User registration
- Username validity checks (length, sensitive words (including "admin" and similar), duplicates, special characters (emoticons, HTML tags, etc.))
- Password length requirements
- Salted password hashing, password strength checks
- Account activation by e-mail / SMS
LoginController:
@RequestMapping(path = {"/reg/"}, method = {RequestMethod.GET, RequestMethod.POST})
@ResponseBody
public String reg(Model model, @RequestParam("username") String username,
                  @RequestParam("password") String password,
                  @RequestParam(value="rember", defaultValue = "0") int rememberme,
                  HttpServletResponse response) {
    try {
        // The service performs the username/password checks and stores the salted hash;
        // on success it returns a login ticket under the key "ticket"
        Map<String, Object> map = userService.register(username, password);
        if (map.containsKey("ticket")) {
            Cookie cookie = new Cookie("ticket", map.get("ticket").toString());
            cookie.setPath("/");
            if (rememberme > 0) {
                // "remember me": keep the ticket cookie for 5 days instead of the browser session
                cookie.setMaxAge(3600*24*5);
            }
            response.addCookie(cookie);
            return ToutiaoUtil.getJSONString(0, "注册成功");
        } else {
            // validation failed: the map carries the error message(s)
            return ToutiaoUtil.getJSONString(1, map);
        }
    } catch (Exception e) {
        logger.error("注册异常" + e.getMessage());
        return ToutiaoUtil.getJSONString(1, "注册异常");
    }
}
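The checks listed under "User registration" all happen inside userService.register, which the page does not show. The following is an added example (not the course project's code) of what such a service does before it issues a ticket: username validation against length, a reserved-word list, duplicates and disallowed characters, a minimal password-strength check, and salted password hashing. It uses PBKDF2 from the JDK in place of a single salted digest; the RESERVED set, the ALLOWED pattern, the iteration count and the in-memory `existing` set are all constructed for the example.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical helper showing the checks behind userService.register; not the project's code. */
public class RegistrationChecks {
    // Constructed reserved-name list; a real deployment loads its own sensitive-word list.
    private static final Set<String> RESERVED = Set.of("admin", "administrator", "root", "管理员");
    // Letters, digits, underscore or CJK characters only, 3-20 code points: this rejects
    // HTML tags, emoticons and other punctuation outright instead of trying to strip them.
    private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9_\\u4e00-\\u9fa5]{3,20}$");
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 100_000; // assumed PBKDF2 work factor

    /** Returns a map with key "msg" describing the problem, or an empty map if the name is acceptable. */
    public static Map<String, Object> validateUsername(String username, Set<String> existing) {
        Map<String, Object> map = new HashMap<>();
        if (username == null || username.isBlank()) {
            map.put("msg", "username must not be empty");
        } else if (!ALLOWED.matcher(username).matches()) {
            map.put("msg", "username must be 3-20 letters, digits, underscores or CJK characters");
        } else if (RESERVED.contains(username.toLowerCase())) {
            map.put("msg", "username is reserved");
        } else if (existing.contains(username.toLowerCase())) {
            map.put("msg", "username already taken");
        }
        return map;
    }

    /** Minimal strength check: length plus at least one letter and one digit. */
    public static Map<String, Object> validatePassword(String password) {
        Map<String, Object> map = new HashMap<>();
        if (password == null || password.length() < 8) {
            map.put("msg", "password must be at least 8 characters");
        } else if (!password.matches(".*[A-Za-z].*") || !password.matches(".*[0-9].*")) {
            map.put("msg", "password must contain both letters and digits");
        }
        return map;
    }

    /** Fresh random salt per user, stored next to the hash. */
    public static String newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return Base64.getEncoder().encodeToString(salt);
    }

    /** PBKDF2-HMAC-SHA256 over the password and the user's salt; the result is what gets stored. */
    public static String hashPassword(String password, String salt) {
        try {
            KeySpec spec = new PBEKeySpec(password.toCharArray(),
                    Base64.getDecoder().decode(salt), ITERATIONS, 256);
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return Base64.getEncoder().encodeToString(factory.generateSecret(spec).getEncoded());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    /** Constant-time comparison so timing does not leak how many bytes matched. */
    public static boolean verifyPassword(String password, String salt, String storedHash) {
        byte[] candidate = Base64.getDecoder().decode(hashPassword(password, salt));
        byte[] stored = Base64.getDecoder().decode(storedHash);
        return MessageDigest.isEqual(candidate, stored);
    }

    public static void main(String[] args) {
        Set<String> existing = Set.of("alice"); // constructed: names already in the user table
        System.out.println(validateUsername("admin", existing));     // {msg=username is reserved}
        System.out.println(validateUsername("<b>bob</b>", existing)); // rejected by ALLOWED
        System.out.println(validateUsername("bob_2016", existing));   // {} -> acceptable
        String salt = newSalt();
        String hash = hashPassword("Passw0rd!", salt);
        System.out.println(verifyPassword("Passw0rd!", salt, hash));  // true
        System.out.println(verifyPassword("passw0rd!", salt, hash));  // false
    }
}
```

The validation methods return the same "map with a message" shape the controller above expects, so a service built on them can return the error map directly when a check fails and only issue a ticket when both maps come back empty.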
Page access
- Client: HTTP request carrying the token
- Server:
① Look up the user id from the token
② Load the user's details by user id
③ Apply the user's access permissions for the page
④ Render the page / redirect
Interceptor
public interface HandlerInterceptor{
    // permission checks go in preHandle
    boolean preHandle(HttpServletRequest var1, HttpServletResponse var2, Object var3) throws Exception;
    // postHandle is where data for the view is set and logging is done
    void postHandle(HttpServletRequest var1, HttpServletResponse var2, Object var3, ModelAndView var4) throws Exception;
    void afterCompletion(HttpServletRequest var1, HttpServletResponse var2, Object var3, Exception var4) throws Exception;
}
The overriding implementation:
package com.nowcoder.interceptor;
import com.nowcoder.dao.LoginTicketDAO;
import com.nowcoder.dao.UserDAO;
import com.nowcoder.model.HostHolder;
import com.nowcoder.model.LoginTicket;
import com.nowcoder.model.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Date;
/**
* Created by nowcoder on 2016/7/3.
*/
@Component
public class PassportInterceptor implements HandlerInterceptor {
    @Autowired
    private LoginTicketDAO loginTicketDAO;
    @Autowired
    private UserDAO userDAO;
    @Autowired
    private HostHolder hostHolder;

    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {
        String ticket = null;
        if (httpServletRequest.getCookies() != null) {
            for (Cookie cookie : httpServletRequest.getCookies()) {
                if (cookie.getName().equals("ticket")) { // does the request carry a ticket cookie?
                    ticket = cookie.getValue();          // if so, take its value
                    break;
                }
            }
        }
        // validate the ticket value
        if (ticket != null) {
            LoginTicket loginTicket = loginTicketDAO.selectByTicket(ticket);
            // unknown, expired or invalidated ticket: let the request continue as an anonymous user
            if (loginTicket == null || loginTicket.getExpired().before(new Date()) || loginTicket.getStatus() != 0) {
                return true;
            }
            // save the user up front so it can still be referenced once inside the Controller
            User user = userDAO.selectById(loginTicket.getUserId());
            hostHolder.setUser(user); // HostHolder keeps the currently logged-in user
        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
        // expose the logged-in user to the view, if there is one
        if (modelAndView != null && hostHolder.getUser() != null) {
            modelAndView.addObject("user", hostHolder.getUser());
        }
    }

    @Override
    public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
        // clear the per-request holder so the user does not leak into the next request on this thread
        hostHolder.clear();
    }
}
User data security
- Registration page served over HTTPS
- Public-key encryption with private-key decryption, e.g. the payment-password encryption on Alipay's H5 pages
- Salted user passwords to resist cracking
- Token validity period
- Single sign-on limited to one platform; checks for anomalous login IPs
- Permission checks based on user status
- A CAPTCHA mechanism to prevent brute force and bulk registration
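The "token validity period" point and the ticket handling in the controller and interceptor above fit together as one lifecycle: issue a random ticket with an expiry, send it in a hardened cookie, resolve it on each request, and invalidate it on logout. The following is an added example (not the course project's code) of that lifecycle. The Ticket class and the in-memory store are stand-ins for the project's LoginTicket entity and LoginTicketDAO, and the TTL values are assumptions; the 5-day "remember me" age matches the cookie set in the controller above.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;

/** Hypothetical ticket service; stands in for the project's LoginTicket/LoginTicketDAO. */
public class TicketService {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long SESSION_TTL_MS = 3600L * 1000;            // assumed: 1 hour
    private static final long REMEMBER_TTL_MS = 3600L * 24 * 5 * 1000;  // 5 days, as in the controller

    /** Minimal stand-in for LoginTicket: value, owner, expiry and status (0 = valid, 1 = invalidated). */
    public static class Ticket {
        public final String value;
        public final int userId;
        public final Date expired;
        public volatile int status = 0;

        Ticket(String value, int userId, Date expired) {
            this.value = value;
            this.userId = userId;
            this.expired = expired;
        }
    }

    // Constructed in-memory store in place of the database table.
    private final Map<String, Ticket> store = new ConcurrentHashMap<>();

    /** 256 bits from SecureRandom: the ticket is unguessable, unlike a counter or a timestamp. */
    public Ticket issue(int userId, boolean rememberMe) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String value = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        long ttl = rememberMe ? REMEMBER_TTL_MS : SESSION_TTL_MS;
        Ticket ticket = new Ticket(value, userId, new Date(System.currentTimeMillis() + ttl));
        store.put(value, ticket);
        return ticket;
    }

    /** Same cookie as the controller builds, plus HttpOnly and Secure so page scripts and plain HTTP never see it. */
    public static Cookie toCookie(Ticket ticket, boolean rememberMe) {
        Cookie cookie = new Cookie("ticket", ticket.value);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        if (rememberMe) {
            cookie.setMaxAge((int) (REMEMBER_TTL_MS / 1000));
        }
        return cookie;
    }

    /** Mirrors the interceptor's check: unknown, expired or invalidated tickets resolve to no user. */
    public Integer resolveUserId(String ticketValue) {
        Ticket ticket = ticketValue == null ? null : store.get(ticketValue);
        if (ticket == null || ticket.status != 0 || ticket.expired.before(new Date())) {
            return null;
        }
        return ticket.userId;
    }

    /** Logout: flip the status rather than deleting, so a replayed cookie is rejected and the event stays auditable. */
    public void invalidate(String ticketValue) {
        Ticket ticket = store.get(ticketValue);
        if (ticket != null) {
            ticket.status = 1;
        }
    }

    public static void main(String[] args) {
        TicketService service = new TicketService();
        Ticket t = service.issue(42, true);
        System.out.println(service.resolveUserId(t.value));   // 42
        service.invalidate(t.value);
        System.out.println(service.resolveUserId(t.value));   // null
        System.out.println(service.resolveUserId("bogus"));   // null
    }
}
```

The expiry stored with the ticket is what enforces the validity period server-side; the cookie's max-age only tells the browser how long to keep sending it, and an interceptor must never trust that alone.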