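The role of a gateway is not repeated here; today's focus is Zuul's Filter. With a Filter we can implement security controls, for example allowing only clients whose request parameters include a username and password to access server-side resources. So how is a Filter implemented?
Implementing a Filter takes the following steps:
1. Extend the ZuulFilter class. To verify how Filters behave, we create 3 Filters here.
Filter by username: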
```java
package com.chhliu.springcloud.zuul;

import javax.servlet.http.HttpServletRequest;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;

public class AccessUserNameFilter extends ZuulFilter {

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest request = ctx.getRequest();
        System.out.println(String.format("%s AccessUserNameFilter request to %s", request.getMethod(), request.getRequestURL().toString()));
        String username = request.getParameter("username"); // read the request parameter
        if ("chhliu".equals(username)) { // pass only when the parameter is present and equals chhliu
            ctx.setSendZuulResponse(true); // route this request
            ctx.setResponseStatusCode(200);
            ctx.set("isSuccess", true); // store the outcome so the next Filter can see this Filter's state
            return null;
        } else {
            ctx.setSendZuulResponse(false); // filter the request out, do not route it
            ctx.setResponseStatusCode(401); // return the error code
            ctx.setResponseBody("{\"result\":\"username is not correct!\"}"); // return the error body
            ctx.set("isSuccess", false);
            return null;
        }
    }

    @Override
    public boolean shouldFilter() {
        return true; // whether to run this filter; true here means it always filters
    }

    @Override
    public int filterOrder() {
        return 0; // priority 0; the larger the number, the lower the priority
    }

    @Override
    public String filterType() {
        return "pre"; // pre filter
    }
}
```
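filterType: returns a string that names the filter's type. Zuul defines four filter types for different points in the lifecycle:
- pre: called before the request is routed
- route: called while the request is being routed
- post: called after the route and error filters
- error: called when an error occurs while handling the request

filterOrder: an int value that defines the order in which filters execute.

shouldFilter: returns a boolean that decides whether the filter should run, so this method can act as an on/off switch for the filter. In the example above we return true directly, so the filter is always in effect.

run: the filter's actual logic. Note that here we call ctx.setSendZuulResponse(false) to make Zuul filter the request out and not route it, and then call ctx.setResponseStatusCode(401) to set the error code it returns.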
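Coordination between filters
Filters have no direct way to access each other. They can share state through RequestContext, a Map-like structure with some explicit accessor methods for what are considered Zuul primitives. Internally it is implemented with ThreadLocal; interested readers can look at the source code.
Create another filter that filters by password: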
```java
package com.chhliu.springcloud.zuul;

import javax.servlet.http.HttpServletRequest;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;

public class AccessPasswordFilter extends ZuulFilter {

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest request = ctx.getRequest();
        System.out.println(String.format("%s AccessPasswordFilter request to %s", request.getMethod(), request.getRequestURL().toString()));
        String password = request.getParameter("password"); // read the request parameter
        if ("123456".equals(password)) { // pass only when the parameter is present and equals 123456
            ctx.setSendZuulResponse(true);
            ctx.setResponseStatusCode(200);
            ctx.set("isSuccess", true);
            return null;
        } else {
            ctx.setSendZuulResponse(false);
            ctx.setResponseStatusCode(401);
            ctx.setResponseBody("{\"result\":\"password is not correct!\"}");
            ctx.set("isSuccess", false);
            return null;
        }
    }

    @Override
    public boolean shouldFilter() {
        RequestContext ctx = RequestContext.getCurrentContext();
        // If the previous filter's result is true, it succeeded and this filter must run.
        // If it is false, the previous filter failed, so no further filtering is needed:
        // all later filters are skipped and the result is returned directly.
        return (boolean) ctx.get("isSuccess");
    }

    @Override
    public int filterOrder() {
        return 1; // priority set to 1
    }

    @Override
    public String filterType() {
        return "pre";
    }
}
```
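A fail-closed variant of the password filter, as an added example that is not the author's code. The class name FailClosedPasswordFilter is hypothetical; it gates on RequestContext.sendZuulResponse() instead of the custom isSuccess key and never re-enables routing on success, so it cannot undo a denial made by an earlier filter.

```java
package com.chhliu.springcloud.zuul;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;

// Added example (hypothetical class), not part of the original article.
public class FailClosedPasswordFilter extends ZuulFilter {

    // Demo value reused from the article; a real gateway would verify against
    // a credential store instead of a literal in source.
    private static final byte[] EXPECTED = "123456".getBytes(StandardCharsets.UTF_8);

    @Override
    public boolean shouldFilter() {
        // sendZuulResponse() is true by default and turns false once any earlier
        // filter calls setSendZuulResponse(false). If no earlier filter ran at all,
        // the check below still executes; a missing "isSuccess" key is irrelevant.
        return RequestContext.getCurrentContext().sendZuulResponse();
    }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest request = ctx.getRequest();
        String password = request.getParameter("password");
        byte[] supplied = password == null
                ? new byte[0] : password.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual avoids String.equals' early exit on the first
        // differing character.
        if (!MessageDigest.isEqual(EXPECTED, supplied)) {
            ctx.setSendZuulResponse(false); // deny: do not route
            ctx.setResponseStatusCode(401);
            ctx.setResponseBody("{\"result\":\"password is not correct!\"}");
        }
        // On success nothing is touched: the request stays routable only if
        // every earlier filter left it routable.
        return null;
    }

    @Override public int filterOrder() { return 1; }
    @Override public String filterType() { return "pre"; }
}
```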
```java
package com.chhliu.springcloud.zuul;

import javax.servlet.http.HttpServletRequest;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;

public class AccessTokenFilter extends ZuulFilter {

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest request = ctx.getRequest();
        System.out.println(String.format("%s AccessTokenFilter request to %s", request.getMethod(),
                request.getRequestURL().toString()));
        ctx.setSendZuulResponse(true);
        ctx.setResponseStatusCode(200);
        ctx.setResponseBody("{\"name\":\"chhliu\"}"); // write the final result
        return null;
    }

    @Override
    public boolean shouldFilter() {
        return true;
    }

    @Override
    public int filterOrder() {
        return 0;
    }

    @Override
    public String filterType() {
        return "post"; // this filter is entered after the request has been handled
    }
}
```
```java
// Bean definitions, placed inside a Spring configuration class
@Bean
public AccessUserNameFilter accessUserNameFilter() {
    return new AccessUserNameFilter();
}

@Bean
public AccessPasswordFilter accessPasswordFilter() {
    return new AccessPasswordFilter();
}
```
(1) Request: http://localhost:8768/h2service/user/1?username=chhliu
Test result:
```
{"result":"password is not correct!"}
```
Console output:
```
GET AccessUserNameFilter request to http://localhost:8768/h2service/user/1
GET AccessPasswordFilter request to http://localhost:8768/h2service/user/1
```
No SQL is printed by the backend, which shows the request was not routed.
(2) Request: http://localhost:8768/h2service/user/1?password=123456
Test result:
```
{"result":"username is not correct!"}
```
Console output:
```
GET AccessUserNameFilter request to http://localhost:8768/h2service/user/1
```
No SQL is printed by the backend, which shows the request was not routed.
(3) Request: http://localhost:8768/h2service/user/1?password=123456&username=chhliu
Test result:
```
{
"id": 1,
"username": "user1",
"name": "張三",
"age": 20,
"balance": 100.00
}
```
Console output:
```
GET AccessUserNameFilter request to http://localhost:8768/h2service/user/1
GET AccessPasswordFilter request to http://localhost:8768/h2service/user/1
```
At the same time, the requested service prints SQL:
```
Hibernate: select user0_.id as id1_0_0_, user0_.age as age2_0_0_, user0_.balance as balance3_0_0_, user0_.name as name4_0_0_, user0_.username as username5_0_0_ from user user0_ where user0_.id=?
```
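4. Enable the post filter and run again
Test result: the post filter turns out to run last, even though its priority is 0.
For the lifecycle of Zuul's Filters, see the figure below.
Note: the figure above contains a small error: routing should be route.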
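The ordering observed in step 4, as an added example in plain Java (16+) that is a simplified model and not Zuul's own code: filters are grouped by stage first and sorted by filterOrder only within a stage, so a post filter with order 0 still runs after every pre filter. The record F, the "send" key and the "route" stand-in are assumptions made for the illustration.

```java
import java.util.*;
import java.util.function.*;

public class FilterLifecycleDemo {
    // Hypothetical stand-in for a ZuulFilter: name, type, order, shouldFilter, run.
    record F(String name, String type, int order,
             Predicate<Map<String, Object>> should,
             Consumer<Map<String, Object>> run) {}

    static final List<String> STAGES = List.of("pre", "route", "post");

    // Runs the stages in lifecycle order; inside a stage, lower order goes first.
    // Returns the names of the filters that actually executed.
    static List<String> dispatch(List<F> filters, Map<String, Object> ctx) {
        List<String> trace = new ArrayList<>();
        for (String stage : STAGES) {
            filters.stream()
                   .filter(f -> f.type().equals(stage))
                   .sorted(Comparator.comparingInt(F::order))
                   .forEach(f -> {
                       if (f.should().test(ctx)) { f.run().accept(ctx); trace.add(f.name()); }
                   });
        }
        return trace;
    }

    // A pre filter that denies routing when a request parameter does not match.
    static F check(String name, int order, String param, String expected) {
        return new F(name, "pre", order,
            ctx -> (boolean) ctx.getOrDefault("send", true), // skip after a denial
            ctx -> { if (!expected.equals(ctx.get(param))) ctx.put("send", false); });
    }

    public static void main(String[] args) {
        // Registered deliberately out of order; dispatch() sorts them.
        List<F> filters = List.of(
            new F("AccessTokenFilter", "post", 0, ctx -> true, ctx -> {}),
            check("AccessPasswordFilter", 1, "password", "123456"),
            new F("route", "route", 0,
                  ctx -> (boolean) ctx.getOrDefault("send", true), ctx -> {}),
            check("AccessUserNameFilter", 0, "username", "chhliu"));
        // Constructed requests mirroring test cases (3) and (2) above.
        Map<String, Object> both = new HashMap<>(Map.of("username", "chhliu", "password", "123456"));
        Map<String, Object> noUser = new HashMap<>(Map.of("password", "123456"));
        System.out.println(dispatch(filters, both));
        System.out.println(dispatch(filters, noUser));
    }
}
```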
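5. Further notes
Zuul also provides a special class of filters: StaticResponseFilter and SurgicalDebugFilter.
StaticResponseFilter: StaticResponseFilter allows a response to be generated by Zuul itself instead of forwarding the request to an origin.
SurgicalDebugFilter: SurgicalDebugFilter allows specific requests to be routed to an isolated debug cluster or host.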