Toutiao News Site

Source: Internet  Published: MySQL index principles  Editor: 程序博客网  Time: 2024/04/28 01:54

User Registration

  1. Username validation: length, reserved or sensitive words (including "admin" and similar), duplicates, and special characters (emoticons, HTML tags and so on)
  2. Password length requirement
  3. Salted password hashing (the password is hashed with a per-user salt, not reversibly encrypted) plus a password-strength check
  4. Account activation by e-mail / SMS
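Steps 1 to 3 in working form, as an added example that is not the toutiao project's own code: the length limits, the reserved-word list and the "letters and digits" strength rule are assumed policy values, and a `Set` of lower-cased names stands in for the duplicate check against the user table. Passwords are stored as PBKDF2-HMAC-SHA256 with a random 16-byte salt, and verification uses `MessageDigest.isEqual` so the comparison time does not leak how many bytes matched.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Registration checks for steps 1-3. Added example; policy numbers and word list are assumptions. */
public class RegistrationCheck {
    private static final int MIN_USER = 3, MAX_USER = 20;      // assumed username length policy
    private static final int MIN_PASS = 8, MAX_PASS = 128;     // assumed password length policy
    private static final List<String> RESERVED = List.of("admin", "administrator", "root", "system");
    // Letters, digits and underscore only: HTML tags, emoticons and whitespace are rejected outright.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]+");
    private static final int ITERATIONS = 310_000;             // PBKDF2-HMAC-SHA256 work factor
    private static final int SALT_BYTES = 16, KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns null when the username is acceptable, otherwise the reason for rejection. */
    public static String checkUsername(String name, Set<String> existingLowercase) {
        if (name == null || name.length() < MIN_USER || name.length() > MAX_USER) return "length";
        if (!USERNAME.matcher(name).matches()) return "illegal characters";  // matches() = whole string
        String lower = name.toLowerCase(Locale.ROOT);
        for (String word : RESERVED) {
            if (lower.contains(word)) return "reserved word";
        }
        // Compare case-insensitively so "Alice" and "alice" cannot both be registered.
        if (existingLowercase.contains(lower)) return "already taken";
        return null;
    }

    /** Length plus a minimal strength rule: at least one letter and one digit. */
    public static String checkPassword(String pw) {
        if (pw == null || pw.length() < MIN_PASS || pw.length() > MAX_PASS) return "length";
        boolean letter = false, digit = false;
        for (char c : pw.toCharArray()) {
            if (Character.isLetter(c)) letter = true;
            else if (Character.isDigit(c)) digit = true;
        }
        return (letter && digit) ? null : "needs letters and digits";
    }

    /** Stored form: pbkdf2$iterations$base64(salt)$base64(hash), with a fresh random salt per user. */
    public static String hashPassword(String pw) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(pw, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return "pbkdf2$" + ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
    }

    /** Recompute with the stored salt and iteration count, then compare in constant time. */
    public static boolean verifyPassword(String pw, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !parts[0].equals("pbkdf2")) return false;
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        return MessageDigest.isEqual(expected, pbkdf2(pw, salt, iterations));
    }

    private static byte[] pbkdf2(String pw, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(pw.toCharArray(), salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword();   // do not leave the password chars lying around in the heap
        }
    }

    public static void main(String[] args) {
        Set<String> taken = Set.of("alice");                    // constructed stand-in for the user table
        System.out.println(checkUsername("Admin_01", taken));   // contains a reserved word
        System.out.println(checkUsername("<b>bob</b>", taken)); // HTML tag characters
        System.out.println(checkUsername("Alice", taken));      // duplicate, differing only in case
        System.out.println(checkUsername("carol_7", taken));    // acceptable
        System.out.println(checkPassword("password"));          // no digit
        String stored = hashPassword("correct horse 1");
        System.out.println(verifyPassword("correct horse 1", stored));
        System.out.println(verifyPassword("wrong", stored));
    }
}
```

Storing the iteration count next to the hash is what lets the work factor be raised later without invalidating existing accounts: old records keep verifying with their own count and can be re-hashed on the next successful login.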

LoginController:

    @RequestMapping(path = {"/reg/"}, method = {RequestMethod.GET, RequestMethod.POST})
    @ResponseBody
    public String reg(Model model, @RequestParam("username") String username,
                      @RequestParam("password") String password,
                      @RequestParam(value="rember", defaultValue = "0") int rememberme,
                      HttpServletResponse response) {
        try {
            Map<String, Object> map = userService.register(username, password);
            if (map.containsKey("ticket")) {
                Cookie cookie = new Cookie("ticket", map.get("ticket").toString());
                cookie.setPath("/");
                if (rememberme > 0) {
                    cookie.setMaxAge(3600*24*5);   // "remember me": keep the ticket cookie for 5 days
                }
                // Note: the cookie is added without setHttpOnly(true) or setSecure(true)
                response.addCookie(cookie);
                return ToutiaoUtil.getJSONString(0, "registration succeeded");
            } else {
                return ToutiaoUtil.getJSONString(1, map);   // map carries the validation error message
            }
        } catch (Exception e) {
            logger.error("registration exception " + e.getMessage());
            return ToutiaoUtil.getJSONString(1, "registration exception");
        }
    }

Page Access

  • Client: HTTP request carrying the token
  • Server:
    ① Look up the user id from the token
    ② Load the user's details by user id
    ③ Apply the user and page access-permission checks
    ④ Render the page / redirect

Interceptor

The HandlerInterceptor interface:

public interface HandlerInterceptor {
    // preHandle: permission checks go here
    boolean preHandle(HttpServletRequest var1, HttpServletResponse var2, Object var3) throws Exception;
    // postHandle: add data to the model, write logs
    void postHandle(HttpServletRequest var1, HttpServletResponse var2, Object var3, ModelAndView var4) throws Exception;
    void afterCompletion(HttpServletRequest var1, HttpServletResponse var2, Object var3, Exception var4) throws Exception;
}

The overridden implementation:

package com.nowcoder.interceptor;

import com.nowcoder.dao.LoginTicketDAO;
import com.nowcoder.dao.UserDAO;
import com.nowcoder.model.HostHolder;
import com.nowcoder.model.LoginTicket;
import com.nowcoder.model.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Date;

/**
 * Created by nowcoder on 2016/7/3.
 */
@Component
public class PassportInterceptor implements HandlerInterceptor {
    @Autowired
    private LoginTicketDAO loginTicketDAO;

    @Autowired
    private UserDAO userDAO;

    @Autowired
    private HostHolder hostHolder;

    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {
        String ticket = null;
        if (httpServletRequest.getCookies() != null) {
            for (Cookie cookie : httpServletRequest.getCookies()) {
                if (cookie.getName().equals("ticket")) {   // does the request carry a ticket cookie?
                    ticket = cookie.getValue();            // if so, take its value
                    break;
                }
            }
        }
        // Validate the ticket value
        if (ticket != null) {
            LoginTicket loginTicket = loginTicketDAO.selectByTicket(ticket);
            // Unknown, expired or revoked (status != 0) ticket: continue as an anonymous request,
            // no user is placed in HostHolder
            if (loginTicket == null || loginTicket.getExpired().before(new Date()) || loginTicket.getStatus() != 0) {
                return true;
            }
            // Save the user up front so it can still be referenced once inside the Controller
            User user = userDAO.selectById(loginTicket.getUserId());
            hostHolder.setUser(user);   // HostHolder keeps the currently logged-in user for this request
        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
        if (modelAndView != null && hostHolder.getUser() != null) {
            modelAndView.addObject("user", hostHolder.getUser());   // expose the user to the view
        }
    }

    @Override
    public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
        hostHolder.clear();   // clear the per-request user so it cannot leak into the next request
    }
}

User Data Security

  • HTTPS on the registration page
  • Public-key encryption with private-key decryption, as used for the payment-password encryption on Alipay's H5 pages
  • Salt user passwords so that leaked hashes cannot be cracked with precomputed tables
  • Token expiry
  • Single sign-on restricted to one platform; check for anomalous login IPs
  • Permission checks based on user status
  • Add a CAPTCHA to prevent brute force and bulk registration
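The ticket lifecycle behind the page-access flow, the PassportInterceptor above and the token-expiry, single-login and IP-check items in this list, as an added example rather than the project's own code. An in-memory map stands in for LoginTicketDAO; the status values follow the interceptor's `status != 0` convention and the 5-day lifetime matches the remember-me cookie in `reg()`. Two things are assumptions: "single-platform login" is read as one live ticket per user, and an IP mismatch is treated as a stolen ticket and revoked, which is stricter than many sites would want for mobile clients.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Added example: issue, resolve and revoke login tickets. In-memory store replaces LoginTicketDAO. */
public class TicketService {
    public static final int STATUS_VALID = 0;      // the interceptor treats status != 0 as invalid
    public static final int STATUS_REVOKED = 1;
    public static final Duration TTL = Duration.ofDays(5);   // same lifetime as the remember-me cookie in reg()

    public static final class LoginTicket {
        public final String ticket;
        public final int userId;
        public final Instant expired;
        public final String loginIp;
        public int status = STATUS_VALID;

        LoginTicket(String ticket, int userId, Instant expired, String loginIp) {
            this.ticket = ticket; this.userId = userId; this.expired = expired; this.loginIp = loginIp;
        }
    }

    private final Map<String, LoginTicket> store = new HashMap<>();   // stands in for loginTicketDAO
    private final SecureRandom rng = new SecureRandom();

    /** Log in: revoke the user's other live tickets (assumed single-login policy), then issue a fresh one. */
    public LoginTicket issue(int userId, String ip, Instant now) {
        for (LoginTicket t : store.values()) {
            if (t.userId == userId && t.status == STATUS_VALID) t.status = STATUS_REVOKED;
        }
        byte[] raw = new byte[32];   // 256 bits from a CSPRNG: unguessable, unlike a counter or a time-based id
        rng.nextBytes(raw);
        String value = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        LoginTicket t = new LoginTicket(value, userId, now.plus(TTL), ip);
        store.put(value, t);
        return t;
    }

    /**
     * The decision PassportInterceptor.preHandle makes: the user id for a valid ticket, or empty for an
     * anonymous request. An expired or revoked ticket counts as anonymous, the same as no cookie at all.
     */
    public Optional<Integer> resolve(String cookieValue, String requestIp, Instant now) {
        if (cookieValue == null) return Optional.empty();
        LoginTicket t = store.get(cookieValue);
        if (t == null || t.status != STATUS_VALID || !t.expired.isAfter(now)) return Optional.empty();
        if (!t.loginIp.equals(requestIp)) {
            // Assumed policy for "anomalous login IP": treat the ticket as stolen and revoke it
            t.status = STATUS_REVOKED;
            return Optional.empty();
        }
        return Optional.of(t.userId);
    }

    /** Logout must invalidate server side; clearing the browser cookie alone leaves the ticket usable. */
    public void logout(String cookieValue) {
        LoginTicket t = store.get(cookieValue);
        if (t != null) t.status = STATUS_REVOKED;
    }

    /** The cookie attributes reg() above does not set: HttpOnly keeps scripts away, Secure needs HTTPS. */
    public static String setCookieHeader(LoginTicket t) {
        return "ticket=" + t.ticket + "; Path=/; Max-Age=" + TTL.toSeconds() + "; HttpOnly; Secure; SameSite=Lax";
    }

    public static void main(String[] args) {
        TicketService svc = new TicketService();
        Instant now = Instant.parse("2024-04-28T01:54:00Z");   // constructed timestamp
        LoginTicket first = svc.issue(42, "203.0.113.5", now);
        LoginTicket second = svc.issue(42, "203.0.113.5", now.plusSeconds(60));   // second login revokes the first
        System.out.println(svc.resolve(first.ticket, "203.0.113.5", now.plusSeconds(120)));
        System.out.println(svc.resolve(second.ticket, "203.0.113.5", now.plusSeconds(120)));
        System.out.println(svc.resolve(second.ticket, "198.51.100.9", now.plusSeconds(180)));   // different IP
        System.out.println(svc.resolve(second.ticket, "203.0.113.5", now.plus(TTL).plusSeconds(1)));   // past expiry
        System.out.println(svc.resolve("not-a-ticket", "203.0.113.5", now));
        System.out.println(setCookieHeader(second));
    }
}
```

Because every rejection path returns the same empty result, the caller cannot tell a forged ticket from an expired one, which is the behaviour the interceptor above also has; the distinction belongs in server-side logs, not in the response.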