**1. 登录校验逻辑**
用户登录的校验逻辑分为三个主要步骤,分别是校验验证码,校验用户状态和校验密码,具体逻辑如下
- 前端发送 `username`、`password`、`captchaKey`、`captchaCode` 请求登录。
- 判断 `captchaCode` 是否为空,若为空,则直接响应验证码为空;若不为空进行下一步判断。
- 根据 `captchaKey` 从 Redis 中查询之前保存的 `code`,若查询出来的 `code` 为空,则直接响应验证码已过期;若不为空进行下一步判断。
- 比较 `captchaCode` 和 `code`,若不相同,则直接响应验证码不正确;若相同则进行下一步判断。
- 根据 `username` 查询数据库,若查询结果为空,则直接响应账号不存在;若不为空则进行下一步判断。
- 查看用户状态,判断是否被禁用,若禁用,则直接响应账号被禁;若未被禁用,则进行下一步判断。
- 比对 `password` 和数据库中查询的密码,若不一致,则直接响应账号或密码错误;若一致则进入最后一步。
- 创建 JWT,并响应给浏览器。
首先配置JWT
1.依赖
```xml
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<scope>runtime</scope>
</dependency>
```
2.工具类
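/**
 * Creates and parses the JWT that carries the logged-in user's id and username.
 *
 * <p>Tokens are HMAC-signed with a fixed key, GZIP-compressed and expire one hour
 * after creation. Parsing failures are translated into {@link LeaseException}.
 */
public class JwtUtil {

    // Token lifetime in milliseconds (1 hour).
    private static final long TOKEN_EXPIRATION = 60 * 60 * 1000L;

    // NOTE(review): the HMAC secret is a literal in source, so anyone with the
    // repository can mint valid tokens; it should be loaded from configuration or
    // a secret store. The value is kept here because existing tokens were signed
    // with it. The charset is pinned so the key bytes are identical on every JVM
    // (the original getBytes() used the platform default).
    private static final SecretKey TOKEN_SIGN_KEY =
            Keys.hmacShaKeyFor("M0PKKI6pYGVWWfDZw90a0lTpGYX1d4AQ".getBytes(java.nio.charset.StandardCharsets.UTF_8));

    /**
     * Builds a signed, compressed JWT for the given user.
     *
     * @param userId   stored in the {@code userId} claim
     * @param username stored in the {@code username} claim
     * @return the compact JWS string
     */
    public static String createToken(Long userId, String username) {
        Date expiresAt = new Date(System.currentTimeMillis() + TOKEN_EXPIRATION);
        return Jwts.builder()
                .setSubject("USER_INFO")
                .setExpiration(expiresAt)
                .claim("userId", userId)
                .claim("username", username)
                .signWith(TOKEN_SIGN_KEY)
                .compressWith(CompressionCodecs.GZIP)
                .compact();
    }

    /**
     * Verifies the signature and expiry of {@code token} and returns its claims.
     *
     * @param token the compact JWS as received from the client
     * @return the verified claims body
     * @throws LeaseException with {@code TOKEN_EXPIRED} when the token has expired, or
     *         {@code TOKEN_INVALID} when it is malformed, tampered with, or empty
     */
    public static Claims parseToken(String token) {
        try {
            Jws<Claims> claimsJws = Jwts.parserBuilder()
                    .setSigningKey(TOKEN_SIGN_KEY)
                    .build()
                    .parseClaimsJws(token);
            return claimsJws.getBody();
        } catch (ExpiredJwtException e) {
            // Must precede the JwtException catch: ExpiredJwtException is a subtype.
            throw new LeaseException(ResultCodeEnum.TOKEN_EXPIRED);
        } catch (JwtException | IllegalArgumentException e) {
            // The parser throws IllegalArgumentException (not JwtException) for a
            // null/blank token; without this catch that surfaced as a server error.
            throw new LeaseException(ResultCodeEnum.TOKEN_INVALID);
        }
    }
}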
3.调用
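/**
 * Authenticates an admin user and returns a signed JWT.
 *
 * <p>Checks, in order: all four fields non-empty, captcha present in Redis and equal
 * to the submitted code, user exists, password digest matches, account not
 * disabled. Each failure is reported as a {@link LeaseException}; a token is
 * returned only when every check passes.
 *
 * @param loginVo username, password, captchaKey and captchaCode sent by the client
 * @return a JWT created by {@link JwtUtil#createToken(Long, String)}
 * @throws LeaseException DATA_ERROR, ADMIN_CAPTCHA_CODE_EXPIRED, ADMIN_CAPTCHA_CODE_ERROR,
 *         ADMIN_ACCOUNT_NOT_EXIST_ERROR, ADMIN_ACCOUNT_ERROR or ADMIN_ACCOUNT_DISABLED_ERROR
 */
public String login(LoginVo loginVo) {
    String username = loginVo.getUsername();
    String password = loginVo.getPassword();
    String captchaKey = loginVo.getCaptchaKey();
    String captchaCode = loginVo.getCaptchaCode();

    // Reject incomplete requests before touching Redis or the database.
    if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)
            || StringUtils.isEmpty(captchaKey) || StringUtils.isEmpty(captchaCode)) {
        throw new LeaseException(ResultCodeEnum.DATA_ERROR);
    }

    // Captcha: expired or wrong?
    // opsForValue().get() returns null when the key is absent or has expired; the
    // original code called isEmpty() on that null and crashed instead of
    // reporting ADMIN_CAPTCHA_CODE_EXPIRED.
    String sysCaptchaCode = stringRedisTemplate.opsForValue().get(captchaKey);
    if (sysCaptchaCode == null || sysCaptchaCode.isEmpty()) {
        throw new LeaseException(ResultCodeEnum.ADMIN_CAPTCHA_CODE_EXPIRED);
    }
    if (!captchaCode.equals(sysCaptchaCode)) {
        throw new LeaseException(ResultCodeEnum.ADMIN_CAPTCHA_CODE_ERROR);
    }
    // A captcha is single-use: remove it once accepted so the same key/code pair
    // cannot be submitted again with further password guesses.
    stringRedisTemplate.delete(captchaKey);

    // Look the user up by username.
    SystemUser systemUser = systemUserMapper.selectOne(
            new LambdaQueryWrapper<SystemUser>().eq(SystemUser::getUsername, username));
    if (systemUser == null) {
        throw new LeaseException(ResultCodeEnum.ADMIN_ACCOUNT_NOT_EXIST_ERROR);
    }

    // Password check.
    // NOTE(review): the stored value is an unsalted MD5 hex digest, which is not an
    // adequate password hash; moving to bcrypt/scrypt/argon2 needs a data migration
    // and is outside this method. The charset is pinned so the digest does not
    // depend on the JVM default encoding.
    String encodePassword = DigestUtils.md5DigestAsHex(
            password.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    if (!encodePassword.equals(systemUser.getPassword())) {
        throw new LeaseException(ResultCodeEnum.ADMIN_ACCOUNT_ERROR);
    }

    // Disabled-account check, kept after the password check as in the original
    // (the design notes above list it before; the code order is what ships here).
    // A missing status is treated as disabled (fail closed) rather than NPE-ing.
    if (systemUser.getStatus() == null || systemUser.getStatus().getCode() == 0) {
        throw new LeaseException(ResultCodeEnum.ADMIN_ACCOUNT_DISABLED_ERROR);
    }

    // Issue the token.
    return JwtUtil.createToken(systemUser.getId(), username);
}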
4.编写HandlerInterceptor
/**
 * Interceptor that checks the caller is logged in.
 *
 * <p>Reads the JWT from the {@code access-token} request header, rejects the
 * request when it is missing, and otherwise binds the parsed {@link LoginUser}
 * to the current thread for the duration of the request.
 */
@Component
public class AuthenticationInterceptor implements HandlerInterceptor {

    private static final String TOKEN_HEADER = "access-token";

    /**
     * Runs before the handler: rejects requests with no token, else binds the user.
     *
     * @return always {@code true}; a missing or bad token is signalled by exception
     * @throws LeaseException ADMIN_ACCESS_FORBIDDEN when the header is empty;
     *         parseToken's TOKEN_EXPIRED / TOKEN_INVALID propagate unchanged
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        String token = request.getHeader(TOKEN_HEADER);
        if (StringUtils.isEmpty(token)) {
            throw new LeaseException(ResultCodeEnum.ADMIN_ACCESS_FORBIDDEN);
        }
        // Signature and expiry are verified inside parseToken.
        Claims claims = JwtUtil.parseToken(token);
        LoginUser loginUser = new LoginUser(
                claims.get("userId", Long.class),
                claims.get("username", String.class));
        LoginUserContext.setLoginUser(loginUser);
        return true;
    }

    /** Runs after the request completes: unbinds the user from the thread. */
    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        // Without this the LoginUser would stay attached to the thread after the request.
        LoginUserContext.removeLoginUser();
    }
}
创建工具类,将当前线程和 loginUser 对象进行绑定,提供设置和获取的方法,并在上述拦截器中增加和删除 loginUser 对象
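/**
 * Binds the current request's {@link LoginUser} to the handling thread.
 *
 * <p>Set in {@code AuthenticationInterceptor.preHandle} and cleared in its
 * {@code afterCompletion}; code running on the same thread in between reads it
 * via {@link #getLoginUser()}.
 */
public class LoginUserContext {

    // Left public for backward compatibility; callers should use the accessors below.
    public static final ThreadLocal<LoginUser> threadLocal = new ThreadLocal<>();

    // Static holder only; not meant to be instantiated.
    private LoginUserContext() {
    }

    /** Binds {@code loginUser} to the current thread. */
    public static void setLoginUser(LoginUser loginUser) {
        threadLocal.set(loginUser);
    }

    /** @return the user bound to the current thread, or {@code null} if none was set */
    public static LoginUser getLoginUser() {
        return threadLocal.get();
    }

    /** Removes the binding for the current thread. */
    public static void removeLoginUser() {
        threadLocal.remove();
    }
}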
注意:我们约定,前端登录后,后续请求都将 JWT 放置于 HTTP 请求的 Header 中,其 Header 的 key 为 `access-token`。
5.注册 AuthenticationInterceptor
/**
 * Web MVC wiring: registers the enum converter factory and the authentication
 * interceptor, whose include/exclude path patterns come from {@link AuthPathProperties}.
 */
@SpringBootConfiguration
// Binds the intercepted / excluded path patterns.
@EnableConfigurationProperties(value = AuthPathProperties.class)
// TODO (from original): the inheritance relationship here is unclear.
// NOTE(review): @SpringBootConfiguration is usually reserved for the application's
// main class; a plain @Configuration is the common choice for an MVC configurer —
// confirm before changing, as it needs a different import.
public class MyWebMvcConfiguration implements WebMvcConfigurer {

    @Autowired
    private AuthPathProperties authPathProperties;

    @Autowired
    private AuthenticationInterceptor authenticationInterceptor;

    @Autowired
    private StringToBaseEnumConverter stringToBaseEnumConverter;

    // Register the interceptor together with its include/exclude path patterns.
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(authenticationInterceptor)
                .addPathPatterns(authPathProperties.getInclude())
                .excludePathPatterns(authPathProperties.getExclude());
    }

    // Register the String -> BaseEnum converter factory.
    @Override
    public void addFormatters(FormatterRegistry registry) {
        registry.addConverterFactory(stringToBaseEnumConverter);
    }
}
注意:@EnableConfigurationProperties(value = AuthPathProperties.class)加载配置类映射
最后一步简便写法