
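I am developing a Spring MVC backend (with a GWT frontend) that provides a REST interface. For security reasons, it should validate a token on every request. The question now is: how can I check that token without writing the check in every controller? I was thinking of a class whose method runs before the request reaches the responsible controller and checks the token; if it is valid, it passes the data on to the controller.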

The JSON data sent over the network will look like this:

{
    "data":
    {
        "id":1,
        "firstName":"firstExample",
        "lastName":"lastExample"
    },
    "csrf":"myCSRFToken"
}

The rest of my Spring setup looks like this:

web.xml:

<context-param>
    <param-name>contextClass</param-name>
    <param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
</context-param>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>myapp.server.AppConfig</param-value>
</context-param>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>

dispatcher-servlet.xml:

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">

    <context:component-scan base-package="myapp.server.controller" />

    <mvc:annotation-driven />

</beans>

AppConfig.java:

@Configuration
@EnableWebMvc
public class AppConfig {
    //
}

PersonController:

@Controller
@RequestMapping("/persons")
public class PersonController {
    @ResponseBody
    @RequestMapping(method = RequestMethod.GET)
    public Collection<Person> list() {
        //
    }
}

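So the basic idea is that my CSRFCheck.java class will receive every request first. It will check the CSRF token and forward the contents of the "data" part of the JSON to the responsible controller. So the controller will only receive: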

{
    "id":1,
    "firstName":"firstExample",
    "lastName":"lastExample"
}

I am completely new to Spring and would like to know where I have to modify my configuration to make this work as intended.

Thanks!


It now works with this code in dispatcher-servlet.xml:

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">

<context:component-scan base-package="myapp.server.controller" />

<mvc:annotation-driven />

<mvc:interceptors>  
     <bean class="myapp.server.XSRFInterceptor" />
</mvc:interceptors>

</beans>

But why doesn't it work with this AppConfig.java?

@Configuration
@EnableWebMvc
@ComponentScan(basePackages="myapp.server.controller") 
public class AppConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new XSRFInterceptor());
    }
}

One more question: how can I modify the JSON that is passed to the controller?

Solution to question 1 (XML vs. Java):

dispatcher-servlet.xml:

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">

</beans>

AppConfig.java: same as above

CSRFInterceptor.java:

@Component
public class CSRFInterceptor extends HandlerInterceptorAdapter {
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

        // Some code

        return true;
    }
}

Still unsolved: how can I process the JSON data in the interceptor?
