SpringBoot中自定义拦截器详解 (Token校验与放行)
首先是拦截类AuthInterceptor.java中的具体逻辑,主要是有继承BaseInterceptor.java 类,而这个BaseInterceptor.java类继承了HandlerInterceptorAdapter类,然后拦截类AuthInterceptor.java实现了其中的preHandle方法
以下是全部代码
拦截器主要逻辑类——PreAuthInterceptor.java
@Slf4j @Component public class PreAuthInterceptor extends BaseInterceptor { public static final String AUTHED_TOKEN = "authorized_token"; @Autowired private TokenService tokenService; @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { if (!(handler instanceof HandlerMethod)) { return true; } //放行逻辑 HandlerMethod method = (HandlerMethod) handler; DisableAuth auth = method.getMethod().getAnnotation(DisableAuth.class); if (isDisableAuth(auth)) { return super.preHandle(request, response, handler); } HttpSession session = request.getSession(); String accessToken=session.getAttribute("accessToken")!=null?session.getAttribute("accessToken").toString():null; Object data=session.getAttribute("userData"); if(StringUtils.isBlank(accessToken)) { //获取token String token=getAuthToken(request); if (StringUtils.isBlank(token)) { setResponse(request, response, "400","Error: token is null"); return false; } // 3.查询token是否正确 MapcheckToken = tokenService.checkToken(request, token); String states = checkToken.get("code"); data=checkToken.get("data"); if (!states.equals("200")) { setResponse(request, response, "0", checkToken.get("msg")); return false; } session.setAttribute("accessToken",token); session.setAttribute("userData",data); } // 将userinfo写入到request请求中 //request.setAttribute(Constants.REQUEST_ATTR_USER_ID, account.getId()); request.setAttribute(USER_INFO,data ); return true; } private static boolean isDisableAuth(DisableAuth auth) { return auth != null; } /** * 获取http请求头部或者参数中的token值 * * @param request * http请求传递的值 * @return 返回token */ private String getAuthToken(HttpServletRequest request) { String token = request.getHeader("accessToken"); if (token == null) { token = request.getParameter("accessToken"); } return token; } public static List<String> decode(String authString) { List<String> strings = null; if (StringUtils.isBlank(authString)) { return null; } List<String> words = Splitter.on(" ").splitToList(authString); if (words.size() != 2) { return null; } switch (words.get(0)) { case "Basic": try { String decoding = new String(BaseEncoding.base64().decode(words.get(1)), Charsets.UTF_8); strings = Splitter.on(":").splitToList(decoding); Preconditions.checkArgument(strings.size() == 2); } catch (IllegalArgumentException e) { throw new HttpClientErrorException(HttpStatus.UNAUTHORIZED, "bad authorization"); } return strings; default: throw new HttpClientErrorException(HttpStatus.UNAUTHORIZED, "unsupported authorization"); } } @VisibleForTesting public static String encode(String token) { String encoding = Joiner.on(":").join("", token); return Joiner.on(" ").join("Basic", BaseEncoding.base64().encode(encoding.getBytes())); } }
父类BaseInterceptor.java 这个类里面的代码其实与token校验关系不大
@Slf4j public class BaseInterceptor implements AsyncHandlerInterceptor { public static final String USER_KEY = "USER_ID"; public static final String USER_INFO = "USER_INFO"; public void setResponse(HttpServletRequest request, HttpServletResponse response, String messageKey, String message) { response.setContentType("application/json;charset=UTF-8"); try (Writer writer = response.getWriter()) { Map<String, Object> resultMap = new HashMap<>(); resultMap.put("code", messageKey); resultMap.put("message", message); logger(request, resultMap); JSON.writeJSONString(writer, resultMap); writer.flush(); } catch (IOException e) { log.error("response 设置操作异常:" + e); } } public void setResponse(HttpServletRequest request, HttpServletResponse response, String messageKey) { setResponse(request,response,messageKey,"OK"); } /** * 记录日志 */ private void logger(HttpServletRequest request, Map<String, Object> resultMap) { StringBuffer msg = new StringBuffer(); msg.append("异常拦截日志:"); msg.append("[uri:").append(request.getRequestURI()).append("]"); Enumeration<String> enumer = request.getParameterNames(); while (enumer.hasMoreElements()) { String name = enumer.nextElement(); String[] values = request.getParameterValues(name); msg.append("[").append(name).append("="); if (values != null) { int i = 0; for (String value : values) { i++; msg.append(value); if (i < values.length) { msg.append("|"); } } } msg.append("]"); } msg.append(JSON.toJSONString(resultMap)); log.warn(msg.toString()); } }
有的接口需要token校验,有的并不需要,所以还要一个放行的逻辑。
可以直接用自定义注解来实现
自定义注解@DisableAuth 代码
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @Documented @Inherited public @interface DisableAuth { }
权限的校验拦截器
@Configuration public class WebMvcConfig implements WebMvcConfigurer { @Autowired private PreAuthInterceptor preAuthInterceptor; // @Autowired // private LoginUserHandlerMethodArgumentResolver loginUserHandlerMethodArgumentResolver; @Override public void addInterceptors(InterceptorRegistry registry) { // addPathPatterns("/**") 表示拦截所有的请求, // addPathPatterns("/api/**") 表示拦截/api/ 下的所有路径请求, // addPathPatterns("/api/*") 表示拦截/api/abc,拦截/api/aaa , 不拦截 /api/abc/def // addPathPatterns("/api/**").excludePathPatterns("/api/login", "/api/register") 表示拦截/api/ 下的所有路径请求,但不拦截 /api/login 和 /api/register registry.addInterceptor(preAuthInterceptor).addPathPatterns("/**"); } }