Updated: 2022-04-19 23:32:12
Nothing prevents you from using the Authorization header in a creative way, i.e., by embedding the Android ID into it. Then, in order to add authentication to your endpoints, you can use an AOP interceptor:
Protected operation marker interface:
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

// Marks a controller method as requiring an authorized Android ID; read at runtime by the aspect below.
@Target({ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface ProtectedOperation {
}
Interceptor:
import javax.servlet.http.HttpServletResponse;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

@Aspect
@Component
public class SecurityAspect {
    // Custom scheme prefix (assumed name) so the header does not collide with Bearer, Negotiate, etc.
    private static final String SCHEME = "AndroidId ";

    private final CorporateService corpService; // this is your custom service to check Android IDs

    @Autowired
    public SecurityAspect(CorporateService corpService) {
        this.corpService = corpService;
    }

    @Around("@annotation(operation)")
    public Object protectedOperationPermissionCheck(final ProceedingJoinPoint pjp, final ProtectedOperation operation) throws Throwable {
        ServletRequestAttributes requestAttributes = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
        String header = requestAttributes.getRequest().getHeader("Authorization");
        // Get the ID from the header - try not to use existing authorization header formats like Bearer, Negotiate etc.
        // to avoid collision with other authentication systems. A missing or differently formatted header yields null.
        String androidId = (header != null && header.startsWith(SCHEME)) ? header.substring(SCHEME.length()).trim() : null;
        if (androidId != null && corpService.isAuthorized(androidId)) {
            return pjp.proceed();
        }
        // Reject: the target method is never invoked, and the client gets 403.
        HttpServletResponse response = requestAttributes.getResponse();
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.flushBuffer();
        return null;
    }
}
Make sure to add the spring-boot-starter-aop dependency to your pom.xml, for @Aspect support.

To protect an endpoint, annotate the endpoint method in your controller with @ProtectedOperation, and add @EnableAspectJAutoProxy to your Spring Boot application.
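A minimal wiring of the pieces the answer lists, as an added example rather than code from the original answer: a CorporateService that checks IDs against a configured allow-list, a controller method marked @ProtectedOperation, and the application class with @EnableAspectJAutoProxy. The property name corp.allowed-android-ids, the sample ID values and the class names are assumptions; the classes are shown in one file only for brevity.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Checks Android IDs against an allow-list read from application.properties, e.g.
//   corp.allowed-android-ids=9774d56d682e549c,1e8a3c4f0b2d7a6e   (constructed sample values)
@Service
public class CorporateService {
    private final Set<String> allowedIds = new HashSet<>();

    public CorporateService(@Value("${corp.allowed-android-ids:}") String csv) {
        for (String id : csv.split(",")) {
            if (!id.trim().isEmpty()) {
                allowedIds.add(id.trim());
            }
        }
    }

    // Null-safe: a missing or unparseable header never authorizes anything.
    public boolean isAuthorized(String androidId) {
        return androidId != null && allowedIds.contains(androidId);
    }
}

@RestController
class ReportController {
    // The aspect runs before this body; only allow-listed Android IDs reach it, others get 403.
    @ProtectedOperation
    @GetMapping("/reports")
    public String reports() {
        return "report data";
    }
}

@SpringBootApplication
@EnableAspectJAutoProxy
class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}
```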