- 功能介绍
登录、用户名验证、注册、忘记密码、提交问题答案（具有有效期的 token，通过 Guava 的缓存来实现）、重置密码（分为两种）、获取用户信息、更新用户信息、退出登录
- 学习目标
横向越权、纵向越权安全漏洞
MD5明文加密及增加salt值
Guava缓存的使用高复用服务响应对象的设计思想及抽象封装
Mybatis-plugin
Session的使用方法
局部演进
- 数据表设计
- 接口设计
/**
 * Web entry point of the user module; every endpoint documented on this page
 * (login.do, register.do, check_valid.do, get_user_info.do, forget_get_question.do,
 * forget_check_answer.do, forget_reset_password.do, reset_password.do,
 * update_information.do, get_information.do, logout.do) is mounted under {@code /user/}.
 *
 * <p>NOTE(review): the page says login.do is also opened for GET as a debugging
 * convenience; a GET login carries the credentials in the query string, which
 * server/proxy logs and browser history retain — confirm this is limited to
 * debugging builds.
 */
@Controller
@RequestMapping("/user/")
public class UserController {
}
ServerResponse高复用
package com.mmall.common;

import java.io.Serializable;

import org.codehaus.jackson.annotate.JsonIgnore;
import org.codehaus.jackson.map.annotate.JsonSerialize;

/**
 * Generic response envelope shared by all service and controller calls: a
 * numeric {@code status}, an optional human-readable {@code msg} and an
 * optional payload {@code data}.
 *
 * <p>Instances are created only through the static factories below (all
 * constructors are private). {@code NON_NULL} inclusion means that a null
 * {@code msg} or {@code data} is left out of the serialized JSON altogether —
 * the key disappears, as the sample responses on this page show.
 *
 * @param <T> type of the payload carried in {@code data}
 */
@JsonSerialize(include = JsonSerialize.Inclusion.NON_NULL)
public class ServerResponse<T> implements Serializable {

    private final int status;
    private final String msg;
    private final T data;

    /** Full constructor; the three shorter ones delegate to it. */
    private ServerResponse(int status, String msg, T data) {
        this.status = status;
        this.msg = msg;
        this.data = data;
    }

    private ServerResponse(int status) {
        this(status, null, null);
    }

    private ServerResponse(int status, T data) {
        this(status, null, data);
    }

    private ServerResponse(int status, String msg) {
        this(status, msg, null);
    }

    /**
     * Whether {@code status} equals {@link ResponseCode#SUCCESS}. Excluded from
     * the JSON output so that no {@code success} key is emitted.
     */
    @JsonIgnore
    public boolean isSuccess() {
        return ResponseCode.SUCCESS.getCode() == this.status;
    }

    /** @return the numeric status code */
    public int getStatus() {
        return this.status;
    }

    /** @return the payload, or null when the response carries none */
    public T getData() {
        return this.data;
    }

    /** @return the message, or null when the response carries none */
    public String getMsg() {
        return this.msg;
    }

    /** Success with neither message nor payload. */
    public static <T> ServerResponse<T> createBySuccess() {
        return new ServerResponse<T>(ResponseCode.SUCCESS.getCode());
    }

    /** Success carrying only a message. */
    public static <T> ServerResponse<T> createBySuccessMessage(String msg) {
        return new ServerResponse<T>(ResponseCode.SUCCESS.getCode(), msg);
    }

    /** Success carrying only a payload. */
    public static <T> ServerResponse<T> createBySuccess(T data) {
        return new ServerResponse<T>(ResponseCode.SUCCESS.getCode(), data);
    }

    /** Success carrying both a message and a payload. */
    public static <T> ServerResponse<T> createBySuccess(String msg, T data) {
        return new ServerResponse<T>(ResponseCode.SUCCESS.getCode(), msg, data);
    }

    /** Generic error using {@link ResponseCode#ERROR} and its default description. */
    public static <T> ServerResponse<T> createByError() {
        int code = ResponseCode.ERROR.getCode();
        return new ServerResponse<T>(code, ResponseCode.ERROR.getDesc());
    }

    /** Error using {@link ResponseCode#ERROR} with a caller-supplied message. */
    public static <T> ServerResponse<T> createByErrorMessage(String errorMessage) {
        return new ServerResponse<T>(ResponseCode.ERROR.getCode(), errorMessage);
    }

    /**
     * Error with an explicit code, e.g. the "force login" status the page
     * documents for get_information.do.
     */
    public static <T> ServerResponse<T> createByErrorCodeMessage(int errorCode, String errorMessage) {
        return new ServerResponse<T>(errorCode, errorMessage);
    }
}
接口类
package com.mmall.service;

import com.mmall.pojo.User;
import com.mmall.common.ServerResponse;

/**
 * Created by userwang on 2018/3/12.
 *
 * <p>Service contract behind the {@code /user/} endpoints described on this
 * page. Every method reports its outcome through {@link ServerResponse}: the
 * documented samples use status 0 for success (result in {@code data} or a
 * message in {@code msg}) and a non-zero status with an error {@code msg}
 * otherwise.
 *
 * <p>NOTE(review): the page lists "MD5 + salt" for password storage; a
 * purpose-built password hash (bcrypt/scrypt/argon2) is the usual
 * recommendation today — confirm what the implementation actually uses.
 */
public interface IUserService {

    /**
     * Authenticates {@code username}/{@code password}; on success the matching
     * {@link User} is returned as {@code data} (the documented sample carries
     * no password field), otherwise {@code msg} explains the failure.
     */
    ServerResponse<User> login(String username, String password);

    /**
     * Registers a new account; the documented failure is "用户已存在"
     * (user already exists).
     */
    ServerResponse<String> register(User user);

    /**
     * Checks whether {@code str} is still available; {@code type} says whether
     * {@code str} is a {@code username} or an {@code email}.
     */
    ServerResponse<String> checkValid(String str, String type);

    /**
     * Looks up the password-recovery question of {@code username}. Declared
     * with a raw {@code ServerResponse}; the documented sample returns the
     * question text in {@code data}.
     */
    ServerResponse selectQuestion(String username);

    /**
     * Verifies the recovery answer; on success {@code data} is a token that the
     * caller hands to {@link #forgetResetPassword}. The page says the token has
     * a limited lifetime, held in a Guava cache.
     */
    ServerResponse<String> checkAnswer(String username, String question, String answer);

    /**
     * Sets a new password for a user who proved the recovery answer;
     * {@code forgetToken} is the token from {@link #checkAnswer}. The documented
     * failures are an expired token and a failed reset.
     *
     * <p>NOTE(review): the page's example invokes this as a GET with
     * {@code passwordNew} in the query string; confirm the endpoint accepts
     * POST only, since query strings end up in logs and browser history.
     */
    ServerResponse<String> forgetResetPassword(String username, String passwordNew, String forgetToken);

    /**
     * Changes the password of the logged-in {@code user}; the documented
     * failure is a wrong {@code passwordOld}.
     */
    ServerResponse<String> resetPassword(String passwordOld, String passwordNew, User user);

    /**
     * Updates the logged-in user's profile; the page lists email, phone,
     * question and answer as the updatable fields.
     */
    ServerResponse<User> updateInformation(User user);

    /**
     * Loads the full record of user {@code userId}.
     *
     * <p>NOTE(review): the documented response echoes {@code question} and
     * {@code answer} (the recovery secret) alongside a blanked {@code password}
     * field; confirm the client really needs {@code answer} returned.
     */
    ServerResponse<User> getInformation(Integer userId);

    /**
     * Tells whether {@code user} holds the admin role. Declared with a raw
     * {@code ServerResponse}; the payload type is not documented on this page.
     */
    ServerResponse checkAdminRole(User user);
}
#### 1. 登录
/user/login.do POST（代码要求以 POST 方式请求），同时开放 GET，方便调试
request
username,password
response
fail
{
"status": 1,
"msg": "密码错误"
}
success
{
"status": 0,
"data": {
"id": 12,
"username": "aaa",
"email": "aaa@163.com",
"phone": null,
"role": 0,
"createTime": 1479048325000,
"updateTime": 1479048325000
}
}
#### 2. 注册 /user/register.do
request
username,password,email,phone,question,answer
response
success
{
"status": 0,
"msg": "校验成功"
}
fail
{
"status": 1,
"msg": "用户已存在"
}
#### 3. 检查用户名是否有效
/user/check_valid.do
/check_valid.do?str=admin&type=username 即检查用户名。
request
str,type
str 可以是用户名也可以是 email，对应的 type 分别为 username 和 email。
response
success
{
"status": 0,
"msg": "校验成功"
}
fail
{
"status": 1,
"msg": "用户已存在"
}
#### 4. 获取登录用户信息 /user/get_user_info.do
request
无参数
response
success
{
"status": 0,
"data": {
"id": 12,
"username": "aaa",
"email": "aaa@163.com",
"phone": null,
"role": 0,
"createTime": 1479048325000,
"updateTime": 1479048325000
}
}
fail
{
"status": 1,
"msg": "用户未登录,无法获取当前用户信息"
}
#### 5. 忘记密码 /user/forget_get_question.do
localhost:8080/user/forget_get_question.do?username=geely
request
username
response
success
{
"status": 0,
"data": "这里是问题"
}
fail
{
"status": 1,
"msg": "该用户未设置找回密码问题"
}
#### 6. 提交问题答案 /user/forget_check_answer.do
localhost:8080/user/forget_check_answer.do?username=aaa&question=aa&answer=sss
request
username,question,answer
response
成功的返回值里包含一个 token，修改密码时需要用到它，并传递给下一个接口。
success
{
"status": 0,
"data": "531ef4b4-9663-4e6d-9a20-fb56367446a5"
}
fail
{
"status": 1,
"msg": "问题答案错误"
}
#### 7. 忘记密码的重设密码 /user/forget_reset_password.do
localhost:8080/user/forget_reset_password.do?username=aaa&passwordNew=xxx&forgetToken=531ef4b4-9663-4e6d-9a20-fb56367446a5
request
username,passwordNew,forgetToken
response
success
{
"status": 0,
"msg": "修改密码成功"
}
fail
{
"status": 1,
"msg": "修改密码操作失效"
}
或
{
"status": 1,
"msg": "token已经失效"
}
#### 8. 登录状态下重置密码 /user/reset_password.do
request
passwordOld,passwordNew
response
success
{
"status": 0,
"msg": "修改密码成功"
}
fail
{
"status": 1,
"msg": "旧密码输入错误"
}
#### 9. 登录状态下更新个人信息 /user/update_information.do
request
email,phone,question,answer
response
success
{
"status": 0,
"msg": "更新个人信息成功"
}
fail
{
"status": 1,
"msg": "用户未登录"
}
#### 10. 获取当前登录用户的详细信息，并强制登录 /user/get_information.do
request
无参数
response
success
{
"status": 0,
"data": {
"id": 1,
"username": "admin",
"password": "",
"email": "admin@163.com",
"phone": "13800138000",
"question": "question",
"answer": "answer",
"role": 1,
"createTime": 1478422605000,
"updateTime": 1491305256000
}
}
fail
{
"status": 10,
"msg": "用户未登录,无法获取当前用户信息,status=10,强制登录"
}
#### 11. 退出登录 /user/logout.do
request
无
response
success
{
"status": 0,
"msg": "退出成功"
}
fail
{
"status": 1,
"msg": "服务端异常"
}