springmvc跨域+token验证
1)app后台跨域设置
2)拦截器中设置http报文header中token
3)token的生成实现
====================================================================================================
1,app后台跨域的设置
1.1 springmvc4 有直接在请求映射中对跨域的处理,只需加一个@CrossOrign()
- @CrossOrigin(origins = "http://localhost:9000")
- @GetMapping("/greeting")
- public Greeting greeting(@RequestParam(required=false, defaultValue="World") String name) {
- System.out.println("==== in greeting ====");
- return new Greeting(counter.incrementAndGet(), String.format(template, name));
- }
对全局请求路径的拦截的,则需要在配置类里声明:
- @Bean
- public WebMvcConfigurer corsConfigurer() {
- return new WebMvcConfigurerAdapter() {
- @Override
- public void addCorsMappings(CorsRegistry registry) {
- registry.addMapping("/greeting-javaconfig").allowedOrigins("http://localhost:9000");
- }
- };
- }
“/greeting-javaconfig” 则是你定义的请求路径了,你也可以直接设置为 /api/* 之类的,allowedOrigins也可以匹配成 *
可以参考官方文档:https://spring.io/guides/gs/rest-service-cors/
1.2 通过filter过滤器进行处理
其实,spring的拦截器也是可以处理跨域的问题,但对于post+json的支持不是很好,用拦截器的支持会好一些:
首先,定义拦截器:
- public class CrossFilter extends OncePerRequestFilter {
- @Override
- protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
- if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
- // CORS "pre-flight" request
- response.addHeader("Access-Control-Allow-Origin", "*");
- response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
- response.addHeader("Access-Control-Allow-Headers", "Content-Type");
- response.addHeader("Access-Control-Max-Age", "1800");//30 min
- }
- filterChain.doFilter(request, response);
- }
- }
其次,在web.xml设置过滤:
- <filter>
- <filter-name>cors</filter-name>
- <filter-class>cn.***.filter.CrossFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>cors</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
当然spring4 appalication.xml 也可以配置成:
- <mvc:cors>
- <mvc:mapping path="/**" allowed-origins="*" allow-credentials="true" max-age="1800" allowed-methods="GET,POST,OPTIONS"/>
- </mvc:cors>
3)我的配置类配置:
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
- import org.springframework.beans.factory.annotation.Autowired;
- import org.springframework.context.annotation.*;
- import org.springframework.core.env.Environment;
- import org.springframework.web.cors.CorsConfiguration;
- import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
- import org.springframework.web.filter.CorsFilter;
- import org.springframework.web.servlet.HandlerInterceptor;
- import org.springframework.web.servlet.ViewResolver;
- import org.springframework.web.servlet.config.annotation.*;
- import org.springframework.web.servlet.mvc.Controller;
- import org.springframework.web.servlet.view.InternalResourceViewResolver;
- import java.util.ArrayList;
- import java.util.List;
- /**
- * Created by ThinkPad on 2017/6/15.
- */
- @Configuration
- @EnableWebMvc
- @ComponentScan(basePackages = {"com.ouyang.teson"},useDefaultFilters = true)
- @PropertySource({"classpath:teson.properties"})
- public class WebConfig extends WebMvcConfigurerAdapter{
- private final static Logger logger = LoggerFactory.getLogger(WebConfig.class);
- public ViewResolver viewResolver() {
- InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
- viewResolver.setPrefix("/WEB-INF/views/jsp/function/");
- viewResolver.setSuffix(".jsp");
- return viewResolver;
- }
- //静态文件
- @Override
- public void addResourceHandlers(ResourceHandlerRegistry registry) {
- logger.info("addResourceHandlers");
- registry.addResourceHandler("/static/**").addResourceLocations("/WEB-INF/static/");
- }
- //允许跨域的接口
- @Override
- public void addCorsMappings(CorsRegistry registry) {
- registry.addMapping("/api/*").allowedOrigins("*")
- .allowCredentials(false)
- .allowedMethods("GET", "POST", "DELETE", "PUT")
- .allowedHeaders("Access-Control-Allow-Origin","Access-Control-Allow-Headers","Access-Control-Allow-Methods"
- ,"Access-Control-Max-Age")
.exposedHeaders("Access-Control-Allow-Origin")
.maxAge(3600);
}- }
2) 在拦截器中设置token
在拦截器中设置token这个比较简单,我就直接带过了,看配置:
拦截器类:HeaderTokenInterceptor.java
- package com.ouyang.teson.intercept;
- import com.ouyang.teson.WebConfig;
- import com.ouyang.teson.util.JwtUtil;
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
- import org.springframework.beans.factory.annotation.Autowired;
- import org.springframework.web.servlet.HandlerInterceptor;
- import org.springframework.web.servlet.ModelAndView;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import java.io.IOException;
- import java.io.PrintWriter;
- /**
- * Created by ThinkPad on 2017/6/20.
- */
- public class HeaderTokenInterceptor implements HandlerInterceptor {
- private final static Logger logger = LoggerFactory.getLogger(HeaderTokenInterceptor.class);
- @Autowired
- JwtUtil jwtUtil;
- @Override
- public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {
- // String contentPath=httpServletRequest.getContextPath();
- // System.out.println("contenxPath:"+contentPath);
- String requestURI=httpServletRequest.getRequestURI();
- String tokenStr=httpServletRequest.getParameter("token");
- String token="";
- if(requestURI.contains("/api/")){
- token=httpServletRequest.getHeader("token");
- if(token==null && tokenStr==null){
- System.out.println("real token:======================is null");
- String str="{'errorCode':801,'message':'缺少token,无法验证','data':null}";
- dealErrorReturn(httpServletRequest,httpServletResponse,str);
- return false;
- }
- if(tokenStr!=null){
- token=tokenStr;
- }
- token=jwtUtil.updateToken(token);
- System.out.println("real token:=============================="+token);
- System.out.println("real ohter:=============================="+httpServletRequest.getHeader("Cookie"));
- }
- httpServletResponse.setHeader("token",token);
- /* httpServletResponse.setHeader("Access-Control-Allow-Origin", "*");
- httpServletResponse.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
- httpServletResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT");*/
- return true;
- }
- @Override
- public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
- }
- @Override
- public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
- }
- // 检测到没有token,直接返回不验证
- public void dealErrorReturn(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,Object obj){
- String json = (String)obj;
- PrintWriter writer = null;
- httpServletResponse.setCharacterEncoding("UTF-8");
- httpServletResponse.setContentType("text/html; charset=utf-8");
- try {
- writer = httpServletResponse.getWriter();
- writer.print(json);
- } catch (IOException ex) {
- logger.error("response error",ex);
- } finally {
- if (writer != null)
- writer.close();
- }
- }
- }
- httpServletResponse.setHeader("token",token)是设置返回response的header的token信息,每一次拦截的时候,会查看是否有token,如果没有就直接报错
在webconfig.java 类中添加以下两个方法:
- @Override
- public void addInterceptors(InterceptorRegistry registry) {
- registry.addInterceptor(getTokenHeader())
- .addPathPatterns("/api/*")
- .excludePathPatterns(
- "/robots.txt");
- }
- //token 在header的拦截器
- @Bean
- public HandlerInterceptor getTokenHeader(){
- return new HeaderTokenInterceptor();
- }
3) token的实现
token的实现使用jwt组件生成token,如果想要自己通过md5,或者rsa加密生成token也比较简便了,只是这个token要缓存起来,每次进行验证,验证完更新token。更新token主要是更新token里包含的时间,防止token过期。如果使用token的话,可以不用存放缓存,对于登陆验证成功后,我们会生成token,这个token还能带有用户的id等基本信息,我们就可以验证他的过期时间,id等信息。
关于jwt 组件的介绍,可以去看看我的 java组件的jwt的介绍。
直接进入主题了:
maven需要导入
- <!-- java-web-token 验证授权-->
- <dependency>
- <groupId>com.auth0</groupId>
- <artifactId>java-jwt</artifactId>
- <version>3.2.0</version>
- </dependency>
- <!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt -->
- <dependency>
- <groupId>io.jsonwebtoken</groupId>
- <artifactId>jjwt</artifactId>
- <version>0.7.0</version>
- </dependency>
jjwt 主要是对jwt进一步封装,可以快速开发web的token认证。
jwt工具类:jwtUtil.java
- package com.ouyang.teson.util;
- import io.jsonwebtoken.Claims;
- import io.jsonwebtoken.JwtBuilder;
- import io.jsonwebtoken.Jwts;
- import io.jsonwebtoken.SignatureAlgorithm;
- import org.springframework.beans.factory.annotation.Value;
- import org.springframework.stereotype.Component;
- import sun.misc.BASE64Decoder;
- import sun.misc.BASE64Encoder;
- import javax.crypto.spec.SecretKeySpec;
- import javax.xml.bind.DatatypeConverter;
- import java.security.Key;
- import java.util.Date;
- /**
- * Created by ThinkPad on 2017/6/17.
- */
- @Component
- public class JwtUtil {
- public static String sercetKey="mingtianhenganghao";
- public final static long keeptime=1800000;
- /* @Value("${token.sercetKey}")
- public static String sercetKey;
- @Value("${token.keeptime:30000}")
- public static long keeptime;*/
- public static String generToken(String id, String issuer, String subject){
- long ttlMillis=keeptime;
- SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
- long nowMillis = System.currentTimeMillis();
- Date now = new Date(nowMillis);
- byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(sercetKey);
- Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
- JwtBuilder builder = Jwts.builder().setId(id)
- .setIssuedAt(now);
- if(subject!=null){
- builder.setSubject(subject);
- }
- if(issuer!=null){
- builder.setIssuer(issuer);
- }
- builder .signWith(signatureAlgorithm, signingKey);
- if (ttlMillis >= 0) {
- long expMillis = nowMillis + ttlMillis;
- Date exp = new Date(expMillis);
- builder.setExpiration(exp);
- }
- return builder.compact();
- }
- public String updateToken(String token){
- try {
- Claims claims=verifyToken(token);
- String id=claims.getId();
- String subject=claims.getSubject();
- String issuer=claims.getIssuer();
- Date date = claims.getExpiration();
- return generToken(id, issuer, subject);
- }catch (Exception ex){
- ex.printStackTrace();
- }
- return "0";
- }
- public String updateTokenBase64Code(String token) {
- BASE64Encoder base64Encoder=new BASE64Encoder();
- BASE64Decoder decoder = new BASE64Decoder();
- try {
- token=new String(decoder.decodeBuffer(token),"utf-8");
- Claims claims=verifyToken(token);
- String id=claims.getId();
- String subject=claims.getSubject();
- String issuer=claims.getIssuer();
- Date date = claims.getExpiration();
- String newToken = generToken(id, issuer, subject);
- return base64Encoder.encode(newToken.getBytes());
- }catch (Exception ex){
- ex.printStackTrace();
- }
- return "0";
- }
- public static Claims verifyToken(String token){
- Claims claims = Jwts.parser()
- .setSigningKey(DatatypeConverter.parseBase64Binary(sercetKey))
- .parseClaimsJws(token).getBody();
- return claims;
- }
- }
关于拦截器的处理token,及更新token,上面已经给出代码,这里不再列出。来看一下简单的控制类,仅供学习,如果要运用到生产环境还得各种配置和测试。
登陆的控制方法:
- @RequestMapping("/login")
- public String login(String name,String password, Model model){
- if(name==null || password==null){
- return "error";
- }
- String token = jwtUtil.generToken("xiaoming",null,null);
- model.addAttribute("token", token);
- return "redirect:/api/liu";
- }
这里没有做验证,只是简单根据账户密码,生成token后,重定向;接下来的任务就交给拦截器了,拦截器会拦截/api/* 下的请求,然后请求参数有token的会验证token,并更新token,并把token放到header里。
这里可以看到token字符串有两个点,最好把jwt生成的token进行base64位编码,jwtUtil.java里有updateTokenBase64Code(String token)就是处理token进行base64位编码的。
springmvc跨域+token验证的更多相关文章
- springmvc跨域+token验证(app后台框架搭建二)
这是app后台框架搭建的第二课,主要针对app应用是跨域的运用,讲解怎么配置跨域服务:其次讲解怎么进行token验证,通过拦截器设置token验证和把token设置到http报文中.主要有如下: ...
- SpringMVC跨域问题排查以及源码实现
SpringMVC跨域问题排查以及源码实现 最近一次项目中,将SpringMVC版本从4.1.1升级到4.3.10,出现跨域失败的情况.关于同源策略和跨域解决方案,网上有很多资料. 项目采用的方式是通 ...
- c#关于JWT跨域身份验证解决方案
学习程序,不是记代码,而是学习一种思想,以及对代码的理解和思考. JSON Web Token(JWT)是目前最流行的跨域身份验证解决方案.为了网络应用环境间传递声明而执行的一种基于JSON的开发标准 ...
- JWT跨域身份验证解决方案
JSON Web Token(JWT)是目前最流行的跨域身份验证解决方案.本文介绍JWT的原理和用法. 1. 当前跨域身份验证的问题 Internet服务无法与用户身份验证分开.一般过程如下.1.用户 ...
- SpringMvc跨域支持
SpringMvc跨域支持 在controller层加上注解@CrossOrigin可以实现跨域 该注解有两个参数 1,origins : 允许可访问的域列表 2,maxAge:飞行前响应的缓存持续 ...
- SpringMvc 跨域处理
导读 由于浏览器对于JavaScript的同源策略的限制,导致A网站(Ajax请求)不能通过JS去访问B网站的数据,于是跨域问题就出现了. 跨域指的是域名.端口.协议的组合不同就是跨域. http:/ ...
- 关于springmvc跨域
spingMVC 3.X跨域 关于跨域问题,主要用的比较多的是cros跨域. 详细介绍请看https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Acces ...
- springmvc跨域
//mvc默认是text/plain;charset=ISO-8859-1@RequestMapping(value = "/xxx", produces = "appl ...
- springmvc跨域(转)
跨域资源共享 CORS 详解 原文链接:http://www.ruanyifeng.com/blog/2016/04/cors.html 作者: 阮一峰 日期: 2016年4月12日 CORS是 ...
随机推荐
- 交叉编译iperf源代码
<Iperf简介> Iperf 是一个网络性能测试工具.Iperf可以测试最大TCP和UDP带宽性能,具有多种参数和UDP特性,可以根据需要调整,可以报告带宽.延迟抖动和数据包丢失. &l ...
- uoj386 【UNR #3】鸽子固定器
link (似乎很久没写题解了) 题意: n个物品,每个物品有a,b两个值,给定A,B,现在最多选其中m个,要求最大化选出的物品中[b权值和的B次方-a极差的A次方]. $n\leq 2\times ...
- vmware10上三台虚拟机的Hadoop2.5.1集群搭建
由于官方版本的Hadoop是32位,若在64位Linux上安装,则必须先重新在64位环境下编译Hadoop源代码.本环境采用编译后的hadoop2.5.1 . 安装参考博客: 1 http://www ...
- [转]android中drawable资源的解释及例子
原文链接: http://blog.csdn.net/wode_dream/article/details/38584693 文章中的内容参考Dev Guide中的Drawable R ...
- zoj 2966 Build The Electric System 最小生成树
Escape Time II Time Limit: 20 Sec Memory Limit: 256 MB 题目连接 http://acm.zju.edu.cn/onlinejudge/showP ...
- AJAX传递数组
在前台中Jq代码中中用JSON.stringify()将数组转换成 JSON字符串.在后台用json_decode()将JSON字符串转换成数组. 1.JSON.stringify(value [, ...
- win2003服务器装spl2008,打安全补丁后无法进入SQL Server Management Studio
解决方法就是:卸载垃圾的360安全卫士,用windows自带的更新工具更新系统补丁,就好了
- Practice safe dc/dc converter
Short-circuit protection is an obvious requirement for a power supply, especially when its load conn ...
- Si4455 低电流 Sub-GHz收发器
Silicon Labs 的 Si4455 是易于使用的低电流 Sub-GHz EZRadio® 收发器.覆盖所有主要波段,结合了即插即用的简单性和需要处理各种不同应用的灵活性.紧凑的 3 mm x ...
- Eclipse配置Struts2问题:ClassNotFoundException: org...dispatcher.ng.filter.StrutsPrepareAndExecuteFilter
我的解决方案 一开始,我是依照某本教材,配置了User Libraries(名为struts-2.2.3, 可供多个项目多次使用), 然后直接把struts-2.2.3引入过来(这个包不会真正的放在项 ...