最近看项目代码,发现里面用到了过滤器,拦截器等来对请求参数和返回参数做校验,加密,解密,种类太多,容易混淆,这里做一下记录.
1.Filter过滤器
- Filter是Servlet规范中规定的,只能用于WEB中, 在Servlet前后起作用
- 它可以对几乎所有请求进行过滤,但是缺点是一个过滤器实例只能在容器初始化时调用一次
- 使用场景: 修改字符编码; 对入参进行校验, 校验不通过返回错误信息.
- 原理: 基于函数回调
- 使用方式:
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
@WebFilter(urlPatterns = "/home/*")
public class Filter1 implements Filter {
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest)servletRequest;
//GetHttpServletRequestWrapper 是自定义的,可以不用管,继承自类 HttpServletRequestWrapper, 重写了 public Map<String, String[]> getParameterMap() 方法
//request = new GetHttpServletRequestWrapper(request);
if (request.getParameterMap().size() == 0) {
servletResponse.setContentType("text/json");
servletResponse.setCharacterEncoding("UTF-8");
ServletOutputStream servletOutputStream = null;
servletOutputStream = servletResponse.getOutputStream();
servletOutputStream.write("没有入参".getBytes("UTF-8"));
servletOutputStream.flush();
servletOutputStream.close();
return;
}
//继续执行后面的过滤器,如果没有这一行,那么这个请求就被拦截了
filterChain.doFilter(servletRequest, servletResponse);
}
}
另外需要在启动类上添加 @ServletComponentScan 注解(会自动注册@WebServlet、@WebFilter、@WebListener)
2.Interceptor拦截器
- 拦截器是Spring容器内的,是Spring框架支持的,可以使用Spring内的任何资源、对象
- 可以深入到方法的调用前后、异常抛出前后等深层次的程度做处理
- 缺点是只能对 Controller 请求进行拦截,对其他的一些比如直接访问静态资源的请求则没办法进行拦截处理
- 原理: 基于Java的反射机制,属于面向切面编程(AOP)的一种运用
- 使用场景: 对入参进行校验
- 使用方式:
@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {
@Override
public void addInterceptors(InterceptorRegistry registry) {
// 注册拦截器
registry.addInterceptor(new MyInterceptor()).addPathPatterns("/**");
}
}
public class MyInterceptor extends HandlerInterceptorAdapter {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
String childCode = request.getParameter("child_code");
if(StringUtils.isBlank(username)) {
// 拦截请求
return false;
}
return true;
}
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, @Nullable ModelAndView modelAndView) {
}
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, @Nullable Exception ex) {
}
}
3.RequestBodyAdvice
- 配合 @ControllerAdvice 和 @RequestBody 注解使用, 可以拦截所有的请求. 如果不使用 @RequestBody 修饰入参对象, 不会拦截
- 原理: AOP
- 使用场景: 参数的过滤,字符的编码,第三方的解密
- 使用方式:
@ControllerAdvice(basePackages = "com.example.controller")
public class DecodeRequestBodyAdvice implements RequestBodyAdvice {
@Override
public boolean supports(MethodParameter methodParameter, Type type, Class<? extends HttpMessageConverter<?>> aClass) {
// 返回false会拦截
return true;
}
@Override
public HttpInputMessage beforeBodyRead(HttpInputMessage inputMessage, MethodParameter methodParameter, Type type, Class<? extends HttpMessageConverter<?>> aClass) throws IOException {
try {
return new MyHttpInputMessage(inputMessage);
} catch (Exception e) {
e.printStackTrace
}
}
@Override
public Object afterBodyRead(Object o, HttpInputMessage httpInputMessage, MethodParameter methodParameter, Type type, Class<? extends HttpMessageConverter<?>> aClass) {
return o;
}
@Override
public Object handleEmptyBody(Object o, HttpInputMessage httpInputMessage, MethodParameter methodParameter, Type type, Class<? extends HttpMessageConverter<?>> aClass) {
return o;
}
class MyHttpInputMessage implements HttpInputMessage {
private HttpHeaders headers;
private InputStream body;
public MyHttpInputMessage(HttpInputMessage inputMessage) throws Exception {
this.headers = inputMessage.getHeaders();
try {
String bodyStr = StringUtils.defaultString(IOUtils.toString(inputMessage.getBody(), Util.CHARSET_UTF8));
String bodyStrDe = AesUtil.decrypt(bodyStr);
this.body = IOUtils.toInputStream(bodyStrDe, Util.CHARSET_UTF8);
} catch (Exception e) {
e.printStackTrace;
}
}
@Override
public InputStream getBody() throws IOException {
return body;
}
@Override
public HttpHeaders getHeaders() {
return headers;
}
}
}
4.ResponseBodyAdvice
- 拦截Controller方法默认返回参数,统一处理返回值/响应体
- 使用场景: 对控制层的返回结果进行加密
- 原理: AOP
- 使用方式:
@ControllerAdvice(basePackages = "com.example.controller")
public class EncodeResponseBodyAdvice implements ResponseBodyAdvice {
@Override
public boolean supports(MethodParameter methodParameter, Class aClass) {
return true;
}
@Override
public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {
try {
String result = JSON.toJSONString(o, SerializerFeature.DisableCircularReferenceDetect);
Map<String, String> map = new HashMap<>();
map.put("result", AesUtil.encrypt(result));
// 这边不直接返回加密字符串,是因为控制层使用了@ResponseBody注解,直接返回字符串会在前后各多出一个双引号
return map;
} catch (Exception e) {
e.printStackTrace;
}
return o;
}
}
5.AOP使用
- 面向切面编程,在程序开发中主要用来解决一些系统层面上的问题,比如日志,事务,权限等
- 使用场景: 统一记录控制层请求日志以及返回结果
- 使用方式:
import com.alibaba.fastjson.JSON;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.Signature;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.reflect.MethodSignature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.io.InputStreamSource;
import org.springframework.stereotype.Component;
import org.springframework.web.multipart.MultipartFile;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@Component
@Aspect
public class ServiceAspect {
private final HttpServletRequest request;
private Logger sevicelog = LoggerFactory.getLogger("serviceLog");
@Autowired
public ServiceAspect(HttpServletRequest request) {
this.request = request;
}
@Around("execution(* com.example.controller.*.*(..))")
public Object serviceBefore(ProceedingJoinPoint pjp) throws Throwable {
Map<String, Object> logMap1 = new HashMap<>();
Signature signature = pjp.getSignature();
MethodSignature methodSignature = (MethodSignature) signature;
//2.最关键的一步:通过这获取到方法的所有参数名称的字符串数组
String[] parameterNames = methodSignature.getParameterNames();
int i = 0;
for (Object arg : pjp.getArgs()) {
String argValue="";
if(!(arg instanceof HttpServletRequest ||arg instanceof HttpServletResponse
||arg instanceof InputStreamSource ||arg instanceof MultipartFile)){
try {
if(arg instanceof List){
List b=(List) arg;
if(!b.isEmpty()){
if(b.get(0) instanceof MultipartFile){
continue;
}
}
}
argValue= JSON.toJSONString(arg);
}catch (Exception e){
e.printStackTrace();
}
}
logMap1.put(parameterNames[i++], argValue);
}
Map<String, Object> logMap = new HashMap<>();
logMap.put("msg", logMap1);
Object result = pjp.proceed();
logMap.put("result", result);
logMap.put("method", signature.getName());
logMap.put("sub_project", "interface");
logMap.put("ip", IpUtil.getIpAddr(request));
SimpleDateFormat dateformat = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
String date = dateformat.format(new Date());
logMap.put("visit_date", date);
logMap.put("project_name", "SpringBoot");
sevicelog.info(JSON.toJSONString(logMap));
return result;
}
}
6.总结
- 如果是拦截静态资源,需要使用过滤器;
- 如果是参数校验,可以使用拦截器实现;
- 如果对参数加解密,可以使用RequestBodyAdivce 和 ResponseBodyAdvice;
- 如果是记录访问日志,可以使用 AOP.
- 最后引用一张图,说明过滤器和拦截器的关系
7.参考文档
拦截器和过滤器的区别
Spring MVC中的拦截器/过滤器HandlerInterceptorAdapter的使用
spring boot使用过滤器(以session校验为例)
彻底搞清拦截器和过滤器的区别