springboot前后端分离Java后端跨越问题解决

📅 2026/7/9 16:19:39
springboot前后端分离Java后端跨越问题解决
前后端分离的思想由来已久不妨尝试一下从上手开始先把代码写出来再究细节。代码下载https://github.com/jimolonely/AuthServer前言以前服务端为什么能识别用户呢对是session每个session都存在服务端浏览器每次请求都带着sessionId就是一个字符串于是服务器根据这个sessionId就知道是哪个用户了。那么问题来了用户很多时服务器压力很大如果采用分布式存储session又可能会出现不同步问题那么前后端分离就很好的解决了这个问题。前后端分离思想在用户第一次登录成功后服务端返回一个token回来这个token是根据userId进行加密的密钥只有服务器知道然后浏览器每次请求都把这个token放在Header里请求这样服务器只需进行简单的解密就知道是哪个用户了。这样服务器就能专心处理业务用户多了就加机器。当然如果非要讨论安全性那又有说不完的话题了。下面通过SpringBoot框架搭建一个后台进行token构建。构建springboot项目我的目录结构结果未按标准书写仅作说明不管用什么IDE最后我们只看pom.xml里的依赖为了尽可能简单就不连数据库了登陆时用固定的。devtools用于修改代码后自动重启jjwt加密这么麻烦的事情可以用现成的查看https://github.com/jwtk/jjwtparent groupIdorg.springframework.boot/groupId artifactIdspring-boot-starter-parent/artifactId version1.5.2.RELEASE/version relativePath / !-- lookup parent from repository -- /parent properties project.build.sourceEncodingUTF-8/project.build.sourceEncoding project.reporting.outputEncodingUTF-8/project.reporting.outputEncoding java.version1.8/java.version /properties dependencies dependency groupIdorg.springframework.boot/groupId artifactIdspring-boot-starter-web/artifactId /dependency !-- JJWT -- dependency groupIdio.jsonwebtoken/groupId artifactIdjjwt/artifactId version0.6.0/version /dependency dependency groupIdorg.springframework.boot/groupId artifactIdspring-boot-devtools/artifactId optionaltrue/optional /dependency dependency groupIdorg.springframework.boot/groupId artifactIdspring-boot-starter-test/artifactId scopetest/scope /dependency /dependencies登录这里的加密密钥是base64EncodedSecretKeyimport java.util.Date; import javax.servlet.ServletException; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; RestController RequestMapping(/) public class HomeController { PostMapping(/login) public String login(RequestParam(username) String name, RequestParam(password) String pass) throws ServletException { String token ; if (!admin.equals(name)) { throw new ServletException(找不到该用户); } if (!1234.equals(pass)) { throw new ServletException(密码错误); } token Jwts.builder().setSubject(name).claim(roles, user).setIssuedAt(new Date()) .signWith(SignatureAlgorithm.HS256, base64EncodedSecretKey).compact(); return token; } }测试token现在就可以测试生成的token了我们采用postman过滤器这肯定是必须的呀当然也可以用AOP。过滤要保护的url同时在过滤器里进行token验证token验证public class JwtFilter extends GenericFilterBean { Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request (HttpServletRequest) req; HttpServletResponse response (HttpServletResponse) res; String authHeader request.getHeader(Authorization); if (OPTIONS.equals(request.getMethod())) { response.setStatus(HttpServletResponse.SC_OK); chain.doFilter(req, res); } else { if (authHeader null || !authHeader.startsWith(Bearer )) { throw new ServletException(不合法的Authorization header); } // 取得token String token authHeader.substring(7); try { Claims claims Jwts.parser().setSigningKey(base64EncodedSecretKey).parseClaimsJws(token).getBody(); request.setAttribute(claims, claims); } catch (Exception e) { throw new ServletException(Invalid Token); } chain.doFilter(req, res); } } }要保护的url/user下的SpringBootApplication public class AuthServerApplication { Bean public FilterRegistrationBean jwtFilter() { FilterRegistrationBean rbean new FilterRegistrationBean(); rbean.setFilter(new JwtFilter()); rbean.addUrlPatterns(/user/*);// 过滤user下的链接 return rbean; } public static void main(String[] args) { SpringApplication.run(AuthServerApplication.class, args); } }UserController这个是必须经过过滤才可以访问的RestController RequestMapping(/user) public class UserController { GetMapping(/success) public String success() { return 恭喜您登录成功; } GetMapping(/getEmail) public String getEmail() { return xxxxqq.com; } }关键测试假设我们的Authorization错了肯定是通不过的当输入刚才服务器返回的正确token允许跨域请求现在来说前端和后端是两个服务器了所以需要允许跨域Configuration public class CorsConfig { Bean public FilterRegistrationBean corsFilter() { UrlBasedCorsConfigurationSource source new UrlBasedCorsConfigurationSource(); CorsConfiguration config new CorsConfiguration(); config.setAllowCredentials(true); config.addAllowedOrigin(*); config.addAllowedHeader(*); config.addAllowedMethod(OPTION); config.addAllowedMethod(GET); config.addAllowedMethod(POST); config.addAllowedMethod(PUT); config.addAllowedMethod(HEAD); config.addAllowedMethod(DELETE); source.registerCorsConfiguration(/**, config); FilterRegistrationBean bean new FilterRegistrationBean(new CorsFilter(source)); bean.setOrder(0); return bean; } Bean public WebMvcConfigurer mvcConfigurer() { return new WebMvcConfigurerAdapter() { Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping(/**).allowedMethods(GET, PUT, POST, GET, OPTIONS); } }; } }下次是采用VueJS写的前端如何请求。