- 拦截未登陆用户
- 账号安全相关
- 权限相关
- 防止CSRF攻击
- 风控相关
public interface HandlerInterceptor {
* Intercept the execution of a handler. Called after HandlerMapping determined
* an appropriate handler object, but before HandlerAdapter invokes the handler.
* <p>DispatcherServlet processes a handler in an execution chain, consisting
* of any number of interceptors, with the handler itself at the end.
* With this method, each interceptor can decide to abort the execution chain,
* typically sending a HTTP error or writing a custom response.
* @param request current HTTP request
* @param response current HTTP response
* @param handler chosen handler to execute, for type and/or instance evaluation
* @return {@code true} if the execution chain should proceed with the
* next interceptor or the handler itself. Else, DispatcherServlet assumes
* that this interceptor has already dealt with the response itself.
* @throws Exception in case of errors
boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception;
* Intercept the execution of a handler. Called after HandlerAdapter actually
* invoked the handler, but before the DispatcherServlet renders the view.
* Can expose additional model objects to the view via the given ModelAndView.
* <p>DispatcherServlet processes a handler in an execution chain, consisting
* of any number of interceptors, with the handler itself at the end.
* With this method, each interceptor can post-process an execution,
* getting applied in inverse order of the execution chain.
* @param request current HTTP request
* @param response current HTTP response
* @param handler handler (or {@link HandlerMethod}) that started async
* execution, for type and/or instance examination
* @param modelAndView the {@code ModelAndView} that the handler returned
* (can also be {@code null})
* @throws Exception in case of errors
void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView)
throws Exception;
* Callback after completion of request processing, that is, after rendering
* the view. Will be called on any outcome of handler execution, thus allows
* for proper resource cleanup.
* <p>Note: Will only be called if this interceptor's {@code preHandle}
* method has successfully completed and returned {@code true}!
* <p>As with the {@code postHandle} method, the method will be invoked on each
* interceptor in the chain in reverse order, so the first interceptor will be
* the last to be invoked.
* @param request current HTTP request
* @param response current HTTP response
* @param handler handler (or {@link HandlerMethod}) that started async
* execution, for type and/or instance examination
* @param ex exception thrown on handler execution, if any
* @throws Exception in case of errors
void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
throws Exception;
public class LoginInterceptor implements HandlerInterceptor {
private static final Logger logger= LoggerFactory.getLogger(LoginInterceptor.class);
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
User user = ContextUtil.getCurrentUser();
if (user == null) {
redirectLogin(request, response);
return false;
if(user.getUserType() == UserTypeEnum.SHOP.getCode()){
SSOHelper.logoutV2(request, response);
redirectLogin(request, response);
return false;
logger.info("[LoginInterceptor - preHandle ] requestUrl:{} currentUser: {} ",request.getRequestURI(),hipacUser
return true;
private void redirectLogin(HttpServletRequest request, HttpServletResponse response) throws IOException,
ServletException {
if (ContextUtil.isAjax()) {
// ajax请求
PrintWriter out = response.getWriter();
} else {
try {
StringBuilder sb=new StringBuilder(request.getRequestURI());
Enumeration<String> names = request.getParameterNames();
while (names.hasMoreElements()){
String key = names.nextElement();
response.sendRedirect(request.getContextPath() + "/admin/toIndex.do");
}catch (Exception e){
logger.error("[LoginInterceptor - redirectLogin ] fail ",e);
response.sendRedirect(request.getContextPath() + "/admin/toIndex.do");
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
ModelAndView modelAndView) throws Exception {
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
throws Exception {
* pc端查询登录用户信息
* @return
public static User getCurrentUser() {
String userId = getCurrentUserId();
if (StringUtils.isBlank(userId)) {
return null;
UserService userService = ApplicationContextUtil.getBean(UserService.class);
return userService.getUserById(userId);
public class AccountSecurityInterceptor implements HandlerInterceptor {
private static final Logger logger = LoggerFactory.getLogger(AccountSecurityInterceptor.class);
private TagQueryApi tagQueryApi;
private UserQueryApi userQueryApi;
public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
Object handler) throws Exception {
String userId = ContextUtil.getCurrentUser().getId();
ResultData<UserTO> userTOResultData = userQueryApi.getUserInfoById(userId);
if(null == userTOResultData || null == userTOResultData.getData()){
logger.error("[LoginInterceptor - redirectSecurity]用户信息获取失败.");
return true;
ResultData<TTagValueTO> resultDate = tagQueryApi.queryTag(userId, WebConstants.USER_IS_UPDATE_PASS);
if (null == resultDate || !resultDate.isSuccess()) {
logger.error("[LoginInterceptor - redirectSecurity]获取用户打标接口失败.");
return true;
//if (null != resultDate && null != resultDate.getData()) {
if (null == resultDate.getData()) {
if (ContextUtil.isAjax()) {
// ajax请求
PrintWriter out = response.getWriter();
} else {
response.sendRedirect(request.getContextPath() + "/admin/toAccountSecurity.do");
return false;
return true;
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
ModelAndView modelAndView) throws Exception {
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler,
Exception ex) throws Exception {
public class CSRFInterceptor implements HandlerInterceptor {
private static final Logger log = LoggerFactory.getLogger(CSRFInterceptor.class);
public static final List<String> list = Lists.newArrayList(
// 顶级域名
public static final String DOMAIN = "";
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
// 验证 Referer来源
String referer = request.getHeader("Referer");
String domain="http://";
String httpsDomain = "https://";
if (StringUtils.isNotBlank(domain) && StringUtils.isNotBlank(referer) && !(referer.startsWith(domain) || referer.startsWith(httpsDomain))){
String host = getHost(referer);
if(StringUtils.isNotBlank(host) && host.endsWith(DOMAIN)){
return true;
for (String s : list) {
if (referer.startsWith(s)){
return true;
throw new Exception(302,"不可信的网站来源!referer="+referer+",handler="+handler);
return true;
private String getHost(String url){
try {
URL u = new URL(url);
String host = u.getHost();
return u.getHost();
} catch (MalformedURLException e) {
return null;
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
protected void doDispatch(HttpServletRequest request, HttpServletResponse response) throws Exception {
HttpServletRequest processedRequest = request;
HandlerExecutionChain mappedHandler = null;
boolean multipartRequestParsed = false;
WebAsyncManager asyncManager = WebAsyncUtils.getAsyncManager(request);
try {
ModelAndView mv = null;
Exception dispatchException = null;
try {
processedRequest = checkMultipart(request);
multipartRequestParsed = (processedRequest != request);
// Determine handler for the current request.
mappedHandler = getHandler(processedRequest);
if (mappedHandler == null || mappedHandler.getHandler() == null) {
noHandlerFound(processedRequest, response);
// Determine handler adapter for the current request.
HandlerAdapter ha = getHandlerAdapter(mappedHandler.getHandler());
// Process last-modified header, if supported by the handler.
String method = request.getMethod();
boolean isGet = "GET".equals(method);
if (isGet || "HEAD".equals(method)) {
long lastModified = ha.getLastModified(request, mappedHandler.getHandler());
if (logger.isDebugEnabled()) {
logger.debug("Last-Modified value for [" + getRequestUri(request) + "] is: " + lastModified);
if (new ServletWebRequest(request, response).checkNotModified(lastModified) && isGet) {
if (!mappedHandler.applyPreHandle(processedRequest, response)) {
// Actually invoke the handler.
mv = ha.handle(processedRequest, response, mappedHandler.getHandler());
if (asyncManager.isConcurrentHandlingStarted()) {
applyDefaultViewName(request, mv);
mappedHandler.applyPostHandle(processedRequest, response, mv);
catch (Exception ex) {
dispatchException = ex;
processDispatchResult(processedRequest, response, mappedHandler, mv, dispatchException);
catch (Exception ex) {
triggerAfterCompletion(processedRequest, response, mappedHandler, ex);
catch (Error err) {
triggerAfterCompletionWithError(processedRequest, response, mappedHandler, err);
finally {
if (asyncManager.isConcurrentHandlingStarted()) {
// Instead of postHandle and afterCompletion
if (mappedHandler != null) {
mappedHandler.applyAfterConcurrentHandlingStarted(processedRequest, response);
else {
// Clean up any resources used by a multipart request.
if (multipartRequestParsed) {