1、自定义类实现WebMvcConfigurer
/**
 * Registers {@link APIAuthInterceptor} for every request path handled by Spring MVC.
 *
 * <p>The interceptor is created by the {@code @Bean} method below. Note that
 * {@code APIAuthInterceptor} is also annotated {@code @Component}, so a second,
 * unregistered instance exists in the context as well — only the one returned by
 * {@link #authInterceptor()} is attached to the MVC registry.
 */
@Configuration
public class APIAuthConfig implements WebMvcConfigurer {

    /** Ant-style pattern matching all request paths. */
    private static final String ALL_PATHS = "/**";

    /**
     * Exposes the authentication interceptor as a Spring bean.
     *
     * @return a new {@code APIAuthInterceptor}
     */
    @Bean
    public APIAuthInterceptor authInterceptor() {
        return new APIAuthInterceptor();
    }

    /**
     * Attaches the interceptor to every path, so no controller is reachable without
     * passing {@code APIAuthInterceptor#preHandle}.
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        APIAuthInterceptor interceptor = authInterceptor();
        registry.addInterceptor(interceptor).addPathPatterns(ALL_PATHS);
    }
}
2.自定义一个组件类,实现HandlerInterceptor
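/**
 * Authenticates API requests with a JWT carried in the {@code x-token-key} header and
 * enforces the {@link APIAuth} annotation on controller methods.
 *
 * <p>Checks performed, in order: header present, signature valid against the configured
 * key, standard time claims valid, {@code USER_ID} claim present, {@code ts} claim within
 * {@value #MAX_TS_SKEW_MINUTES} minutes of the server clock, and finally — for non-admin
 * users — that the target method is not marked {@code adminApi = true}. Any failure
 * writes a JSON {@code ResponseBean} error body and stops the request.
 *
 * <p>Not logged on purpose: the raw token (a bearer credential).
 */
@Component
public class APIAuthInterceptor implements HandlerInterceptor {

    private static final Logger logger = LoggerFactory.getLogger(APIAuthInterceptor.class);

    /** Request header that carries the JWT. */
    private static final String TOKEN_HEADER = "x-token-key";

    /**
     * The only servlet path served without a token (login bootstrap). Compared exactly —
     * a substring match would let any mapped path that merely contains this segment skip
     * authentication. If the login endpoint is mapped under a prefix, list the full path.
     */
    private static final String PUBLIC_PATH = "/login/initApp";

    /** Maximum allowed distance, in minutes, between the token's {@code ts} claim and now. */
    private static final long MAX_TS_SKEW_MINUTES = 120;

    /** Shared secret used as the key for token signature verification. */
    @Value("${app.x-api-key}")
    private String xApiKey;

    @Autowired
    private LoginService loginService;

    /**
     * Runs the authentication check for controller handlers; other handler types (e.g.
     * static resources) are passed through unchanged, as are requests to {@link #PUBLIC_PATH}.
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        String servletPath = request.getServletPath();
        logger.info("请求的接口路径==========>{}", servletPath);
        if (isPublicPath(servletPath)) {
            return true;
        }
        Method method = ((HandlerMethod) handler).getMethod();
        return authAPI(request, response, method);
    }

    /**
     * Exact-match allowlist check; a single trailing slash is tolerated because Spring MVC
     * may match the same handler with or without it.
     */
    private static boolean isPublicPath(String servletPath) {
        if (servletPath == null) {
            return false;
        }
        String path = servletPath;
        if (path.length() > 1 && path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        return PUBLIC_PATH.equals(path);
    }

    /**
     * Validates the request's token and the caller's permission to invoke {@code method}.
     *
     * @param request  incoming request; the token is read from {@value #TOKEN_HEADER}
     * @param response used only to write the error body when the check fails
     * @param method   the target controller method, inspected for {@link APIAuth}
     * @return {@code true} to let the request proceed, {@code false} after an error body was written
     * @throws IOException if the error body cannot be written
     */
    public Boolean authAPI(HttpServletRequest request, HttpServletResponse response, Method method) throws IOException {
        response.setCharacterEncoding("UTF-8");
        String token = request.getHeader(TOKEN_HEADER);
        if (StringUtils.isEmpty(token)) {
            return reject(response, "接口参数验证未通过");
        }

        JWT jwt;
        boolean signatureOk;
        try {
            jwt = JWTUtil.parseToken(token);
            // Key bytes are derived with an explicit charset; for an ASCII key this is identical
            // to the former platform-default getBytes(). The issuing side must derive them the same way.
            signatureOk = jwt.setKey(xApiKey.getBytes(java.nio.charset.StandardCharsets.UTF_8)).verify();
        } catch (RuntimeException e) {
            // A malformed token is an authentication failure, not a server error; previously
            // it escaped as an unhandled exception. Only the exception type is logged.
            logger.warn("token rejected: {}", e.getClass().getSimpleName());
            return reject(response, "接口TOKEN验证未通过");
        }
        if (!signatureOk) {
            return reject(response, "接口TOKEN验证未通过");
        }
        // Standard time claims (exp/nbf/iat) with zero leeway.
        if (!jwt.validate(0)) {
            return reject(response, "接口请求时间验证未通过");
        }
        Object userId = jwt.getPayload("USER_ID");
        if (userId == null) {
            return reject(response, "登录失效,请重新登录");
        }
        // "ts" may deserialize as Integer or Long; a missing or non-numeric claim used to
        // surface as a NullPointer/ClassCast exception instead of a clean rejection.
        Object ts = jwt.getPayload("ts");
        if (!(ts instanceof Number)) {
            return reject(response, "接口时间戳验证未通过");
        }
        long minutesDiff = (System.currentTimeMillis() - ((Number) ts).longValue()) / (1000 * 60);
        if (Math.abs(minutesDiff) > MAX_TS_SKEW_MINUTES) {
            return reject(response, "接口时间戳验证未通过");
        }

        boolean isAdminUser = loginService.isAdminUser(String.valueOf(userId));
        logger.info("isAdminUser:{}", isAdminUser);
        if (isAdminUser) {
            return true;
        }
        // Unannotated methods are open to any authenticated user.
        APIAuth apiAuth = method.getAnnotation(APIAuth.class);
        if (apiAuth == null) {
            return true;
        }
        logger.info("adminApi:{}", apiAuth.adminApi());
        if (apiAuth.adminApi()) {
            return reject(response, "没有操作权限");
        }
        return true;
    }

    /**
     * Writes a JSON {@code ResponseBean} error body and returns {@code false}.
     *
     * <p>The output stream is obtained only here, on the failure path, so a successful
     * request leaves the response untouched for the controller. The HTTP status is
     * deliberately left as-is to keep the existing client contract (clients key off
     * {@code ResponseBean.ERROR} in the body); NOTE(review): a 401/403 status would be
     * the conventional signal and is worth considering alongside the clients.
     */
    private static boolean reject(HttpServletResponse response, String message) throws IOException {
        response.setContentType("application/json;charset=UTF-8");
        byte[] body = JSON.toJSONString(new ResponseBean(ResponseBean.ERROR, message))
                .getBytes(java.nio.charset.StandardCharsets.UTF_8);
        response.getOutputStream().write(body);
        return false;
    }
}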
3.注解类
/**
 * Marks a controller handler method for the authorization check performed by
 * {@code APIAuthInterceptor#authAPI}. Methods without this annotation are open to any
 * caller that passes token validation.
 */
@Target({ElementType.METHOD, ElementType.ANNOTATION_TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface APIAuth {
    /**
     * When {@code true}, only callers for whom {@code LoginService.isAdminUser} returns
     * {@code true} may invoke the method; others receive an error body and are stopped.
     */
    boolean adminApi() default false;
}
4.控制器的请求方法上加上注解
/**
 * Example admin-only endpoint: {@code adminApi = true} makes the interceptor reject
 * non-admin callers before this method runs. The body is elided in the original
 * listing ({@code ***} stands for the handler logic).
 */
@APIAuth(adminApi = true)
@GetMapping("/getList")
public ResponseBean getList() {
    ***;
}