Introduction
A quick overview of the features and techniques used in this small demo:
- The front end and back end are separate
- A JWT is used as the token (a signed JWT, not an encrypted one: the claims are only base64url-encoded, so anyone holding the token can read them, and the signature is what stops them from changing them)
- Login check
- Role check
First, the test run (screenshots):
- Test login and obtain a token
- Test a successful login: put the token in the request header
- Test login failures:
  - empty token
  - tampered token
  - expired token
Testing the visitor function:
The token just obtained carries a role claim; that role level is 2 (visitor)
Testing the admin function:
The admin role level is 1, so a visitor has no permission to access it
Details
First, the file layout
JPA is used this time; honestly, I think it is not as nice as MyBatis
Repository layer
Service layer
- One note: the login in this demo checks no password; a valid user name alone is enough to get a token
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

@Service
public class UserService {

    @Autowired
    private UserRepository userRepository;

    /**
     * Issues a JWT for the given user name. As noted above there is no password check,
     * so anyone who knows a valid user name receives a token carrying that user's role.
     * Returns null when the user does not exist or the token could not be created.
     */
    public String login(String username) {
        String token = null;
        // Repository method as named on the page (the repository layer itself is not shown).
        // Spring Data JPA only derives queries from prefixes such as find/read/get/query/count,
        // so this name needs an explicit @Query or should be renamed along the lines of findByUsername.
        User user = userRepository.fineByName(username);
        if (user != null) {
            try {
                // The claims the interceptor later relies on: the user name and the role level.
                Map<String, Object> map = new HashMap<>();
                map.put("username", user.getUsername());
                map.put("role", user.getRole());
                // jti = random UUID, issuer = "com.zzs"; JwtUtils (not shown on the page) signs the token.
                token = JwtUtils.createJWT(UUID.randomUUID().toString(), "com.zzs", map);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return token;
    }
}
Configuration class
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/***
 * MVC configuration,
 * including interceptor registration
 */
@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Everything under /democase/ passes through the interceptor, except the login
        // endpoint, which has to be reachable without a token because it issues the token.
        // Note that "/**/login" excludes any path ending in /login, not just /democase/user/login.
        registry.addInterceptor(new Myterceptor())
                .addPathPatterns("/democase/**")
                .excludePathPatterns("/**/login");
    }
}
Annotation class
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/***
 * Role level required to call a handler method.
 * A lower value means more privilege: 1 = admin, 2 = visitor.
 */
@Target({ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface Role {
    int value();
}
Interceptor:
- The interceptor is where the important work happens
- Both the login check and the role check are implemented here
- The role level is read from the token's claims, so it can only be trusted after the signature has been verified; since the role is baked into the token at login, a role change on the server only takes effect once the old token expires
- A handler method without @Role (such as /index below) only requires a valid token; there is no default role requirement
import java.io.IOException;
import java.lang.reflect.Method;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

import io.jsonwebtoken.Claims;

/***
 * Global interceptor: login check, then role check
 * @author zzs
 */
public class Myterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
        // Login check: the token is the raw value of the Authorization header (no "Bearer " scheme prefix).
        String token = request.getHeader("Authorization");
        System.out.println("Request token: " + token);
        Claims claims;
        try {
            // parseJWT verifies the signature and the expiry; an empty, tampered or expired token throws.
            claims = JwtUtils.parseJWT(token);
        } catch (Exception e) {
            // Authentication failure: no usable token, so 401 rather than a server error.
            return ResponseUtils.returnFalse(response, 401, e.getMessage());
        }
        // Requests not mapped to a controller method (static resources, etc.) carry no @Role;
        // without this check the cast below throws ClassCastException for them.
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        // Role check: compare the level inside the (now verified) token with the level the method requires.
        HandlerMethod handlerMethod = (HandlerMethod) handler;
        Method method = handlerMethod.getMethod();
        Role role = method.getAnnotation(Role.class);
        if (role != null) {
            Integer roleRange = claims.get("role", Integer.class);
            // A lower level means more privilege. A missing role claim is denied, not allowed.
            if (roleRange != null && roleRange <= role.value()) {
                return true;
            }
            // Authenticated but not authorized: 403.
            return ResponseUtils.returnFalse(response, 403, "The user's role level is too low to access this endpoint");
        }
        // Methods without @Role only require a valid token.
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
    }
}
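The test matrix at the top of the post (empty, tampered and expired tokens; visitor versus admin) and the interceptor's decision logic can be exercised without Spring. The following is an added example, not code from the post or its project, written in Python with only the standard library so it runs stand-alone; it re-implements the parts the page relies on but does not show (an HS256 `create_jwt`/`parse_jwt` pair standing in for `JwtUtils`), and `check_access` mirrors `preHandle`. The demo key, the 600-second lifetime and the `tamper_role` helper are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Any, Dict, Optional, Tuple

# Constructed demo key. In a real deployment the key comes from configuration, never from source.
SECRET_KEY = b"demo-secret-key-do-not-use-in-production"

# Role levels as used on the page: a smaller number means more privilege.
ROLE_ADMIN = 1
ROLE_VISITOR = 2
TOKEN_TTL_SECONDS = 600  # assumed lifetime; the page's JwtUtils is not shown


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def create_jwt(username: str, role: int, now: Optional[float] = None) -> str:
    """Counterpart of JwtUtils.createJWT: HS256 token carrying the username and role claims."""
    issued_at = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "jti": str(uuid.uuid4()),  # UUID id, as UserService passes to createJWT
        "iss": "com.zzs",          # issuer, as in UserService
        "username": username,
        "role": role,
        "iat": issued_at,
        "exp": issued_at + TOKEN_TTL_SECONDS,
    }
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    return signing_input + "." + _b64url(_sign(signing_input))


def parse_jwt(token: Optional[str], now: Optional[float] = None) -> Dict[str, Any]:
    """Counterpart of JwtUtils.parseJWT: returns the claims, or raises ValueError for an
    empty, malformed, tampered or expired token (the failure cases tested on the page)."""
    if not token:
        raise ValueError("token is empty")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how the token is checked, never the token itself.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison of the recomputed signature with the one carried by the token.
    if not hmac.compare_digest(_sign(header_b64 + "." + claims_b64), _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: token tampered with or signed with another key")
    claims = json.loads(_b64url_decode(claims_b64))
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), int) or current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def check_access(token: Optional[str], required_role: Optional[int], now: Optional[float] = None) -> Tuple[int, str]:
    """Counterpart of Myterceptor.preHandle. required_role is the @Role value of the handler
    method, or None when the method has no @Role. Returns (HTTP status, message)."""
    try:
        claims = parse_jwt(token, now)
    except ValueError as exc:
        return 401, "login check failed: %s" % exc
    if required_role is None:
        return 200, "OK"  # a valid token is all an unannotated method needs
    role = claims.get("role")
    # Lower level = more privilege; a missing or non-numeric role claim is denied, not allowed.
    if isinstance(role, int) and role <= required_role:
        return 200, "OK"
    return 403, "user role level too low for this endpoint"


def tamper_role(token: str, new_role: int) -> str:
    """Rewrite the role claim without re-signing, i.e. the 'tampered token' test case;
    parse_jwt must reject the result because the signature no longer matches."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["role"] = new_role
    return header_b64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_b64


if __name__ == "__main__":
    t0 = 1_700_000_000
    visitor = create_jwt("tom", ROLE_VISITOR, now=t0)
    print("visitor -> /visitor:", check_access(visitor, ROLE_VISITOR, now=t0))
    print("visitor -> /admin:  ", check_access(visitor, ROLE_ADMIN, now=t0))
    print("empty token:        ", check_access("", None, now=t0))
    print("tampered token:     ", check_access(tamper_role(visitor, ROLE_ADMIN), ROLE_ADMIN, now=t0))
    print("expired token:      ", check_access(visitor, None, now=t0 + TOKEN_TTL_SECONDS + 1))
```

Two details in `parse_jwt` are what make the role claim trustworthy in the interceptor: the signature is checked before any claim is read, and the algorithm is fixed on the verifying side rather than taken from the token header. The `tamper_role` case shows why the page's role check can rely on `claims.get("role")` at all: flipping the role to 1 without the key produces a token that never reaches the role comparison.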
Controller layer
- Note: most of the swagger annotations are omitted
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import io.swagger.annotations.ApiImplicitParam;
import io.swagger.annotations.ApiImplicitParams;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;

@RestController
@RequestMapping("/democase/user")
public class UserController {

    @Autowired
    private UserService userService;

    // Excluded from the interceptor, so reachable without a token; this is where the token is issued.
    @RequestMapping("/login")
    public ResultUtils login(@ApiParam(value = "username") String username) throws Exception {
        return new ResultUtils(userService.login(username), "OK", 200);
    }

    // No @Role: any request carrying a valid token may call it.
    @ApiOperation(value = "Home page", httpMethod = "POST", response = Result.class)
    @ApiImplicitParams({
            @ApiImplicitParam(value = "Authorization", name = "Authorization", paramType = "header", dataType = "String"),
    })
    @RequestMapping("/index")
    public ResultUtils index() {
        return new ResultUtils("index", "OK", 200);
    }

    // Role level 2 or better: visitors (2) and admins (1) may call it.
    @Role(2)
    @RequestMapping("/visitor")
    public ResultUtils visitor() {
        return new ResultUtils("A function visitors may use", "OK", 200);
    }

    // Role level 1 only: admins may call it, visitors get 403.
    @Role(1)
    @RequestMapping("/admin")
    public ResultUtils admin() {
        return new ResultUtils("A function admins may use", "OK", 200);
    }
}
Finally, one more piece to add: