https://blog.csdn.net/qq_36085004/article/details/83348144

2018-10-24 17:59:29 PerkinsLi Views: 232

Contents

  • API verification

    • Scenario
    • Implementation idea
    • Code
      • Interceptor:
      • Interceptor registration:
  • Login token permission verification
    • Scenario
    • Implementation idea
    • Code
      • JWT token generation code
      • Interceptor code:
      • Interceptor registration:

API verification

Scenario

With front-end/back-end separation, data is fetched by calling our API endpoints through asynchronous requests. If we add no security handling, anyone else can call our API directly as well, and our data leaks. So, to make sure the API can only be called by callers we allow, we protect it: every call has to pass a verification step, and only requests that pass are allowed to reach the API.

Implementation idea

Client:
A caller of our API takes a timestamp `timestamp`, a random string `noncestr` and the request parameters sorted in ascending order, concatenates them into one string, and hashes that string with MD5 to produce a signature `sign`.
When sending the request, the client passes `timestamp`, `noncestr` and `sign` to the back end.

Back end:
Write an interceptor that intercepts every request.
In the interceptor, verify the request:
1. Is the request parameter `sign` missing? If so, return false.
2. Is `timestamp` plus ten minutes (a request older than 10 minutes has expired) less than the server's current timestamp? If so, return false.
3. The back end collects all parameters, concatenates them by the same rule, hashes the result with MD5 to get a signature, and compares it with the signature sent in the request: if they match, let the request through; otherwise return false.
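The client side of this scheme is only described in prose above, so here is an added example (not code from the original post) that builds the signature exactly the way the interceptor recomputes it, together with a plain-Java server-side check that applies the same three rules. Two things go beyond the post and are assumptions: the comparison is done in constant time with `MessageDigest.isEqual`, and `noncestr` is recorded so the same signed request cannot be accepted twice inside the ten-minute window (the `ConcurrentHashMap` stands in for a shared cache such as Redis with a TTL). UTF-8 is assumed on both sides; the interceptor uses the platform default via `getBytes()`, so client and server must agree on the encoding. Note also that nothing secret goes into the hashed string, so the signature only proves that the caller knows the concatenation rule; a keyed digest (HMAC with a per-client secret) is the usual hardening.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Client-side signing and a matching server-side check for the scheme described above.
 * Added example, not code from the original post.
 */
public class ApiSignExample {

    private static final long WINDOW_MS = 10 * 60 * 1000L;   // 10-minute validity window, as in the post
    private static final SecureRandom RNG = new SecureRandom();
    // Stand-in for a nonce cache with a TTL (Redis in a real deployment); assumption, not in the post
    private static final Map<String, Long> SEEN_NONCES = new ConcurrentHashMap<>();

    /** Builds the exact string the interceptor hashes: name+value pairs sorted by name, then noncestr and timestamp. */
    static String canonicalString(Map<String, String> params, String noncestr, String timestamp) {
        TreeMap<String, String> sorted = new TreeMap<>();      // String natural order, same as Arrays.sort on the server
        for (Map.Entry<String, String> e : params.entrySet()) {
            // the interceptor ignores empty values and the sign parameter itself
            if (e.getValue() != null && !e.getValue().isEmpty() && !"sign".equals(e.getKey())) {
                sorted.put(e.getKey(), e.getValue());
            }
        }
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            sb.append(e.getKey()).append(e.getValue());
        }
        return sb.append("noncestr").append(noncestr).append("timestamp").append(timestamp).toString();
    }

    /** Upper-case hex MD5, the same output as DigestUtils.md5DigestAsHex(...).toUpperCase(). */
    static String md5Upper(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            return hex(digest).toUpperCase();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);          // MD5 is always present in the JDK
        }
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Client side: a fresh random noncestr for every request. */
    static String newNonce() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return hex(b);
    }

    /** Server side: the three checks from the post, plus the added replay check on noncestr. */
    static boolean verify(Map<String, String> params, String noncestr, String timestamp, String sign, long nowMs) {
        if (sign == null || noncestr == null || timestamp == null) return false;   // check 1
        long ts;
        try {
            ts = Long.parseLong(timestamp);
        } catch (NumberFormatException e) {
            return false;
        }
        if (ts + WINDOW_MS < nowMs) return false;                                    // check 2: older than 10 minutes
        String expected = md5Upper(canonicalString(params, noncestr, timestamp));    // check 3
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = sign.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) return false;                              // constant-time comparison
        // Added replay check: a nonce is accepted once inside the window; evict entries older than the window
        SEEN_NONCES.entrySet().removeIf(e -> e.getValue() + WINDOW_MS < nowMs);
        return SEEN_NONCES.putIfAbsent(noncestr, ts) == null;
    }

    public static void main(String[] args) {
        // Constructed sample request
        Map<String, String> params = new HashMap<>();
        params.put("userId", "42");
        params.put("action", "list");
        String timestamp = String.valueOf(System.currentTimeMillis());
        String noncestr = newNonce();
        String sign = md5Upper(canonicalString(params, noncestr, timestamp));
        System.out.println("string to hash: " + canonicalString(params, noncestr, timestamp));
        // The client sends params and sign as request parameters, noncestr and timestamp as headers
        long now = System.currentTimeMillis();
        System.out.println("first request accepted:    " + verify(params, noncestr, timestamp, sign, now));
        System.out.println("same nonce again rejected: " + !verify(params, noncestr, timestamp, sign, now));
        params.put("userId", "43");                                // parameter changed after signing
        System.out.println("tampered request rejected: " + !verify(params, newNonce(), timestamp, sign, now));
    }
}
```

The `string to hash` line printed by `main` is what a caller has to reproduce byte for byte; for the sample parameters it reads `actionlistuserId42noncestr<nonce>timestamp<ms>`, which is why parameter names are sorted before concatenation.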

Code

Interceptor:

```java
package com.xyy.edlp.intercepter;

import org.springframework.util.DigestUtils;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.*;

/**
 * @Author: perkins
 */
public class ApiSignatureInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        Enumeration<String> paramNames = request.getParameterNames();
        String timestamp = request.getHeader("timestamp");
        // A missing or non-numeric timestamp is rejected instead of throwing from Long.valueOf
        if (timestamp == null) {
            response.setStatus(403);
            return false;
        }
        long timestampDate;
        try {
            timestampDate = Long.parseLong(timestamp) + 1000 * 60 * 10;
        } catch (NumberFormatException e) {
            response.setStatus(403);
            return false;
        }
        long currDate = System.currentTimeMillis();
        // Request expired (older than 10 minutes)
        if (timestampDate < currDate) {
            response.setStatus(403);
            return false;
        }
        String noncestr = request.getHeader("noncestr");
        String signature = request.getParameter("sign");
        if (signature == null || noncestr == null) {
            response.setStatus(403);
            return false;
        }
        Map<String, String> map = new HashMap<>();
        // Collect all request parameters (first value of each), skipping empty values and sign itself
        while (paramNames.hasMoreElements()) {
            String paramName = paramNames.nextElement();
            String[] paramValues = request.getParameterValues(paramName);
            if (paramValues.length > 0) {
                String paramValue = paramValues[0];
                if (paramValue.length() != 0 && !"sign".equals(paramName)) {
                    map.put(paramName, paramValue);
                }
            }
        }
        // Sort the parameter names in ascending order and concatenate name + value
        String[] keys = map.keySet().toArray(new String[0]);
        Arrays.sort(keys);
        StringBuilder strBuilder = new StringBuilder();
        for (String key : keys) {
            strBuilder.append(key);
            strBuilder.append(map.get(key));
        }
        strBuilder.append("noncestr");
        strBuilder.append(noncestr);
        strBuilder.append("timestamp");
        strBuilder.append(timestamp);
        // Recompute the signature and compare it with the one sent by the client
        String newSignature = DigestUtils.md5DigestAsHex(strBuilder.toString().getBytes()).toUpperCase();
        if (!signature.equals(newSignature)) {
            response.setStatus(403);
            return false;
        }
        return true;
    }
}
```

Interceptor registration:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // No path pattern: the signature check applies to every request
        registry.addInterceptor(new ApiSignatureInterceptor());
    }
}
```

Login token permission verification

Scenario

Some APIs in the system may only be called by a logged-in user, so those APIs need their own protection.

Implementation idea

1. The client calls the login endpoint. On successful login, generate a token with JWT, store it in Redis as a UID → token key-value pair, and return the token and the UID to the client.
2. Create an interceptor for the endpoints that require login. It checks whether the request carries a token, fetches the token stored for that UID from Redis and compares it with the token in the request, then verifies the token with JWT. If both checks pass, let the request through; otherwise return false.
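The two steps above as one runnable flow, written as an added example (not the post's own code) with the same java-jwt library the post uses. The `ConcurrentHashMap` stands in for the Redis UID → token store (an assumption; a real store would give each entry a TTL equal to the token lifetime), the `SECRET` constant is a placeholder, and the `1001` UID is constructed. The signing key is derived as in the post, `account + secret`, but through `Algorithm.HMAC256(byte[])` so it compiles on every java-jwt 3.x release. The account read from the token before verification is used only to pick the stored token and the key; the request is accepted only if the stored token equals the presented one (`equals`, not `!=`) and the signature and `exp` claim verify. The `main` shows why the second check still matters when the store matches: a token whose `exp` has passed is rejected even though it is the stored one.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;

import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Login, per-request check and logout for the two steps above, with the same java-jwt
 * library the post uses. Added example, not the post's own code.
 */
public class LoginTokenFlow {

    // Placeholder secret for the example only; load the real one from configuration, never from source
    private static final String SECRET = "example-secret-placeholder";
    private static final long EXPIRE_MS = 1000L * 60 * 60 * 24 * 7;   // 7 days, as in the post

    // Stands in for the Redis UID -> token store (assumption); a real store would set a TTL of EXPIRE_MS
    private final Map<String, String> store = new ConcurrentHashMap<>();

    /** Per-account signing key, derived the same way as the post (account + secret). */
    private static Algorithm keyFor(String uid) {
        return Algorithm.HMAC256((uid + SECRET).getBytes(StandardCharsets.UTF_8));
    }

    String issue(String uid, long lifetimeMs) {
        return JWT.create()
                .withClaim("account", uid)
                .withExpiresAt(new Date(System.currentTimeMillis() + lifetimeMs))
                .sign(keyFor(uid));
    }

    /** Step 1: after the password check succeeds, issue a token and record it under the UID. */
    String login(String uid) {
        String token = issue(uid, EXPIRE_MS);
        store.put(uid, token);     // a second login replaces the first token, so the old one stops working
        return token;
    }

    /** Step 2: what the interceptor does for each request. Returns the UID, or null to reject with 401. */
    String authenticate(String token) {
        if (token == null) return null;
        String uid;
        try {
            uid = JWT.decode(token).getClaim("account").asString();   // unverified read, only to look up the store
        } catch (JWTDecodeException e) {
            return null;
        }
        if (uid == null) return null;
        String stored = store.get(uid);
        if (stored == null || !stored.equals(token)) return null;     // logged out, or not the current token
        try {
            JWT.require(keyFor(uid)).build().verify(token);           // signature and expiry (exp claim)
            return uid;
        } catch (JWTVerificationException e) {
            return null;
        }
    }

    /** Logout: removing the stored token revokes it even though the JWT itself has not expired. */
    void logout(String uid) {
        store.remove(uid);
    }

    public static void main(String[] args) {
        LoginTokenFlow flow = new LoginTokenFlow();
        String token = flow.login("1001");                                     // constructed UID
        System.out.println("current token -> " + flow.authenticate(token));    // 1001
        String expired = flow.issue("1001", -1000);                            // exp already in the past
        flow.store.put("1001", expired);
        System.out.println("expired token -> " + flow.authenticate(expired));  // null: store matches, JWT check fails
        flow.login("1001");
        flow.logout("1001");
        System.out.println("after logout  -> " + flow.authenticate(token));    // null: nothing stored for the UID
    }
}
```

Keeping the issued token server-side is what gives the flow a logout and "one active session per user" semantics that a bare JWT cannot provide; the cost is a store lookup per request, which is why the post keeps the tokens in Redis rather than in the database.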

Code

JWT token generation code

```java
package com.xyy.edlp.util;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.io.UnsupportedEncodingException;
import java.util.Date;

/**
 * @Author: perkins
 */
public class JwtUtil {

    private static final String encodeSecretKey = "XX#$%()(#*!()!KL<><MQLMNQNQJQKsdfkjsdrow32234545fdf>?N<:{LWPW";

    /**
     * Token lifetime (7 days)
     */
    private static final long EXPIRE_TIME = 1000 * 60 * 60 * 24 * 7;

    /**
     * Generate a token
     */
    public static String createToken(String account) {
        try {
            Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
            // The signing key is derived from the account plus the server secret
            Algorithm algorithm = Algorithm.HMAC256(account + encodeSecretKey);
            return JWT.create()
                    .withExpiresAt(date)
                    .withClaim("account", account)
                    .sign(algorithm);
        } catch (UnsupportedEncodingException e) {
            // Declared by HMAC256(String) in the java-jwt release used here
            return null;
        }
    }

    /**
     * Check that the token is valid: returns true when the signature verifies and the token
     * has not expired, false otherwise.
     */
    public static boolean checkToken(String token, String account) {
        try {
            Algorithm algorithm = Algorithm.HMAC256(account + encodeSecretKey);
            JWTVerifier verifier = JWT.require(algorithm).build();
            DecodedJWT jwt = verifier.verify(token);
            return true;
        } catch (UnsupportedEncodingException e) {
            return false;
        } catch (JWTVerificationException e) {
            // Bad signature, expired or malformed token: verify() throws rather than returning
            return false;
        }
    }

    /**
     * Read the account claim from the token (decodes without verifying the signature)
     */
    public static String getAccount(String token) {
        try {
            DecodedJWT jwt = JWT.decode(token);
            return jwt.getClaim("account").asString();
        } catch (JWTDecodeException e) {
            return null;
        }
    }
}
```

Interceptor code:

```java
import com.xyy.edlp.util.JwtUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// RedisUtil and RedisKey are the project's own classes and are not shown in the post
public class JwtInterceptor extends HandlerInterceptorAdapter {

    @Autowired
    RedisUtil redisUtil;

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        String token = request.getHeader("Authorization");
        if (token == null) {
            response.setStatus(401);
            return false;
        }
        String account = JwtUtil.getAccount(token);
        if (account == null) {
            // Not a decodable JWT
            response.setStatus(401);
            return false;
        }
        String redisToken = redisUtil.get(RedisKey.TP_STORE_KEY + account);
        // checkToken() returns true for a valid token, so the request is rejected when it is NOT valid
        boolean isValid = JwtUtil.checkToken(token, account);
        // Compare token contents with equals(); != only compares object references
        if (redisToken == null || !redisToken.equals(token) || !isValid) {
            response.setStatus(401);
            return false;
        }
        return true;
    }
}
```

Interceptor registration:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {

    // The interceptor uses the RedisUtil bean, but the interceptor is created before the Spring
    // container has initialised its beans, so RedisUtil cannot be injected into it.
    // To solve this, declare JwtInterceptor as a bean first and use that bean when registering
    // the interceptor.
    @Bean
    public JwtInterceptor jwtInterceptor() {
        return new JwtInterceptor();
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(jwtInterceptor()).addPathPatterns("/tp_store/logout");
    }
}
```
