本次要实现的需求是,用户登录错误,输入密码错误N次后,实现用户锁定,让用户等待一段时间后重新登录,目的是为了防止黑客暴力破解用户密码 。下面上代码教程,觉得不错的客官请点赞评论支持一下,让鄙人有继续创作的动力!
功能实现的原理,是记录用户连续输入密码错误的次数,达到某个错误次数以后,比如说是5次以后,就锁定用户,暂时不让用户登录。等锁定时限以后,用户又有5次重新输入密码的机会。代码实现原理是将用户名和输入错误的密码错误的次数记录到reids里,当用户登录成功后,清除该用户的登录错误的次数,重新计算。
import org.springblade.core.redis.cache.BladeRedis;
import org.springblade.core.tool.utils.SpringUtil;import java.util.concurrent.atomic.AtomicInteger;/*** 重试限制缓存** @author tarzan* @since JDK1.8*/
public class RetryLimitCache {private static final BladeRedis REDIS_UTIL;static {REDIS_UTIL = SpringUtil.getBean(BladeRedis.class);}public static boolean isOverLimit(String username, Integer limit) {//设置次数AtomicInteger retryCount = RetryLimitCache.get(username);if (retryCount == null) {retryCount = new AtomicInteger(0);}if (retryCount.incrementAndGet() > limit) {//重试次数如果大于限制次数,就锁定return true;}//并将其保存到缓存中(有效时长30分)RetryLimitCache.put(username, retryCount, 1800L);return false;}private static void put(String userName, AtomicInteger retryNum, Long expire) {REDIS_UTIL.hSet("password_retry_cache", userName, retryNum);REDIS_UTIL.expire("password_retry_cache", expire);}private static AtomicInteger get(String userName) {return REDIS_UTIL.hGet("password_retry_cache", userName);}public static void remove(String userName) {REDIS_UTIL.hDel("password_retry_cache", userName);}}
登录接口处理类
@ApiLog("用户验证")@PostMapping("/getToken")@ApiOperation(value = "获取认证令牌", notes = "账号:account,密码:password")public Kv token(@ApiParam(value = "账号", required = true) @RequestParam(required = false) String username,@ApiParam(value = "密码", required = true) @RequestParam(required = false) String password, HttpServletRequest request) {String grantType = WebUtil.getRequest().getParameter("grant_type");return grant(username,password,grantType,request);}private Kv grant(String username,String password,String grantType,HttpServletRequest request){//固定租户idString tenantId = "000000";Kv authInfo = Kv.create();String refreshToken = WebUtil.getRequest().getParameter("refresh_token");String userType = Func.toStr(WebUtil.getRequest().getHeader(TokenUtil.USER_TYPE_HEADER_KEY), TokenUtil.DEFAULT_USER_TYPE);TokenParameter tokenParameter = new TokenParameter();tokenParameter.getArgs().set("tenantId", tenantId).set("username", username).set("password", password).set("grantType", grantType).set("refreshToken", refreshToken).set("userType", userType);ITokenGranter granter = TokenGranterBuilder.getGranter(grantType);UserInfo userInfo = granter.grant(tokenParameter);//重连次数锁定if (RetryLimitCache.isOverLimit(username, 5)) {return authInfo.set("error_code", HttpServletResponse.SC_BAD_REQUEST).set("error_description", "密码输错次数达到上限,请30分钟后重试");}if (userInfo == null || userInfo.getUser() == null) {return authInfo.set("error_code", HttpServletResponse.SC_BAD_REQUEST).set("error_description", "用户名或密码不正确");}if (Func.isEmpty(userInfo.getRoles())) {return authInfo.set("error_code", HttpServletResponse.SC_BAD_REQUEST).set("error_description", "未获得用户的角色信息");}//用户存入session,CAD异常时候,监听删除用户对于实体的锁定Long userId = userInfo.getUser().getId();request.getSession().setAttribute("userId", userId);RetryLimitCache.remove(username);return TokenUtil.createAuthInfo(userInfo);}
达到错误次数后抛出提示,登录成功后清除缓存。
以上就是所有代码。