需求背景:与客户端通信内容需要加密。客户端将请求参数进行加密,服务端对响应结果进行加密。
那么对于后端而言,最方便的就是在过滤器里面对请求、响应进行统一处理了。这里需要涉及到HttpServletRequestWrapper与HttpServletResponseWrapper。
【1】非json请求处理
如下所示ParameterRequestWrapper 继承自HttpServletRequestWrapper ,重写获取参数的方法。
/**
* Created by jianggc at 2022/4/5.
*/
public class ParameterRequestWrapper extends HttpServletRequestWrapper {
private Map<String , String[]> params = new HashMap<String, String[]>();
@SuppressWarnings("unchecked")
public ParameterRequestWrapper(HttpServletRequest request) {
// 将request交给父类,以便于调用对应方法的时候,将其输出
super(request);
//将参数表,赋予给当前的Map以便于持有request中的参数
this.params.putAll(request.getParameterMap());
}
//重载一个构造方法
public ParameterRequestWrapper(HttpServletRequest request , Map<String , Object> extendParams) {
this(request);
addAllParameters(extendParams);//这里将扩展参数写入参数表
}
@Override
public String getParameter(String name) {//重写getParameter,代表参数从当前类中的map获取
String[]values = params.get(name);
if(values == null || values.length == 0) {
return null;
}
return values[0];
}
@Override
public Enumeration<String> getParameterNames() {
return new Vector(params.keySet()).elements();
}
@Override
public String[] getParameterValues(String name) {
String[] values = params.get(name);
if (values == null || values.length == 0) {
return null;
}
return values;
}
public void addAllParameters(Map<String , Object>otherParams) {//增加多个参数
for(Map.Entry<String , Object>entry : otherParams.entrySet()) {
addParameter(entry.getKey() , entry.getValue());
}
}
public void addParameter(String name , Object value) {//增加参数
if(value != null) {
if(value instanceof String[]) {
params.put(name , (String[])value);
}else if(value instanceof String) {
params.put(name , new String[] {(String)value});
}else {
params.put(name , new String[] {String.valueOf(value)});
}
}
}
}
上面给了入口方法addAllParameters让你可以放入需要的数据。这个操作是在过滤器里面处理的。
由于与客户端协商了参数传递方式为params=encrypt(userName=jane&mobile=13813813800)
,所以这里我们对params进行处理,回复为springboot喜欢的格式。
/**
* Created by jianggc at 2022/4/5.
*/
@WebFilter(urlPatterns={"/*"})
public class RequestAesFilter implements Filter {
private static final Logger logger= LoggerFactory.getLogger(RequestAesFilter.class);
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse response, FilterChain chain) throws IOException, ServletException {
// 获取request
HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
String params = httpServletRequest.getParameter("params");
Map<String,Object> parmMap= new HashMap<>();
if(!StringUtils.isEmpty(params)){
try {
String decryptBase64 = AesUtils.decryptBase64(params, AesUtils.aesKey);
String[] split = decryptBase64.split("&");
for(String entry:split){
String[] strings = entry.split("=");
parmMap.put(strings[0],strings[1]);
}
} catch (Exception e) {
logger.error(e.getMessage(),e);
}
}
logger.debug("解密后的parmMap:{}",parmMap);
ParameterRequestWrapper pr = new ParameterRequestWrapper(httpServletRequest, parmMap);
chain.doFilter(pr, response);
}
}
【2】响应处理
这里ResponseWrapper继承自HttpServletResponseWrapper提供了写入和读取的方法。
public class ResponseWrapper extends HttpServletResponseWrapper {
// 真正缓存数据的流
private ByteArrayOutputStream byteArrayOutputStream = null;
private ServletOutputStream servletOutputStream = null;
private PrintWriter writer = null;
public ResponseWrapper(HttpServletResponse response) {
super(response);
// TODO Auto-generated constructor stub
byteArrayOutputStream = new ByteArrayOutputStream();
servletOutputStream = new WrapperOutputStream(byteArrayOutputStream);
writer = new PrintWriter(byteArrayOutputStream);
}
/**
* 当获取字节输出流时,实际获取的是我们自己包装的字节输出流
*/
public ServletOutputStream getOutputStream() {
return servletOutputStream;
}
/**
* 当获取字符输出流时,实际获取的是我们自己包装的字符输出流
*/
public PrintWriter getWriter() {
return writer;
}
public void flushBuffer() throws IOException {
if (servletOutputStream != null) {
servletOutputStream.flush();
}
if (writer != null) {
writer.flush();
}
}
public Map<String, String> getHeaders() {
Map<String, String> headers = new HashMap(0);
Iterator var3 = this.getHeaderNames().iterator();
while(var3.hasNext()) {
String headerName = (String)var3.next();
headers.put(headerName, this.getHeader(headerName));
}
return headers;
}
public byte[] getResponseData() throws IOException {
flushBuffer();
return byteArrayOutputStream.toByteArray();
}
public String getContent() throws IOException {
flushBuffer();
return byteArrayOutputStream.toString();
}
}
class WrapperOutputStream extends ServletOutputStream {
private ByteArrayOutputStream baos;
public WrapperOutputStream(ByteArrayOutputStream out) {
super();
this.baos = out;
}
public boolean isReady() {
return true;
}
public void write(int b) throws IOException {
this.baos.write(b);
}
public void write(byte[] b) throws IOException {
this.baos.write(b);
}
public void write(byte[] b, int off, int len) throws IOException {
this.baos.write(b, off, len);
}
public String getContent() {
return this.baos.toString();
}
public byte[] toByteArray() {
return this.baos.toByteArray();
}
@Override
public void setWriteListener(WriteListener listener) {
}
}
同样的思路,我们在过滤器里面对响应结果进行加密。
/**
* Created by jianggc at 2022/4/5.
*/
@WebFilter(urlPatterns={"/*"})
public class ResponseAesFilter implements Filter {
private static final Logger logger= LoggerFactory.getLogger(ResponseAesFilter.class);
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse response, FilterChain chain) throws IOException, ServletException {
ResponseWrapper responseWrapper = new ResponseWrapper((HttpServletResponse) response);
HttpServletRequest httpServletRequest= (HttpServletRequest) servletRequest;
String requestURI = httpServletRequest.getRequestURI();
chain.doFilter(servletRequest, responseWrapper);
String wrapperContent = responseWrapper.getContent();
logger.debug("当前请求requestURI:{}",requestURI);
logger.debug("当前请求获取的响应数据:{}",wrapperContent);
if(requestURI.startsWith("/app")){// 只对安卓端进行处理
try{
JSONObject parseObject = JSONObject.parseObject(wrapperContent);
JSONObject dataObj = parseObject.getJSONObject("data");
if(dataObj!=null&&!dataObj.isEmpty()){
String dataObjStr=JsonUtil.replaceAllBlank(dataObj.toJSONString());
String encryptBase64 = AesUtils.encryptBase64(dataObjStr, AesUtils.aesKey);
logger.debug("加密后的响应data:{}",encryptBase64);
parseObject.put("data",JsonUtil.replaceAllBlank(encryptBase64));
String decryptBase64 = AesUtils.decryptBase64(encryptBase64, AesUtils.aesKey);
logger.debug("解密后的响应data:{}",decryptBase64);
}
wrapperContent=parseObject.toJSONString();
logger.debug("当前安卓请求加密的响应数据:{}",wrapperContent);
}catch (Exception e){
logger.error(e.getMessage(),e);
}
}
ServletOutputStream out = response.getOutputStream();
out.write(wrapperContent.getBytes(Charset.forName("UTF-8")));
out.flush();
}
}
【3】JSON流替换request
【1】中有一个弊端就是不能处理json,request.getParameterMap()只能处理form-data(queryString)数据,没有办法处理application/json的数据。所以我们采用如下格式来兼容:
public class BodyReaderHttpServletRequestWrapper extends HttpServletRequestWrapper{
private static final Logger logger= LoggerFactory.getLogger(BodyReaderHttpServletRequestWrapper.class);
private final byte[] body;
public BodyReaderHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
super(request);
body = getBodyString(request).getBytes(Charset.forName("UTF-8"));
}
private static String getBodyString(ServletRequest request) {
StringBuilder sb = new StringBuilder();
InputStream inputStream = null;
BufferedReader reader = null;
try {
inputStream = request.getInputStream();
reader = new BufferedReader(new InputStreamReader(inputStream, Charset.forName("UTF-8")));
String line = "";
while ((line = reader.readLine()) != null) {
sb.append(line);
}
} catch (IOException e) {
logger.error(e.getMessage(),e);
} finally {
if (inputStream != null) {
try {
inputStream.close();
} catch (IOException e) {
logger.error(e.getMessage(),e);
}
}
if (reader != null) {
try {
reader.close();
} catch (IOException e) {
logger.error(e.getMessage(),e);
}
}
}
return sb.toString();
}
@Override
public BufferedReader getReader() throws IOException {
return new BufferedReader(new InputStreamReader(getInputStream()));
}
@Override
public ServletInputStream getInputStream() throws IOException {
final ByteArrayInputStream bais = new ByteArrayInputStream(body);
return new ServletInputStream() {
@Override
public int read() throws IOException {
return bais.read();
}
public boolean isFinished() {
return false;
}
public boolean isReady() {
return false;
}
public void setReadListener(ReadListener arg0) {
// TODO Auto-generated method stub
}
};
}
}
可以看到这里我们缓存body字节流来实现request重复读取流。需要特别注意的是,当你替换request的时候,不要对上传文件请求进行处理否则就会抛出类似下面异常。
Caused by: org.springframework.web.multipart.MultipartException: Failed to parse multipart servlet request; nested exception is java.io.IOException: org.apache.tomcat.util.http.fileupload.FileUploadException: Stream closed
at org.springframework.web.multipart.support.StandardMultipartHttpServletRequest.handleParseFailure(StandardMultipartHttpServletRequest.java:124)
at org.springframework.web.multipart.support.StandardMultipartHttpServletRequest.parseRequest(StandardMultipartHttpServletRequest.java:115)
at org.springframework.web.multipart.support.StandardMultipartHttpServletRequest.<init>(StandardMultipartHttpServletRequest.java:88)
at org.springframework.web.multipart.support.StandardServletMultipartResolver.resolveMultipart(StandardServletMultipartResolver.java:87)
at org.springframework.web.servlet.DispatcherServlet.checkMultipart(DispatcherServlet.java:1178)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1012)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
... 48 common frames omitted
Caused by: java.io.IOException: org.apache.tomcat.util.http.fileupload.FileUploadException: Stream closed
at org.apache.catalina.connector.Request.parseParts(Request.java:2916)
at org.apache.catalina.connector.Request.getParts(Request.java:2771)
at org.apache.catalina.connector.RequestFacade.getParts(RequestFacade.java:1098)
at javax.servlet.http.HttpServletRequestWrapper.getParts(HttpServletRequestWrapper.java:359)
at javax.servlet.http.HttpServletRequestWrapper.getParts(HttpServletRequestWrapper.java:359)
at org.springframework.web.multipart.support.StandardMultipartHttpServletRequest.parseRequest(StandardMultipartHttpServletRequest.java:95)
... 54 common frames omitted
Caused by: org.apache.tomcat.util.http.fileupload.FileUploadException: Stream closed
at org.apache.tomcat.util.http.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:306)
at org.apache.catalina.connector.Request.parseParts(Request.java:2869)
... 59 common frames omitted
Caused by: java.io.IOException: Stream closed
at org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:359)
at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:132)
at java.io.FilterInputStream.read(FilterInputStream.java:133)
at org.apache.tomcat.util.http.fileupload.util.LimitedInputStream.read(LimitedInputStream.java:132)
at org.apache.tomcat.util.http.fileupload.MultipartStream$ItemInputStream.makeAvailable(MultipartStream.java:977)
at org.apache.tomcat.util.http.fileupload.MultipartStream$ItemInputStream.read(MultipartStream.java:881)
at java.io.InputStream.read(InputStream.java:101)
at org.apache.tomcat.util.http.fileupload.util.Streams.copy(Streams.java:98)
at org.apache.tomcat.util.http.fileupload.util.Streams.copy(Streams.java:68)
at org.apache.tomcat.util.http.fileupload.MultipartStream.readBodyData(MultipartStream.java:572)
at org.apache.tomcat.util.http.fileupload.MultipartStream.discardBodyData(MultipartStream.java:596)
at org.apache.tomcat.util.http.fileupload.MultipartStream.skipPreamble(MultipartStream.java:614)
at org.apache.tomcat.util.http.fileupload.impl.FileItemIteratorImpl.findNextItem(FileItemIteratorImpl.java:213)
at org.apache.tomcat.util.http.fileupload.impl.FileItemIteratorImpl.<init>(FileItemIteratorImpl.java:127)
at org.apache.tomcat.util.http.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:256)
at org.apache.tomcat.util.http.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:280)
... 60 common frames omitted