Spring Boot interceptor: reading HTTP request parameters

I recently had a requirement to enforce a permission check on a particular resource. Adding the check to every affected endpoint one by one was not realistic, so I planned to use an interceptor to obtain the id of the current resource and verify that the user has permission for it. I hit a few pitfalls along the way, so I am recording them here; if anything is wrong, please point it out.

1. What can you do with the request parameters

  • Capture the parameters up front and collect request statistics
  • Verify API signatures for a service
  • Audit logging for sensitive endpoints
  • Prevent duplicate submissions to sensitive endpoints

2. Define the interceptor

Note: parameters appended after the question mark in the URL, and form parameters, can be fetched with request.getParameter("resourceId"). A POST body, however, has to be read as a stream: call request.getInputStream() to obtain the stream and read the parameters from it. That does succeed in retrieving the body of a POST request, but after the interceptor has run, when the body is bound to the controller method through the @RequestBody annotation, an exception is thrown:

org.springframework.http.converter.HttpMessageNotReadableException: Required request body is missing

The reason is that a stream is backed by data held in memory (in some cases only partly in memory). Each read records the current position (mark position), and the next read continues from that recorded position (copying from memory). That is why the second read comes back empty after the first one. How do we make it non-empty? If the stream's pos went back to 0, the data in memory could be read again. The Java API has a method public void reset() that resets pos to the start, but not every IO input stream supports it: ServletInputStream does not allow reset(), which is why getInputStream() can effectively be consumed only once.

Solution: extend HttpServletRequestWrapper to save a copy of the request body, then use a filter to pass the saved request on down the chain, so the request can be read multiple times.

2.1 Extend HttpServletRequestWrapper

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class RequestWrapper extends HttpServletRequestWrapper {

    private final String body;
    // Charset declared by the client (Content-Type charset), UTF-8 when absent. The same charset is
    // used to decode the original stream and to re-encode the replay, so the replayed bytes match.
    private final Charset charset;

    public RequestWrapper(HttpServletRequest request) throws IOException {
        super(request);
        this.charset = charsetOf(request);
        StringBuilder stringBuilder = new StringBuilder();
        // The underlying ServletInputStream can be read only once: drain it here and keep the copy.
        try (BufferedReader bufferedReader = new BufferedReader(
                new InputStreamReader(request.getInputStream(), charset))) {
            char[] charBuffer = new char[1024];
            int charsRead;
            while ((charsRead = bufferedReader.read(charBuffer)) != -1) {
                stringBuilder.append(charBuffer, 0, charsRead);
            }
        }
        body = stringBuilder.toString();
    }

    private static Charset charsetOf(HttpServletRequest request) {
        try {
            String enc = request.getCharacterEncoding();
            return enc == null ? StandardCharsets.UTF_8 : Charset.forName(enc);
        } catch (IllegalArgumentException e) {
            return StandardCharsets.UTF_8; // unknown or malformed charset name sent by the client
        }
    }

    @Override
    public ServletInputStream getInputStream() {
        // Every call returns a fresh stream over the cached copy, so the body can be read any number of times.
        final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(body.getBytes(charset));
        return new ServletInputStream() {
            @Override
            public boolean isFinished() {
                return byteArrayInputStream.available() == 0;
            }

            @Override
            public boolean isReady() {
                return true; // the data is in memory, a read never blocks
            }

            @Override
            public void setReadListener(ReadListener readListener) {
                // Non-blocking IO is not supported by this in-memory stream.
            }

            @Override
            public int read() {
                return byteArrayInputStream.read();
            }
        };
    }

    @Override
    public BufferedReader getReader() {
        return new BufferedReader(new InputStreamReader(this.getInputStream(), charset));
    }

    public String getBody() {
        return this.body;
    }

}

2.2 Define the permission interceptor AuthInterceptor

import com.alibaba.fastjson.JSONObject;
import com.demo.base.UserInfo;
import com.demo.constant.StatusCode;
import com.demo.constant.SystemConstant;
import com.demo.exception.BizException;
import com.demo.pojo.ResourceDto;
import com.demo.util.JWTUtil;
import com.demo.wrapper.RequestWrapper;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.http.HttpMethod;
import org.springframework.stereotype.Component;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.util.WebUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Slf4j
@Component
public class AuthInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // Pitfall: when a request carries custom headers, the browser sends two requests.
        // The first is an OPTIONS preflight and only the second is the real GET/POST, so the
        // preflight has to be let through. Answer it with 200 so the browser knows the real
        // request may follow. Only a genuine CORS preflight (Origin + Access-Control-Request-Method)
        // is exempted, not every OPTIONS request.
        if (CorsUtils.isPreFlightRequest(request)) {
            response.setStatus(HttpServletResponse.SC_OK);
            return true;
        }
        String token = request.getHeader(SystemConstant.TOKEN_HEADER);
        if (StringUtils.isBlank(token)) {
            throw new BizException(StatusCode.TOKEN_ERROR, "尚未登录,请登录");
        }
        UserInfo userInfo = JWTUtil.getLoginUser(token);
        if (userInfo == null) {
            throw new BizException(StatusCode.TOKEN_ERROR, "登录信息失效,请重新登录");
        }
        Long resourceId = 0L;
        if (HttpMethod.GET.name().equals(request.getMethod())) {
            resourceId = parseId(request.getParameter("resourceId"));
        }
        if (HttpMethod.POST.name().equals(request.getMethod())) {
            // Query and form parameters are still available through getParameter();
            // a JSON body has to come from the copy cached by RequestWrapper.
            resourceId = parseId(request.getParameter("resourceId"));
            if (resourceId == 0) {
                // Reuse the wrapper installed by ChannelFilter; only wrap here if the filter did not run.
                RequestWrapper wrapper = WebUtils.getNativeRequest(request, RequestWrapper.class);
                if (wrapper == null) {
                    wrapper = new RequestWrapper(request);
                }
                ResourceDto dto = JSONObject.parseObject(wrapper.getBody(), ResourceDto.class);
                if (dto != null && dto.getProjectId() != null) {
                    resourceId = dto.getProjectId();
                }
            }
        }
        if (resourceId != 0) {
            // check permission
        }
        return true;
    }

    // A missing or non-numeric id is treated as "no id" instead of failing with a 500.
    private static Long parseId(String raw) {
        if (StringUtils.isBlank(raw)) {
            return 0L;
        }
        try {
            return Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            return 0L;
        }
    }
}

2.3 Define a filter that passes the wrapped request down the chain

import com.demo.wrapper.RequestWrapper;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

// @WebFilter is only registered by Spring Boot when the application class carries @ServletComponentScan.
@Slf4j
@WebFilter(urlPatterns = "/*", filterName = "channelFilter")
public class ChannelFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        ServletRequest requestWrapper = null;
        if (servletRequest instanceof HttpServletRequest) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            String method = httpServletRequest.getMethod();
            String contentType = httpServletRequest.getContentType() == null ? "" : httpServletRequest.getContentType();
            // Cache the body only for POST requests that are neither file uploads nor HTML forms:
            // a multipart body should not be held as a String, and draining a form-encoded body
            // here would leave getParameter() with nothing to parse further down the chain.
            if (HttpMethod.POST.name().equals(method)
                    && !contentType.contains(MediaType.MULTIPART_FORM_DATA_VALUE)
                    && !contentType.contains(MediaType.APPLICATION_FORM_URLENCODED_VALUE)) {
                requestWrapper = new RequestWrapper(httpServletRequest);
            }
        }
        // Everything downstream (interceptors, @RequestBody binding) now sees the replayable copy.
        filterChain.doFilter(requestWrapper == null ? servletRequest : requestWrapper, servletResponse);
    }

    @Override
    public void destroy() {
    }
}

2.4 The DTO class

import lombok.Data;

@Data
public class ResourceDto {

    private Long projectId;
}

2.5 Register the interceptor

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;

// Note: extending WebMvcConfigurationSupport switches off Spring Boot's MVC auto-configuration;
// implement WebMvcConfigurer instead if the Boot defaults (converters, static resources) should stay.
@Configuration
public class WebMvcConfig extends WebMvcConfigurationSupport {

    @Autowired
    private AuthInterceptor authInterceptor;

    @Override
    protected void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(authInterceptor).addPathPatterns("/api/**");
    }

}
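The permission-check branch in 2.2 is left empty above. The following is an added example (not the post's own code) of how that branch can be completed on top of the same RequestWrapper and ChannelFilter, resolving the id from the query string or the cached JSON body and failing closed on a missing id, a malformed body or a missing permission. ResourcePermissionService and UserInfo.getUserId() are assumptions, not classes from the post.

```java
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.demo.base.UserInfo;
import com.demo.constant.SystemConstant;
import com.demo.util.JWTUtil;
import com.demo.wrapper.RequestWrapper;
import org.apache.commons.lang3.StringUtils;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.util.WebUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Optional;

public class ResourceAuthInterceptor implements HandlerInterceptor {
    // Hypothetical service (assumed, not from the post): does this user hold a permission on this resource?
    public interface ResourcePermissionService { boolean hasPermission(long userId, long resourceId); }
    private final ResourcePermissionService permissions;
    public ResourceAuthInterceptor(ResourcePermissionService permissions) { this.permissions = permissions; }

    // "resourceId" from the query string / form field first, then "projectId" from the cached JSON body.
    static Optional<Long> resolveResourceId(HttpServletRequest request) {
        try {
            String raw = request.getParameter("resourceId");
            if (StringUtils.isBlank(raw)) {
                RequestWrapper cached = WebUtils.getNativeRequest(request, RequestWrapper.class);
                JSONObject json = cached == null ? null : JSONObject.parseObject(cached.getBody());
                raw = json == null ? null : json.getString("projectId");
            }
            long id = Long.parseLong(StringUtils.trimToEmpty(raw));
            return id > 0 ? Optional.of(id) : Optional.empty();
        } catch (NumberFormatException | JSONException e) {
            return Optional.empty(); // a malformed body or id counts as absent, never as "allowed"
        }
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        if (CorsUtils.isPreFlightRequest(request)) { return true; } // only a real CORS preflight is exempt
        String token = request.getHeader(SystemConstant.TOKEN_HEADER);
        UserInfo user = StringUtils.isBlank(token) ? null : JWTUtil.getLoginUser(token);
        if (user == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return false; }
        Optional<Long> resourceId = resolveResourceId(request);
        // Fail closed: a protected route with no usable resource id is rejected, not waved through.
        if (!resourceId.isPresent()) { response.sendError(HttpServletResponse.SC_BAD_REQUEST, "resourceId is required"); return false; }
        if (!permissions.hasPermission(user.getUserId(), resourceId.get())) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return false; } // getUserId() assumed
        return true;
    }
}
```

Register it exactly like AuthInterceptor in 2.5; because ChannelFilter skips form-encoded POSTs, the getParameter() path covers those while the cached body covers JSON.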
