一、背景
笔者工作中遇到一个需求,需要开发一个注解,放在controller层的类或者方法上,用以校验请求参数中(不管是url还是body体内,都要检查,有token参数,且符合校验规则就放行)是否传了一个token的参数,并且token符合一定的生成规则,符合就不予拦截,放行请求,否则拦截请求。
用法如下图所示
可以看到 @TokenCheck 注解既可以放在类上,也可以放在方法上 ,放在类上则对该类中的所有的方法进行拦截校验。
注意:是加了注解才会校验是否拦截,不加没有影响。
整个代码都是使用的最新springboot版本开发的,所以servlet相关的类都是使用jakarta
如果你的springboot版本比较老 ,请使用javax
先引入以下依赖(javax不飘红不用引入)
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>4.0.1</version>
<scope>provided</scope>
</dependency>
我用到的第三方依赖
<dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-lang3</artifactId> <version>3.12.0</version> </dependency> <dependency> <groupId>cn.hutool</groupId> <artifactId>hutool-all</artifactId> <version>5.8.24</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>6.0.11</version> </dependency>
二、TokenCheck注解
package com.example.demo.interceptorToken; import java.lang.annotation.*; /** * 是否有token */ @Documented @Target({ElementType.TYPE, ElementType.METHOD}) @Retention(RetentionPolicy.RUNTIME) public @interface TokenCheck { }
三、请求包装器RequestWrapper
主要是对request请求包装下,因为拦截器会拦截request,会读取其中的参数流,而流只能读一次,后续再用到流的读取会报错,所以用一个包装器类处理下,把流以字节形式读出来,重写了getInputStream(),后续可以重复使用。
package com.example.demo.interceptorToken; import jakarta.servlet.ReadListener; import jakarta.servlet.ServletInputStream; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletRequestWrapper; import org.apache.commons.lang3.StringUtils; import java.io.BufferedReader; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStreamReader; import java.nio.charset.StandardCharsets; /** * @author hulei * @date 2024/1/11 19:48 * @Description 由于 request中getReader()和getInputStream()只能调用一次 导致在Controller @ResponseBody的时候获取不到 null 或 Stream closed * 在项目中,可能会出现需要针对接口参数进行校验等问题 * 构建可重复读取inputStream的request */ public class RequestWrapper extends HttpServletRequestWrapper { // 将流保存下来 private final byte[] requestBody; public RequestWrapper(HttpServletRequest request) throws IOException { super(request); requestBody = readBytes(request.getReader()); } @Override public ServletInputStream getInputStream() { final ByteArrayInputStream basic = new ByteArrayInputStream((requestBody != null && requestBody.length >0) ? requestBody : new byte[]{}); return new ServletInputStream() { @Override public int read() { return basic.read(); } @Override public boolean isFinished() { return false; } @Override public boolean isReady() { return false; } @Override public void setReadListener(ReadListener readListener) { } }; } @Override public BufferedReader getReader() { return new BufferedReader(new InputStreamReader(getInputStream())); } /** * 通过BufferedReader和字符编码集转换成byte数组 */ private byte[] readBytes(BufferedReader br) throws IOException { String str; StringBuilder retStr = new StringBuilder(); while ((str = br.readLine()) != null) { retStr.append(str); } if (StringUtils.isNotBlank(retStr.toString())) { return retStr.toString().getBytes(StandardCharsets.UTF_8); } return null; } }
四、过滤器RequestFilter
自定义请求过滤器,把请求用自定义的包装器RequestWrapper包装下,往调用下文传递,也是为了让request请求的流能多次读取
package com.example.demo.interceptorToken; import jakarta.servlet.*; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import lombok.NonNull; import org.springframework.core.annotation.Order; import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.multipart.MultipartHttpServletRequest; import org.springframework.web.multipart.support.StandardServletMultipartResolver; import java.io.IOException; /** * @author hulei * @date 2024/1/11 19:48 * 自定义请求过滤器 */ //排序优先级,最先执行的过滤器 @Order(0) public class RequestFilter extends OncePerRequestFilter { //spring6.0版本后删除了CommonsMultipartResolver,使用StandardServletMultipartResolver //如果是spring6.0版本,此行代码不报错请使用如下 // private CommonsMultipartResolver multipartResolver = new CommonsMultipartResolver(); private final StandardServletMultipartResolver multipartResolver = new StandardServletMultipartResolver(); /** * */ @Override protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull FilterChain filterChain) throws ServletException, IOException { //请求参数有form_data的话,防止request.getHeaders()报已使用,单独处理 if (request.getContentType() != null && request.getContentType().contains("multipart/form-data")) { MultipartHttpServletRequest multiReq = multipartResolver.resolveMultipart(request); filterChain.doFilter(multiReq, response); }else{ ServletRequest requestWrapper; requestWrapper = new RequestWrapper(request); filterChain.doFilter(requestWrapper, response); } } }
五、请求过滤器配置类TokenFilterConfig
这个很好理解,把自定义配置类注入spring容器
package com.example.demo.interceptorToken; import jakarta.servlet.Filter; import jakarta.servlet.FilterConfig; import jakarta.servlet.ServletContext; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import java.util.Enumeration; /** * @author hulei * @date 2024/1/11 19:48 * 将过滤器注入spring容器中 */ @Configuration public class TokenFilterConfig implements FilterConfig { @Bean Filter bodyFilter() { return new RequestFilter(); } @Bean public FilterRegistrationBean<RequestFilter> filters() { FilterRegistrationBean<RequestFilter> filterRegistrationBean = new FilterRegistrationBean<>(); filterRegistrationBean.setFilter((RequestFilter) bodyFilter()); filterRegistrationBean.addUrlPatterns("/*"); filterRegistrationBean.setName("requestFilter"); //多个filter的时候order的数值越小 则优先级越高 //filterRegistrationBean.setOrder(0); return filterRegistrationBean; } @Override public String getFilterName() { return null; } @Override public ServletContext getServletContext() { return null; } @Override public String getInitParameter(String s) { return null; } @Override public Enumeration<String> getInitParameterNames() { return null; } }
六、核心类RequestInterceptor拦截器
注意如果你的springboot版本也是低于3.0,请继承HandlerInterceptorAdapter类,实现其中方法,基本不用改动类中的内容,只需要 把implements HandlerInterceptor 改为extends HandlerInterceptorAdapter即可。
package com.example.demo.interceptorToken; import cn.hutool.json.JSONArray; import cn.hutool.json.JSONObject; import cn.hutool.json.JSONUtil; import jakarta.servlet.ServletInputStream; import jakarta.servlet.http.Cookie; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import lombok.NonNull; import org.apache.commons.lang3.StringUtils; import org.springframework.util.StreamUtils; import org.springframework.web.method.HandlerMethod; import org.springframework.web.multipart.MultipartHttpServletRequest; import org.springframework.web.multipart.support.StandardServletMultipartResolver; import org.springframework.web.servlet.HandlerInterceptor; import org.springframework.web.servlet.ModelAndView; import java.io.IOException; import java.io.PrintWriter; import java.io.UnsupportedEncodingException; import java.lang.reflect.Method; import java.net.URLDecoder; import java.nio.charset.Charset; import java.util.*; import java.util.concurrent.ConcurrentHashMap; /** * @author hulei * @date 2024/1/11 19:48 * 自定义请求拦截器(spring boot 3.0以下的版本,需要继承HandlerInterceptorAdapter类,实现对应得方法) */ public class RequestInterceptor implements HandlerInterceptor { /** * 需要从请求里验证的关键字参数名 */ private static final String TOKEN_STR = "token"; /** * 进入拦截的方法前触发 * 这里主要从打了注解请求中查找有没有token关键字,并且token的值是否符合一定的生成规则,是就放行,不是就拦截 */ @Override public boolean preHandle(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull Object handler) throws Exception { if (handler instanceof HandlerMethod handlerMethod) { //获取token注解 TokenCheck tokenCheck = getTokenCheckAnnotation(handlerMethod); //请求参数有form_data的话,防止request.getHeaders()或request.getInputStream()报已使用错误,单独处理 if (request.getContentType() != null && request.getContentType().contains("multipart/form-data")) { //判断当前注解是否存在 if (tokenCheck != null) { final StandardServletMultipartResolver multipartResolver = new StandardServletMultipartResolver(); MultipartHttpServletRequest multipartHttpServletRequest = multipartResolver.resolveMultipart(request); String urlOrBodyToken = "", tokenFromHeaders, tokenFromCookies; //获取全部参数,不管是params里的还是body(form_data)里的 urlOrBodyToken = getTokenFromUrlOrBody(multipartHttpServletRequest); //从headers获取token tokenFromHeaders = getTokenFromHeaders(multipartHttpServletRequest); //从cookies获取token tokenFromCookies = getTokenFromCookies(multipartHttpServletRequest); if (tokenRuleValidation(urlOrBodyToken) || tokenRuleValidation(tokenFromHeaders) || tokenRuleValidation(tokenFromCookies)) { return true; } else { returnJson(response, "token校验失败"); return false; } } } else { //判断当前注解是否存在 if (tokenCheck != null) { // 获取请求方式,如果需要根据请求方式做不同处理,则获取后自行判断即可 //String requestMethod = request.getMethod(); request = new RequestWrapper(request); //token关键字,分别是来自url、headers、cookies、body中的token String tokenFromUrl, tokenFromHeaders, tokenFromCookies, tokenFromBody; //url获取token请求参数 tokenFromUrl = getTokenFromUrl(request); //从headers获取token tokenFromHeaders = getTokenFromHeaders(request); //从cookies获取token tokenFromCookies = getTokenFromCookies(request); //从body体获取token参数 tokenFromBody = getTokenFromBody(request); //token校验判断 if (tokenRuleValidation(tokenFromUrl) || tokenRuleValidation(tokenFromHeaders) || tokenRuleValidation(tokenFromCookies) || tokenRuleValidation(tokenFromBody)) { return true; } else { returnJson(response, "token校验失败"); return false; } } } return true; } return true; } /** * 获取TokenCheck注解(先从类上优先获取) */ private TokenCheck getTokenCheckAnnotation(HandlerMethod handler) { Method method = handler.getMethod(); //获取方法所属的类,并获取类上的@TokenCheck注解 Class<?> clazz = method.getDeclaringClass(); TokenCheck tokenCheck = null; if (clazz.isAnnotationPresent(TokenCheck.class)) { tokenCheck = clazz.getAnnotation(TokenCheck.class); } //类上没有注解,则从方法上再获取@TokenCheck tokenCheck = tokenCheck == null ? method.getAnnotation(TokenCheck.class) : tokenCheck; return tokenCheck; } //=============================================================================================================================== /** * form_data参数形式,从url和body中获取符合生成规则条的token */ private String getTokenFromUrlOrBody(HttpServletRequest multipartHttpServletRequest) { String urlOrBodyToken = ""; Map<String, String[]> urlAndBodyParam = multipartHttpServletRequest.getParameterMap(); String[] tokenFromUrlOrBody = urlAndBodyParam.get(TOKEN_STR); for (String tokenStr : tokenFromUrlOrBody) { if (tokenRuleValidation(tokenStr)) { urlOrBodyToken = tokenStr; break; } } return urlOrBodyToken; } //=============================================================================================================================== /** * 从headers获取token */ private String getTokenFromHeaders(HttpServletRequest request) { Map<String, String> headerMap = new HashMap<>(); Enumeration<String> enumeration = request.getHeaderNames(); while (enumeration.hasMoreElements()) { String name = enumeration.nextElement(); String value = request.getHeader(name); headerMap.put(name, value); } return headerMap.get(TOKEN_STR) == null ? "" : String.valueOf(headerMap.get(TOKEN_STR)); } //=============================================================================================================================== /** * 从cookies获取token */ private String getTokenFromCookies(HttpServletRequest request) { Map<String, String> cookieMap = new ConcurrentHashMap<>(); Cookie[] cookies = request.getCookies(); if (null != cookies) { Arrays.stream(cookies).forEach(element -> cookieMap.put(element.getName(), element.getValue()) ); } return cookieMap.get(TOKEN_STR) == null ? "" : String.valueOf(cookieMap.get(TOKEN_STR)); } //=============================================================================================================================== /** * 从请求体获取token参数 */ private String getTokenFromBody(HttpServletRequest request) throws Exception { String bodyParamsStr = this.getPostParam(request); String tokenFromBody = ""; //判断是否是json数组 boolean isJsonArray = JSONUtil.isTypeJSONArray(bodyParamsStr); if (!isJsonArray) { tokenFromBody = JSONUtil.parseObj(bodyParamsStr).getStr(TOKEN_STR); } else { JSONArray jsonArray = JSONUtil.parseArray(bodyParamsStr); Set<String> tokenSet = new HashSet<>(); for (int i = 0; i < jsonArray.size(); i++) { JSONObject jsonObject = jsonArray.getJSONObject(i); if (StringUtils.isNotEmpty(jsonObject.getStr(TOKEN_STR))) { tokenSet.add(jsonObject.getStr(TOKEN_STR)); } } if (!tokenSet.isEmpty()) { tokenFromBody = tokenSet.stream().filter(this::tokenRuleValidation).findFirst().orElse(""); } } return tokenFromBody; } private String getPostParam(HttpServletRequest request) throws Exception { RequestWrapper readerWrapper = new RequestWrapper(request); return StringUtils.isEmpty(getBodyParams(readerWrapper.getInputStream(), request.getCharacterEncoding())) ? "{}" : getBodyParams(readerWrapper.getInputStream(), request.getCharacterEncoding()); } private String getBodyParams(ServletInputStream inputStream, String charset) throws Exception { String body = StreamUtils.copyToString(inputStream, Charset.forName(charset)); if (StringUtils.isEmpty(body)) { return ""; } return body; } //=============================================================================================================================== /** * 如果是get请求,则把url中的请求参数获取到,转换为map */ public String getTokenFromUrl(HttpServletRequest request) throws UnsupportedEncodingException { //获取当前请求的编码方式,用于参数value解码 String encoding = request.getCharacterEncoding(); String urlQueryString = request.getQueryString(); Map<String, String> queryMap = new HashMap<>(); String[] arrSplit; if (urlQueryString == null) { return ""; } else { //每个键值为一组 arrSplit = urlQueryString.split("&"); for (String strSplit : arrSplit) { String[] arrSplitEqual = strSplit.split("="); //解析出键值 if (arrSplitEqual.length > 1) { queryMap.put(arrSplitEqual[0], URLDecoder.decode(arrSplitEqual[1], encoding)); } else { if (!"".equals(arrSplitEqual[0])) { queryMap.put(arrSplitEqual[0], ""); } } } } return queryMap.get(TOKEN_STR) == null ? "" : String.valueOf(queryMap.get(TOKEN_STR)); } /** * token 规则校验 * * @param token token关键字 */ private boolean tokenRuleValidation(String token) { return "AAABBB".equals(token); } /** * 离开拦截的方法后触发 */ @Override public void postHandle(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull Object handler, ModelAndView modelAndView) { } /** * 返回response的json信息 */ private void returnJson(HttpServletResponse response, String json) throws IOException { response.setCharacterEncoding("UTF-8"); response.setContentType("text/html; charset=utf-8"); try (PrintWriter writer = response.getWriter()) { writer.print(json); } } }
七、拦截器注册InterceptorRegister
一个配置类,把自定义的拦截器注入spring
package com.example.demo.interceptorToken; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.config.annotation.InterceptorRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; /** * @author hulei * @date 2024/1/11 19:48 * 将拦截注入spring容器 */ @Configuration public class InterceptorRegister implements WebMvcConfigurer { @Bean public RequestInterceptor tokenInterceptor() { return new RequestInterceptor(); } @Override public void addInterceptors(InterceptorRegistry registry) { registry.addInterceptor(tokenInterceptor()); } }
八、总结
本例主要是自定义注解,完成请求参数的拦截校验,实际中可根据需求进行修改,如记录日志,拦截校验其他参数,修改RequestInterceptor中的拦截前方法和拦截后方法的逻辑即可
gitee地址: Token-Check-Demo: 自定义注解拦截request请求
注: 创作不易,转载请标明原作地址