Authenticating a front-end/back-end separated project via header parameters


  • Front end: add the authentication parameters to the request headers
const apiKey = '******';                 // shared API key; the back end holds the same value in app.x-api-key
const echo = '随机字符串';                // random string (a per-request nonce)
const timestamp = new Date().getTime();  // client time in milliseconds
const headers = {
    'Content-Type': 'application/json;charset=utf-8',
    'Cache-Control': 'no-cache;max-age=0',
    'Pragma': 'no-cache',
    'x-echo-key': echo,
    'x-timestamp-key': timestamp,
    // 加密函数 = the digest function; it must match the back end (MD5 over apiKey + timestamp + echo)
    'x-signature-key': 加密函数(apiKey + timestamp + echo),
    'access-token': '校验登录的token',      // login token to be checked against Redis
    'user-id': '用户ID'                    // user ID the token was stored under
};
  • Back end: interceptor configuration class (AuthInterceptorConfig.java)
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class AuthInterceptorConfig implements WebMvcConfigurer {

    // Registered as a bean so that @Value and @Autowired inside AuthInterceptor are injected
    @Bean
    public AuthInterceptor initAuthInterceptor() {
        return new AuthInterceptor();
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(initAuthInterceptor())
                .addPathPatterns("/col/**")       // URLs that require authentication
                .excludePathPatterns("/login/**"); // URLs that do not (login must work without a token)
    }
}
  • Back end: interceptor handler class (AuthInterceptor.java)
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

public class AuthInterceptor implements HandlerInterceptor {
    private final static Logger logger = LoggerFactory.getLogger(AuthInterceptor.class);
    @Value("${app.x-api-key}")
    private String x_api_key;          // server-side copy of the shared API key
    @Autowired
    private RedisService redisService; // project helper: holds the login tokens

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        response.setCharacterEncoding("UTF-8");
        response.setContentType("text/html;charset=utf-8");

        String servletPath = request.getServletPath();
        String xEchoKey = request.getHeader("x-echo-key");
        String xTimestampKey = request.getHeader("x-timestamp-key");
        String xSignatureKey = request.getHeader("x-signature-key");
        String accessToken = request.getHeader("access-token");
        String userId = request.getHeader("user-id");

        // Special-case URLs: take the parameters from the query string instead of the headers
        if (servletPath.contains("/**")) {
            String queryString = request.getQueryString();
            Map<String, String> urlParams = StringUtil.queryStrToMap(queryString); // project helper
            xEchoKey = urlParams.get("x-echo-key");
            xTimestampKey = urlParams.get("x-timestamp-key");
            xSignatureKey = urlParams.get("x-signature-key");
            accessToken = urlParams.get("access-token");
            userId = urlParams.get("user-id");
        }

        // 1. Required-parameter check (token and user ID included, so the checks below never see null)
        if (StringUtils.isEmpty(xEchoKey) || StringUtils.isEmpty(xTimestampKey) || StringUtils.isEmpty(xSignatureKey)
                || StringUtils.isEmpty(accessToken) || StringUtils.isEmpty(userId)) {
            response.getWriter().println("非法请求,接口参数验证错误");
            return false;
        }

        // 2. Signature check: MD5 over apiKey + timestamp + echo, the same input the front end signs
        String signature = MD5.gtMD5Code(x_api_key + xTimestampKey + xEchoKey); // project helper
        if (!xSignatureKey.equals(signature)) {
            response.getWriter().println("非法请求,签名校验失败");
            return false;
        }

        // 3. Timestamp check: must be a number and lie within 5 minutes of server time
        long timestampNow = System.currentTimeMillis();
        long timestamp;
        try {
            timestamp = Long.parseLong(xTimestampKey);
        } catch (NumberFormatException e) {
            response.getWriter().println("非法请求,接口时间戳校验失败");
            return false;
        }
        long minutesDiff = (timestampNow - timestamp) / (1000 * 60);
        // valid for 5 minutes (adjust as needed); note the echo value is not recorded,
        // so a captured header set is accepted again within this window
        if (Math.abs(minutesDiff) > 5) {
            response.getWriter().println("非法请求,接口时间戳校验失败");
            return false;
        }

        // 4. Token check: the token was stored in Redis under "token_<userId>" when the user logged in
        String authCode = redisService.getStr("token_".concat(userId));
        if (authCode == null || !accessToken.equals(authCode)) {
            response.getWriter().println("会话已过期,请重新打开应用");
            return false;
        }

        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
    }
}
Please credit www.mshxw.com when reposting. Original URL: https://www.mshxw.com/it/603512.html