Today I ran into a pitfall. The home-page endpoint does not require a token, so it was annotated with @IgnoreSecurity. While debugging the endpoint, however, the user information could still be fetched from the ThreadLocal even when no token was passed. After repeated testing, and after my lead explained it, I found that when AuthInterceptor intercepts the token and encounters IgnoreSecurity, it skips the check entirely. At that point it should still inspect the ThreadLocal: if the token is empty or invalid, the ThreadLocal must be removed.
UserContext: fetching the logged-in user
/**
 * Fetch the login information
 */
@Data
@Component
public class UserContext {
    private static final ThreadLocal<LoginUserData> resources = new ThreadLocal<LoginUserData>();

    public static LoginUserData getUserData() {
        LoginUserData loginUserData = resources.get();
        if (loginUserData == null) {
            ResultUtil.error(ExceptionEnum.USER_IS_ERROR);
        }
        return loginUserData;
    }

    public static void setUserData(LoginUserData userData) {
        resources.set(userData);
    }

    // Prevent memory leaks (and stale user data on pooled threads)
    public static void remove() {
        resources.remove();
    }
}
The relevant fragment of AuthInterceptor
if (method.isAnnotationPresent(IgnoreSecurity.class)) {
    if (StrUtil.isNotEmpty(token)) {
        String userId = userService.getUserByUuid(token);
        String userDataStr = (String) redisUtils.get(RedisConstants.ACCOUNT_TOKEN_PREFIX + token);
        if (userId != null && userDataStr != null) {
            request.setAttribute("userId", userId);
            LoginUserData loginUserData = JSONObject.parseObject(userDataStr, LoginUserData.class);
            UserContext.setUserData(loginUserData);
        } else {
            // Token present but invalid: clear any stale user left on this thread
            UserContext.remove();
        }
    } else {
        // No token: clear any stale user left on this thread
        UserContext.remove();
    }
    return true;
}
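The root cause is that servlet threads are pooled, so a LoginUserData set by an earlier authenticated request survives on the thread until something removes it. As an added example (not the post's own code), here is the full interceptor shape I would use: clear the ThreadLocal before every request and again in afterCompletion, so the per-branch remove() calls above become defence in depth rather than the only safeguard. userService, redisUtils, RedisConstants, StrUtil and the "token" header name are assumed to match the post's project.

```java
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import com.alibaba.fastjson.JSONObject;

// Added example; userService and redisUtils are assumed to be injected as in the post.
public class AuthInterceptor implements HandlerInterceptor {
    private UserService userService;
    private RedisUtils redisUtils;

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        // Start clean: whatever the previous request on this pooled thread left behind must not leak in.
        UserContext.remove();
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        Method method = ((HandlerMethod) handler).getMethod();
        LoginUserData user = resolveUser(request, request.getHeader("token")); // null if missing/invalid

        if (method.isAnnotationPresent(IgnoreSecurity.class)) {
            // Public endpoint: a valid token still populates the context; an invalid one leaves it empty.
            if (user != null) {
                UserContext.setUserData(user);
            }
            return true;
        }
        if (user == null) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        UserContext.setUserData(user);
        return true;
    }

    // Looks the token up exactly as the post does; returns null unless both lookups succeed.
    private LoginUserData resolveUser(HttpServletRequest request, String token) {
        if (StrUtil.isEmpty(token)) return null;
        String userId = userService.getUserByUuid(token);
        String userDataStr = (String) redisUtils.get(RedisConstants.ACCOUNT_TOKEN_PREFIX + token);
        if (userId == null || userDataStr == null) return null;
        request.setAttribute("userId", userId);
        return JSONObject.parseObject(userDataStr, LoginUserData.class);
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
        UserContext.remove(); // runs even when the handler threw, so the thread returns to the pool clean
    }
}
```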