Spring boot + session + 注解 實(shí)現(xiàn)簡(jiǎn)單的安全驗(yàn)證和權(quán)限管理(一)

寫在前面:本文一共分兩個(gè)部分,第一個(gè)部通過(guò)注解+session的形式實(shí)現(xiàn)接口的安全驗(yàn)證,第二個(gè)部分實(shí)現(xiàn)通過(guò)注解的形式實(shí)現(xiàn)簡(jiǎn)單的權(quán)限管理。

安全驗(yàn)證部分

0、基本配置

pom.xml文件

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.7.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.rootchen</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>權(quán)限驗(yàn)證</description>

    <properties>
        <java.version>1.8</java.version>
        <mybatisplus.version>3.0.7.1</mybatisplus.version>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <exclusions>
                <exclusion>
                    <artifactId>spring-boot-starter-tomcat</artifactId>
                    <groupId>org.springframework.boot</groupId>
                </exclusion>
            </exclusions>
        </dependency>

        <!-- undertow容器 -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-undertow</artifactId>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
        <!-- 數(shù)據(jù)庫(kù) -->
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <!-- mybatis-plus依賴 -->
        <dependency>
            <groupId>com.baomidou</groupId>
            <artifactId>mybatis-plus-boot-starter</artifactId>
            <version>${mybatisplus.version}</version>
        </dependency>
        <dependency>
            <groupId>com.baomidou</groupId>
            <artifactId>mybatis-plus</artifactId>
            <version>${mybatisplus.version}</version>
        </dependency>
        <dependency>
            <groupId>com.baomidou</groupId>
            <artifactId>mybatis-plus-generator</artifactId>
            <version>${mybatisplus.version}</version>
        </dependency>
        <dependency>
            <groupId>com.baomidou</groupId>
            <artifactId>mybatis-plus-support</artifactId>
            <version>2.1.9</version>
        </dependency>
        <!-- 模板引擎 -->
        <dependency>
            <groupId>org.freemarker</groupId>
            <artifactId>freemarker</artifactId>
            <version>2.3.28</version>
        </dependency>
        <!-- java 工具包-->
        <dependency>
            <groupId>cn.hutool</groupId>
            <artifactId>hutool-all</artifactId>
            <version>5.0.5</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

application.properties

server.port=8009
################
#   數(shù)據(jù)庫(kù)配置
################
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
spring.datasource.username=用戶名
spring.datasource.password=密碼
spring.datasource.url=jdbc:mysql://localhost:3306/db_demo?useUnicode=true&characterEncoding=utf8&serverTimezone=GMT%2B8&useSSL=false

####################
# mybatis-plus 配置
####################

# 如果是放在src/main/java目錄下 classpath:/com/your package/*/mapper/*Mapper.xml
# 如果是放在resource目錄 classpath:/mapper/*Mapper.xml
mybatis-plus.mapper-locations=classpath:/mapper/*Mapper.xml
mybatis-plus.global-config.banner=false
#主鍵類型  0:"數(shù)據(jù)庫(kù)ID自增", 1:"用戶輸入ID",2:"全局唯一ID (數(shù)字類型唯一ID)", 3:"全局唯一ID UUID";
mybatis-plus.global-config.db-config.id-type=auto
#字段策略 0:"忽略判斷",1:"非 NULL 判斷"),2:"非空判斷"
mybatis-plus.global-config.db-config.field-strategy=not_null
#駝峰下劃線轉(zhuǎn)換
mybatis-plus.global-config.db-config.table-underline=true
#邏輯刪除配置(下面3個(gè)配置)
# 邏輯刪除全局值(1表示已刪除,這也是Mybatis Plus的默認(rèn)配置)
mybatis-plus.global-config.db-config.logic-delete-value=1
# 邏輯未刪除全局值(0表示未刪除,這也是Mybatis Plus的默認(rèn)配置)
mybatis-plus.global-config.db-config.logic-not-delete-value=0
#配置返回?cái)?shù)據(jù)庫(kù)(column下劃線命名&&返回java實(shí)體是駝峰命名),自動(dòng)匹配無(wú)需as(沒開啟這個(gè),SQL需要寫as: select user_id as userId)
mybatis-plus.configuration.map-underscore-to-camel-case=true
#session過(guò)期時(shí)間
server.servlet.session.timeout=30m

1、目錄結(jié)構(gòu)

目錄結(jié)構(gòu)

2、文件內(nèi)容

2.0 NotAuth注解類

import java.lang.annotation.*;

/**
 * 免鑒權(quán)注解
 */
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@Inherited
@Documented
public @interface NotAuth {
}

2.1 MvcConfig.java

//注入自己編寫的攔截器
    @Bean
    public SecurityInterceptor securityInterceptor(){
        return new SecurityInterceptor();
    }
    
    //放行的url配置
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(securityInterceptor())
                .excludePathPatterns("/static/*")
                .excludePathPatterns("/error")
                .addPathPatterns("/**");
    }

2.2 mybatis-plus 配置
mybatis-plus官網(wǎng)
2.3 自定義返回結(jié)果
參考這篇文章
2.4 BaseExceptionHandler.java

@RestControllerAdvice
public class BaseExceptionHandler {
    private final static Logger logger = LoggerFactory.getLogger(BaseExceptionHandler.class);
      
    //空參數(shù)處理
    @ExceptionHandler(MethodArgumentNotValidException.class)
    public SR<List> handlerBindException(MethodArgumentNotValidException e) {
        BindingResult result = e.getBindingResult();
        List<String> errorList = new ArrayList<>();
        if (result.hasErrors()) {

            List<ObjectError> errors = result.getAllErrors();

            errors.forEach(p -> {
                FieldError fieldError = (FieldError) p;
                logger.error("Data check failure : object{" + fieldError.getObjectName() + "},field{" + fieldError.getField() +
                        "},errorMessage{" + fieldError.getDefaultMessage() + "}");

                errorList.add(fieldError.getDefaultMessage());
            });

        }
        return SR.error(Const.CODE.EXCEPTION_PARAM.getCode(), Const.CODE.EXCEPTION_PARAM.getDesc(), errorList);

    }
  
    //登錄處理
    @ExceptionHandler(LoginExceptionHandler.class)
    public SR loginExceptionHandler(LoginExceptionHandler e){
        logger.info(e.getMessage());
        return SR.error(Const.CODE.NEED_LOGIN.getCode(), Const.CODE.NEED_LOGIN.getDesc());
    }
    //其他異常處理
    @ExceptionHandler(RuntimeException.class)
    public SR runtimeExceptionHandler(RuntimeException e){
        logger.error(e.getMessage());
        return SR.errorMsg("系統(tǒng)錯(cuò)誤");
    }

2.5 LoginExceptionHandler

public class LoginExceptionHandler extends RuntimeException{
}

2.6 SecurityCheck

public class SecurityCheck {
    /**
     * 登錄校驗(yàn)
     *
     * @param session
     * @return Boolean
     */
    public static Boolean isLoginSuccess(HttpSession session) {
        User user = (User) session.getAttribute(Const.CURRENT_USER);
        if (user != null) {
            return true;
        }
        return false;
    }

}

2.7 SecurityInterceptor

public class SecurityInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

       if ( hasPermission(handler,request)){
           return true;
       }
       throw new LoginExceptionHandler("未登錄");
    }


    /**
     * 接口權(quán)限判斷
     * @param handler
     * @param request
     * @return
     */
    private boolean hasPermission(Object handler,HttpServletRequest request){
        if (handler instanceof HandlerMethod){
            HandlerMethod handlerMethod = (HandlerMethod) handler;
            //獲取接口上的注解,如果有注解則放行,沒有注解則進(jìn)行驗(yàn)證
            NotAuth notAuth = handlerMethod.getMethod().getAnnotation(NotAuth.class);
            if (notAuth == null){
                if (SecurityCheck.isLoginSuccess(request.getSession())){
                    return true;
                }
                return false;
            }
        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {

    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
    
    }
}

測(cè)試

0 編寫測(cè)試controller

@RestController
@RequestMapping("/demo/")
public class UserController {

    @Autowired
    private UserMapper userMapper;

    //登錄
    @NotAuth
    @PostMapping("login")
    public SR login(@Valid @RequestBody User user, HttpServletRequest request){
        //加密
        user.setPassword(DigestUtil.md5Hex(user.getPassword()));
        User user1 = userMapper.checkUser(user);
        if (user1 == null){
            return SR.error(Const.CODE.ERROR.getCode(),"用戶名或者密碼錯(cuò)誤");
        }
        rrequest.getSession().setAttribute(Const.CURRENT_USER,user);
        return SR.okMsg(Const.CODE.SUCCESS.getDesc());
    }

    //注冊(cè)
    @NotAuth
    @PostMapping("regist")
    public SR regist(@Valid @RequestBody User user){
        user.setPassword(DigestUtil.md5Hex(user.getPassword()));
        userMapper.insertUser(user);
        return SR.okMsg(Const.CODE.SUCCESS.getDesc());
    }


    //獲取所有用戶
    @GetMapping("/getAllUser")
    public SR getAllUser(){
        List<User> users = userMapper.selectAllUser();
        return SR.ok(users);
    }
    
    //退出登錄
    @NotAuth
    @GetMapping("/logout")
    public SR Logout(HttpServletRequest request){
        request.getSession().removeAttribute(Const.CURRENT_USER);
        return SR.ok("登出成功");
    }
    
}

注:crud請(qǐng)自己去寫

接口上有NotAuth注解的都是不需要驗(yàn)證的,沒有NotAuth都是需要驗(yàn)證的

測(cè)試:
未登錄獲取所有用戶接口


接口被打回

注冊(cè)用戶


接口成功訪問(wèn)

登錄
當(dāng)用戶名密碼為空時(shí)被打回

密碼為空

用戶名密碼都輸入

再次訪問(wèn)獲取所有用戶接口


注意在postman里測(cè)試session的時(shí)候
把登錄成功后的sessionid復(fù)制到第二個(gè)請(qǐng)求的cookie里




最后一步登出測(cè)試




再次訪問(wèn)獲取所有用戶接口

這期就這樣了~~
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

友情鏈接更多精彩內(nèi)容