我们开发系统的时候,肯定希望用户登录后才能进入主页面去访问其他服务,但如果没有拦截功能,未登录的用户就可以直接通过 URL 访问受保护的接口,或者直接向后端发送 POST 请求。
因此我们可以通过在后端添加拦截过滤功能把没登录的用户给拦截下来,让他去先登录(只需要拦截就行,跳转回登录界面是前端做的)
要做的事情如下:
在启动类上添加注解@ServletComponentScan
@SpringBootApplication
@ServletComponentScan
@EnableTransactionManagement
public class ReggieApplication {

    /**
     * Application entry point: boots the Spring context.
     *
     * {@code @ServletComponentScan} is what picks up {@code @WebFilter}-annotated
     * classes such as the login-check filter; without it the filter is never
     * registered.
     *
     * @param args command-line arguments passed on to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(ReggieApplication.class);
        app.run(args);
    }
}
写一个自定义的过滤器,比如叫LooginCheckFilter
实现Filter接口里的doFilter方法,并在这个filter里完成对应逻辑
/**
 * Servlet filter that stops requests from callers who have not logged in.
 *
 * Requests whose URI matches one of the allow-listed patterns pass straight
 * through. Every other request must carry a {@code "user"} or
 * {@code "employee"} attribute in the HTTP session; otherwise an
 * {@code R.error("NOTLOGIN")} JSON body is written and the chain is not
 * continued (redirecting to the login page is left to the front end).
 *
 * NOTE(review): as listed, {@code user} and {@code employee} on the
 * {@code UserContext.setUserId(...)} lines are never declared, so this class
 * does not compile. The session attribute has to be read into a local (and
 * cast to whatever type the login handler stored) before {@code getId()} is
 * called — confirm against the login code.
 */
@WebFilter(filterName = "looginCheckFilter",urlPatterns = "/*")
@Slf4j
public class LooginCheckFilter implements Filter {
    // Spring's Ant-style path matcher (understands "/backend/**" etc.).
    // It holds no per-request state, so one shared instance is fine.
    public static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();

    /**
     * Lets allow-listed and logged-in requests through; answers every other
     * request with the NOTLOGIN JSON body instead of continuing the chain.
     *
     * @param request  incoming request; cast to {@link HttpServletRequest}
     * @param response outgoing response; cast to {@link HttpServletResponse}
     * @param chain    remaining filter chain, invoked only when the request is allowed
     * @throws IOException      if writing the response or the downstream chain fails
     * @throws ServletException propagated from the downstream chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // The filter is mapped to "/*" in an HTTP container, so both casts are safe.
        HttpServletRequest servletRequest = (HttpServletRequest) request;
        HttpServletResponse servletResponse = (HttpServletResponse) response;
        log.info("请求路径为:{}", servletRequest.getRequestURI());
        // Paths that never require a login. "**" also matches "/", so every file
        // and sub-directory under /backend and /front (the static pages) is open.
        // NOTE(review): "/employee/layout" looks like a typo for "/employee/logout" — confirm against the controller.
        // NOTE(review): this array is rebuilt on every request; a static final constant would do.
        String[] urls = new String[]{
            "/employee/login",
            "/employee/layout",
            "/backend/**",
            "/front/**",
            "/swagger-ui.html",
            "/user/code",
            "/user/login"
        };
        // getRequestURI() is the raw request URI: it still contains the context
        // path and is not normalised, so these patterns only line up when the app
        // is deployed at the root context — TODO confirm the deployment.
        if (match(servletRequest.getRequestURI(),urls)){
            // allow-listed: pass through untouched
            chain.doFilter(servletRequest,servletResponse);
            return;
        }
        // Everything else needs a logged-in session. "user" is checked before
        // "employee", so a session holding both is treated as a user.
        // NOTE(review): getSession() creates a new session for every anonymous
        // caller; getSession(false) plus a null check would avoid that.
        if (servletRequest.getSession().getAttribute("user") != null){
            // NOTE(review): `user` is undeclared here (see class comment).
            UserContext.setUserId(user.getId());
            // logged in as a user: pass through
            chain.doFilter(servletRequest,servletResponse);
        }else if (servletRequest.getSession().getAttribute("employee") !=null){
            // NOTE(review): `employee` is undeclared here (see class comment).
            UserContext.setUserId(employee.getId());
            // logged in as an employee: pass through
            chain.doFilter(servletRequest,servletResponse);
        }else {
            // Not logged in: send the generic R wrapper as JSON and stop the chain.
            // No status code or content type is set before writing, so the body
            // goes out with the container defaults; set
            // "application/json;charset=UTF-8" first if the front end expects it.
            // `response` is the same object as servletResponse, just the raw type.
            response.getWriter().write(JSONUtil.toJsonStr(R.error("NOTLOGIN")));
        }
        // NOTE(review): if UserContext is thread-local (the name suggests so), the
        // id set above is never cleared for the pooled thread — confirm and clear
        // it in a finally block.
    }

    /**
     * Checks whether {@code url} matches at least one Ant-style pattern.
     *
     * @param url  request URI to test
     * @param urls Ant-style patterns, e.g. {@code "/backend/**"}
     * @return {@code true} if any pattern in {@code urls} matches {@code url}
     */
    public boolean match(String url,String[] urls){
        for (String item : urls) {
            if (PATH_MATCHER.match(item, url)){
                return true;
            }
        }
        return false;
    }
}