使用自定义注解校验用户授权和获取授权信息

/********************** 自定义 授权拦截注解***********************************/

/**
 * Marks a controller class or handler method as one whose caller must be authenticated.
 *
 * <p>Read at runtime by {@code AuthUserInterceptor}; a method-level annotation takes precedence
 * over a class-level one.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
public @interface AuthToken {

    /**
     * Whether the authorization header must be present. {@code false} lets a single method opt
     * out of a class-level requirement.
     */
    boolean required() default true;
}

/********************** 自定义 授权信息注解***********************************/
/**
 * Marks a handler-method parameter to be populated with the authenticated user.
 *
 * <p>{@code AuthUserMethodArgumentResolver} resolves such parameters from the request attributes
 * written by {@code AuthUserInterceptor}. {@code @ApiIgnore} (springfox) is expected to keep the
 * parameter out of the generated API documentation.
 */
@Documented
@ApiIgnore
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.PARAMETER)
public @interface AuthUser {
}

/****************************** 用户授权登录拦截 *************************************/
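@Component
@Slf4j
public class AuthUserInterceptor implements HandlerInterceptor {

    /**
     * Enforces the {@link AuthToken} contract before a controller method runs.
     *
     * <p>Handlers that are not {@link HandlerMethod}s are let through untouched. For handler
     * methods, a method-level {@code @AuthToken} takes precedence over a class-level one. When
     * the effective annotation has {@code required() == true}, the request must carry a
     * non-blank {@code IAuthConst.KEY_AUTHORIZATION} header; the caller's identity is then
     * published on the request as {@code IAuthConst.KEY_USER_ID} and
     * {@code IAuthConst.KEY_USER_NAME}, where {@code AuthUserMethodArgumentResolver} reads it.
     *
     * @param request  current request
     * @param response current response (not used)
     * @param handler  resolved handler, possibly not a {@link HandlerMethod}
     * @return {@code true} to continue the handler chain
     * @throws AuthorizationException if the header is required but missing or blank
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws AuthorizationException {
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        AuthToken authToken = findAuthToken((HandlerMethod) handler);
        if (authToken == null || !authToken.required()) {
            return true;
        }
        String token = request.getHeader(IAuthConst.KEY_AUTHORIZATION);
        // A header that is present but empty/whitespace is as useless as a missing one;
        // the original only rejected null.
        if (token == null || token.trim().isEmpty()) {
            throw new AuthorizationException(IAuthConst.KEY_AUTHORIZATION + "不能为空");
        }
        // PLACEHOLDER from the original sample: every request carrying any non-blank header is
        // given the same fixed identity. The token must be verified (signature/expiry/lookup)
        // and the identity derived from it before this interceptor protects anything real.
        request.setAttribute(IAuthConst.KEY_USER_ID, 1);
        request.setAttribute(IAuthConst.KEY_USER_NAME, "admin");
        return true;
    }

    /**
     * Returns the effective {@link AuthToken}: the method-level annotation if present, otherwise
     * the one on the controller class, or {@code null} if neither is present.
     */
    private static AuthToken findAuthToken(HandlerMethod handlerMethod) {
        Method method = handlerMethod.getMethod();
        AuthToken onMethod = method.getAnnotation(AuthToken.class);
        if (onMethod != null) {
            return onMethod;
        }
        return handlerMethod.getBeanType().getAnnotation(AuthToken.class);
    }
}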

/***********************************用户信息字段 Resolver*****************************************/
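@Component
public class AuthUserMethodArgumentResolver implements HandlerMethodArgumentResolver {

    /**
     * Resolves only parameters annotated with {@link AuthUser}.
     *
     * @param parameter the handler-method parameter under consideration
     * @return {@code true} if the parameter carries {@code @AuthUser}
     */
    @Override
    public boolean supportsParameter(MethodParameter parameter) {
        return parameter.hasParameterAnnotation(AuthUser.class);
    }

    /**
     * Builds a {@link UserBase} from the identity attributes that {@code AuthUserInterceptor}
     * stored on the request ({@code IAuthConst.KEY_USER_ID}, {@code IAuthConst.KEY_USER_NAME}).
     *
     * <p>Returns {@code null} when the parameter is not annotated, when there is no underlying
     * servlet request, or when either attribute is absent or the id is not an {@link Integer}
     * (typically because the endpoint is not guarded by {@code @AuthToken}, so the interceptor
     * never stored them). Controllers must treat the injected value as nullable.
     *
     * @param parameter     the {@code @AuthUser} parameter being resolved
     * @param mavContainer  not used
     * @param webRequest    current request; the servlet request is unwrapped from it
     * @param binderFactory not used
     * @return the resolved user, or {@code null}
     */
    @Override
    public Object resolveArgument(MethodParameter parameter,
                                  ModelAndViewContainer mavContainer,
                                  NativeWebRequest webRequest,
                                  WebDataBinderFactory binderFactory) {
        if (!parameter.hasParameterAnnotation(AuthUser.class)) {
            return null;
        }
        HttpServletRequest servletRequest = webRequest.getNativeRequest(HttpServletRequest.class);
        if (servletRequest == null) {
            // Not backed by a servlet request; the original would have thrown an NPE here.
            return null;
        }
        Object userIdObj = servletRequest.getAttribute(IAuthConst.KEY_USER_ID);
        Object userNameObj = servletRequest.getAttribute(IAuthConst.KEY_USER_NAME);
        // instanceof already implies non-null; cast directly instead of the original
        // Integer -> String -> Integer round trip through parseInt.
        if (userIdObj instanceof Integer && userNameObj != null) {
            return new UserBase((Integer) userIdObj, userNameObj.toString());
        }
        return null;
    }
}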

/*************************** 添加拦截器到spring*****************************************/
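@Configuration
public class MyWebMvcConfigurerAdapter extends WebMvcConfigurerAdapter {

    /** Spring-managed resolver that turns {@code @AuthUser} parameters into user objects. */
    @Resource
    private AuthUserMethodArgumentResolver handlerParameterResolver;

    /**
     * Spring-managed interceptor. Injected instead of created with {@code new} (as the original
     * did) so that the registered instance is the {@code @Component} Spring manages and any
     * dependencies it acquires later — e.g. a token verifier — are actually wired.
     */
    @Resource
    private AuthUserInterceptor authUserInterceptor;

    /**
     * Registers the {@code @AuthUser} argument resolver ahead of the defaults.
     *
     * @param argumentResolvers mutable list of resolvers to extend
     */
    @Override
    public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
        argumentResolvers.add(handlerParameterResolver);
        super.addArgumentResolvers(argumentResolvers);
    }

    /**
     * Registers the authorization interceptor for every path; the interceptor itself decides per
     * handler, via {@code @AuthToken}, whether a token is required.
     *
     * @param registry interceptor registry to add to
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(authUserInterceptor).addPathPatterns("/**");
    }
}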
