背景
项目中的xxl-job-admin版本为2.1.1,一直运行的很好,但是有一天被扫出安全漏洞,然后,我就把xxl-job-admin的springboot版本由1.5升级为2.2.1版本,作了一翻修改,但是上线后会有如下报错:
2023-03-29 12:19:14,937 ERROR [http-nio-8484-exec-5] c.x.j.a.controller.JobApiController [JobApiController.java : 61] 回调接口出错
java.lang.RuntimeException: com.fasterxml.jackson.databind.JsonMappingException: Unexpected character ('o' (code 111)): was expecting comma to separate Object entries
at [Source: (String)"[{"logId":15334691,"logDateTim":1678951367134,"executeResult":{"code":500,"msg":"org.springframework.data.mongodb.UncategorizedMongoDbException: Command failed with error 2 (BadValue): '$and/$or/$nor must be a nonempty array' on server . The full response is {"ok": 0.0, "errmsg": "$and/$or/$nor must be a nonempty array", "code": 2, "codeName": "BadValue", "operationTime": {"$timestamp": {"t": 1678951363, "i": 1}}, "$clusterTime": {"clusterTime": {"$timestamp": {"t": 1678951365, ""[truncated 4835 chars]; line: 1, column: 81] (through reference chain: java.util.ArrayList[0]->com.xxl.job.core.biz.model.HandleCallbackParam["executeResult"])
at com.xxl.job.admin.core.util.JacksonUtil.readValue(JacksonUtil.java:84)
at com.xxl.job.admin.controller.JobApiController.callback(JobApiController.java:57)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:888)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:793)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.fasterxml.jackson.databind.JsonMappingException: Unexpected character ('o' (code 111)): was expecting comma to separate Object entries
at [Source: (String)"[{"logId":15334691,"logDateTim":1678951367134,"executeResult":{"code":500,"msg":"org.springframework.data.mongodb.UncategorizedMongoDbException: Command failed with error 2 (BadValue): '$and/$or/$nor must be a nonempty array' on server :20000. The full response is {"ok": 0.0, "errmsg": "$and/$or/$nor must be a nonempty array", "code": 2, "codeName": "BadValue", "operationTime": {"$timestamp": {"t": 1678951363, "i": 1}}, "$clusterTime": {"clusterTime": {"$timestamp": {"t": 1678951365, ""[truncated 4835 chars]; line: 1, column: 81] (through reference chain: java.util.ArrayList[0]->com.xxl.job.core.biz.model.HandleCallbackParam["executeResult"])
at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:394)
at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:353)
at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.wrapAndThrow(BeanDeserializerBase.java:1714)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:290)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:151)
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:286)
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:245)
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:27)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4202)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3205)
at com.xxl.job.admin.core.util.JacksonUtil.readValue(JacksonUtil.java:82)
... 55 common frames omitted
Caused by: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('o' (code 111)): was expecting comma to separate Object entries
at [Source: (String)"[{"logId":15334691,"logDateTim":1678951367134,"executeResult":{"code":500,"msg":"org.springframework.data.mongodb.UncategorizedMongoDbException: Command failed with error 2 (BadValue): '$and/$or/$nor must be a nonempty array' on server :20000. The full response is {"ok": 0.0, "errmsg": "$and/$or/$nor must be a nonempty array", "code": 2, "codeName": "BadValue", "operationTime": {"$timestamp": {"t": 1678951363, "i": 1}}, "$clusterTime": {"clusterTime": {"$timestamp": {"t": 1678951365, ""[truncated 4835 chars]; line: 1, column: 279]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1840)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:712)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:637)
at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipComma(ReaderBasedJsonParser.java:2293)
at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextFieldName(ReaderBasedJsonParser.java:917)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:295)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:151)
at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:288)
... 62 common frames omitted
问题分析
通过以上报错,可以看到报错的位置为xxl-job-admin回调接口报错导致,该回调接口接收到的字符串无法转换为Java对象;
为了查看该错误json的真实格式,在回调接口增加了对错误json字符串打印日志:
@RequestMapping("/callback")
@ResponseBody
@PermissionLimit(limit=false)
public ReturnT<String> callback(HttpServletRequest request, @RequestBody(required = false) String data) {
// valid
if (XxlJobAdminConfig.getAdminConfig().getAccessToken()!=null
&& XxlJobAdminConfig.getAdminConfig().getAccessToken().trim().length()>0
&& !XxlJobAdminConfig.getAdminConfig().getAccessToken().equals(request.getHeader(XxlJobRemotingUtil.XXL_RPC_ACCESS_TOKEN))) {
return new ReturnT<String>(ReturnT.FAIL_CODE, "The access token is wrong.");
}
// param
List<HandleCallbackParam> callbackParamList = null;
try {
data = new String(data.getBytes(), "utf-8");
callbackParamList = JacksonUtil.readValue(data, List.class, HandleCallbackParam.class);
} catch (Exception e) {
//回调错误参数打印
logger.info(data);
logger.error("回调接口出错", e);
return ReturnT.SUCCESS;
}
if (callbackParamList==null || callbackParamList.size()==0) {
return new ReturnT<String>(ReturnT.FAIL_CODE, "The request data invalid.");
}
// invoke
return adminBiz.callback(callbackParamList);
//return ReturnT.SUCCESS;
}
部署后,在日志上可以看出,引起错误的json字符串内容的双引号没有被转义:
结论
springboot版本升级后,导致接收到复杂的json字符串无法解析
解决方法
使用fastjson替换jackson来解析json参数:
在xxl-job-admin这个类WebMvcConfig.class添加如下方法
@Bean
public HttpMessageConverters fastJsonHttpMessageConverters() {
// 1.定义一个converters转换消息的对象
FastJsonHttpMessageConverter fastConverter = new FastJsonHttpMessageConverterExtension();
// 2.添加fastjson的配置信息,比如: 是否需要格式化返回的json数据
FastJsonConfig fastJsonConfig = new FastJsonConfig();
fastJsonConfig.setSerializerFeatures(SerializerFeature.PrettyFormat);
// 3.在converter中添加配置信息
fastConverter.setFastJsonConfig(fastJsonConfig);
// 4.将converter赋值给HttpMessageConverter
HttpMessageConverter<?> converter = fastConverter;
// 5.返回HttpMessageConverters对象
return new HttpMessageConverters(converter);
}
public class FastJsonHttpMessageConverterExtension extends FastJsonHttpMessageConverter {
FastJsonHttpMessageConverterExtension() {
List<MediaType> mediaTypes = new ArrayList<>();
mediaTypes.add(MediaType.valueOf(MediaType.TEXT_HTML_VALUE + ";charset=UTF-8"));
mediaTypes.add(MediaType.valueOf(MediaType.APPLICATION_JSON_VALUE + ";charset=UTF-8"));
setSupportedMediaTypes(mediaTypes);
}
}
最终问题解决