现网中有个应用A,之前一直是请求透传访问的,最近从安全方面考虑将该A应用不直接暴露给客户端访问,而是从有一定安全校验机制的应用B做访问入口,由B的后端将HTTP请求中转到A,再将A的响应通过B输出到客户端。这种方案有两个好处,1.可以利用应用B已有的安全校验机制,而不需要应用A再复制一份安全校验。2.原来在客户端需要同时访问应用A和应用B,这就涉及到浏览器的同源策略的安全性问题,所以在配置上必须让应用A和应用B在同一个域名之下,经过这种改造就不存在这种问题了。
看起来功能实现很简单,客户端访问应用B,应用B的后端用apache的httpclient访问应用A,再将应用A的响应写入B应用的响应中。HttpClient调用一般步骤:构造请求方法(HttpPost),构造请求参数内容,将请求参数塞入请求方法对象,发送请求,解析响应。代码如下:
Java代码 下载
HttpClient httpclient = new DefaultHttpClient();
try {
//new一个HttpPost
HttpPost httppost = new HttpPost(url);
if (paramMap != null) {
//构造NameValuePair的内容塞到HttpPost中
List<NameValuePair> formparams = new ArrayList<>();// 用于存放请求参数
for (Map.Entry<String, Object> entry : paramMap.entrySet()) {
String key = entry.getKey();
Object value = entry.getValue();
if (value instanceof String) {
formparams.add(new BasicNameValuePair(key, String.valueOf(value)));
} else if (value instanceof List) {
List<Object> objectList = (List) value;
if (CollectionUtils.isNotEmpty(objectList)) {
for (Object object : objectList) {
formparams.add(new BasicNameValuePair(key, String.valueOf(object)));
}
}
}else if(value instanceof Number){
formparams.add(new BasicNameValuePair(key, String.valueOf(value)));
}else{
throw new Exception("不支持该类型");
}
}
UrlEncodedFormEntity entity = new UrlEncodedFormEntity(formparams, encode);
httppost.setEntity(entity);
}
httppost.setHeader("Connection", "close");
HttpParams params = httpclient.getParams();
HttpConnectionParams.setConnectionTimeout(params, connectiontimeout);
HttpConnectionParams.setSoTimeout(params, readtimeout);
//发送post请求
HttpResponse httpResponse = httpclient.execute(httppost);
//解析响应内容,将输出流写入响应
if (httpResponse.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
HttpEntity httpEntity = httpResponse.getEntity();
httpEntity.writeTo(response.getOutputStream());
}
EntityUtils.consume(httpResponse.getEntity());
} catch (Exception e) {
e.printStackTrace();
} finally {
if (httpclient != null) {
httpclient.getConnectionManager().shutdown();
}
}
就是这么简单一需求还是有坑,测试发现原来的导出文件请求通过这种流中转之后文件名不显示了。
这种情况一看就知道是响应头中丢失了信息,通过HttpResponse能够获取到所有A响应的的Header,取出来塞到B的响应中不就行了?代码如下:
Java代码 下载
HttpResponse httpResponse = httpclient.execute(httppost);// 发送post 请求
if (httpResponse.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
HttpEntity httpEntity = httpResponse.getEntity();
httpEntity.writeTo(response.getOutputStream());
if (httpResponse.getFirstHeader("Content-Disposition") != null) {
//文件导出时在响应中添加文件内容的响应header
response.setHeader("Content-Disposition", httpResponse.getFirstHeader("Content-Disposition").getValue());
}
}
结果发现这样写却并没有放到响应头报文中。
跟踪源码,调用response.setHeader方法最终会执行到具体web容器的setHeader方法,我本地跑的tomcat,所以最终执行的是org.apache.catalina.connector.ResponseFacade类的setHeader方法:
Java代码
@Override
public void setHeader(String name, String value) {
if (isCommitted()) {
return;
}
response.setHeader(name, value);
}
原来在设置header之前会调用一下isCommitted方法判断要输出的内容是否已经提交:
Java代码 下载
@Override
public boolean isCommitted() {
if (response == null) {
throw new IllegalStateException(
sm.getString("responseFacade.nullResponse"));
}
return (response.isAppCommitted());
}
Java代码
/**
* Application commit flag accessor.
*/
public boolean isAppCommitted() {
return (this.appCommitted || isCommitted() || isSuspended()
|| ((getContentLength() > 0)
&& (getContentWritten() >= getContentLength())));
}
所以设置响应头的代码要在设置响应的输出流之前调用,否则无效:
Java代码 下载
if (httpResponse.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
String headerName;
for (Header header : httpResponse.getAllHeaders()) {
headerName = header.getName();
switch (headerName){
//这里根据需要自己添加需要输出的响应头
case "Content-Disposition":
case "Content-Type":
response.setHeader(headerName, header.getValue());
break;
}
}
HttpEntity httpEntity = httpResponse.getEntity();
httpEntity.writeTo(response.getOutputStream());
}