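The basics of Hessian were covered in the previous section, which also explained that Hessian serializes objects into a binary stream and transmits them over HTTP. Applications with high security requirements (online payment, for example) should therefore not use Hessian. Some authorization checks can be added, such as a username and password verified on the server and supplied by the client, but then the username and password can be captured as well, since both travel in the HTTP request. Where the security level is especially high, a token can be added, that is, an extra preparatory step before the request is sent, as shown in the figure below:
This way, even if a request is intercepted, all the interceptor obtains is an expired token, which cannot be sent to the server a second time. Of course, this holds for any program: the higher the security level, the more operations get added, just as running a firewall affects network speed to some degree. Below I introduce simple authorization; later it will be refined in combination with practice.
Modify the server-side program as follows: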
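    package org.springframework.remoting.caucho; // matches the class attribute in the server configuration

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Exporter that checks the "auth" request header before dispatching to the Hessian service
    public class YclHessianServiceExporter extends HessianServiceExporter {
        public static final String AUTH = "ycl";

        @Override
        public void handleRequest(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            String auth = request.getHeader("auth");
            if (auth == null || !auth.equalsIgnoreCase(AUTH)) {
                // Log the rejected request, then answer 403 instead of an empty 200 response
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            super.handleRequest(request, response);
        }
    }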
Modify the server configuration as follows:
    <bean name="/PersonManager"
          class="org.springframework.remoting.caucho.YclHessianServiceExporter">
        <!-- The target bean to export -->
        <property name="service">
            <ref bean="personManager" />
        </property>
        <!-- The interface of the Hessian service -->
        <property name="serviceInterface" value="com.module.PersonManager"/>
    </bean>
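Modify the client program as follows (this is a proxy factory; every time client code connects to the server, it first obtains the connection to the server through the URL):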
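    package com.caucho.hessian.client; // matches the class name used in the client configuration

    import java.io.IOException;
    import java.net.URL;
    import java.net.URLConnection;

    // Proxy factory that adds the auth header to every connection it opens
    public class YclHessianProxyFactory extends HessianProxyFactory {
        @Override
        protected URLConnection openConnection(URL url) throws IOException {
            URLConnection conn = super.openConnection(url);
            conn.setRequestProperty("AUTH", "ycl");
            return conn;
        }
    }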
The client configuration is as follows:
    <!-- PersonManager service -->
    <bean id="personManagerClient"
          class="org.springframework.remoting.caucho.HessianProxyFactoryBean">
        <property name="serviceUrl">
            <value>http://localhost/Hessian/remoting/PersonManager</value>
        </property>
        <property name="serviceInterface">
            <value>com.module.PersonManager</value>
        </property>
        <property name="proxyFactory">
            <bean class="com.caucho.hessian.client.YclHessianProxyFactory"/>
        </property>
    </bean>
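With this in place, once the server is running it applies the check to every request it receives; if the auth check fails, the rest of the handler does not run.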
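
The expiring-token idea described at the start of this post, sketched as an added example (not the author's code): the server issues a signed, short-lived, single-use token in a preparatory step, and the exporter would call verify() on the "auth" header before super.handleRequest(). The class name OneTimeToken, the 30-second lifetime, the HMAC-SHA256 signature and the "expiry.nonce.mac" layout are all assumptions; the post does not say how the token is built.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper (not from the post): short-lived, single-use tokens for the "auth" header. */
public class OneTimeToken {
    private static final long TTL_MS = 30_000;  // assumed token lifetime
    private final SecureRandom rng = new SecureRandom();
    private final byte[] key = new byte[32];    // server-side secret, never sent to clients
    private final Map<String, Long> used = new ConcurrentHashMap<>(); // token body -> expiry
    public OneTimeToken() { rng.nextBytes(key); }
    /** Preparatory step: the server issues "expiry.nonce.mac" to a client it has authenticated. */
    public String issue(long nowMs) throws Exception {
        byte[] nonce = new byte[16];
        rng.nextBytes(nonce);
        String body = (nowMs + TTL_MS) + "." + b64(nonce);
        return body + "." + mac(body);
    }
    /** Check to run before super.handleRequest(): fresh, untampered and not yet used. */
    public boolean verify(String token, long nowMs) throws Exception {
        int cut = token == null ? -1 : token.lastIndexOf('.');
        if (cut < 0) return false;
        String body = token.substring(0, cut);
        byte[] given = token.substring(cut + 1).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = mac(body).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, given)) return false; // constant-time compare
        // The MAC matched, so body is our own "expiry.nonce" and is safe to parse
        long expiry = Long.parseLong(body.substring(0, body.indexOf('.')));
        if (nowMs > expiry) return false;                 // expired token
        used.values().removeIf(e -> e < nowMs);           // forget entries past their expiry
        return used.putIfAbsent(body, expiry) == null;    // a second use is a replay
    }
    private String mac(String body) throws Exception {
        Mac h = Mac.getInstance("HmacSHA256");
        h.init(new SecretKeySpec(key, "HmacSHA256"));
        return b64(h.doFinal(body.getBytes(StandardCharsets.US_ASCII)));
    }
    private static String b64(byte[] raw) { return Base64.getUrlEncoder().withoutPadding().encodeToString(raw); }
    public static void main(String[] args) throws Exception {
        OneTimeToken guard = new OneTimeToken();
        String t = guard.issue(0);                                // constructed clock, in ms
        System.out.println(guard.verify(t, 1_000));               // first use
        System.out.println(guard.verify(t, 2_000));               // same token replayed
        System.out.println(guard.verify(guard.issue(0), 60_000)); // used after expiry
    }
}
```

Unlike the fixed "ycl" header value, a captured token is rejected on its second use and after its lifetime has passed.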