我想将API的所有功能锁定在身份验证之后。我管理它,所以发送一个会话cookie,但我不想检查cookie是否在每个函数中都有效。肯定有更好的办法,对吧?我知道我不应该以明文形式保存密码,但此代码仅用于测试目的。登录:
@RestController
@EnableSpringHttpSession
public class OnlineMapping {
@Autowired
private UserRepository userRepository;
@PostMapping(path = "/online")
public ResponseEntity<?> onlineRequest(@RequestBody OnlineRequest onlineRequest, HttpSession session) {
User user;
user = userRepository.findUserByUsernameAndPassword(onlineRequest.username, onlineRequest.password);
if (user!=null){
user.setLatestTimeStamp(System.currentTimeMillis());
return new ResponseEntity<>("You are now online, Enjoy!", HttpStatus.OK);
} else {
session.setAttribute("valid", false);
session.invalidate();
return new ResponseEntity<>("Invalid login", HttpStatus.valueOf(401));
}
}
}
示例函数:
public ResponseEntity<?> createMessage(@RequestBody MessageCreateRequest messageCreateRequest, HttpSession session) {
if (session.getAttribute("valid").equals(true)){ //I dont want this
Message m = new Message();
m.setContent(messageCreateRequest.content);
m.setSenderID(messageCreateRequest.senderID);
m.setChannelID(messageCreateRequest.channelID);
m.setTimeStamp(System.currentTimeMillis());
messageRepository.save(m);
return new ResponseEntity<>("Message created!", HttpStatus.OK);
}//
return new ResponseEntity<>("Invalid Session", HttpStatus.UNAUTHORIZED);
}```
您可以使用Spring Security检查会话cookie验证:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
);
return http.build();
}
饼干:JSESSIONID
在这种情况下,你会有自动会话cookie验证。
https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html
但是我建议使用JWT令牌(OAuth 2.0标准)。使用Spring Security可以很容易地通过Spring -boot-start -oauth2-resource-server dependency来验证和注入令牌