
Filter - 自定義過濾器做資料攔截校驗

一、 過濾器與攔截器的差別

過濾器(Filter):可以修改request,依賴servlet容器實現,只能在請求處理前後執行。用于篩選請求。
攔截器(Interceptor):不能修改request,可以調用IOC容器中的各種依賴,可以精確到每個處理方法。用于終止流程。
           

1.配置需要過濾的接口

在resource檔案夾下,建立一個存放方法名/路徑的yml檔案。eg:method.yml

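# Example keyed by request path. YAML comments start with '#'; a '//' line is not a comment.
# The quoted "[...]" form keeps the slashes in the key when Spring Boot binds it into a Map.
# Each value is the comma-separated list of organisation types allowed to call that path.
# Paths that are not listed here are not checked by the filter at all, so every protected
# endpoint has to be listed explicitly.
method:
  map: {
     "[/base/data/getList]": '2,3',
     "[/base/data/getPage]": '2,3'
  }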

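# Example keyed by method name. YAML comments start with '#'; a '//' line is not a comment.
# NOTE(review): the VerifyFilter shown on this page looks entries up by request URI, so
# method-name keys like these only take effect with a lookup that uses the method name.
method:
  map: {
     getList: '2,3',
     getPage: '2,3'
  }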
           

獲得配置檔案中的map值

import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
import java.util.Map;

/**
 * Holds the {@code method.map} entries read from configuration.
 *
 * <p>Lombok's {@code @Data} generates {@code getMap()} and {@code setMap(...)} for the field.
 */
@Data
@Component
@ConfigurationProperties(prefix = "method")
public class MethodConfig {

    // Lookup key (request path or method name) -> comma-separated list of allowed values, e.g. "2,3".
    Map<String, String> map;
}
           

在啟動類配置讀取配置檔案

/**
 * Registers a {@code PropertySourcesPlaceholderConfigurer} whose properties are parsed from
 * {@code method.yml} on the classpath.
 *
 * @return the configurer carrying the YAML properties
 */
@Bean
public static PropertySourcesPlaceholderConfigurer properties() {
    // Parse the YAML resource into a flat Properties object first.
    YamlPropertiesFactoryBean yamlFactory = new YamlPropertiesFactoryBean();
    yamlFactory.setResources(new ClassPathResource("method.yml"));

    // Then hand those properties to the placeholder configurer.
    PropertySourcesPlaceholderConfigurer placeholderConfigurer = new PropertySourcesPlaceholderConfigurer();
    placeholderConfigurer.setProperties(yamlFactory.getObject());
    return placeholderConfigurer;
}
           

2.自定義Filter

import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.junit.platform.commons.util.StringUtils;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.annotation.Resource;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.*;

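/**
 * Per-request filter that enforces the data-permission rules configured under {@code method.map}.
 *
 * <p>When the request URI has an entry in the map, the caller's organisation type must be one of the
 * comma-separated values configured for it. Callers whose type is {@code "valid"} must also send a
 * {@code code} parameter equal to the code stored on their own user record. A request that fails a
 * check is forwarded to {@code /filter/errorFilter}, which produces the error response.
 *
 * <p>NOTE(review): the rule lookup is an exact match on {@code getRequestURI()}, which is the raw,
 * un-normalised request path, and a URI without an entry is passed through unchecked. Any difference
 * between that string and the path the dispatcher finally routes on makes the lookup miss, and a miss
 * means no check. Prefer matching on the same normalised path the framework routes on, and deny by
 * default for endpoints that must be protected.
 *
 * <p>NOTE(review): blank checks are done with plain {@code String} methods. The file-level import of
 * {@code org.junit.platform.commons.util.StringUtils} is a JUnit-internal helper from a test library
 * and is no longer needed by this class.
 */
@Slf4j
@Component
@AllArgsConstructor
public class VerifyFilter extends OncePerRequestFilter {

    // Controller path that turns a rejected request into a regular error response.
    private static final String  errorFilterPath = "/filter/errorFilter";

    // Request attribute that carries the rejection message to that controller.
    private static final String  errorCode = "errorCode";

    // HTTP method whose parameters are read from the JSON body instead of the query string.
    private static final String METHOD_POST = "POST";

    // Rules loaded from the yml file: request path -> allowed organisation types.
    @Resource
    private final MethodConfig methodConfig;

    /**
     * Applies the configured rule for the request URI, if there is one.
     *
     * @param request     current request
     * @param response    current response
     * @param filterChain remaining filter chain
     * @throws ServletException if the rule map is missing or a downstream component fails
     * @throws IOException      if reading the body or forwarding fails
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

        // Request path, e.g. /base/data/getList
        String requestURI = request.getRequestURI();

        // Lombok's @Data on MethodConfig generates getMap(); the original getmap() does not exist.
        Map<String, String> protectedPaths = methodConfig.getMap();
        if (protectedPaths == null) {
            // Fail closed: without the rule map this filter cannot tell which paths are protected.
            throw new ServletException("method.map is not configured");
        }

        // No entry (or a blank one) means the path needs no data check: pass the request on untouched.
        String allowedOrgTypes = protectedPaths.get(requestURI);
        if (allowedOrgTypes == null || allowedOrgTypes.trim().isEmpty()) {
            filterChain.doFilter(request, response);
            return;
        }

        // Trim each entry so that "2, 3" in the yml file behaves like "2,3".
        List<String> orgTypeList = new ArrayList<>();
        for (String entry : allowedOrgTypes.split(",")) {
            orgTypeList.add(entry.trim());
        }

        // Parameterised logging keeps the request-controlled URI out of the format string.
        log.info("進入資料校驗攔截器, 接口路徑 = {}", requestURI);

        // Resolve the caller from the token. getUserByToken() is not part of this listing.
        User user = getUserByToken();
        if (user == null) {
            // No authenticated user: reject instead of failing with a NullPointerException.
            reject(request, response);
            return;
        }

        String orgType = user.getOrgType();
        if (!orgTypeList.contains(orgType)) {
            reject(request, response);
            return;
        }

        // Request handed to the rest of the chain; replaced by the buffering wrapper once the body is read.
        HttpServletRequest downstream = request;

        // Callers of type "valid" may only ask for their own code.
        if ("valid".equals(orgType)) {
            // NOTE(review): the original read this from an undeclared `lusEntity`; assumed to be the
            // user loaded above. Confirm that User exposes getCode().
            Integer code = user.getCode();

            String codeParam = null;
            if (METHOD_POST.equals(request.getMethod())) {
                // POST: the parameter is in the JSON body. Reading the body consumes the request stream,
                // so the buffering wrapper must be passed down the chain or later readers see an empty body.
                // An existing wrapper is reused so the body is not filtered twice.
                XssHttpServletRequestWrapper requestWrapper = request instanceof XssHttpServletRequestWrapper
                        ? (XssHttpServletRequestWrapper) request
                        : new XssHttpServletRequestWrapper(request);
                Map<String, Object> bodyMap = requestWrapper.getBodyMap(requestWrapper.getInputStream());
                if (bodyMap != null && bodyMap.get("code") != null) {
                    codeParam = bodyMap.get("code").toString();
                }
                downstream = requestWrapper;
            } else {
                // Every other method: take the parameter straight from the request.
                codeParam = request.getParameter("code");
            }

            // A user record without a code can never match, so it is rejected as well.
            if (code == null || !code.toString().equals(codeParam)) {
                reject(request, response);
                return;
            }
        }

        filterChain.doFilter(downstream, response);
    }

    /**
     * Stores the rejection message on the request and forwards it (server-side) to the error endpoint.
     *
     * <p>NOTE(review): the HTTP status of the forwarded response is decided by that endpoint; confirm a
     * rejected request is not answered with a success status.
     */
    private void reject(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        request.setAttribute(errorCode, "資料校驗未通過");
        request.getRequestDispatcher(errorFilterPath).forward(request, response);
    }
}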
           

3.自定義wrapper

HttpServletRequestWrapper

當使用filter時,會出現需要獲取或者改變HttpServletRequest對象的參數的情況。但是HttpServletRequest的參數保存在一個不可修改的java.util.Map中。我們不能改變對象本身,但是可以通過裝飾模式來改變它對外呈現的參數。

HttpServletRequestWrapper類是HttpServletRequest類的裝飾類。想要改變在httpServletRequest中的參數,可以通過httpServletRequest的裝飾類HttpServletRequestWrapper來實作,隻需要在裝飾類中按照需要重寫其getParameter(getParameterValues)方法即可。

@RequestBody

以流的形式讀取request中的Json資料。讀取流時,getReader()和getInputStream()只能有效調用一次。因為流讀過之後,讀取位置會停在上次讀到的地方,第二次讀取就從該位置繼續讀取,所以會讀不到資料。

獲得參數

重寫HttpServletRequestWrapper,可以把request儲存下來。再通過過濾器,把儲存下來的request填充進去,可以實作多次讀取request。

XssHttpServletRequestWrapper

import cn.hutool.core.io.IoUtil;
import cn.hutool.core.util.StrUtil;
import com.alibaba.fastjson.JSONObject;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

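/**
 * Request wrapper that buffers the request body so it can be read more than once, and that passes the
 * body, the parameters and single-value headers through {@code HTMLFilter} before handing them out.
 *
 * <p>NOTE(review): the whole body is copied into memory with no size cap. Make sure the container or a
 * fronting proxy limits the request size, or reject oversized bodies before wrapping.
 *
 * <p>NOTE(review): the constructor consumes the request stream for every content type. For
 * form-encoded POSTs, confirm the container can still parse the parameters afterwards.
 *
 * <p>NOTE(review): filtering input is not a substitute for encoding output where the data is rendered.
 * {@code HTMLFilter} is not part of this listing; confirm that running it over a raw JSON document
 * leaves the JSON syntax intact. {@code getHeaders} and {@code getHeaderNames} are not overridden and
 * return unfiltered values.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    /**
     * The request as it was before wrapping (for special cases where the caller filters by itself).
     */
    HttpServletRequest orgRequest;

    /**
     * Buffered request body, kept so the body can be read repeatedly. A wrapper is created per request
     * in the filter; be careful about thread safety if an instance is ever shared.
     */
    private byte[] requestBody;

    /**
     * HTML filter shared by all wrapper instances.
     * NOTE(review): confirm HTMLFilter.filter is safe to call from concurrent request threads.
     */
    private final static HTMLFilter htmlFilter = new HTMLFilter();

    /**
     * Wraps the request and copies its body into memory.
     *
     * @param request request to wrap
     * @throws IOException if the body cannot be read
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
        super(request);
        orgRequest = request;

        // Read the body until end of stream (-1); a read never legitimately returns 0 for this buffer size.
        InputStream in = request.getInputStream();
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        byte[] chunk = new byte[1024];
        int read;
        while ((read = in.read(chunk)) != -1) {
            buffer.write(chunk, 0, read);
        }
        requestBody = buffer.toByteArray();
    }

    /**
     * Returns a fresh stream over the buffered, filtered body on every call.
     *
     * @return stream over the filtered body, or the underlying stream when the body is blank
     * @throws IOException if the underlying stream has to be read and fails
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        // Buffer lazily in case the field was never filled.
        if (null == this.requestBody) {
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            IoUtil.copy(super.getInputStream(), baos);
            this.requestBody = baos.toByteArray();
        }

        String json = xssEncode(new String(this.requestBody, StandardCharsets.UTF_8));
        // Nothing to replay: fall back to the underlying stream.
        if (StrUtil.isBlank(json)) {
            return super.getInputStream();
        }

        final ByteArrayInputStream bis = new ByteArrayInputStream(json.getBytes(StandardCharsets.UTF_8));
        return new ServletInputStream() {
            @Override
            public boolean isFinished() {
                // Finished only once every buffered byte has been handed out.
                return bis.available() == 0;
            }

            @Override
            public boolean isReady() {
                // The data is already in memory, so a read never blocks.
                return true;
            }

            @Override
            public void setReadListener(ReadListener readListener) {
                // Non-blocking reads are not supported by this in-memory stream.
            }

            @Override
            public int read() throws IOException {
                return bis.read();
            }

            @Override
            public int read(byte[] b, int off, int len) throws IOException {
                // Bulk read, so callers are not forced through the byte-at-a-time path.
                return bis.read(b, off, len);
            }
        };
    }

    /**
     * Returns a reader over the same buffered, filtered body as {@link #getInputStream()}, so that
     * reader-based consumers do not hit the already-consumed underlying stream.
     */
    @Override
    public BufferedReader getReader() throws IOException {
        return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
    }

    /**
     * Returns the filtered value of one parameter.
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        if (StrUtil.isNotBlank(value)) {
            value = xssEncode(value);
        }
        return value;
    }

    /**
     * Returns filtered copies of all values of one parameter, or {@code null} when there are none.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] parameters = super.getParameterValues(name);
        if (parameters == null || parameters.length == 0) {
            return null;
        }
        return filterValues(parameters);
    }

    /**
     * Returns a new map holding filtered copies of every parameter value.
     */
    @Override
    public Map<String,String[]> getParameterMap() {
        Map<String,String[]> filtered = new LinkedHashMap<>();
        for (Map.Entry<String,String[]> entry : super.getParameterMap().entrySet()) {
            filtered.put(entry.getKey(), filterValues(entry.getValue()));
        }
        return filtered;
    }

    /**
     * Returns the filtered value of one header.
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssEncode(name));
        if (StrUtil.isNotBlank(value)) {
            value = xssEncode(value);
        }
        return value;
    }

    // Filters into a new array: the arrays returned by the wrapped request may be its own state, and
    // rewriting them in place would filter the same value again on every later call.
    private String[] filterValues(String[] values) {
        if (values == null) {
            return null;
        }
        String[] result = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            result[i] = xssEncode(values[i]);
        }
        return result;
    }

    private String xssEncode(String input) {
        return htmlFilter.filter(input);
    }

    /**
     * Returns the original, unwrapped request.
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Returns the original request behind {@code request} when it is an instance of this wrapper,
     * otherwise {@code request} itself.
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest request) {
        if (request instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) request).getOrgRequest();
        }

        return request;
    }

    /**
     * Reads a JSON object from the stream and returns its top-level entries.
     *
     * <p>NOTE(review): this parses a client-supplied body with fastjson. Keep the library on a
     * maintained release and check its safe-mode / autoType configuration.
     *
     * @param in stream holding the request body; it is closed by this method
     * @return the top-level entries, or an empty map when the body is not a JSON object or cannot be read
     */
    public Map<String,Object> getBodyMap(InputStream in) {
        try (BufferedReader streamReader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            StringBuilder bodyBuilder = new StringBuilder();
            String line;
            while ((line = streamReader.readLine()) != null) {
                bodyBuilder.append(line);
            }
            String body = bodyBuilder.toString();

            // Cheap syntax check first, so obviously malformed input never reaches the parser.
            if (!JsonUtil.getInstance().validate(body)) {
                return new HashMap<String, Object>();
            }
            JSONObject jsonObject = JSONObject.parseObject(body);
            if (jsonObject == null) {
                return new HashMap<String, Object>();
            }
            // Parse once and copy the entries, instead of serialising and parsing a second time.
            return new HashMap<String, Object>(jsonObject);
        } catch (IOException | RuntimeException e) {
            // Unreadable or non-object JSON is treated as "no parameters" rather than returning null.
            // NOTE(review): route this through the project's logger instead of stderr.
            e.printStackTrace();
            return new HashMap<String, Object>();
        }
    }

}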
           

XssFilter

把儲存下來的request填充并傳遞下去

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * XSS filter: wraps every HTTP request in an {@code XssHttpServletRequestWrapper} before passing it
 * down the chain. Non-HTTP requests are passed on unchanged.
 */
public class XssFilter implements Filter {

	@Override
	public void init(FilterConfig config) throws ServletException {
		// No initialisation needed.
	}

	/**
	 * Hands the wrapped request (or the original one, if it is not an HTTP request) to the chain.
	 */
	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
		// Anything that is not an HTTP request cannot be wrapped: forward it untouched.
		if (!(request instanceof HttpServletRequest)) {
			chain.doFilter(request, response);
			return;
		}

		HttpServletRequest httpRequest = (HttpServletRequest) request;
		chain.doFilter(new XssHttpServletRequestWrapper(httpRequest), response);
	}

	@Override
	public void destroy() {
		// Nothing to release.
	}
}
           

4.校驗字元串是否是合法的JSON格式

方法一:工具類

import java.text.CharacterIterator;
import java.text.StringCharacterIterator;

import org.apache.commons.lang3.StringUtils;

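/**
 * Checks whether a string is syntactically valid JSON, using a small recursive-descent scanner.
 *
 * <p>The scanner keeps its position in instance fields. {@link #validate(String)} therefore runs every
 * check on a private instance, so the shared singleton can be used from concurrent request threads.
 */
public class JsonUtil {
    /**
     * Deepest array/object nesting accepted. Each level costs several stack frames, so unbounded
     * nesting in client-supplied input would end in a StackOverflowError instead of a clean "invalid".
     * The value is a conservative choice, not a JSON rule.
     */
    private static final int MAX_NESTING_DEPTH = 512;

    // Created eagerly: the lazy null check was not safe under concurrent first use.
    private static final JsonUtil INSTANCE = new JsonUtil();

    private CharacterIterator it;   // cursor over the text being checked
    private char c;                 // current character, CharacterIterator.DONE at the end
    private int col;                // 1-based position of c, kept for error reporting
    private int depth;              // current array/object nesting level

    /**
     * Returns the shared instance.
     *
     * @return the shared instance
     */
    public static JsonUtil getInstance() {
        return INSTANCE;
    }

    /**
     * Checks whether a string is valid JSON.
     *
     * @param input string to check; may be {@code null}
     * @return {@code true} if valid, {@code false} if invalid, blank or {@code null}
     */
    public boolean validate(String input) {
        if (input == null) {
            return false;
        }
        String trimmed = input.trim();
        if (trimmed.isEmpty()) {
            return false;
        }
        // Fresh scanner per call: the cursor fields must not be shared between threads.
        return new JsonUtil().valid(trimmed);
    }

    // Scans one complete JSON value and requires that nothing but whitespace follows it.
    private boolean valid(String input) {
        it = new StringCharacterIterator(input);
        c = it.first();
        col = 1;
        depth = 0;
        if (!value()) {
            return error("value", 1);
        }
        skipWhiteSpace();
        if (c != CharacterIterator.DONE) {
            return error("end", col);
        }
        return true;
    }

    // Dispatches on the first character. Trying each alternative in turn let a later alternative
    // resume from wherever a half-matched one had stopped, which accepted invalid text.
    private boolean value() {
        switch (c) {
            case 't':
                return literal("true");
            case 'f':
                return literal("false");
            case 'n':
                return literal("null");
            case '"':
                return string();
            case '{':
                return object();
            case '[':
                return array();
            default:
                return number();
        }
    }

    // Matches the exact keyword starting at the current character.
    private boolean literal(String text) {
        CharacterIterator ci = new StringCharacterIterator(text);
        char t = ci.first();
        if (c != t) return false;

        int start = col;
        boolean ret = true;
        for (t = ci.next(); t != CharacterIterator.DONE; t = ci.next()) {
            if (t != nextCharacter()) {
                ret = false;
                break;
            }
        }
        nextCharacter();
        if (!ret) error("literal " + text, start);
        return ret;
    }

    private boolean array() {
        return aggregate('[', ']', false);
    }

    private boolean object() {
        return aggregate('{', '}', true);
    }

    // Scans an array or object; `prefix` is true for objects, whose members start with "key":.
    private boolean aggregate(char entryCharacter, char exitCharacter, boolean prefix) {
        if (c != entryCharacter) return false;
        if (depth >= MAX_NESTING_DEPTH) {
            return error("nesting depth", col);
        }
        depth++;
        try {
            return aggregateBody(exitCharacter, prefix);
        } finally {
            depth--;
        }
    }

    // Scans the members after the opening bracket up to and including the closing one.
    private boolean aggregateBody(char exitCharacter, boolean prefix) {
        nextCharacter();
        skipWhiteSpace();
        if (c == exitCharacter) {
            nextCharacter();
            return true;
        }

        for (; ; ) {
            if (prefix) {
                int start = col;
                if (!string()) return error("string", start);
                skipWhiteSpace();
                if (c != ':') return error("colon", col);
                nextCharacter();
                skipWhiteSpace();
            }
            if (value()) {
                skipWhiteSpace();
                if (c == ',') {
                    nextCharacter();
                } else if (c == exitCharacter) {
                    break;
                } else {
                    return error("comma or " + exitCharacter, col);
                }
            } else {
                return error("value", col);
            }
            skipWhiteSpace();
        }

        nextCharacter();
        return true;
    }

    // Scans a JSON number: optional sign, integer part, optional fraction, optional exponent.
    private boolean number() {
        if (!Character.isDigit(c) && c != '-') return false;
        int start = col;
        if (c == '-') nextCharacter();
        if (c == '0') {
            nextCharacter();
        } else if (Character.isDigit(c)) {
            while (Character.isDigit(c))
                nextCharacter();
        } else {
            return error("number", start);
        }
        if (c == '.') {
            nextCharacter();
            if (Character.isDigit(c)) {
                while (Character.isDigit(c))
                    nextCharacter();
            } else {
                return error("number", start);
            }
        }
        if (c == 'e' || c == 'E') {
            nextCharacter();
            if (c == '+' || c == '-') {
                nextCharacter();
            }
            if (Character.isDigit(c)) {
                while (Character.isDigit(c))
                    nextCharacter();
            } else {
                return error("number", start);
            }
        }
        return true;
    }

    // Scans a double-quoted string, including its escape sequences.
    private boolean string() {
        if (c != '"') return false;

        int start = col;
        boolean escaped = false;
        for (nextCharacter(); c != CharacterIterator.DONE; nextCharacter()) {
            if (!escaped && c == '\\') {
                escaped = true;
            } else if (escaped) {
                if (!escape()) {
                    return false;
                }
                escaped = false;
            } else if (c == '"') {
                nextCharacter();
                return true;
            }
        }
        return error("quoted string", start);
    }

    // Checks the character after a backslash. A space is not a JSON escape, so it is not in the set.
    private boolean escape() {
        int start = col - 1;
        if ("\\\"/bfnrtu".indexOf(c) < 0) {
            return error("escape sequence  \\\",\\\\,\\/,\\b,\\f,\\n,\\r,\\t  or  \\uxxxx ", start);
        }
        if (c == 'u') {
            if (!ishex(nextCharacter()) || !ishex(nextCharacter()) || !ishex(nextCharacter())
                    || !ishex(nextCharacter())) {
                return error("unicode escape sequence  \\uxxxx ", start);
            }
        }
        return true;
    }

    // Tests the character that was passed in (the original tested the field c instead).
    private boolean ishex(char d) {
        return "0123456789abcdefABCDEF".indexOf(d) >= 0;
    }

    // Advances the cursor by one character and returns it.
    private char nextCharacter() {
        c = it.next();
        ++col;
        return c;
    }

    private void skipWhiteSpace() {
        while (Character.isWhitespace(c)) {
            nextCharacter();
        }
    }

    // Single place to hook in error reporting; currently it only signals failure.
    private boolean error(String type, int col) {
        return false;
    }
}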

           

方法二:捕獲異常

import cn.hutool.json.JSONUtil;

// Value to check; left unassigned in this fragment.
Object param;
// Starts as an empty object and is replaced only when parsing succeeds.
JSONObject jsonObject = new JSONObject();
try {
	 // Convert the parameter to a JSONObject.
    jsonObject = JSONUtil.parseObj(param);
    
} catch (Exception e) {
    // Not JSON: handle that case here. Nothing is done in this fragment, so jsonObject stays empty.
}
           

5.抛出filter自定義異常

在filter過濾器中使用throw直接抛出自定義異常,會傳回容器預設的500錯誤,而無法傳回自定義的錯誤碼和内容。這是因為filter在DispatcherServlet之前執行,Spring MVC的全域異常處理捕獲不到filter中抛出的異常。

此處在filter中将請求轉發(forward)至傳回錯誤碼的控制層接口,用來實現傳回自定義異常。

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletRequest;

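/**
 * Endpoint that filters forward to, so that a rejected request is answered with a regular REST error
 * body.
 *
 * <p>NOTE(review): the mapping is also reachable directly by clients, and the HTTP status of the
 * response depends on {@code RestResponse}, which is not part of this listing. Confirm that a rejected
 * request is not answered with a success status.
 */
@RequestMapping("/filter")
@RestController
public class FilterController {

    /**
     * Turns the rejection message a filter stored on the request into an error response.
     *
     * @param request request forwarded by the filter; carries the message in the
     *                {@code errorCode} attribute
     * @return error response built from that message
     */
    @RequestMapping("errorFilter")
    public RestResponse verifyUserFilter(HttpServletRequest request) {

        // The attribute exists only on a forward from the filter. A client that calls this URL
        // directly gets the generic message instead of a NullPointerException and a 500.
        Object message = request.getAttribute("errorCode");
        String code = message != null ? message.toString() : "資料校驗未通過";
        return RestResponse.exception(code);
    }
}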
           

參考文章:

用一個執行個體來說明HttpServletRequestWrapper類的使用

spring boot攔截器中擷取request post請求中的參數

springMVC攔截器從Request中擷取Json格式并解決request的請求流隻能讀取一次的問題