Background description
Anyone who writes back-end services for apps knows that many such services are stateless. "Stateless" here can be understood simply as: unlike a traditional web application, there is no session.
So how do we ensure the security of our requests in that situation? (The security we mean here is the security of the source of the user's request and of the decision made about it; it does not cover the security of data sources, such as validation and encryption.)
Description of requirements
We want to implement a token-based request interception system that intercepts each of our requests in order to judge the integrity and security of the user's data.
So what does our interception system look like?
First, we design a permission distribution and verification scheme loosely based on the OAuth 2.0 protocol, a pseudo-OAuth 2.0 (rules are made by people, so not everything has to be done strictly by the book; this is convenient).
So what is the process of token authentication?
- The client logs in -> server
- After a successful login, the server issues a token to the client
- The client carries the token on every request
- The server intercepts the requests that require authentication
- The server authenticates the token
- If authentication succeeds, the request is dispatched (that is, it continues to the handler); if it fails, the request is intercepted and the corresponding failure status code is returned
Key point analysis
The three most important points in the whole process are:
- Token generation algorithm
- Token verification method
- Interception of requests that require authentication
What we cover today is the third point: how to intercept requests that require authentication.
Implementing interception of requests that require authentication
The interception process has two main parts:
- Server filters
- Dynamic binding (dynamically binding the filter or interceptor)
Brief description of server filters
What do server filters do here? They are responsible for two things:
- Intercepting requests
- Authenticating the token for the business logic
The code for this part is as follows:
```java
import java.io.IOException;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;

// Deliberately not annotated with @Provider: the filter is bound per
// resource method by AuthorizationFilterFeature, not registered globally.
public class AuthorizationFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        // Get the token submitted in the client's Authorization header
        String token = requestContext.getHeaderString("Authorization");
        if (StringUtil.isEmpty(token)) {
            // Intercept the response (the post's TODO): throw the auth exception declared next
            throw new AuthorizationException();
        }
        // Determine whether the user has logged in
        // (StringUtil and TokenUtils are the author's own helper classes)
        User user = TokenUtils.sign(token);
        if (user == null) {
            // Intercept the response (the post's TODO): the token did not verify
            throw new AuthorizationException();
        }
    }
}
```
You may notice the TODO comments I added; those are the places where the request needs to be intercepted. So how do we implement that interception?
We use the approach of throwing an exception; the specifics are as follows:
First, we declare an exception for a failed auth check:
```java
// Thrown by AuthorizationFilter when the token is missing or does not verify
public class AuthorizationException extends RuntimeException {

    // ErrorCode is the author's own enum of error messages
    private String response = ErrorCode.NOT_AUTHED.getMsg();

    public String getResponse() {
        return this.response;
    }
}
```
Then we catch this exception globally and output the prompt message:
```java
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

@Provider
public class AuthExceptionMapper implements ExceptionMapper<AuthorizationException> {

    @Override
    public Response toResponse(AuthorizationException exception) {
        // Answer with a failure status (401) rather than 200 OK, as the flow above
        // requires; a 200 would let clients and proxies mistake a rejected request
        // for a successful one
        return Response.status(Response.Status.UNAUTHORIZED)
                .entity(exception.getResponse())
                .build();
    }
}
```
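The exception-plus-mapper route above works, but JAX-RS also lets a request filter end the chain itself with `ContainerRequestContext.abortWith()`. The following is an added example, not code from the original post: an alternative filter that rejects directly with 401 and a `WWW-Authenticate` header, runs at `Priorities.AUTHENTICATION` so it executes before any other filter bound to the same method, and passes the verified user on to the resource. It assumes the client sends `Authorization: Bearer <token>` (the post's own filter reads the raw header value), and it reuses the post's `TokenUtils.sign()`, `User` and `ErrorCode` as they are used in the post; the property name `auth.user` and the class name are my own choices.

```java
import java.io.IOException;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;

// Run before any other filter bound to the method, so that unauthenticated
// requests never reach e.g. logging or validation filters.
@Priority(Priorities.AUTHENTICATION)
public class AbortingAuthorizationFilter implements ContainerRequestFilter {

    // Assumed header format: "Authorization: Bearer <token>"
    private static final String BEARER_PREFIX = "Bearer ";

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String header = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
        // Missing header and wrong scheme take the same code path, so the
        // client gets the same answer either way
        if (header == null || !header.startsWith(BEARER_PREFIX)) {
            reject(requestContext);
            return;
        }
        String token = header.substring(BEARER_PREFIX.length()).trim();
        if (token.isEmpty()) {
            reject(requestContext);
            return;
        }
        // TokenUtils.sign() is the post's own verification helper, used here
        // on the assumption that it returns null for any token that does not verify
        User user = TokenUtils.sign(token);
        if (user == null) {
            reject(requestContext);
            return;
        }
        // Hand the verified identity to the resource method instead of
        // making it parse the header again ("auth.user" is an assumed name)
        requestContext.setProperty("auth.user", user);
    }

    // abortWith() ends the filter chain and sends this response directly;
    // no ExceptionMapper is involved. 401 with WWW-Authenticate is what
    // HTTP expects for a missing or invalid credential.
    private static void reject(ContainerRequestContext requestContext) {
        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer")
                .entity(ErrorCode.NOT_AUTHED.getMsg())
                .build());
    }
}
```

To use it, bind this class instead of `AuthorizationFilter` in the DynamicFeature's `context.register()` call; a protected resource method can then read the verified user with `@Context ContainerRequestContext` and `getProperty("auth.user")` rather than trusting anything the client put in the request body.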
Dynamic binding
Above, we saw how to intercept a request and perform authentication, including the exception handling.
Then there is a critical question: how do we intercept only the requests that require authentication?
For example, my login request does not need to be intercepted, while the request for personal information does.
How can I achieve that? (Answer: dynamic binding.)
So what is dynamic binding?
Let's look at the official explanation:
Dynamic binding is a way how to assign filters and interceptors to the resource methods in a dynamic manner.
In other words, dynamic binding assigns filters and interceptors to individual resource methods at configuration time, rather than to every request.
So how do we use dynamic binding to intercept selectively?
Description of specific requirements
I want the following: using one annotation, I only need to mark a class or a method with it and the corresponding class or method is intercepted.
So how do I implement this dynamic filter binding to get that behaviour?
First, we declare a custom annotation named AuthAnnotation.
Then we show our implementation:
```java
import java.lang.annotation.Annotation;
import java.util.ArrayList;
import java.util.List;

import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.ext.Provider;

// Called once per resource method at startup; decides which methods get the filter
@Provider
public class AuthorizationFilterFeature implements DynamicFeature {

    @Override
    public void configure(ResourceInfo resourceInfo, FeatureContext context) {
        List<Annotation> authzSpecs = new ArrayList<>();
        // Look for @AuthAnnotation on the resource class and on the resource method
        Annotation classAuthzSpec = resourceInfo.getResourceClass().getAnnotation(AuthAnnotation.class);
        Annotation methodAuthzSpec = resourceInfo.getResourceMethod().getAnnotation(AuthAnnotation.class);
        if (classAuthzSpec != null) authzSpecs.add(classAuthzSpec);
        if (methodAuthzSpec != null) authzSpecs.add(methodAuthzSpec);
        if (!authzSpecs.isEmpty()) {
            // This API needs to be intercepted: bind the filter to this method only
            context.register(AuthorizationFilter.class);
        }
    }
}
```
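The post says it declares `AuthAnnotation` but never shows it, and the DynamicFeature only works if that annotation is visible through reflection. The following is an added example, not code from the original post: the annotation declaration with the retention it needs, an assumed `UserResource` with a public login method and a protected profile method, and a small reflective check that applies the same class-or-method rule as `configure()` so the binding decision can be verified without starting a JAX-RS container. The resource class, its paths, the method bodies and `BindingCheck` are all my own constructions.

```java
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;

// The marker annotation the post declares but does not show.
// RUNTIME retention is essential: with the default CLASS retention,
// getAnnotation() returns null at startup and no method is ever protected.
@Retention(RUNTIME)
@Target({TYPE, METHOD})
@interface AuthAnnotation {
}

// Assumed resource class (not from the post): the login endpoint carries no
// marker and stays public; the profile endpoint carries it and gets the filter.
// Putting @AuthAnnotation on the class instead would protect every method in it.
@Path("/user")
class UserResource {

    @POST
    @Path("/login")
    public String login(String credentials) {
        // Constructed placeholder: a real implementation would validate the
        // credentials and issue a token; token generation is out of scope here
        return "issued-token";
    }

    @GET
    @Path("/profile")
    @AuthAnnotation
    public String profile() {
        // Constructed placeholder body
        return "profile data";
    }
}

// Mirrors the decision in AuthorizationFilterFeature.configure(): a method is
// protected if either its class or the method itself carries @AuthAnnotation.
public class BindingCheck {

    static boolean requiresAuth(Class<?> resourceClass, Method resourceMethod) {
        return resourceClass.isAnnotationPresent(AuthAnnotation.class)
                || resourceMethod.isAnnotationPresent(AuthAnnotation.class);
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Class<?> c = UserResource.class;
        Method login = c.getMethod("login", String.class);
        Method profile = c.getMethod("profile");
        System.out.println("/user/login   protected: " + requiresAuth(c, login));
        System.out.println("/user/profile protected: " + requiresAuth(c, profile));
    }
}
```

Running `BindingCheck` is a cheap startup-time self-check for the same mistake the DynamicFeature is exposed to: if `@Retention(RUNTIME)` is dropped from the annotation, both lines report `false` and the profile endpoint is silently left unprotected, which is exactly the failure mode worth catching before deployment.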
Author: jsondream. Link: http://www.jianshu.com/p/a1c2b6c16118. Source: Jianshu. Copyright belongs to the author. For commercial reprints, please contact the author for authorization; for non-commercial reprints, please indicate the source.