Spring Boot 在request裏解密返回參數到控制器
前言
有個業務需求,一個請求來源web,一個請求來源APP,web需求驗證簽名,APP的參數是經過加密,所以出現了兩個Controller,除了解密獲取參數方式不一樣,其他內容一模一樣,這樣不太合理,所以我決定重構。
思路:既然只是解密不一樣,獲取到的參數是一樣的,那可以寫一個過濾器,在裏面就把參數解密好,然後返回
Spring Boot在請求的時候是不允許直接修改HttpServletRequest裏的paramsMap參數的,但是提供了一個HttpServletRequestWrapper類,繼承這個類重寫兩個方法就可以了。
代碼塊
重寫HttpServletRequestWrapper
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.Charset;
import java.util.HashMap;
import java.util.Map;
public class ParameterRequest extends HttpServletRequestWrapper {
private Map<String, String[]> params = new HashMap<>(16);
public ParameterRequest(HttpServletRequest request) throws IOException {
super(request);
this.params.putAll(request.getParameterMap());
}
/**
* 重載一個構造方法
*
* @param request
* @param extendParams
*/
public ParameterRequest(HttpServletRequest request, Map<String, String[]> extendParams) throws IOException {
this(request);
addAllParameters(extendParams);
}
@Override
public String getParameter(String name) {
String[] values = params.get(name);
if (values == null || values.length == 0) {
return null;
}
return values[0];
}
@Override
public String[] getParameterValues(String name) {
return params.get(name);
}
public void addAllParameters(Map<String, String[]> otherParams) {
for (Map.Entry<String, String[]> entry : otherParams.entrySet()) {
addParameter(entry.getKey(), entry.getValue());
}
}
public void addParameter(String name, Object value) {
if (value != null) {
if (value instanceof String[]) {
params.put(name, (String[]) value);
} else if (value instanceof String) {
params.put(name, new String[]{(String) value});
} else {
params.put(name, new String[]{String.valueOf(value)});
}
}
}
}
思路是重寫自定義一個Map存入參數,將解密後需要的參數放入,然後在過濾器中執行這個新的request
過濾器
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.web.context.support.SpringBeanAutowiringSupport;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@Slf4j
public class WebParamFilter implements Filter {
private static final String OPTIONS = "OPTIONS";
@Value("${jwt.info.urlPatterns}")
private List<String> urlPatterns;
@Override
public void init(FilterConfig filterConfig) throws ServletException {
SpringBeanAutowiringSupport.processInjectionBasedOnServletContext(this, filterConfig.getServletContext());
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
log.info("開始過濾器===============");
if (!isFilter(request)) {
writerError(response, RetEnum.RET_TOKEN_ERROR);
return;
}
// 從請求頭從獲取請求類型,1是WEB,2是APP
String requestType = request.getHeader("requestType");
if (StringUtils.isEmpty(requestType)) {
writerError(response, RetEnum.RET_NOT_HEADER_ERROR);
return;
}
Map<String, String[]> paramsMap = new HashMap<>();
if ("1".equals(requestType)) {
// 驗證簽名,簽名錯誤直接返回
if (!compareSign(request)) {
writerError(response, "簽名錯誤", 500);
return;
}
// 將請求的參數從request中取出,轉換成JSON,放入自定義的Map中帶給控制器
paramsMap.put("params", new String[]{JSONUtil.getJSONParam(request).toJSONString()});
ParameterRequest req = new ParameterRequest(request, paramsMap);
filterChain.doFilter(req, response);
} else if ("2".equals(requestType)) {
// APP請求方式比較特殊,所以要從requestBody裏讀出JSON加密數據
String bodyStr = RequestBodyUtil.read(request.getReader());
// 然後再解密,拿到真正的參數轉換成JSON,放入自定義的Map中帶給控制器
JSONObject jsonParam = getJsonParam(bodyStr);
paramsMap.put("params", new String[]{jsonParam.toJSONString()});
ParameterRequest req = new ParameterRequest(request, paramsMap);
filterChain.doFilter(req, response);
} else {
writerError(response, "無效的請求來源", 500);
}
}
@Override
public void destroy() {
}
/**
* 篩選
*
* @param request
* @return
*/
private boolean isFilter(HttpServletRequest request) {
if (OPTIONS.equals(request.getMethod())) {
return true;
}
if (isInclude(request)) {
//如果是屬於排除的URL,比如登錄,註冊,驗證碼等URL,則直接通行
log.info("直接通過");
return true;
}
return tokenCheck(request);
}
/**
* 排除不需要過濾的URL
*
* @param request
* @return
*/
private boolean isInclude(HttpServletRequest request) {
String url = request.getRequestURI().substring(request.getContextPath().length());
log.info("請求url:{}", url);
for (String patternUrl : urlPatterns) {
Pattern p = Pattern.compile(patternUrl);
Matcher m = p.matcher(url);
if (m.find()) {
return true;
}
}
return false;
}
/**
* 效驗token是否有效
*
* @param request
* @return
*/
private boolean tokenCheck(HttpServletRequest request) {
String authToken = request.getHeader("accessToken");
log.info("請求頭中令牌token:{}", authToken);
// ...業務代碼
return false;
}
/**
* 錯誤寫出
*
* @param response
* @param retEnum
* @throws IOException
*/
private void writerError(HttpServletResponse response, String msg, int code) throws IOException {
//驗證不通過
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
response.setStatus(HttpServletResponse.SC_OK);
//將驗證不通過的錯誤返回
ObjectMapper mapper = new ObjectMapper();
Map<String, Object> resultMap = new HashMap<>(3);
resultMap.put("code", code);
resultMap.put("msg", msg);
resultMap.put("data", null);
response.getWriter().write(mapper.writeValueAsString(resultMap));
}
/**
* web效驗簽名
*
* @param request
* @return
*/
public boolean compareSign(HttpServletRequest request) {
JSONObject param = JSONUtil.getJSONParam(request);
String sign = JSONUtil.getParamRequired(param, String.class, "sign");
// ...業務代碼
return s.equals(sign);
}
/**
* APP解密參數
*
* @param json
* @return
*/
public JSONObject getJsonParam(String json) {
JSONObject jsonParam = JSON.parseObject(json);
String aos = jsonParam.getString("aos");
String params = jsonParam.getString("params");
String param = null;
if (jsonParam != null && !StringUtils.isEmpty(aos) && !StringUtils.isEmpty(params)) {
String key = RSA.rsaDecrypt(aos, "自定義的私鑰");
if (StringUtils.isBlank(key)) {
return null;
}
try {
param = AES256.decrypt(params, key);
} catch (Exception e) {
e.printStackTrace();
}
if (StringUtils.isBlank(param)) {
return null;
}
}
if (StringUtils.isBlank(param)) {
return null;
}
return JSONObject.parseObject(param);
}
}
思路都在代碼中備註了,就是在過濾器中,一層層解析,比如token等,然後再分別解析兩種請求的參數,放入params裏,其中用到的兩個工具類如下
JSONUtil
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.springframework.web.bind.MissingServletRequestParameterException;
import javax.servlet.http.HttpServletRequest;
import java.util.Map;
public class JSONUtil {
public static JSONObject getJSONParam(HttpServletRequest request){
Map<String, String[]> parameterMap = request.getParameterMap();
JSONObject returnObject = new JSONObject();
for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
String value = "";
String[] values = entry.getValue();
if (values != null){
for (String s : values) {
value = s + ",";
}
value = value.substring(0, value.length() - 1);
}
returnObject.put(entry.getKey(), value);
}
return returnObject;
}
public static<T> T getParam(JSONObject param, Class<T> tClass, String key){
if (param == null) {
return null;
}
return param.getObject(key, tClass);
}
public static<T> T getParamRequired(JSONObject param, Class<T> tClass, String key){
if (param == null) {
throw new RuntimeException(getErrMsg(key));
}
T object = param.getObject(key, tClass);
if (object == null){
throw new RuntimeException(getErrMsg(key));
}
return object;
}
private static String getErrMsg(String key) {
return "參數" + key + "必填";
}
}
RequestBodyUtil
import java.io.IOException;
import java.io.Reader;
import java.io.StringWriter;
import java.io.Writer;
/**
* 解析Body數據
*/
public class RequestBodyUtil {
private static final int BUFFER_SIZE = 1024 * 8;
private RequestBodyUtil(){}
public static String read(Reader reader) throws IOException {
StringWriter writer = new StringWriter();
try {
write(reader, writer);
return writer.getBuffer().toString();
} finally {
writer.close();
}
}
public static long write(Reader reader, Writer writer) throws IOException {
return write(reader, writer, BUFFER_SIZE);
}
public static long write(Reader reader, Writer writer, int bufferSize) throws IOException {
int read;
long total = 0;
char[] buf = new char[BUFFER_SIZE];
while ((read = reader.read(buf)) != -1) {
writer.write(buf, 0, read);
total += read;
}
return total;
}
}
最後
註冊過濾器我就不說了,SpringBoot註冊過濾器方式很多,看如何在控制器中接收參數
@PostMapping("/test")
public Result test(@RequestParam String params){
System.out.println("解密後的參數:" + params);
return ResponseMsgUtil.success(params);
}
名字只要和過濾器中自定義的Map裏的Key對應,就會被拿到參數