/json;charset=UTF-8");
        try (Writer writer = response.getWriter()) {
            Map<String, Object> resultMap = new HashMap<>();
            resultMap.put("code", messageKey);
            resultMap.put("message", message);

            logger(request, resultMap);
            JSON.writeJSONString(writer, resultMap);
            writer.flush();
        } catch (IOException e) {
            log.error("response 设置操作异常:" + e);
        }
    }

    public void setResponse(HttpServletRequest request,
                            HttpServletResponse response, String messageKey) {
        setResponse(request,response,messageKey,"OK");

    }


    /**
     * 记录日志
     */
    private void logger(HttpServletRequest request, Map<String, Object> resultMap) {
        StringBuffer msg = new StringBuffer();
        msg.append("异常拦截日志:");
        msg.append("[uri:").append(request.getRequestURI()).append("]");
        Enumeration<String> enumer = request.getParameterNames();
        while (enumer.hasMoreElements()) {
            String name = enumer.nextElement();
            String[] values = request.getParameterValues(name);
            msg.append("[").append(name).append("=");
            if (values != null) {
                int i = 0;
                for (String value : values) {
                    i++;
                    msg.append(value);
                    if (i < values.length) {
                        msg.append("|");
                    }
                }
            }
            msg.append("]");
        }
        msg.append(JSON.toJSONString(resultMap));

        log.warn(msg.toString());
    }
}

有的接口需要token校验,有的并不需要,所以还要一个放行的逻辑。
可以直接用自定义注解来实现

自定义注解@DisableAuth 代码

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@Documented
@Inherited
public @interface DisableAuth {

}

权限的校验拦截器

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
    @Autowired
    private PreAuthInterceptor preAuthInterceptor;
   // @Autowired
   // private LoginUserHandlerMethodArgumentResolver loginUserHandlerMethodArgumentResolver;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
// addPathPatterns("/**") 表示拦截所有的请求,
// addPathPatterns("/api/**") 表示拦截/api/ 下的所有路径请求,
// addPathPatterns("/api/*") 表示拦截/api/abc,拦截/api/aaa , 不拦截 /api/abc/def
// addPathPatterns("/api/**").excludePathPatterns("/api/login", "/api/register") 表示拦截/api/ 下的所有路径请求,但不拦截 /api/login 和 /api/register
        registry.addInterceptor(preAuthInterceptor).addPathPatterns("/**");
    }


}

如果觉得我的文章对您有用,请随意赞赏。您的支持将鼓励我继续创作!