SpringBoot 接口数据加解密
xx项目有于安全问题,需要对接口整体进行加密处理,我们怎么处理呢。
和产品、前端讨论需求后,梳理了相关技术方案,主要的需求点如下:
-
尽量少改动,不影响之前的业务逻辑;
-
考虑到时间紧迫性,可采用对称性加密方式,服务需要对接安卓、IOS、H5三端,另外考虑到H5端存储密钥安全性相对来说会低一些,故分针对H5和安卓、IOS分配两套密钥;
-
要兼容低版本的接口,后面新开发的接口可不用兼容;
-
接口有GET和POST两种接口,需要都要进行加解密;
需求解析:
-
服务端、客户端和H5统一拦截加解密,网上有成熟方案,也可以按其他服务中实现的加解密流程来搞;
-
使用AES放松加密,考虑到H5端存储密钥安全性相对来说会低一些,故分针对H5和安卓、IOS分配两套密钥;
-
本次涉及客户端和服务端的整体改造,经讨论,新接口统一加 /secret/ 前缀来区分
那我们可以使用 @ControllerAdvice + RequestBodyAdvice/ResponseBodyAdvice 轻松实现
@ControllerAdvice / @RestControllerAdvice 区别?
@ControllerAdvice + @ExceptionHandler来实现全局异常捕获;陌生在于你除了copy代码时看到过外,自己似乎从来没有真正使用过它。
在前面关于@ModelAttribute和@InitBinder 的相关文章中其实和这个注解是打过照面的:在此注解标注的类上使用@InitBinder等注解可以使得它对"全局"生效实现统一的控制。本文将把@ControllerAdvice此注解作为重点进一步的去了解它的使用以及工作机制。
此类的命名是很有信息量的:Controller的Advice通知。关于Advice的含义,熟悉AOP相关概念的同学就不会陌生了,因此可以看到它整体上还是个AOP的设计思想,只是实现方式不太一样而已。
@ControllerAdvice使用AOP思想可以这么理解:此注解对目标Controller的通知是个环绕通知,织入的方式是注解方式,增强器是注解标注的方法。如此就很好理解@ControllerAdvice搭配@InitBinder/@ModelAttribute/@ExceptionHandler起到的效果喽~
官方doc说它可以和如上我指出的三个注解的一起使用。关于它的使用我总结有如下注意事项:
@ControllerAdvice只需要标注上即可,Spring MVC会在容器里自动探测到它(请确保能被扫描到,否则无效哦~)
若有多个@ControllerAdvice可以使用@Order或者Ordered接口来控制顺序
basePackageClasses属性最终也是转换为了basePackages拿去匹配的
RequestBodyAdvice/ResponseBodyAdvice
顾名思义,它们和@RequestBody和@ResponseBody有关,ResponseBodyAdvice是Spring4.1推出的,另外一个是4.2后才有。它哥俩和@ControllerAdvice一起使用会有很好的化学反应
RequestBodyAdvice
官方解释为:允许body体转换为对象之前进行自定义定制;也允许该对象作为实参传入方法之前对其处理。
public interface RequestBodyAdvice {
// 第一个调用的。判断当前的拦截器(advice是否支持)
// 注意它的入参有:方法参数、目标类型、所使用的消息转换器等等
boolean supports(MethodParameter methodParameter, Type targetType, Class> converterType);
// 如果body体木有内容就执行这个方法(后面的就不会再执行喽)
Object handleEmptyBody(Object body, HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class> converterType);
// 重点:它在body被read读/转换**之前**进行调用的
HttpInputMessage beforeBodyRead(HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class> converterType) throws IOException;
// 它在body体已经转换为Object后执行。so此时都不抛出IOException了嘛~
Object afterBodyRead(Object body, HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class> converterType);
}
它的内置实现有这些:
RequestResponseBodyAdviceChain比较特殊,放在后面重点说明。RequestBodyAdviceAdapter没啥说的,因此主要看看JsonViewRequestBodyAdvice这个实现。
JsonViewRequestBodyAdvice
Spring MVC的内置实现,它支持的是Jackson的com.fasterxml.jackson.annotation.@JsonView这个注解,@JsonView一般用于标注在HttpEntity/@RequestBody上,来决定处理入参的哪些key。
该注解指定的反序列视图将传递给MappingJackson2HttpMessageConverter,然后用它来反序列化请求体(从而做对应的过滤)。
// @since 4.2
public class JsonViewRequestBodyAdvice extends RequestBodyAdviceAdapter {
// 处理使用的消息转换器是AbstractJackson2HttpMessageConverter类型
// 并且入参上标注有@JsonView注解的
@Override
public boolean supports(MethodParameter methodParameter, Type targetType, Class> converterType) {
return (AbstractJackson2HttpMessageConverter.class.isAssignableFrom(converterType) &&
methodParameter.getParameterAnnotation(JsonView.class) != null);
}
// 显然这里实现的beforeBodyRead这个方法:
// 它把body最终交给了MappingJacksonInputMessage来反序列处理消息体
// 注意:@JsonView能处理这个注解。也就是说能指定把消息体转换成指定的类型,还是比较实用的
// 可以看到当标注有@jsonView注解后 targetType就没啥卵用了
@Override
public HttpInputMessage beforeBodyRead(HttpInputMessage inputMessage, MethodParameter methodParameter, Type targetType, Class> selectedConverterType) throws IOException {
JsonView ann = methodParameter.getParameterAnnotation(JsonView.class);
Assert.state(ann != null, "No JsonView annotation");
Class[] classes = ann.value();
// 必须指定class类型,并且有且只能指定一个类型
if (classes.length != 1) {
throw new IllegalArgumentException("@JsonView only supported for request body advice with exactly 1 class argument: " + methodParameter);
}
// 它是一个InputMessage的实现
return new MappingJacksonInputMessage(inputMessage.getBody(), inputMessage.getHeaders(), classes[0]);
}
}
ResponseBodyAdvice
它允许在@ResponseBody/ResponseEntity标注的处理方法上在用HttpMessageConverter在写数据之前做些什么。
// @since 4.1 泛型T:body类型
public interface ResponseBodyAdvice {
boolean supports(MethodParameter returnType, Class> converterType);
@Nullable
T beforeBodyWrite(@Nullable T body, MethodParameter returnType, MediaType selectedContentType, Class> selectedConverterType, ServerHttpRequest request, ServerHttpResponse response);
}
@JsonView的使用:它可以放入参时接收指定的字段;也可以让返回值中敏感字段(如密码、盐值等)不予返回,可做到非常灵活的配置和管理,实现一套代码多处使用的目的,提高集成程度
需要注意的是:xxxBodyAdvice虽然使用方便,但是它的普适性还是没有HandlerInterceptor那么强的,下面我列出使用它的几点局限/限制:
xxxAdvice必须被@ControllerAdvice注解标注了才会生效,起到拦截的效果
它只能作用于基于消息转换器的请求/响应(参考注解@RequestBody/@ResponseBody)
当然,只能作用于@RequestMapping模式下的处理器模型上
用户类:
@Data
public class User {
private Integer id;
private String name;
private UserType userType = UserType.COMMON;
@JsonFormat(shape=JsonFormat.Shape.STRING,pattern = "yyyy-MM-dd HH")
private LocalDateTime registerTime;
@JsonFormat(shape=JsonFormat.Shape.STRING,pattern = "yyyy-MM-dd HH:mm:ss")
private Date registerTime1 = new Date();
public static void main(String[] args) {
System.out.println(JSON.toJSONString(UserType.COMMON, SerializerFeature.WriteEnumUsingToString));
}
}
用户类型枚举
@Getter
@JsonFormat(shape = JsonFormat.Shape.OBJECT)
public enum UserType {
VIP("VIP用户"),
COMMON("普通用户");
private String code;
private String type;
UserType(String type) {
this.code = name();
this.type = type;
}
@Override
public String toString() {
return "{" +
"\"code\":\"" + name() + '\"' +
", \"type\":\"" + type + '\"' +
'}';
}
}
构造一个简单的用户列表查询示例:
@Slf4j
@RestController
@RequestMapping(value = {"/user", PREFIX + "/user"})
public class UserController {
@RequestMapping("/list")
ResponseBasic> listUser() {
List users = new ArrayList<>();
User u = new User();
u.setId(1);
u.setName("boyka");
u.setRegisterTime(LocalDateTime.now());
u.setUserType(UserType.COMMON);
users.add(u);
ResponseBasic> response = new ResponseBasic<>();
response.setCode(200);
response.setData(users);
response.setMsg("用户列表查询成功");
return response;
}
@RequestMapping("/save")
ResponseBasic saveUser(@RequestBody User user) {
// ... 新建用户
log.info("save user ok: {}", JSON.toJSON(user));
ResponseBasic response = new ResponseBasic<>();
response.setCode(200);
response.setData(Boolean.TRUE);
response.setMsg("用户创建成功");
return response;
}
}
调用:localhost:8080/user/list
查询结果如下,没毛病
{
"code": 200,
"data": [{
"id": 1,
"name": "boyka",
"userType": {
"code": "COMMON",
"type": "普通用户"
},
"registerTime": "2022-03-24 23:58:39"
}],
"msg": "用户列表查询成功"
}目前主要是利用ControllerAdvice来对请求和响应体进行拦截,主要定义SecretRequestAdvice对请求进行加密和SecretResponseAdvice对响应进行加密(实际情况会稍微复杂一点,项目中又GET类型请求,自定义了一个Filter进行不同的请求解密处理)。
SecretRequestAdvice请求解密:
@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE)
@Slf4j
public class SecretRequestAdvice extends RequestBodyAdviceAdapter {
@Override
public boolean supports(MethodParameter methodParameter, Type type, Class> aClass) {
return true;
}
@Override
public HttpInputMessage beforeBodyRead(HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class> converterType) throws IOException {
//如果支持加密消息,进行消息解密。
String httpBody;
if (Boolean.TRUE.equals(SecretFilter.secretThreadLocal.get())) {
httpBody = decryptBody(inputMessage);
} else {
httpBody = StreamUtils.copyToString(inputMessage.getBody(), Charset.defaultCharset());
}
//返回处理后的消息体给messageConvert
return new SecretHttpMessage(new ByteArrayInputStream(httpBody.getBytes()), inputMessage.getHeaders());
}
/**
* 解密消息体
*
* @param inputMessage 消息体
* @return 明文
*/
private String decryptBody(HttpInputMessage inputMessage) throws IOException {
InputStream encryptStream = inputMessage.getBody();
String requestBody = StreamUtils.copyToString(encryptStream, Charset.defaultCharset());
// 验签过程
HttpHeaders headers = inputMessage.getHeaders();
if (CollectionUtils.isEmpty(headers.get("clientType"))
|| CollectionUtils.isEmpty(headers.get("timestamp"))
|| CollectionUtils.isEmpty(headers.get("salt"))
|| CollectionUtils.isEmpty(headers.get("signature"))) {
throw new ResultException(SECRET_API_ERROR, "请求解密参数错误,clientType、timestamp、salt、signature等参数传递是否正确传递");
}
String timestamp = String.valueOf(Objects.requireNonNull(headers.get("timestamp")).get(0));
String salt = String.valueOf(Objects.requireNonNull(headers.get("salt")).get(0));
String signature = String.valueOf(Objects.requireNonNull(headers.get("signature")).get(0));
String privateKey = SecretFilter.clientPrivateKeyThreadLocal.get();
ReqSecret reqSecret = JSON.parseObject(requestBody, ReqSecret.class);
String data = reqSecret.getData();
String newSignature = "";
if (!StringUtils.isEmpty(privateKey)) {
newSignature = Md5Utils.genSignature(timestamp + salt + data + privateKey);
}
if (!newSignature.equals(signature)) {
// 验签失败
throw new ResultException(SECRET_API_ERROR, "验签失败,请确认加密方式是否正确");
}
try {
String decrypt = EncryptUtils.aesDecrypt(data, privateKey);
if (StringUtils.isEmpty(decrypt)) {
decrypt = "{}";
}
return decrypt;
} catch (Exception e) {
log.error("error: ", e);
}
throw new ResultException(SECRET_API_ERROR, "解密失败");
}
}
SecretResponseAdvice响应加密:
@ControllerAdvice
public class SecretResponseAdvice implements ResponseBodyAdvice {
private Logger logger = LoggerFactory.getLogger(SecretResponseAdvice.class);
@Autowired
private ObjectMapper objectMapper;
@Override
public boolean supports(MethodParameter methodParameter, Class aClass) {
return true;
}
@Override
public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {
// 判断是否需要加密
Boolean respSecret = SecretFilter.secretThreadLocal.get();
String secretKey = SecretFilter.clientPrivateKeyThreadLocal.get();
// 清理本地缓存
SecretFilter.secretThreadLocal.remove();
SecretFilter.clientPrivateKeyThreadLocal.remove();
if (null != respSecret && respSecret) {
if (o instanceof ResponseBasic) {
// 外层加密级异常
if (SECRET_API_ERROR == ((ResponseBasic) o).getCode()) {
return SecretResponseBasic.fail(((ResponseBasic) o).getCode(), ((ResponseBasic) o).getData(), ((ResponseBasic) o).getMsg());
}
// 业务逻辑
try {
// 使用FastJson序列号会导致和之前的接口响应参数不一致,后面会重点讲到
String data = EncryptUtils.aesEncrypt(objectMapper.writeValueAsString(o), secretKey);
// 增加签名
long timestamp = System.currentTimeMillis() / 1000;
int salt = EncryptUtils.genSalt();
String dataNew = timestamp + "" + salt + "" + data + secretKey;
String newSignature = Md5Utils.genSignature(dataNew);
return SecretResponseBasic.success(data, timestamp, salt, newSignature);
} catch (Exception e) {
logger.error("beforeBodyWrite error:", e);
return SecretResponseBasic.fail(SECRET_API_ERROR, "", "服务端处理结果数据异常");
}
}
}
return o;
}
}
请求方法:
localhost:8080/secret/user/list
header:
Content-Type:application/json
signature:55efb04a83ca083dd1e6003cde127c45
timestamp:1648308048
salt:123456
clientType:ANDORIDbody体:
// 原始请求体
{
"page": 1,
"size": 10
}
// 加密后的请求体
{
"data": "1ZBecdnDuMocxAiW9UtBrJzlvVbueP9K0MsIxQccmU3OPG92oRinVm0GxBwdlXXJ"
}
// 加密响应体:
{
"data": "fxHYvnIE54eAXDbErdrDryEsIYNvsOOkyEKYB1iBcre/QU1wMowHE2BNX/je6OP3NlsCtAeDqcp7J1N332el8q2FokixLvdxAPyW5Un9JiT0LQ3MB8p+nN23pTSIvh9VS92lCA8KULWg2nViSFL5X1VwKrF0K/dcVVZnpw5h227UywP6ezSHjHdA+Q0eKZFGTEv3IzNXWqq/otx5fl1gKQ==",
"code": 200,
"signature": "aa61f19da0eb5d99f13c145a40a7746b",
"msg": "",
"timestamp": 1648480034,
"salt": 632648
}
// 解密后的响应体:
{
"code": 200,
"data": [{
"id": 1,
"name": "boyka",
"registerTime": "2022-03-27T00:19:43.699",
"userType": "COMMON"
}],
"msg": "用户列表查询成功",
"salt": 0
}OK,客户端请求加密->发起请求->服务端解密->业务处理->服务端响应加密->客户端解密展示,看起来没啥问题,实际是头天下午花了2小时碰需求,差不多花1小时写好demo测试,然后对所有接口统一进行了处理,整体一下午赶脚应该行了吧,告诉H5和安卓端同学明儿上午联调(不小的大家到这个时候发现猫腻没有,当时确实疏忽了,翻了大车......)
次日,安卓端反馈,你这个加解密有问题,解密后的数据格式和之前不一样,仔细一看,擦,这个userType和registerTime是不对劲,开始思考:这个能是哪儿的问题呢?1s之后,初步定位,应该是响应体的JSON.toJSONString的问题:
String data = EncryptUtils.aesEncrypt(JSON.toJSONString(o)),
Debug断点调试,果然,是JSON.toJSONString(o)这一步骤转换出了问题,那JSON转换时是不是有高级属性可以配置生成想要的序列化格式呢?
FastJson在序列化时提供重载方法,找到其中一个"SerializerFeature"参数可以琢磨一下,这个参数是可以对序列化进行配置的,它提供了很多配置类型,其中感觉这几个比较沾边:
WriteEnumUsingToString,
WriteEnumUsingName,
UseISO8601DateFormat
对枚举类型来说,默认是使用的WriteEnumUsingName(枚举的Name), 另一种WriteEnumUsingToString是重新toString方法,理论上可以转换成想要的样子,即这个样子:
@Getter
@JsonFormat(shape = JsonFormat.Shape.OBJECT)
public enum UserType {
VIP("VIP用户"),
COMMON("普通用户");
private String code;
private String type;
UserType(String type) {
this.code = name();
this.type = type;
}
@Override
public String toString() {
return "{" +
"\"code\":\"" + name() + '\"' +
", \"type\":\"" + type + '\"' +
'}';
}
}结果转换出来的数据是字符串类型"{"code":"COMMON", "type":"普通用户"}",这个方法好像行不通,还有什么好办法呢?
思前想后,看文章开始定义的User和UserType类,标记数据序列化格式@JsonFormat,再突然想起之前看到过的一些文章,SpringMVC底层默认是使用Jackson进行序列化的,那好了,就用Jacksong实施呗,将SecretResponseAdvice中的序列化方法替换一下:
String data = EncryptUtils.aesEncrypt(JSON.toJSONString(o), secretKey);
换为:
String data =EncryptUtils.aesEncrypt(new ObjectMapper().writeValueAsString(o), secretKey);
重新运行一波,走起:
{
"code": 200,
"data": [{
"id": 1,
"name": "boyka",
"userType": {
"code": "COMMON",
"type": "普通用户"
},
"registerTime": {
"month": "MARCH",
"year": 2022,
"dayOfMonth": 29,
"dayOfWeek": "TUESDAY",
"dayOfYear": 88,
"monthValue": 3,
"hour": 22,
"minute": 30,
"nano": 453000000,
"second": 36,
"chronology": {
"id": "ISO",
"calendarType": "iso8601"
}
}
}],
"msg": "用户列表查询成功"
}解密后的userType枚举类型和非加密版本一样了,舒服了,== 好像还不对,registerTime怎么变成这个样子了?原本是"2022-03-24 23:58:39"这种格式的,Jackson之LocalDateTime转换,无需改实体类这篇文章讲到了这个问题,并提出了一种解决方案。
不过用在我们目前这个需求里面,就是有损改装了啊,不太可取,遂去Jackson官网上查找一下相关文档,当然Jackson也提供了ObjectMapper的序列化配置,重新再初始化配置ObjectMpper对象:
String DATE_TIME_FORMATTER = "yyyy-MM-dd HH:mm:ss";
ObjectMapper objectMapper = new Jackson2ObjectMapperBuilder()
.findModulesViaServiceLoader(true)
.serializerByType(LocalDateTime.class, new LocalDateTimeSerializer(
DateTimeFormatter.ofPattern(DATE_TIME_FORMATTER)))
.deserializerByType(LocalDateTime.class, new LocalDateTimeDeserializer(
DateTimeFormatter.ofPattern(DATE_TIME_FORMATTER)))
.build();转换结果:
{
"code": 200,
"data": [{
"id": 1,
"name": "boyka",
"userType": {
"code": "COMMON",
"type": "普通用户"
},
"registerTime": "2022-03-29 22:57:33"
}],
"msg": "用户列表查询成功"
}OK,和非加密版的终于一致了,完了吗?感觉还是可能存在些什么问题,首先业务代码的时间序列化需求不一样,有"yyyy-MM-dd hh:mm:ss"的,也有"yyyy-MM-dd"的,还可能其他配置思考不到位的,导致和之前非加密版返回数据不一致的问题,到时候联调测出来了也麻烦,有没有一劳永逸的办法呢?
同事一句话点亮我,看一下spring框架自身是怎么序列化的,照着配置应该就行嘛,好像有点道理。
跟着执行链路,找到具体的响应序列化,重点就是RequestResponseBodyMethodProcessor,
protected void writeWithMessageConverters(@Nullable T value, MethodParameter returnType, ServletServerHttpRequest inputMessage, ServletServerHttpResponse outputMessage) throws IOException, HttpMediaTypeNotAcceptableException, HttpMessageNotWritableException {
// 获取响应的拦截器链并执行beforeBodyWrite方法,也就是执行了我们自定义的SecretResponseAdvice中的beforeBodyWrite啦
body = this.getAdvice().beforeBodyWrite(body, returnType, selectedMediaType, converter.getClass(), inputMessage, outputMessage);
if (body != null) {
// 执行响应体序列化工作
if (genericConverter != null) {
genericConverter.write(body, (Type)targetType, selectedMediaType, outputMessage);
} else {
converter.write(body, selectedMediaType, outputMessage);
}
} 进而通过实例化的AbstractJackson2HttpMessageConverter对象找到执行序列化的核心方法
-> AbstractGenericHttpMessageConverter:
public final void write(T t, @Nullable Type type, @Nullable MediaType contentType, HttpOutputMessage outputMessage) throws IOException, HttpMessageNotWritableException {
...
this.writeInternal(t, type, outputMessage);
outputMessage.getBody().flush();
}
-> 找到Jackson序列化 AbstractJackson2HttpMessageConverter:
// 从spring容器中获取并设置的ObjectMapper实例
protected ObjectMapper objectMapper;
protected void writeInternal(Object object, @Nullable Type type, HttpOutputMessage outputMessage) throws IOException, HttpMessageNotWritableException {
MediaType contentType = outputMessage.getHeaders().getContentType();
JsonEncoding encoding = this.getJsonEncoding(contentType);
JsonGenerator generator = this.objectMapper.getFactory().createGenerator(outputMessage.getBody(), encoding);
this.writePrefix(generator, object);
Object value = object;
Class serializationView = null;
FilterProvider filters = null;
JavaType javaType = null;
if (object instanceof MappingJacksonValue) {
MappingJacksonValue container = (MappingJacksonValue)object;
value = container.getValue();
serializationView = container.getSerializationView();
filters = container.getFilters();
}
if (type != null && TypeUtils.isAssignable(type, value.getClass())) {
javaType = this.getJavaType(type, (Class)null);
}
ObjectWriter objectWriter = serializationView != null ? this.objectMapper.writerWithView(serializationView) : this.objectMapper.writer();
if (filters != null) {
objectWriter = objectWriter.with(filters);
}
if (javaType != null && javaType.isContainerType()) {
objectWriter = objectWriter.forType(javaType);
}
SerializationConfig config = objectWriter.getConfig();
if (contentType != null && contentType.isCompatibleWith(MediaType.TEXT_EVENT_STREAM) && config.isEnabled(SerializationFeature.INDENT_OUTPUT)) {
objectWriter = objectWriter.with(this.ssePrettyPrinter);
}
// 重点进行序列化
objectWriter.writeValue(generator, value);
this.writeSuffix(generator, object);
generator.flush();
}那么,可以看出SpringMVC在进行响应序列化的时候是从容器中获取的ObjectMapper实例对象,并会根据不同的默认配置条件进行序列化,那处理方法就简单了,我也可以从Spring容器拿数据进行序列化啊。SecretResponseAdvice进行如下进一步改造:
@ControllerAdvice
public class SecretResponseAdvice implements ResponseBodyAdvice {
@Autowired
private ObjectMapper objectMapper;
@Override
public Object beforeBodyWrite(....) {
.....
String dataStr =objectMapper.writeValueAsString(o);
String data = EncryptUtils.aesEncrypt(dataStr, secretKey);
.....
}
}经测试,响应数据和非加密版万全一致啦,还有GET部分的请求加密,.
1.遇到中的问题:
代码一直跑着都没问题,但是最近发现入参特别长的时候,inputMessage.getBody() 这段代码拿不到完整的入参,会被截断。看了下源码,好像默认它转换的时候就截断了。
、解决方法
看了下源码,RequestBodyAdviceAdapter 这个静态类除了 beforeBodyRead 这个方法外,还有个 afterBodyRead 方法,原来我一直以为 beforeBodyRead 是controller 层之前执行,afterBodyRead 是在controller层之后执行,后来我发现我理解错了,它们都是在controller层之前执行。
并且,beforeBodyRead 方法是在 afterBodyRead 方法之前执行,走这两个方法之前都会走一次 supports 方法来判断是否执行。
于是我就把解密逻辑挪到了 afterBodyRead 方法里,就不存在入参超长被截断的问题了。
import cn.hutool.core.codec.Base64;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.nacos.client.utils.JSONUtils;
import com.google.common.base.Throwables;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.MethodParameter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpInputMessage;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.servlet.mvc.method.annotation.RequestBodyAdviceAdapter;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Type;
import java.nio.charset.StandardCharsets;
@ControllerAdvice
@Slf4j
public class DecryptRequestAdvice extends RequestBodyAdviceAdapter {
@Override
public boolean supports(MethodParameter methodParameter, Type targetType, Class> converterType) {
return methodParameter.hasMethodAnnotation(Decrypt.class) || methodParameter.hasParameterAnnotation(Decrypt.class);
}
@Override
public Object afterBodyRead(Object body, HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class> converterType) {
try {
String requestBody = JSONUtils.serializeObject(body);
if (JSONObject.isValid(requestBody)) {
JSONObject jsonObject = JSONObject.parseObject(requestBody);
// 结合自己业务针对获取到的requestBody内容进行修改解密等操作
String decryptData = aesUtil.decrypt(requestBody , "www.cnblogs.com/shamo89");
log.info("接口解密后的入参:{}", decryptData);
body = JSONObject.parseObject(decryptData, targetType);
} else {
throw new IllegalArgumentException("获取到的入参不是合法的json格式!");
}
} catch (Exception e) {
log.error("接口入参解密出错:{}", Throwables.getStackTraceAsString(e));
}
return super.afterBodyRead(body, inputMessage, parameter, targetType, converterType);
}
}2RequestBodyAdviceAdapter 中重复读取body
package com.wenge.operational.interceptor;
import com.wenge.operational.constants.UserValid;
import com.wenge.operational.model.MonitorClassifiedStorage;
import com.wenge.operational.service.MonitorClassifiedStorageService;
import com.wenge.operational.util.SystemManageUtils;
import lombok.extern.java.Log;
import org.apache.commons.io.IOUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.MethodParameter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpInputMessage;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.method.annotation.RequestBodyAdviceAdapter;
import javax.servlet.http.HttpServletRequest;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Type;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
@Log
@ControllerAdvice
public class MonitorClassifiedRequestBodyAdviceAdapter extends RequestBodyAdviceAdapter {
@Override
public boolean supports(MethodParameter methodParameter, Type type, Class> aClass) {
return true;
}
@Override
public HttpInputMessage beforeBodyRead(HttpInputMessage httpInputMessage, MethodParameter methodParameter, Type type, Class> aClass) throws IOException {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
String url = request.getRequestURI();
if(url.startsWith("aaa")){
// 不需要读body的情况 直接返回
return super.beforeBodyRead(httpInputMessage, methodParameter, type, aClass);
}
// 第一次 读取body
String bodyStr = IOUtils.toString(httpInputMessage.getBody(), StandardCharsets.UTF_8);
// 重新new 一个 HttpInputMessage
return new HttpInputMessage() {
@Override
public InputStream getBody() throws IOException {
String body = bodyStr;
// 重新写入 body
return new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8));
}
@Override
public HttpHeaders getHeaders() {
return httpInputMessage.getHeaders();
}
};
}
}
基于RequestBodyAdvice和ResponseBodyAdvice来实现spring中参数的加密和解密_51CTO博客_RequestBodyAdvice