title: redis-login-limitation
利用 redis 實現登陸次數限制, 注解 + aop, 核心代碼很簡單.
基本思路
比如希望達到的要求是這樣: 在 1min 內登陸異常次數達到5次, 鎖定該用戶 1h
那么登陸請求的參數中, 會有一個參數唯一標識一個 user, 比如 郵箱/手機號/userName
用這個參數作為key存入redis, 對應的value為登陸錯誤的次數, string 類型, 并設置過期時間為 1min. 當獲取到的 value == "4" , 說明當前請求為第 5 次登陸異常, 鎖定.
所謂的鎖定, 就是將對應的value設置為某個標識符, 比如"lock", 并設置過期時間為 1h
核心代碼
定義一個注解, 用來標識需要登陸次數校驗的方法
package io.github.xiaoyureed.redispractice.anno;import java.lang.annotation.*;@Documented@Target({ElementType.METHOD})@Retention(RetentionPolicy.RUNTIME)public @interface RedisLimit { /** * 標識參數名, 必須是請求參數中的一個 */ String identifier(); /** * 在多長時間內監控, 如希望在 60s 內嘗試 * 次數限制為5次, 那么 watch=60; unit: s */ long watch(); /** * 鎖定時長, unit: s */ long lock(); /** * 錯誤的嘗試次數 */ int times();}編寫切面, 在目標方法前后進行校驗, 處理...
package io.github.xiaoyureed.redispractice.aop;@Component@Aspect// Ensure that current advice is outer compared with ControllerAOP// so we can handling login limitation Exception in this aop advice.//@Order(9)@Slf4jpublic class RedisLimitAOP { @Autowired private StringRedisTemplate stringRedisTemplate; @Around("@annotation(io.github.xiaoyureed.redispractice.anno.RedisLimit)") public Object handleLimit(ProceedingJoinPoint joinPoint) { MethodSignature methodSignature = (MethodSignature) joinPoint.getSignature(); final Method method = methodSignature.getMethod(); final RedisLimit redisLimitAnno = method.getAnnotation(RedisLimit.class);// 貌似可以直接在方法參數中注入 todo final String identifier = redisLimitAnno.identifier(); final long watch = redisLimitAnno.watch(); final int times = redisLimitAnno.times(); final long lock = redisLimitAnno.lock(); // final ServletRequestAttributes att = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes(); // final HttpServletRequest request = att.getRequest(); // final String identifierValue = request.getParameter(identifier); String identifierValue = null; try { final Object arg = joinPoint.getArgs()[0]; final Field declaredField = arg.getClass().getDeclaredField(identifier); declaredField.setAccessible(true); identifierValue = (String) declaredField.get(arg); } catch (NoSuchFieldException e) { log.error(">>> invalid identifier [{}], cannot find this field in request params", identifier); } catch (IllegalAccessException e) { e.printStackTrace(); } if (StringUtils.isBlank(identifierValue)) { log.error(">>> the value of RedisLimit.identifier cannot be blank, invalid identifier: {}", identifier); } // check User locked final ValueOperations<String, String> ssOps = stringRedisTemplate.opsForValue(); final String flag = ssOps.get(identifierValue); if (flag != null && "lock".contentEquals(flag)) { final BaseResp result = new BaseResp(); result.setErrMsg("user locked"); result.setCode("1"); return new ResponseEntity<>(result, HttpStatus.OK); } ResponseEntity result; try { result = (ResponseEntity) joinPoint.proceed(); } catch (Throwable e) { result = handleLoginException(e, identifierValue, watch, times, lock); } return result; } private ResponseEntity handleLoginException(Throwable e, String identifierValue, long watch, int times, long lock) { final BaseResp result = new BaseResp(); result.setCode("1"); if (e instanceof LoginException) { log.info(">>> handle login exception..."); final ValueOperations<String, String> ssOps = stringRedisTemplate.opsForValue(); Boolean exist = stringRedisTemplate.hasKey(identifierValue); // key doesn't exist, so it is the first login failure if (exist == null || !exist) { ssOps.set(identifierValue, "1", watch, TimeUnit.SECONDS); result.setErrMsg(e.getMessage()); return new ResponseEntity<>(result, HttpStatus.OK); } String count = ssOps.get(identifierValue); // has been reached the limitation if (Integer.parseInt(count) + 1 == times) { log.info(">>> [{}] has been reached the limitation and will be locked for {}s", identifierValue, lock); ssOps.set(identifierValue, "lock", lock, TimeUnit.SECONDS); result.setErrMsg("user locked"); return new ResponseEntity<>(result, HttpStatus.OK); } ssOps.increment(identifierValue); result.setErrMsg(e.getMessage() + "; you have try " + ssOps.get(identifierValue) + "times."); } log.error(">>> RedisLimitAOP cannot handle {}", e.getClass().getName()); return new ResponseEntity<>(result, HttpStatus.OK); }}這樣使用:
package io.github.xiaoyureed.redispractice.web;@RestControllerpublic class SessionResources { @Autowired private SessionService sessionService; /** * 1 min 之內嘗試超過5次, 鎖定 user 1h */ @RedisLimit(identifier = "name", watch = 30, times = 5, lock = 10) @RequestMapping(value = "/session", method = RequestMethod.POST) public ResponseEntity<LoginResp> login(@Validated @RequestBody LoginReq req) { return new ResponseEntity<>(sessionService.login(req), HttpStatus.OK); }}references
https://github.com/xiaoyureed/redis-login-limitation
總結
