Implementing login, registration, browsing and the interceptor

• Registration
• Login
• Browsing
• Interceptor
• Redirect when not logged in
• Data security
 
• Registration
Create a LoginTicket entity that maps onto the MVC layers and holds the user id, the expiry time, a status and the ticket string; write the corresponding CRUD in the DAO layer; the service layer changes the ticket status (for example on logout).
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
import java.util.UUID;
import org.apache.commons.lang3.StringUtils;  // Apache Commons Lang (assumed)

public Map<String, Object> register(String username, String password) {
    Map<String, Object> map = new HashMap<>();
    // Validate input: username and password must not be blank
    if (StringUtils.isBlank(username)) {
        map.put("msg", "Username cannot be empty");
        return map;
    }
    if (StringUtils.isBlank(password)) {
        map.put("msg", "Password cannot be empty");
        return map;
    }
    // The username must not already exist in the database
    User user = userDAO.selectByName(username);
    if (user != null) {
        map.put("msg", "Username is already registered");
        return map;
    }

    // Add a per-user salt before hashing, then store the user
    user = new User();
    user.setName(username);
    // Note: a 5-character UUID prefix is a weak salt; 16+ bytes from SecureRandom is the usual choice
    user.setSalt(UUID.randomUUID().toString().substring(0, 5));
    String head = String.format("http://images.nowcoder.com/head/%dt.png", new Random().nextInt(1000));
    user.setHeadUrl(head);
    // Note: salted MD5 is fast to brute-force; a dedicated password hash (bcrypt, PBKDF2, Argon2) is preferred
    user.setPassword(WendaUtil.MD5(password + user.getSalt()));
    userDAO.addUser(user);

    // Log the new user in immediately by issuing a login ticket
    String ticket = addLoginTicket(user.getId());
    map.put("ticket", ticket);
    return map;
}
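The register() method above calls addLoginTicket(), which the page does not show. The following is an added example, not code from the original post, of how the ticket lifecycle described at the start of this section (user id, expiry, status, ticket string; the service layer changing the status) can be implemented. The LoginTicket entity and LoginTicketDAO here are assumptions: the DAO is an in-memory map so the example runs without a database.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: ticket issue / lookup / invalidation. Entity and DAO are assumed,
// the real project would back LoginTicketDAO with a database table.
public class TicketExample {

    // Ticket entity with the fields the text lists: user id, expiry, status, ticket string.
    static class LoginTicket {
        final int userId;
        final Date expired;
        final String ticket;
        int status;  // 0 = valid, 1 = invalidated by logout

        LoginTicket(int userId, Date expired, String ticket) {
            this.userId = userId;
            this.expired = expired;
            this.ticket = ticket;
        }
    }

    // Stand-in for the DAO layer (assumed), keyed by the ticket string.
    static class LoginTicketDAO {
        private final Map<String, LoginTicket> table = new ConcurrentHashMap<>();
        void addTicket(LoginTicket t) { table.put(t.ticket, t); }
        LoginTicket selectByTicket(String ticket) { return table.get(ticket); }
        void updateStatus(String ticket, int status) {
            LoginTicket t = table.get(ticket);
            if (t != null) t.status = status;
        }
    }

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final long TICKET_TTL_MS = 1000L * 3600 * 24 * 5;  // same five days as the cookie
    private final LoginTicketDAO loginTicketDAO = new LoginTicketDAO();

    // Issue a fresh ticket for userId. The ticket is 32 bytes from SecureRandom (256 bits),
    // so it cannot be guessed or enumerated; a counter or a timestamp would be forgeable.
    public String addLoginTicket(int userId) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Date expired = new Date(System.currentTimeMillis() + TICKET_TTL_MS);
        loginTicketDAO.addTicket(new LoginTicket(userId, expired, ticket));
        return ticket;
    }

    // Resolve a ticket to a user id; null if unknown, expired, or logged out.
    // This is the check the interceptor performs on every request.
    public Integer userIdForTicket(String ticket) {
        if (ticket == null) return null;
        LoginTicket t = loginTicketDAO.selectByTicket(ticket);
        if (t == null || t.status != 0 || t.expired.before(new Date())) return null;
        return t.userId;
    }

    // Logout only flips the status: the row stays for auditing, and a cookie that still
    // carries the old value can no longer be replayed.
    public void logout(String ticket) {
        loginTicketDAO.updateStatus(ticket, 1);
    }

    public static void main(String[] args) {
        TicketExample svc = new TicketExample();
        String ticket = svc.addLoginTicket(42);
        System.out.println("issued " + ticket + " -> user " + svc.userIdForTicket(ticket));
        svc.logout(ticket);
        System.out.println("after logout -> user " + svc.userIdForTicket(ticket));
    }
}
```

Because the server keeps the ticket row, it can revoke a session at any time (logout, password change, admin action) simply by changing the status; a stateless token would need a blocklist for the same effect.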
 
 
Points to watch in the registration module:
1. Username validation (length, sensitive words, duplicates, special characters)
2. Minimum password length
3. Salt the password before hashing and check password strength. Note that the MD5 used above is a fast general-purpose hash: with a 5-character salt it is cheap to brute-force, so a dedicated slow password hash (bcrypt, PBKDF2 or Argon2) with a 16-byte random salt is the safer choice.
4. Email/SMS activation of the account
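The checklist above can be turned into code as follows. This is an added example, not part of the original post or project: the username pattern, the sensitive-word list and the password rules are constructed for illustration, and PBKDF2-HMAC-SHA256 from the JDK is used in place of the page's salted MD5 to show what "salt and hash" looks like with a hash designed for passwords.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: registration checks plus a password hash stronger than salted MD5.
public class RegistrationChecks {

    // Username rules from the checklist: length, allowed characters, sensitive words.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,16}$");
    // Constructed blocklist for the example; a real one would be configuration.
    private static final List<String> SENSITIVE = Arrays.asList("admin", "root", "system");

    // Returns null when the username is acceptable, otherwise the message to show.
    public static String checkUsername(String username) {
        if (username == null || !USERNAME.matcher(username).matches())
            return "Username must be 3-16 letters, digits or underscores";
        String lower = username.toLowerCase();
        for (String w : SENSITIVE)
            if (lower.contains(w)) return "Username contains a reserved word";
        return null;
    }

    public static String checkPassword(String password) {
        if (password == null || password.length() < 8)
            return "Password must be at least 8 characters";
        boolean letter = false, digit = false;
        for (char c : password.toCharArray()) {
            if (Character.isLetter(c)) letter = true;
            if (Character.isDigit(c)) digit = true;
        }
        if (!letter || !digit) return "Password must contain both letters and digits";
        return null;
    }

    // PBKDF2-HMAC-SHA256, 16-byte random salt, 210,000 iterations (the OWASP 2023 figure).
    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RANDOM = new SecureRandom();

    // Stored form "iterations$salt$hash" keeps everything needed for verification in one column.
    public static String hashPassword(String password) throws Exception {
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);
        byte[] dk = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(dk);
    }

    public static boolean verifyPassword(String password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(parts[0]));
        // Constant-time comparison: String.equals stops at the first differing byte.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(String password, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(checkUsername("ad"));          // too short
        System.out.println(checkUsername("sysadmin_1"));  // reserved word
        System.out.println(checkPassword("hunter2"));     // too short
        String stored = hashPassword("correct horse 9");
        System.out.println(stored);
        System.out.println(verifyPassword("correct horse 9", stored));  // true
        System.out.println(verifyPassword("wrong horse 9", stored));    // false
    }
}
```

Storing the iteration count with the hash lets you raise it later and re-hash users on their next successful login without a migration.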
 
• Login
Login flow:
1. The server verifies the password (or receives a third-party verification callback) and registers a token
 1.1 On the server, the token is associated with the user id
 1.2 The client stores the token (an app stores it locally, a browser stores it in a cookie)
2. Token validity period on both server and client ("remember me")
Note: the token can be the session id or a key in the cookie.
public Map<String, Object> login(String username, String password) {
    Map<String, Object> map = new HashMap<>();
    if (StringUtils.isBlank(username)) {
        map.put("msg", "Username cannot be empty");
        return map;
    }
    if (StringUtils.isBlank(password)) {
        map.put("msg", "Password cannot be empty");
        return map;
    }

    User user = userDAO.selectByName(username);
    if (user == null) {
        // Note: a distinct "does not exist" message lets an attacker enumerate valid
        // usernames; a single "incorrect username or password" message avoids that
        map.put("msg", "Username does not exist");
        return map;
    }

    // Recompute the salted hash and compare with the stored value.
    // Note: String.equals stops at the first differing byte; MessageDigest.isEqual compares in constant time
    if (!WendaUtil.MD5(password + user.getSalt()).equals(user.getPassword())) {
        map.put("msg", "Incorrect password");
        return map;
    }

    // Issue a ticket so the client can prove who it is on later requests
    String ticket = addLoginTicket(user.getId());
    map.put("ticket", ticket);
    map.put("userId", user.getId());
    return map;
}
• Browsing
1. Client: an HTTP request carrying the token
2. Server:
 1. Resolve the token to a user id
 2. Load the user's details by user id
 3. Apply access control for the user and the page
 4. Render the page or redirect
Controller layer
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;  // Apache Commons Lang (assumed)
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class LoginController {
    private static final Logger logger = LoggerFactory.getLogger(LoginController.class);

    @Autowired
    UserService userService;

    @Autowired
    EventProducer eventProducer;

    // Registration takes username and password; "next" is the page to return to afterwards
    @RequestMapping(path = {"/reg/"}, method = {RequestMethod.POST})
    public String reg(Model model, @RequestParam("username") String username,
                      @RequestParam("password") String password,
                      @RequestParam("next") String next,
                      @RequestParam(value = "rememberme", defaultValue = "false") boolean rememberme,
                      HttpServletResponse response) {
        try {
            Map<String, Object> map = userService.register(username, password);
            if (map.containsKey("ticket")) {
                // Store the ticket in a cookie; without rememberme it is a session cookie
                Cookie cookie = new Cookie("ticket", map.get("ticket").toString());
                cookie.setPath("/");
                if (rememberme) {
                    cookie.setMaxAge(3600 * 24 * 5);  // five days
                }
                response.addCookie(cookie);
                // Note: "next" is used unvalidated, so an absolute URL here becomes an open redirect
                if (StringUtils.isNotBlank(next)) {
                    return "redirect:" + next;
                }
                return "redirect:/";
            } else {
                model.addAttribute("msg", map.get("msg"));
                return "login";
            }
        } catch (Exception e) {
            logger.error("Registration error: " + e.getMessage());
            model.addAttribute("msg", "Server error");
            return "login";
        }
    }

    // Serves the combined login/registration page
    @RequestMapping(path = {"/reglogin"}, method = {RequestMethod.GET})
    public String regloginPage(Model model, @RequestParam(value = "next", required = false) String next) {
        model.addAttribute("next", next);
        return "login";
    }

    @RequestMapping(path = {"/login/"}, method = {RequestMethod.POST})
    public String login(Model model, @RequestParam("username") String username,
                        @RequestParam("password") String password,
                        @RequestParam(value = "next", required = false) String next,
                        @RequestParam(value = "rememberme", defaultValue = "false") boolean rememberme,
                        HttpServletResponse response) {
        try {
            Map<String, Object> map = userService.login(username, password);
            if (map.containsKey("ticket")) {
                Cookie cookie = new Cookie("ticket", map.get("ticket").toString());
                cookie.setPath("/");
                if (rememberme) {
                    cookie.setMaxAge(3600 * 24 * 5);
                }
                response.addCookie(cookie);

                // Publish a login event (the email here is a hard-coded placeholder)
                eventProducer.fireEvent(new EventModel(EventType.LOGIN)
                        .setExt("username", username).setExt("email", "zjuyxy@qq.com")
                        .setActorId((int) map.get("userId")));

                if (StringUtils.isNotBlank(next)) {
                    return "redirect:" + next;
                }
                return "redirect:/";
            } else {
                model.addAttribute("msg", map.get("msg"));
                return "login";
            }
        } catch (Exception e) {
            logger.error("Login error: " + e.getMessage());
            return "login";
        }
    }

    // Invalidates the ticket server-side. Note: accepting GET means any link or image tag
    // can log the user out (CSRF); POST only is the safer mapping
    @RequestMapping(path = {"/logout"}, method = {RequestMethod.GET, RequestMethod.POST})
    public String logout(@CookieValue("ticket") String ticket) {
        userService.logout(ticket);
        return "redirect:/";
    }

}
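Two details of the controller above deserve hardening: the "next" parameter is passed straight into "redirect:" + next, so a value such as //evil.example or http://evil.example/ sends a freshly logged-in user off-site, and the ticket cookie is set without HttpOnly or Secure. The following is an added example, not code from the original post, showing a redirect-target check and a cookie builder that the controller could call in place of the inline code; the method names safeNext() and ticketCookie() are this example's own.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.Cookie;

// Added example: helpers that close the open redirect and harden the ticket cookie.
public class LoginResponseHelpers {

    // Only allow a local, absolute-path target. A scheme ("http:", "javascript:") or an
    // authority ("//evil.example") means the target leaves this site, so fall back to "/".
    public static String safeNext(String next) {
        if (next == null || next.isEmpty()) return "/";
        try {
            URI uri = new URI(next);
            if (uri.getScheme() != null || uri.getAuthority() != null) return "/";
        } catch (URISyntaxException e) {
            return "/";  // backslashes, spaces and other junk are not worth interpreting
        }
        if (!next.startsWith("/") || next.startsWith("//") || next.startsWith("/\\")) return "/";
        return next;
    }

    // Cookie flags the page's controller omits.
    public static Cookie ticketCookie(String ticket, boolean rememberme) {
        Cookie cookie = new Cookie("ticket", ticket);
        cookie.setPath("/");
        cookie.setHttpOnly(true);   // not readable from JavaScript, so XSS cannot exfiltrate it
        cookie.setSecure(true);     // only sent over HTTPS
        if (rememberme) {
            cookie.setMaxAge(3600 * 24 * 5);  // otherwise a session cookie, as on the page
        }
        return cookie;
    }

    public static void main(String[] args) {
        String[] inputs = {
            "/question/12", "/", "", null,
            "//evil.example/phish", "http://evil.example/", "javascript:alert(1)", "/\\evil.example",
        };
        for (String in : inputs) {
            System.out.printf("%-28s -> %s%n", in, safeNext(in));
        }
        Cookie c = ticketCookie("abc", true);
        System.out.println("cookie httpOnly=" + c.isHttpOnly() + " secure=" + c.getSecure() + " maxAge=" + c.getMaxAge());
    }
}
```

In the controller the two return statements become return "redirect:" + safeNext(next); and the Cookie block becomes response.addCookie(ticketCookie(ticket, rememberme)). The javax.servlet Cookie class has no SameSite setter; if you need it, write the Set-Cookie header yourself or set it in the container configuration.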
• Interceptor
1: Determine who the user is;
2: Check whether the user's ticket has expired;
Implement the HandlerInterceptor interface directly and override its methods.
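The interceptor that carries out the two steps above, together with the "redirect when not logged in" behaviour from the outline and the browsing steps (token to user id, user id to user details, access control, render or redirect), as an added example rather than code from the original post. LoginTicketDAO, UserDAO, the LoginTicket and User entities with their getters, and the HostHolder request-scoped holder are all assumptions about the project's structure.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Assumed collaborators (the page does not show them): the DAO methods used below and a
// per-request holder for the resolved user. LoginTicket and User are the project's entities.
interface LoginTicketDAO { LoginTicket selectByTicket(String ticket); }
interface UserDAO { User selectById(int id); }

@Component
class HostHolder {
    private final ThreadLocal<User> users = new ThreadLocal<>();
    public User getUser() { return users.get(); }
    public void setUser(User user) { users.set(user); }
    public void clear() { users.remove(); }
}

// Runs on every request: identifies the user (step 1) and discards expired or logged-out
// tickets (step 2). It never blocks, so anonymous browsing still works.
@Component
public class PassportInterceptor implements HandlerInterceptor {
    @Autowired LoginTicketDAO loginTicketDAO;
    @Autowired UserDAO userDAO;
    @Autowired HostHolder hostHolder;

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        String ticket = null;
        if (request.getCookies() != null) {
            for (Cookie c : request.getCookies()) {
                if ("ticket".equals(c.getName())) { ticket = c.getValue(); break; }
            }
        }
        if (ticket != null) {
            LoginTicket lt = loginTicketDAO.selectByTicket(ticket);
            // status 0 = still valid; an unknown, logged-out or expired ticket is treated
            // exactly like no ticket at all
            if (lt != null && lt.getStatus() == 0 && lt.getExpired().after(new Date())) {
                hostHolder.setUser(userDAO.selectById(lt.getUserId()));
            }
        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView mav) {
        if (mav != null && hostHolder.getUser() != null) mav.addObject("user", hostHolder.getUser());
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
        hostHolder.clear();  // servlet threads are pooled: a stale ThreadLocal would leak one user's identity into the next request
    }
}

// Registered only on paths that require a login: sends anonymous users to the login page
// and carries the requested URI in "next" so they come back afterwards.
@Component
class LoginRequiredInterceptor implements HandlerInterceptor {
    @Autowired HostHolder hostHolder;

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
        if (hostHolder.getUser() == null) {
            String next = URLEncoder.encode(request.getRequestURI(), StandardCharsets.UTF_8.name());
            response.sendRedirect(request.getContextPath() + "/reglogin?next=" + next);
            return false;  // stop the handler chain; the controller never runs
        }
        return true;
    }
}

@Configuration
class WebConfig implements WebMvcConfigurer {
    @Autowired PassportInterceptor passportInterceptor;
    @Autowired LoginRequiredInterceptor loginRequiredInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(passportInterceptor);  // order matters: identity is resolved first
        registry.addInterceptor(loginRequiredInterceptor).addPathPatterns("/user/*", "/msg/*", "/setting");
    }
}
```

Keeping identity resolution (PassportInterceptor) separate from enforcement (LoginRequiredInterceptor) means every page can show "logged in as ..." while only the listed paths require a login; because the check reads the ticket's status and expiry on each request, a logout or expiry takes effect immediately even if the browser still holds the cookie.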
 
 
 
 

Original article: https://www.cnblogs.com/liguo-wang/p/9583724.html