这两天遇到一个问题,就是想做个统一登录验证过滤器
想着简单点随便加到一个现存的过滤器里面,代码如下:
package ideal4j.visual.common.filter;
import ideal4j.visual.outapi.action.OutapiAction;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)//控制过滤器的级别
public class AllowOriginFilter implements Filter {
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws
IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
HttpServletRequest reqs = (HttpServletRequest) req;
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "0");
response.setHeader("Access-Control-Allow-Headers", "Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,userId,token,Access-Control-Allow-Headers");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("XDomainRequestAllowed","1");
response.setHeader("Access-Control-llow-redentials","true");
response.setHeader("x-frame-options","SAMEORIGIN");
if ("OPTIONS".equalsIgnoreCase(((HttpServletRequest) req).getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
filterChain.doFilter(req, res);
}
}
@Override
public void destroy() {
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
}
然后我想着直接加到doFilter() 不就完事了,就像这样:
package ideal4j.visual.common.filter;
import ideal4j.icity.common.enumtype.CodeEnumType;
import ideal4j.icity.common.util.RequestUtils;
import ideal4j.icity.common.util.SystemConstant;
import ideal4j.visual.common.tableUtil.TableUtil;
import ideal4j.visual.outapi.action.OutapiAction;
import org.apache.commons.lang3.ObjectUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)//控制过滤器的级别
public class AllowOriginFilter implements Filter {
// 是否开启登录验证
@Value("${login.verification}")
private Boolean loginVerification;
// 登录验证前缀
@Value("${login.url}")
private String loginUrl;
Logger logger = LoggerFactory.getLogger(LogMdcFilter.class);
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws
IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
HttpServletRequest reqs = (HttpServletRequest) req;
//增加未登录验证逻辑
if (loginVerification && reqs.getServletPath().contains(loginUrl)){
if (ObjectUtils.isEmpty(RequestUtils.getSession().getAttribute(SystemConstant.SYSTEM_SESSION_USER_ID))) {
logger.error(TableUtil.tojson(CodeEnumType.FAILURE.code, "未获取到用户登录信息"));
throw new ServletException("未获取到用户登录信息");
}
}
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "0");
response.setHeader("Access-Control-Allow-Headers", "Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,userId,token,Access-Control-Allow-Headers");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("XDomainRequestAllowed","1");
response.setHeader("Access-Control-llow-redentials","true");
response.setHeader("x-frame-options","SAMEORIGIN");
if ("OPTIONS".equalsIgnoreCase(((HttpServletRequest) req).getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
filterChain.doFilter(req, res);
}
}
@Override
public void destroy() {
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
}
/**
* 获取session
*/
public static HttpSession getSession() {
try {
return ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest().getSession(true);
} catch (Exception e) {
logger.error("任意位置获取session异常", e);
return null;
}
}
然后怎么都获取不到SYSTEM_SESSION_USER_ID,就这个session 也是null 。但是写到另一个filter 类里面就是可以获取到的,然后我想研究一下这个@Order 注解,别人都是解释说这个注解只是声明了加载顺序,参数越小加载越早,这个我测试了是这样。
而且在我@Order(1) @Order(-1) @Order(2) @Order(-2) 的是时候,SYSTEM_SESSION_USER_ID 居然是可以获取到的。搞不明白,@Order(Ordered.HIGHEST_PRECEDENCE) 默认就是-2147483648 ,说明加载非常靠前嘛,但是为啥会影响ServletRequest呢,真实纳闷了!有没有懂的同学简单讲一讲感谢。