package com.***.app.config.filter;
import com.****.app.config.SignHttpServletRequestWrapper;
import org.apache.commons.lang3.StringUtils;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
@Component
public class SignFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest srequest = (HttpServletRequest) request;
String header = srequest.getHeader(HttpHeaders.CONTENT_TYPE);
//使用wrapper解决json请求参数只能取一次的问题
if (StringUtils.isNotBlank(header) && (MediaType.APPLICATION_JSON_UTF8_VALUE.equalsIgnoreCase(header.replaceAll(" ", "")) || MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(header.replaceAll(" ", "")))) {
SignHttpServletRequestWrapper signHttpServletRequestWrapper = new SignHttpServletRequestWrapper(srequest);
chain.doFilter(signHttpServletRequestWrapper, response);
} else {
chain.doFilter(request, response);
}
}
@Override
public void destroy() {
}
}
首先要了解到,HttpServletRequest 接收参数的两种方式,(跟请求方式 get、post、put没有关系)
当参数形式为 application/json;charset=UTF-8 或者 application/json JSON形式进行参数入参时,需要注意到该参数只有一次生效机会,当我们将参数 从body中取出时,那么在接口层就会接收不打参数,所以需要将参数保存起来,以便多次使用。
代码如下:
package com.****.app.config;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.Charset;
/**
* @author
* @date 2018-11-15 17:35
*/
public class SignHttpServletRequestWrapper extends HttpServletRequestWrapper {
private static Logger logger = LoggerFactory.getLogger(SignHttpServletRequestWrapper.class);
private final byte[] body;
public SignHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
String sessionStream = getBodyString(request);
body = sessionStream.getBytes(Charset.forName("UTF-8"));
}
/**
* 获取请求Body
*
* @param request
* @return
*/
public String getBodyString(final ServletRequest request) {
StringBuilder sb = new StringBuilder();
InputStream inputStream = null;
BufferedReader reader = null;
try {
inputStream = cloneInputStream(request.getInputStream());
reader = new BufferedReader(new InputStreamReader(inputStream, Charset.forName("UTF-8")));
String line = "";
while ((line = reader.readLine()) != null) {
sb.append(line);
}
} catch (IOException e) {
e.printStackTrace();
} finally {
if (inputStream != null) {
try {
inputStream.close();
} catch (IOException e) {
e.printStackTrace();
}
}
if (reader != null) {
try {
reader.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
return sb.toString();
}
/**
* Description: 复制输入流</br>
*
* @param inputStream
* @return</br>
*/
public InputStream cloneInputStream(ServletInputStream inputStream) {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
byte[] buffer = new byte[1024];
int len;
try {
while ((len = inputStream.read(buffer)) > -1) {
byteArrayOutputStream.write(buffer, 0, len);
}
byteArrayOutputStream.flush();
} catch (IOException e) {
e.printStackTrace();
}
InputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
return byteArrayInputStream;
}
@Override
public BufferedReader getReader() throws IOException {
return new BufferedReader(new InputStreamReader(getInputStream()));
}
@Override
public ServletInputStream getInputStream() throws IOException {
final ByteArrayInputStream bais = new ByteArrayInputStream(body);
return new ServletInputStream() {
@Override
public int read() throws IOException {
return bais.read();
}
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
};
}
}
2、使用拦截器的形式获取传值的参数,并且将参数按照指定规则排序(只是简单地按key排序),使用算法加密后转大写
最后前端也使用相同规则排序将加密后的参数传入后台,后台用加密后的字符串与前端传递过来的作比较。看是否中途参数是否被修改。不一致则不合法。
private static SortedMap<String, String> getPostJson(SignHttpServletRequestWrapper request) {
String bodyString = request.getBodyString(request);
JSONObject jsonObject = JSONObject.parseObject(bodyString);
SortedMap<String, String> result = new TreeMap<>();
jsonObject.forEach((s, o) -> result.put(s, (String) o));
return result;
}
/**
* 功能描述:
* 其他类型
*
* @param request
* @return: java.util.SortedMap<java.lang.String , java.lang.String>
* @date: 2019/9/27 11:20
*/
public static SortedMap<String, String> getCheckSign(HttpServletRequest request) {
Map<String, String[]> parameterMap = request.getParameterMap();
if (CollectionUtils.isEmpty(parameterMap)) {
return null;
}
SortedMap<String, String> map = new TreeMap<>();
parameterMap.forEach((s, o) -> map.put(s, o[0]));
return map;
}
URL加密参数传递的时候,+号会被转义为空格,需要注意。不然一直都比对不成功,有以下两种解决方案
1、可以后台将接收到的加密字符串replaceAll所有空格替换为+
2、前端传递时将加号处理一下。