目录
1、设计一个HttpServletRequestWrapper
一、背景介绍
spring mvc的接口设计,对json数据进行统一的签名验证设计
二、遇到的问题
spring mvc 的接口设计中,如果每个接口都要做一次参数签名验证的话就觉得有点不够优雅了。虽然可以封装出一个方法,把request对象作为参数传进去来做判断,但是每个接口都要调用一下来验证签名也是非常麻烦的。
正确的方式是设计一个spring mvc的拦截器,重写preHandle方法,在这个方法里面来做验证。验证失败就返回false并且写入返回的错误信息。
那么问题来了,如果是json数据的话,就只能从request的流中读取数据,读完之后,后面的业务逻辑中就不能通过@RequestBody读取数据了,因为这个流只能读取一次,也不能通过mark和reset来标记流的位置和重置流的位置。
三、解决方案
解决办法可能有多个,但是我认为这个比较好。
1、设计一个HttpServletRequestWrapper
设计一个HttpServletRequestWrapper,先把数据缓存到内存。
public class RequestWrapper extends HttpServletRequestWrapper {
private final String body; // 报文
public RequestWrapper(HttpServletRequest request) throws IOException {
super(request);
BufferedReader streamReader = new BufferedReader(
new InputStreamReader(request.getInputStream(), "UTF-8"));
StringBuilder responseStrBuilder = new StringBuilder();
String inputStr;
while ((inputStr = streamReader.readLine()) != null) {
responseStrBuilder.append(inputStr);
}
body = responseStrBuilder.toString();
}
public String getBody() {
return body;
}
@Override
public BufferedReader getReader() throws IOException {
return new BufferedReader(new InputStreamReader(getInputStream()));
}
@Override
public ServletInputStream getInputStream() throws IOException {
final ByteArrayInputStream bais = new ByteArrayInputStream(body.getBytes("utf-8"));
return new ServletInputStream() {
@Override
public int read() throws IOException {
return bais.read();
}
};
}
}
2、设计一个filter
设计一个filter,在这个filter的doFilter中把刚才的HttpServletRequestWrapper放进过滤链(chain)中,这样后面的过滤器就能重复使用流了。
public class HttpServletFilter implements Filter {
public void init(FilterConfig filterConfig) throws ServletException {
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
ServletRequest requestWrapper = null;
System.out.println("我是过滤器");
if(request instanceof HttpServletRequest) {
requestWrapper = new RequestWrapper((HttpServletRequest) request);
}
if(requestWrapper == null) {
chain.doFilter(request, response);
} else {
chain.doFilter(requestWrapper, response);
}
}
public void destroy() {
}
}
然后在web.xml中添加配置
<filter>
<filter-name>requestFilter</filter-name>
<filter-class>com.xxx.common.filter.HttpServletFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>requestFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
四、其他辅助设计
前三步解决了json重复读的问题,后面的一些接口的其他设计。
1、定义一个注解
定义一个注解,这个注解告诉springmvc的拦截器哪些接口需要验证签名。起到一个标识作用。
@Documented
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface BcApi {
}
2、定义一个拦截器
定一个拦截器,这个拦截器是验证签名的主要逻辑
public class ApiInterceptor implements HandlerInterceptor {
@Autowired
private BcApiSettingService bcApiSettingService;
@Override
public boolean preHandle(HttpServletRequest request,
HttpServletResponse response, Object handler) throws Exception {
if (handler instanceof HandlerMethod) {
HandlerMethod handlermethod = (HandlerMethod) handler;
BcApi api = handlermethod.getMethodAnnotation(BcApi.class);
if (api == null) {
return true;
}
// 验证token
String sign = request.getHeader("sign");
String appid = request.getHeader("appid");
String timestamp = request.getHeader("timestamp");
if (StringUtils.isBlank(appid)) {
YssApiResponse res = new YssApiResponse();
res.setErrcode(ErrorCode.ERR0);
res.setErrmsg("appid不能为空");
HttpServletResponseUtil.writeJson(response, res);
return false;
}
if (StringUtils.isBlank(sign)) {
YssApiResponse res = new YssApiResponse();
res.setErrcode(ErrorCode.ERR0);
res.setErrmsg("签名不能为空");
HttpServletResponseUtil.writeJson(response, res);
return false;
}
if (StringUtils.isBlank(timestamp)) {
YssApiResponse res = new YssApiResponse();
res.setErrcode(ErrorCode.ERR0);
res.setErrmsg("timestamp不能为空");
HttpServletResponseUtil.writeJson(response, res);
return false;
}
BcApiSetting setting = bcApiSettingService.get(appid);
if (setting == null) {
YssApiResponse res = new YssApiResponse();
res.setErrcode(ErrorCode.ERR0);
res.setErrmsg("appid错误");
HttpServletResponseUtil.writeJson(response, res);
return false;
}
RequestWrapper myRequestWrapper = new RequestWrapper(
(HttpServletRequest) request);
String body = myRequestWrapper.getBody();
StringBuilder responseStrBuilder = new StringBuilder();
responseStrBuilder.append(timestamp)
.append(setting.getAppsecret());
String ret = responseStrBuilder.toString();
//ret = ret.replaceAll("\\s*", "");
String md5 = MD5Utils.getMD5String(responseStrBuilder.toString());
System.out.println(md5);
if (!sign.equals(md5)) {
YssApiResponse res = new YssApiResponse();
res.setErrcode(ErrorCode.ERR3);
res.setErrmsg("签名错误");
HttpServletResponseUtil.writeJson(response, res);
return false;
}
return true;
}
return true;
}
@Override
public void postHandle(HttpServletRequest request,
HttpServletResponse response, Object handler,
ModelAndView modelAndView) throws Exception {
// TODO Auto-generated method stub
}
@Override
public void afterCompletion(HttpServletRequest request,
HttpServletResponse response, Object handler, Exception ex)
throws Exception {
// TODO Auto-generated method stub
}
}