用户身份验证：基于SpringBoot的用户身份验证工具

1.session失效时间

 在To mcat上，session的默认有效时间是30分钟。也可以通过配置文件修改session的有效时间。

 1）修改web.xml

    1

 2).yml文件

server.session.cookie.http-only= ＃是否开启HttpOnly
server.session.timeout = ＃会话超时（秒）

2.使用过滤器获取session进行身份验证(未全部测试，慎用)

1）新建Filter

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Component;
import org.springframework.web.context.support.WebApplicationContextUtils;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

@Component
@ServletComponentScan//让@WebFilter起作用
@WebFilter(urlPatterns = "/*")
public class MyFilter implements Filter{

    @Autowired
    private SessionKeyConfigProperties sessionKeyConfigProperties;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        System.out.println(sessionKeyConfigProperties.getUserTypeKey());
        //通过session获取身份信息
        AuthenticationUtil authenticationUtil = new AuthenticationUtil(sessionKeyConfigProperties);
        UserTypeEnum userType = authenticationUtil.getUserAuthentication(httpServletRequest.getSession());
        //进行认证
        //认证失败
        if(userType == null){
            //...
        }
        //用户不是管理员
        if(userType != UserTypeEnum.ADMIN){
            //...
        }
        filterChain.doFilter(servletRequest,servletResponse);
    }

    @Override
    public void destroy() {

    }
}

细心的读者会发现我用了AuthenticationUtil，这是为了将读写用户身份认证信息的功能分离而设计的工具类  2）AuthenticationUtil类

import org.apache.shiro.web.session.HttpServletSession;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class AuthenticationUtil {

    private SessionKeyConfigProperties configProperties;

    public AuthenticationUtil(SessionKeyConfigProperties configProperties) {
        this.configProperties = configProperties;
    }

    /**
     * 从session中获取用户的身份类型
     * @param session
     * @return 身份类型
     */
    public UserTypeEnum getUserAuthentication(HttpSession session){
        //获取session中的用户信息记录
        Object userType = session.getAttribute(configProperties.getUserTypeKey());
        //获取session中记录的用户类型
        if(userType != null && userType instanceof UserTypeEnum) {
            return (UserTypeEnum)userType;
        }
        return null;
    }

    /**
     * 将用户的身份写入session中
     * @param session
     * @param userType
     */
    public void setUserAuthentication(HttpSession session,UserTypeEnum userType){
        session.setAttribute(configProperties.getUserTypeKey(),userType);
    }
}

3）配置文件SessiionKeyConfig.properties

user_type_key = userTypeKey

4）配置读取文件SessionKeyConfigProperties.class

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.stereotype.Component;

@Configuration
@PropertySource("classpath:config/SessiionKeyConfig.properties")
@Component
public class SessionKeyConfigProperties {
    @Value("${user_type_key}")
    private String userTypeKey;

    public String getUserTypeKey() {
        return userTypeKey;
    }

    public void setUserTypeKey(String userTypeKey) {
        this.userTypeKey = userTypeKey;
    }
}

5）Enum类

public enum UserTypeEnum {
    ADMIN,
    USER
}

注：本文 删除了一些package信息及部分import信息。Enum类和配置类的内容请根据项目需求及数据字典自行修改。