Business scenario: the system uses a spring-cloud architecture and is currently split into two layers: 1. a data presentation layer and 2. a data connection layer. To keep the layering clean, user authentication is done entirely in the first layer, while the second layer does nothing but plain interface calls. To prevent the second layer's interfaces from being exposed for some reason and then called maliciously, we need to process the request headers of the first layer's FeignClient so that a sign-like value is carried along when it calls the data connection layer; the data connection layer then uses an interceptor to decide whether a request arriving from the first layer is legitimate.
Implementation:
1. First, implement the RequestInterceptor interface
    import java.util.Map;
    import java.util.TreeMap;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import feign.RequestInterceptor;
    import feign.RequestTemplate;

    // Registered as a bean so Feign applies it to every outgoing FeignClient call.
    @Configuration
    public class MyRequestInterceptor implements RequestInterceptor {
        @Autowired
        private ResourceUtil resourceUtil; // project helper: current session user / store info

        @Override
        public void apply(RequestTemplate requestTemplate) {
            TSUser loginUser = resourceUtil.getSessionUser();
            Map<String, Object> wechatUserInfo = resourceUtil.getStoreUserInfo(null);
            // TreeMap keeps the keys sorted, so the data connection layer rebuilds
            // the same sign no matter in which order the parameters are added.
            Map<String, Object> requestParam = new TreeMap<String, Object>();
            if (loginUser != null) {
                requestTemplate.header("operatorId", loginUser.getId() + "");
                requestTemplate.header("visable", loginUser.getVisable());
                requestParam.put("operatorId", loginUser.getId() + "");
                requestParam.put("visable", loginUser.getVisable());
            }
            String url = requestTemplate.url();
            String timestamp = System.currentTimeMillis() + "";
            requestTemplate.header("url", url + "");
            requestTemplate.header("timestamp", timestamp);
            requestParam.put("url", url);
            requestParam.put("timestamp", timestamp);
            // Sign over exactly the parameters that were placed in the headers;
            // TokenUtil is the project's own class (its body is not shown here).
            requestTemplate.header("sign", TokenUtil.createSign(requestParam));
        }
    }
As the code above shows, I set a few shared parameters in the request headers, build a sign from those parameters, and then verify in the data connection layer whether the request is legitimate.
2. Implement a HandlerInterceptor in the data connection layer microservice
    import java.util.Map;
    import java.util.TreeMap;
    import javax.servlet.http.HttpServletRequest;   // assumed: javax servlet API (pre-Jakarta Spring)
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.HandlerInterceptor;
    import org.springframework.web.servlet.ModelAndView;
    import com.alibaba.fastjson.JSON;                // assumed: Alibaba fastjson for JSON.toJSONString

    // Note: declaring the interceptor as a bean does not apply it by itself; it must also
    // be registered through a WebMvcConfigurer's addInterceptors(...) to take effect.
    @Configuration
    public class RequestVerifyInterceptor implements HandlerInterceptor {

        public RequestVerifyInterceptor() {
        }

        @Override
        public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
                                    Object handler, Exception ex) throws Exception {
            // nothing to do once the request has completed
        }

        @Override
        public void postHandle(HttpServletRequest request, HttpServletResponse response,
                               Object handler, ModelAndView modelAndView) throws Exception {
            // nothing to do after the handler has run
        }

        @Override
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                                 Object handler) throws Exception {
            // Pull out every header the presentation layer set in its RequestInterceptor.
            String sign = request.getHeader("sign");
            String operatorId = request.getHeader("operatorId");
            String visable = request.getHeader("visable");
            String timestamp = request.getHeader("timestamp");
            String url = request.getHeader("url");
            // Same sorted map as on the sending side, so createSign sees identical input.
            Map<String, Object> requestHeaderMap = new TreeMap<String, Object>();
            requestHeaderMap.put("timestamp", timestamp);
            requestHeaderMap.put("operatorId", operatorId);
            requestHeaderMap.put("visable", visable);
            requestHeaderMap.put("url", url);
            // Rebuild the sign and compare it with the one that was sent.
            String signR = TokenUtil.createSign(requestHeaderMap);
            if (sign == null || !sign.equals(signR)) {
                response.setCharacterEncoding("utf-8");
                response.setContentType("application/json;charset=UTF-8");
                // "非法请求" = "illegal request"; ResponseObj is the project's own response wrapper.
                response.getWriter().print(JSON.toJSONString(ResponseObj.returnError("非法请求")));
                return false;
            }
            return true;
        }
    }
The interceptor pulls out all the parameters that the first layer placed in the request headers, rebuilds a sign from them and compares it with the one received; if the two differ, the request is treated as illegitimate.
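The page never shows the body of TokenUtil.createSign, and the two interceptors above only work as an access check if that function mixes in a secret the data connection layer can verify and if the timestamp is actually checked. The following SignUtil is an added example, not the project's code: it is a hypothetical stand-in for TokenUtil that derives the sign as an HMAC-SHA256 over the sorted parameters with a shared secret, and a verify method that the data-layer preHandle can call instead of the plain String.equals. The class name, the 5-minute freshness window and the shared secret are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Hypothetical stand-in for the page's TokenUtil (whose body the page does not show):
// HMAC-SHA256 over the sorted header parameters, keyed with a secret that only the
// two layers hold, so a caller who reaches the data layer directly cannot rebuild
// the sign from the headers alone.
public final class SignUtil {
    // Assumed freshness window for the timestamp header; bounds replay of a captured request.
    private static final long MAX_SKEW_MILLIS = 5 * 60 * 1000L;
    // Canonical string: TreeMap sorts the keys, so both layers get the same input
    // no matter in which order they put() the parameters.
    static String canonical(Map<String, Object> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Object> e : new TreeMap<>(params).entrySet()) {
            if (e.getValue() == null) continue; // a missing header contributes nothing
            sb.append(e.getKey()).append('=').append(e.getValue()).append('&');
        }
        return sb.toString();
    }
    public static String createSign(Map<String, Object> params, byte[] secret) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] out = mac.doFinal(canonical(params).getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : out) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (GeneralSecurityException ex) {
            throw new IllegalStateException(ex);
        }
    }
    // The check preHandle should run: reject stale or malformed timestamps first, then
    // compare the recomputed sign in constant time instead of with String.equals.
    public static boolean verify(Map<String, Object> headerParams, String sign,
                                 byte[] secret, long nowMillis) {
        Object ts = headerParams.get("timestamp");
        if (sign == null || ts == null) return false;
        long sent;
        try { sent = Long.parseLong(ts.toString()); } catch (NumberFormatException ex) { return false; }
        if (Math.abs(nowMillis - sent) > MAX_SKEW_MILLIS) return false;
        byte[] expected = createSign(headerParams, secret).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, sign.getBytes(StandardCharsets.UTF_8));
    }
}
```

In the interceptors above this replaces `TokenUtil.createSign(requestParam)` on the sending side and `sign.equals(signR)` on the receiving side with `SignUtil.verify(requestHeaderMap, sign, secret, System.currentTimeMillis())`; the secret must be loaded from configuration, never derived from the headers.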