Toutiao news site
阿新 • Published: 2019-02-01
User registration
- Username validity checks: length, reserved or sensitive words (including "admin" and similar), duplicates, special characters (kaomoji, HTML tags, etc.)
- Password length requirement
- Passwords stored as salted hashes, with a password-strength check
- Account activation by email or SMS
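The checks in the list above, written out as an added example in plain JDK Java (this is not the project's code). The username rules, the 3-20 character and 8-character minimums, and the reserved-word list are assumptions, since the page gives no concrete policy. The page says only "salted"; the example uses PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt per user and a constant-time comparison on verification, which is what a practitioner would want in place of a salted fast hash such as MD5:

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not project code: registration input checks and salted password hashing.
 * Policy numbers and the reserved-word list are assumptions; the page gives none.
 */
public class RegistrationChecks {
    static final int USERNAME_MIN = 3, USERNAME_MAX = 20, PASSWORD_MIN = 8;
    static final Set<String> RESERVED = Set.of("admin", "administrator", "root", "system");
    // Letters, digits and underscore only: this rejects HTML tags, kaomoji and other special characters.
    static final Pattern USERNAME_CHARS = Pattern.compile("^[A-Za-z0-9_]+$");
    static final int PBKDF2_ITERATIONS = 600_000;   // OWASP (2023) minimum for PBKDF2-HMAC-SHA256
    static final SecureRandom RNG = new SecureRandom();

    /** Problems with a proposed username; an empty list means it is acceptable. */
    static List<String> validateUsername(String username, Set<String> taken) {
        List<String> problems = new ArrayList<>();
        if (username == null || username.length() < USERNAME_MIN || username.length() > USERNAME_MAX) {
            problems.add("length must be " + USERNAME_MIN + " to " + USERNAME_MAX + " characters");
            return problems;
        }
        if (!USERNAME_CHARS.matcher(username).matches()) problems.add("contains markup or special characters");
        String lower = username.toLowerCase(Locale.ROOT);
        // Substring match, as the page's "contains admin" rule implies; it also catches "badminton",
        // so a production list would pair this with an allow-list of known false positives.
        for (String word : RESERVED) if (lower.contains(word)) problems.add("contains reserved word: " + word);
        if (taken.contains(lower)) problems.add("already taken");   // duplicate check is case-insensitive
        return problems;
    }

    /** Length and strength checks; a password that contains the username is rejected. */
    static List<String> validatePassword(String password, String username) {
        List<String> problems = new ArrayList<>();
        if (password == null || password.length() < PASSWORD_MIN) {
            problems.add("must be at least " + PASSWORD_MIN + " characters");
            return problems;
        }
        boolean upper = false, lower = false, digit = false;
        for (char c : password.toCharArray()) {
            upper |= Character.isUpperCase(c);
            lower |= Character.isLowerCase(c);
            digit |= Character.isDigit(c);
        }
        if (!(upper && lower && digit)) problems.add("needs upper-case, lower-case and digit characters");
        if (username != null && password.toLowerCase(Locale.ROOT).contains(username.toLowerCase(Locale.ROOT)))
            problems.add("must not contain the username");
        return problems;
    }

    /** Stored form: iterations$base64(salt)$base64(hash); the salt is fresh per user and not secret. */
    static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return PBKDF2_ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(parts[0]));
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        Set<String> taken = Set.of("alice");                 // constructed "existing users" table
        System.out.println(validateUsername("alice", taken));          // duplicate
        System.out.println(validateUsername("<b>bob</b>", taken));     // HTML tags
        System.out.println(validateUsername("site_admin", taken));     // reserved word
        System.out.println(validateUsername("carol_42", taken));       // acceptable
        System.out.println(validatePassword("carol_42abc", "carol_42"));
        String stored = hashPassword("Correct-Horse9".toCharArray());
        System.out.println(verifyPassword("Correct-Horse9".toCharArray(), stored));
        System.out.println(verifyPassword("Correct-Horse8".toCharArray(), stored));
    }
}
```

Storing the iteration count beside the salt lets the work factor be raised later without invalidating existing records: a login that verifies against an old count can be re-hashed with the current one on the spot.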
LoginController:
```java
// Method of the project's LoginController; it relies on the class's userService and logger fields.
// GET is accepted as well as POST, which puts the password in the query string, server logs and
// browser history; a POST-only mapping is the safer choice.
@RequestMapping(path = {"/reg/"}, method = {RequestMethod.GET, RequestMethod.POST})
@ResponseBody
public String reg(Model model, @RequestParam("username") String username,
                  @RequestParam("password") String password,
                  // the form field really is named "rember"; renaming it would break the client
                  @RequestParam(value = "rember", defaultValue = "0") int rememberme,
                  HttpServletResponse response) {
    try {
        Map<String, Object> map = userService.register(username, password);
        if (map.containsKey("ticket")) {
            // The ticket is the session credential: the interceptor below resolves the user from it.
            // It is set here without HttpOnly or Secure, so page script can read it and a plain-HTTP
            // request would send it in the clear.
            Cookie cookie = new Cookie("ticket", map.get("ticket").toString());
            cookie.setPath("/");
            if (rememberme > 0) {
                cookie.setMaxAge(3600 * 24 * 5);   // "remember me": persist the cookie for 5 days
            }
            response.addCookie(cookie);
            return ToutiaoUtil.getJSONString(0, "registration successful");
        } else {
            return ToutiaoUtil.getJSONString(1, map);   // validation messages from the service
        }
    } catch (Exception e) {
        logger.error("registration error " + e.getMessage());
        return ToutiaoUtil.getJSONString(1, "registration error");
    }
}
```
Page access
- Client: an HTTP request carrying the token
- Server:
① Resolve the user id from the token
② Load the user's details by that id
③ Check the user's permission to access the page
④ Render the page, or redirect
Interceptor
Spring MVC's HandlerInterceptor (parameter names as shown by a decompiler on the page, renamed here):
```java
public interface HandlerInterceptor {
    // preHandle runs before the controller: do the permission check here; returning false stops the request
    boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception;
    // postHandle runs after the controller: attach data to the view, write logs
    void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception;
    // afterCompletion runs once the view has rendered, whether or not the handler threw
    void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception;
}
```
The project's implementation:
```java
package com.nowcoder.interceptor;

import com.nowcoder.dao.LoginTicketDAO;
import com.nowcoder.dao.UserDAO;
import com.nowcoder.model.HostHolder;
import com.nowcoder.model.LoginTicket;
import com.nowcoder.model.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Date;

/**
 * Created by nowcoder on 2016/7/3.
 */
@Component
public class PassportInterceptor implements HandlerInterceptor {
    @Autowired
    private LoginTicketDAO loginTicketDAO;
    @Autowired
    private UserDAO userDAO;
    @Autowired
    private HostHolder hostHolder;

    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {
        String ticket = null;
        if (httpServletRequest.getCookies() != null) {
            for (Cookie cookie : httpServletRequest.getCookies()) {
                if (cookie.getName().equals("ticket")) {   // look for the ticket cookie
                    ticket = cookie.getValue();            // and take its value
                    break;
                }
            }
        }
        // Validate the ticket: it must exist in the login-ticket table, be unexpired and have status 0.
        // The lookup is by the raw cookie value, so the table stores usable tokens; hashing them before
        // storage would limit the damage of a database leak.
        if (ticket != null) {
            LoginTicket loginTicket = loginTicketDAO.selectByTicket(ticket);
            // An unknown, expired or invalidated ticket does not reject the request: it proceeds without
            // a user, so pages that require login must check hostHolder.getUser() themselves.
            if (loginTicket == null || loginTicket.getExpired().before(new Date()) || loginTicket.getStatus() != 0) {
                return true;
            }
            // Load the user now so that controllers can reference it for the rest of this request
            User user = userDAO.selectById(loginTicket.getUserId());
            hostHolder.setUser(user);   // HostHolder keeps the current user for the duration of the request
        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
        if (modelAndView != null && hostHolder.getUser() != null) {
            modelAndView.addObject("user", hostHolder.getUser());   // expose the user to the template
        }
    }

    @Override
    public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
        // Clear the per-request user: servlet threads are pooled, and a stale value would otherwise
        // be visible to the next request served by the same thread.
        hostHolder.clear();
    }
}
```
User data security
- Serve the registration page over HTTPS
- Public-key encryption on the client with private-key decryption on the server (the way Alipay's H5 page protects the payment password)
- Salted password hashing to resist cracking
- Token lifetime: tickets expire
- Single sign-on per platform (one active session per user), with checks for anomalous login IPs
- Permission decisions that take the user's account status into account
- A CAPTCHA to block brute-force login and bulk registration
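An added example, not the project's code, that covers the server-side steps of page access (resolve the ticket to a user id, check its validity) and the token-lifetime, single-session, login-IP and user-status points in the list above. It keeps the same fields the interceptor reads from LoginTicket (userId, expired, status) in an in-memory map; the 5-day lifetime mirrors the cookie's max-age, and the disabled-user set stands in for whatever the project keeps as user status. The tickets are 256-bit random values and the table is keyed by their SHA-256 digest, so a leaked table does not yield usable sessions; that design choice is the example's, not the page's:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not project code: an in-memory login-ticket store that enforces token
 * lifetime, one active session per user, a login-IP check and a user-status check.
 */
public class LoginTicketStore {
    /** The fields the interceptor reads from LoginTicket, plus the IP seen at login. */
    static final class Ticket {
        final int userId;
        final Instant expired;
        final String loginIp;
        int status;                                  // 0 = valid, anything else = invalidated
        Ticket(int userId, Instant expired, String loginIp) {
            this.userId = userId; this.expired = expired; this.loginIp = loginIp;
        }
    }

    enum Result { OK, UNKNOWN, INVALIDATED, EXPIRED, IP_MISMATCH, USER_DISABLED }

    static final SecureRandom RNG = new SecureRandom();
    static final Duration TTL = Duration.ofDays(5);   // same 5-day lifetime as the cookie on the page

    // Keyed by SHA-256(ticket) so that a leaked table does not contain usable session tokens.
    private final Map<String, Ticket> tickets = new HashMap<>();
    private final Map<Integer, String> activeKeyByUser = new HashMap<>();   // single-session bookkeeping
    private final Set<Integer> disabledUsers = new HashSet<>();             // hypothetical user-status source

    /** Issues a fresh 256-bit random ticket; the user's previous ticket is invalidated (one session per platform). */
    String issue(int userId, String loginIp, Instant now) {
        String previousKey = activeKeyByUser.get(userId);
        if (previousKey != null && tickets.containsKey(previousKey)) tickets.get(previousKey).status = 1;
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        String key = key(ticket);
        tickets.put(key, new Ticket(userId, now.plus(TTL), loginIp));
        activeKeyByUser.put(userId, key);
        return ticket;
    }

    /** Logout marks the ticket invalid rather than deleting it, so later reuse attempts can still be logged. */
    void revoke(String ticket) {
        Ticket t = tickets.get(key(ticket));
        if (t != null) t.status = 1;
    }

    void disableUser(int userId) { disabledUsers.add(userId); }

    /** The checks preHandle makes (exists, unexpired, status 0) plus login-IP and account-status checks. */
    Result validate(String ticket, String requestIp, Instant now) {
        Ticket t = ticket == null ? null : tickets.get(key(ticket));
        if (t == null) return Result.UNKNOWN;
        if (t.status != 0) return Result.INVALIDATED;
        if (!t.expired.isAfter(now)) return Result.EXPIRED;
        if (!t.loginIp.equals(requestIp)) return Result.IP_MISMATCH;
        if (disabledUsers.contains(t.userId)) return Result.USER_DISABLED;
        return Result.OK;
    }

    private static String key(String ticket) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(ticket.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);      // SHA-256 is mandatory in every JDK
        }
    }

    public static void main(String[] args) {
        LoginTicketStore store = new LoginTicketStore();
        Instant login = Instant.parse("2019-02-01T10:00:00Z");   // constructed timestamps
        String first = store.issue(7, "10.0.0.5", login);
        System.out.println(store.validate(first, "10.0.0.5", login.plus(Duration.ofHours(1))));    // same IP, within lifetime
        System.out.println(store.validate(first, "203.0.113.9", login.plus(Duration.ofHours(1)))); // request from another IP
        String second = store.issue(7, "10.0.0.5", login.plus(Duration.ofHours(2)));              // second login elsewhere
        System.out.println(store.validate(first, "10.0.0.5", login.plus(Duration.ofHours(3))));    // old ticket after re-login
        System.out.println(store.validate(second, "10.0.0.5", login.plus(Duration.ofDays(6))));    // past the 5-day lifetime
        store.disableUser(7);
        System.out.println(store.validate(second, "10.0.0.5", login.plus(Duration.ofHours(3))));  // valid ticket, disabled user
        System.out.println(store.validate("forged", "10.0.0.5", login));                            // ticket not in the store
    }
}
```

Treating an IP mismatch as a hard failure is the strictest reading of "anomalous login-IP check"; mobile clients change addresses routinely, so in practice IP_MISMATCH is better used as a signal to demand re-authentication (or a second factor) for sensitive actions than as an outright rejection.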