我发现
another post显示了我们如何创建自己的已检查异常,这些异常也返回不同于500的HTTP状态代码.但是,我需要它是RuntimeException.
然后,我发现
WebApplicationException是一个未经检查的异常,返回HTTP状态代码但不允许我像常规异常中那样设置消息.
Java EE 6中是否存在任何未经检查的异常,允许我像常规异常一样设置错误消息,并返回我可以设置的HTTP状态代码?
编辑:包括John为什么要这样做的解释.
我创建了一个过滤器来捕获我的请求参数中的HTML和XSS攻击.而不是每次在Filter.doFilter中检查它都太慢,我扩展了HttpServletRequestWrapper并像这样使用它.
HttpFilterRequest implements Filter
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
try {
chain.doFilter(new SafeHttpRequest((HttpServletRequest) request), response);
} catch (SecurityViolationException e) {
log.warn(format("A security violation was detected. Please enable debug for further details: %s]", e.getMessage()));
HttpServletResponse resp = (HttpServletResponse) response;
resp.sendError(e.getStatusCode());
}response);
}
SafeHttpRequest extends HttpServletRequestWrapper (supressing parts to shorten code)
@Override
public String getParameter(String parameter) {
return xssAndHtmlValidation(super.getParameter(parameter));
}
@Override
public String getHeader(String name) {
return xssAndHtmlValidation(super.getHeader(name));
}
xssAndHtmlValidation()抛出SecurityViolationException,这是一个RuntimeException,但doFilter的catch块不起作用,因为我的异常是作为包含SecurityViolationException的ServletException抛出的.