spring - JAVA WEB 授权问题请教。

Question

编写好了JAVA WEB，想像桌面软件那样，第一次使用的时候需要输入一个key,验证通过则能使用整个系统，否则就无法访问任何页面。

• key可以包含授权使用时长，比如1个月。

• 没有输入正确的key,则无论访问什么url路径，都会跳转到输入key的页面（和用户的登录页面一样）

请问这该怎么实现？

Answer 1

Simply speaking, there are two types

1. Generate key based on the other party’s machine.

   Just implement an encryption method yourself. (Algorithms such as summary algorithms that do not require inverse solutions are sufficient)
   Then obtain the main hardware of the computer where the project is deployed, such as the motherboard, network card, hard drive, etc., use these data to calculate a value in the project, and fill it in with the user If the entered keys are relatively the same, the formal project will be started. If they are different, you will be prompted to fill in the key. mac地址 As for how to obtain the other party's hardware information, it's up to you. For example, just ask the comrade who deployed the project to send it back to you, and then you use that calculation to calculate a key and send it back.
   

2. You generate a key yourself and distribute it everywhere.
   For example, build another web service, use this machine to generate a batch

   and distribute it. Then after the project is started, first request this server to perform the verification. The server will verify whether the key exists, whether it has been used, and send the used one. Is the key machine the same machine as the first activation? (Just use the same irreversible algorithm) UUID Or even simpler, use a pseudo-random algorithm (reversible algorithm). A batch of keys can be calculated based on the seed, and the seed can be decoded for each key.
   Decrypt the input key when the project is started to determine whether it is the seed.
   

Answer 2

• The premise is that you have already given this key to the customer through other means.

• Verify whether the access is illegal through strong verification such as cookie判断是否已经登陆,如果验证比较严谨,你这种按授权来的也可以加些ip地址,macaddress, after all, your customer base is probably not the general public.

• The authorized usage period, you said it is calculated on a one-month basis, and some advanced customers may calculate it on a half-year basis, so this is decided when generating.
  You can use redis to store your For this redis存储你的这个key,可以设置过期时间,每次访问从cookie取key(多数是要加密的),根据key可以去redis, you can set the expiration time, and get

  from cookie for each visit (most of them need to be encrypted). According to
, you can go to redis to get the remaining authorization time.

• springmvc

  If you fail to verify the key and access any page, you must jump back to the page where you entered the key. The question has a
tag, so you should know that the requests are intercepted and then processed before jumping. You should have an idea.

🎜 🎜

Answer 3

I don’t know how your key and user are bound. It should be the user's unique identifier. The unique identifier and key of the matching user can be stored in the database or cache to determine whether the user has permission. As for page jumps, a filter is enough.

Answer 4

You can generate a secret key after logging in successfully, store it in a cookie and set the cookie expiration date. Verify it every time you refresh the web page. This is a relatively simple method

Answer 5

In the absence of other external certificates, what is the difference between the subject's requirement and "record the login status for a period of time after logging in using the username and password"?

Answer 6

Thank you for your replies, but I'm sorry that I can only accept one answer.