Today I'll write a simple interceptor, using a webService interface as the example:
Background: an H5 project. Any call to a method under the H5webService interface should first pass through an AuthorityInterceptor that verifies that the call type is H5 and that the session has not expired.
1. Define your own Interceptor. Mine verifies the call type (moduleType) and the session:
package com.lcc.h5.ws;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.transport.http.AbstractHTTPDestination;

import com.lcc.api.dto.session.SessionInfo;
import com.lcc.api.exception.AccessDeniedException;
import com.lcc.api.web.common.ModuleType;
import com.lcc.logger.Logger;
import com.lcc.logger.LoggerFactory;
import com.lcc.service.BaseAuthorityService;

public class AuthorityInterceptor extends AbstractPhaseInterceptor<Message> {

    private static final Logger LOGGER = LoggerFactory.getLogger(AuthorityInterceptor.class);

    private BaseAuthorityService authorityService;

    public AuthorityInterceptor(String phase) {
        super(phase);
    }

    // Default to the "post-stream" phase (Phase.POST_STREAM): the request stream has been
    // read but the service method has not yet been invoked.
    public AuthorityInterceptor() {
        this("post-stream");
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // A single fault is reused for every rejection; 421 is the status code this project chose.
        Fault fault = new Fault(new AccessDeniedException("illegal moduleType access"));
        fault.setStatusCode(421);

        HttpServletRequest httpRequest =
                (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);

        // The session id travels in the "Token" request header.
        String sessionId = httpRequest.getHeader("Token");
        if (StringUtils.isBlank(sessionId)) {
            LOGGER.info("blank session");
            throw fault;
        }
        LOGGER.info("session authority, session id {}", sessionId);

        // The caller identifies itself with the "moduleType" request header.
        String moduleKey = httpRequest.getHeader("moduleType");
        if (StringUtils.isEmpty(moduleKey)) {
            LOGGER.info("moduleType is empty");
            throw fault;
        }

        ModuleType module = ModuleType.fromKey(moduleKey);
        SessionInfo sessionInfo = null;
        if (ModuleType.H5.equals(module)) {
            // Only H5 callers get a session lookup; an unknown session id is rejected.
            sessionInfo = authorityService.getSessionInfo(sessionId);
            if (sessionInfo == null) {
                throw fault;
            }
        } else {
            // Any other (or unrecognised) module type is rejected outright.
            throw fault;
        }
    }

    public void setAuthorityService(BaseAuthorityService authorityService) {
        this.authorityService = authorityService;
    }
}
The Java bean used by the interceptor above:
package com.lcc.api.dto.session;

import java.io.Serializable;

public abstract class SessionInfo implements Serializable {

    private static final long serialVersionUID = 6544973626519192604L;

    private String key;
    // timestamp
    private Long createdAt;
    // unit: second
    private Long expiryTime;

    public String getKey() {
        return key;
    }

    public void setKey(String key) {
        this.key = key;
    }

    public Long getCreatedAt() {
        return createdAt;
    }

    public void setCreatedAt(Long createdAt) {
        this.createdAt = createdAt;
    }

    public Long getExpiryTime() {
        return expiryTime;
    }

    public void setExpiryTime(Long expiryTime) {
        this.expiryTime = expiryTime;
    }

    @Override
    public String toString() {
        return new StringBuilder().append("{key: ").append(key)
                .append(", createdAt: ").append(createdAt)
                .append(", expiryTime: ").append(expiryTime).append("}").toString();
    }
}
=====================
To keep outsiders from calling the interface at will, we can obscure the call type: internal callers send the hashed string directly, and the backend maps it back to a ModuleType and verifies it. Be clear about what this buys: an MD5 digest sent in a header is a fixed shared secret, not encryption, so anyone who can observe or guess the value can replay it. It tells the server which module is calling; the per-user Token and its session lookup remain the actual authentication.
package com.lcc.api.web.common;

public enum ModuleType {
    // The key is the pre-agreed string (the page uses an MD5 digest) that an H5 caller
    // sends in the moduleType header; the literal below is a placeholder.
    H5("<md5 digest>");

    private String key;

    ModuleType(String key) {
        this.key = key;
    }

    public String getKey() {
        return key;
    }

    // fromKey is called by the interceptor but not shown on the original page; this
    // version returns null when no module matches, which the interceptor treats as a rejection.
    public static ModuleType fromKey(String key) {
        for (ModuleType type : values()) {
            if (type.key.equals(key)) {
                return type;
            }
        }
        return null;
    }
}
For BaseAuthorityService and its implementation class, see http://www.cnblogs.com/cc-java/p/6625998.html
2. With the Interceptor written, next let's see how to configure the Interceptor for the webService in the XML configuration file.
At this point the AuthorityInterceptor has been configured for the h5WebService interface; every access to this interface first enters the interceptor, which verifies the session and the calling project's type.
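As an added example, not the page's or the project's own code: a stricter variant of the interceptor above, together with its registration on the endpoint done programmatically in Java rather than in Spring XML. It assumes, hypothetically, that SessionInfo.expiryTime is a lifetime in seconds counted from createdAt (epoch seconds), that AccessDeniedException takes a message string and BaseAuthorityService.getSessionInfo(String) returns null for unknown tokens (as the page's code uses them), and that the service bean and address are supplied by the caller. The class name StrictAuthorityInterceptor, the message key SESSION_KEY and the helpers deny, isExpired, constantTimeEquals and publish are names chosen for this example. Compared with the page's interceptor it compares the moduleType key in constant time, rejects a session whose createdAt + expiryTime has passed (the page's version fetches the session but never checks expiry), does not write the raw token to the log, answers with 403 instead of 421, and runs in Phase.PRE_INVOKE.

```java
package com.lcc.h5.ws;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;

import javax.servlet.http.HttpServletRequest;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.transport.http.AbstractHTTPDestination;

import com.lcc.api.dto.session.SessionInfo;
import com.lcc.api.exception.AccessDeniedException;
import com.lcc.api.web.common.ModuleType;
import com.lcc.service.BaseAuthorityService;

/** Example only: a stricter variant of AuthorityInterceptor, not the page's own class. */
public class StrictAuthorityInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Hypothetical message key under which the resolved session is handed to the service. */
    public static final String SESSION_KEY = "h5.sessionInfo";

    private final BaseAuthorityService authorityService;

    public StrictAuthorityInterceptor(BaseAuthorityService authorityService) {
        super(Phase.PRE_INVOKE); // after unmarshalling, just before the service method runs
        this.authorityService = authorityService;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        HttpServletRequest req =
                (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
        if (req == null) {
            throw deny("no HTTP request attached to message"); // e.g. non-HTTP transport
        }

        // 1. Caller identification: constant-time compare so the shared module key cannot
        //    be recovered byte by byte from response-time differences.
        String moduleKey = req.getHeader("moduleType");
        if (moduleKey == null || !constantTimeEquals(ModuleType.H5.getKey(), moduleKey)) {
            throw deny("illegal moduleType");
        }

        // 2. Per-user authentication: the Token header must resolve to a live session.
        String token = req.getHeader("Token");
        if (token == null || token.trim().isEmpty()) {
            throw deny("missing Token");
        }
        SessionInfo session = authorityService.getSessionInfo(token);
        if (session == null || isExpired(session, Instant.now().getEpochSecond())) {
            throw deny("session invalid or expired");
        }

        // Hand the resolved session to the service instead of logging the raw token.
        message.put(SESSION_KEY, session);
    }

    /** Assumption: expiryTime is a lifetime in seconds measured from createdAt (epoch seconds). */
    static boolean isExpired(SessionInfo session, long nowEpochSeconds) {
        Long createdAt = session.getCreatedAt();
        Long lifetime = session.getExpiryTime();
        if (createdAt == null || lifetime == null) {
            return true; // incomplete record: fail closed
        }
        return nowEpochSeconds >= createdAt + lifetime;
    }

    static boolean constantTimeEquals(String expected, String actual) {
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }

    private static Fault deny(String reason) {
        Fault fault = new Fault(new AccessDeniedException(reason));
        fault.setStatusCode(403); // Forbidden; 421 means "Misdirected Request" in HTTP
        return fault;
    }

    /** Programmatic equivalent of listing the interceptor under jaxws:inInterceptors in Spring XML. */
    public static void publish(Object h5WebServiceImpl, BaseAuthorityService authorityService,
                               String address) {
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceBean(h5WebServiceImpl);
        factory.setAddress(address); // e.g. "/h5WebService" (hypothetical path)
        factory.getInInterceptors().add(new StrictAuthorityInterceptor(authorityService));
        factory.create();
    }
}
```

The XML wiring the page refers to does the same thing declaratively: the interceptor bean is listed inside a `<jaxws:inInterceptors>` element of the `<jaxws:endpoint>` that publishes the service, so CXF runs it on every inbound message before the service method. Whichever way it is registered, the ordering matters: check the cheap, non-secret moduleType header first, then do the session lookup, and let the service read the session from the message rather than re-parsing the Token header itself.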