引言
为防止横向越权，前端会在请求 header 中传递 token 信息，后端需要对该 header 进行鉴权验证。
代码
定义token拦截器
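@Component
@Slf4j
public class TokenAuthInterceptor implements HandlerInterceptor {

    /** Name of the request header the client puts the token in. */
    private static final String TOKEN_HEADER = "authentication";

    /**
     * token认证配置 — supplies the on/off switch consulted in {@link #preHandle}.
     */
    @Resource
    private TokenAuthProperties tokenAuthProperties;

    /**
     * Rejects a request whose token header is blank while token authentication is switched on.
     *
     * @param request  incoming request; the token is read from the {@code authentication} header
     * @param response not written here — rejection is signalled by throwing
     * @param handler  the matched handler (unused)
     * @return {@code true} when the request may continue to the handler
     * @throws Exception when authentication is enabled and the token header is missing or blank
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        Boolean tokenSwitch = tokenAuthProperties.getTokenSwitch();
        log.info(">>>>>>>>>TokenAuthInterceptor:请求前拦截认证token, 开关:{}>>>>>>>>>>>>>", tokenSwitch);
        // Fail closed: only an explicit "false" disables the check. If getTokenSwitch()
        // returns a boxed Boolean, a null (unset property) no longer NPEs on unboxing —
        // it simply keeps authentication on.
        if (Boolean.FALSE.equals(tokenSwitch)) {
            log.info("no need to auth token.");
            return true;
        }
        String token = request.getHeader(TOKEN_HEADER);
        if (StringUtils.isBlank(token)) {
            log.error("token为空,认证失败!");
            throw new Exception("token为空,认证失败!");
        }
        // TODO: the remaining token validation (the original snippet left it as "... ...")
        // goes here — e.g. signature/expiry checks and confirming the token belongs to the
        // caller; presence alone does not prevent horizontal privilege escalation.
        // The token is a credential, so it is deliberately not written to the log.
        log.info("token认证成功!");
        return true;
    }
}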
自动配置
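@Configuration
public class WebAuthConfig extends WebMvcConfigurationSupport {

    /** Interceptor that checks the token header; registered for every path below. */
    @Resource
    private TokenAuthInterceptor tokenAuthInterceptor;

    /**
     * Registers {@link TokenAuthInterceptor} so that it runs before every handler.
     *
     * <p>NOTE(review): in a Spring Boot application, extending
     * {@code WebMvcConfigurationSupport} switches off the framework's MVC
     * auto-configuration; implementing {@code WebMvcConfigurer} instead keeps it —
     * confirm which is intended before changing the superclass.
     *
     * @param registry registry the interceptor is added to
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // "/**" covers every request, so any path that must stay reachable without
        // a token (health checks, error page) has to be excluded explicitly.
        registry.addInterceptor(tokenAuthInterceptor).addPathPatterns("/**");
    }
}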
获取token的方法
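//获取前端token
ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
// RequestContextHolder.getRequestAttributes() returns null when this code runs outside a
// request-bound thread (async task, scheduler); fail with a clear message instead of an NPE.
if (attributes == null) {
    log.error("获取token失败!错误信息:当前线程未绑定请求!");
    throw new Exception("获取token失败!错误信息:当前线程未绑定请求!");
}
//获取请求
HttpServletRequest request = attributes.getRequest();
// Header name must match the one the interceptor reads ("authentication"); HTTP header
// lookup is case-insensitive, so AUTHENTICATION may differ only in case.
if (StringUtils.isBlank(request.getHeader(AUTHENTICATION))) {
    log.error("获取token失败!错误信息:token为空!");
    throw new Exception("获取token失败!错误信息:token为空!");
}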