老大给了一个很实际的需求:有段程序,使用Http的方式与合作商交互,而且是明文传输数据。我方的代码已经打包放在服务器上运行了很长时间,这时合作商突然要求修改数据传输的方式,要求加密后再传输,而我方的原有的代码不能改变,以防止引发其它问题。
问:如何在不修改我方现有的代码的前提下,满足合作商的要求?
可能大家都想到了,只要加上一个过滤器Filter不就可以了吗?事实就是这样的,采用Filter+HttpServletRequestWrapper就可以解决这个问题。
首先:在filter中拦截到加密后的请求,将参数解密,然后组装成一个新的明文请求串。
然后:重写HttpServletRequestWrapper中的getInputStream()方法,让其返回过滤器解析后的明文串即可。
具体代码解释如下。
首先我写了两个一摸一样的servlet,一个用来直接接收合作商的明文请求并打印;一个用来接收Filter处理后的合作商的请求并打印(Filter中将合作商加密后的参数解密再传给这个Servlet)。
@WebServlet("/SiServlet")
public class SiServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
/**
* @see HttpServlet#HttpServlet()
*/
public SiServlet() {
super();
}
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
* response)
*/
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
this.doPost(request, response);
}
/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
* response)
*
*/
protected void doPost(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
String bizBindMsg = IOUtils.toString(request.getInputStream(), "UTF-8");
bizBindMsg = URLDecoder.decode(bizBindMsg.toString(), "UTF-8");
System.out.println("SiServlet接收到请求为: " + bizBindMsg);
response.getWriter().write("==========success=========");
}
}
@WebServlet("/SiServletNormal")
public class SiServletNormal extends HttpServlet {
private static final long serialVersionUID = 1L;
/**
* @see HttpServlet#HttpServlet()
*/
public SiServletNormal() {
super();
}
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
* response)
*/
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
this.doPost(request, response);
}
/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
* response)
*
*/
protected void doPost(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
String bizBindMsg = IOUtils.toString(request.getInputStream(), "UTF-8");
bizBindMsg = URLDecoder.decode(bizBindMsg.toString(), "UTF-8");
System.out.println("SiServletNormal接收到请求为: " + bizBindMsg);
response.getWriter()
.write("==========SiServletNormal Success=========");
}
}
然后我使用HttpClient模拟了一下合作商发送明文和密文请求的过程,加密使用Base64简单模拟一下。
public class AdcClient {
private HttpPost httpPost = null;
private HttpClient client = null;
private List<NameValuePair> pairs = null;
public AdcClient() {
httpPost = new HttpPost("http://localhost:8080/filtertest/SiServlet");
client = new DefaultHttpClient();
}
/**
* 发送明文消息
*
*/
public void sendMsg() {
try {
httpPost = new HttpPost(
"http://localhost:8080/filtertest/SiServletNormal");
pairs = new ArrayList<NameValuePair>();
pairs.add(new BasicNameValuePair(("param1"), "obama没加密"));
pairs.add(new BasicNameValuePair(("param2"), "男没加密"));
pairs.add(new BasicNameValuePair(("param3"), "汉没加密"));
pairs.add(new BasicNameValuePair(("param4"), "山东没加密"));
httpPost.setEntity(new UrlEncodedFormEntity(pairs, "UTF-8"));
// httpPost.setHeader("Cookie", "TOKEN=1234567890");
HttpResponse response = client.execute(httpPost);
HttpEntity entity = response.getEntity();
BufferedReader br = new BufferedReader(new InputStreamReader(
entity.getContent()));
String line = null;
StringBuffer result = new StringBuffer();
while ((line = br.readLine()) != null) {
result.append(line);
line = br.readLine();
}
System.out.println("来自SiServletNormal的响应为:" + result.toString());
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
/**
* 发送加密后的消息
*/
public void sendEncryptMsg() {
try {
pairs = new ArrayList<NameValuePair>();
pairs.add(new BasicNameValuePair(("param1"), Base64EnDecrypt
.base64Encode("obama")));
pairs.add(new BasicNameValuePair(("param2"), Base64EnDecrypt
.base64Encode("男")));
pairs.add(new BasicNameValuePair(("param3"), Base64EnDecrypt
.base64Encode("汉")));
pairs.add(new BasicNameValuePair(("param4"), Base64EnDecrypt
.base64Encode("山东")));
HttpEntity reqEntity = new UrlEncodedFormEntity(pairs, "UTF-8");
httpPost.setEntity(reqEntity);
// httpPost.setHeader("Cookie", "TOKEN=1234567890");
HttpResponse response = client.execute(httpPost);
/**
* 获取响应信息
*/
HttpEntity entity = response.getEntity();
BufferedReader br = new BufferedReader(new InputStreamReader(
entity.getContent()));
String line = null;
StringBuffer result = new StringBuffer();
while ((line = br.readLine()) != null) {
result.append(line);
line = br.readLine();
}
System.out.println("来自SiServlet的响应为:" + result.toString());
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
/**
* @param args
* @throws UnsupportedEncodingException
*/
public static void main(String[] args) throws UnsupportedEncodingException {
new AdcClient().sendMsg();
new AdcClient().sendEncryptMsg();
}
}
重点是下面的这个HttpServletRequestWrapper,我重写了它的getInputStream()方法,这个方法返回包含明文的ServletInputStream
public class MyRequestWrapper extends HttpServletRequestWrapper {
private HttpServletRequest request;
public MyRequestWrapper(HttpServletRequest request) {
super(request);
this.request = request;
}
/**
* 先解密,获取明文;然后将明文转化为字节数组;然后再去读取字节数组中的内容
*/
@Override
public ServletInputStream getInputStream() {
String bizBindMsg = null;
ServletInputStream stream = null;
try {
stream = request.getInputStream();
bizBindMsg = IOUtils.toString(stream, "UTF-8");
} catch (IOException e) {
e.printStackTrace();
}
try {
bizBindMsg = URLDecoder.decode(bizBindMsg.toString(), "UTF-8");
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
System.out.println("MyRequestWrapper接收到的请求为: " + bizBindMsg);
/**
* 获取加密的值进行解密
*/
final StringBuffer reqStr = new StringBuffer();
reqStr.append("param1=").append(
Base64EnDecrypt.base64Decode(bizBindMsg.substring(
bizBindMsg.indexOf("param1=") + 7,
bizBindMsg.indexOf("param2="))));
reqStr.append("&");
reqStr.append("param2=").append(
Base64EnDecrypt.base64Decode(bizBindMsg.substring(
bizBindMsg.indexOf("param2=") + 7,
bizBindMsg.indexOf("param3="))));
reqStr.append("&");
reqStr.append("param3=").append(
Base64EnDecrypt.base64Decode(bizBindMsg.substring(
bizBindMsg.indexOf("param3=") + 7,
bizBindMsg.indexOf("param4="))));
reqStr.append("&");
reqStr.append("param4=").append(
Base64EnDecrypt.base64Decode(bizBindMsg.substring(bizBindMsg
.indexOf("param4=") + 7)));
System.out.println("********MyRequestWrapper接收到的解密后的请求为*********");
System.out.println(reqStr.toString());
/**
* 将解密后的明文串放到buffer数组中
*/
byte[] buffer = null;
try {
buffer = reqStr.toString().getBytes("UTF-8");
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
final ByteArrayInputStream bais = new ByteArrayInputStream(buffer);
ServletInputStream newStream = new ServletInputStream() {
@Override
public int read() throws IOException {
return bais.read();
}
};
return newStream;
}
}
最后是简单的Filter,在这里将加密后的ServletRequest重新包装,交给SiServlet进行处理
public class EncryptFilter implements Filter {
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
chain.doFilter(new MyRequestWrapper((HttpServletRequest) request),
response);
}
@Override
public void init(FilterConfig arg0) throws ServletException {
}
}
我的web.xml中是这样配置的
<filter>
<filter-name>encryptFilter</filter-name>
<filter-class>com.test.filter.EncryptFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>encryptFilter</filter-name>
<url-pattern>/SiServlet</url-pattern>
</filter-mapping>
确保过滤器entyptFilter只拦截到SiServlet的请求即可。
运行AdcClient,可以看到下面的结果
这里的重点是MyRequestWrapper中重写的getInputStream()方法。大家可以看看API中关于HttpServletRequest的用法
http://tomcat.apache.org/tomcat-5.5-doc/servletapi/index.html。
- 描述: 运行结果
- 大小: 8.1 KB
分享到:
相关推荐
这是一个关于HttpServletRequestWrapper使用的列子,工作需要,所以传上来的。
NULL 博文链接:https://rensanning.iteye.com/blog/1706208
NULL 博文链接:https://fishhappy365.iteye.com/blog/484185
NULL 博文链接:https://jiaguwen123.iteye.com/blog/714139
通过继承HttpServletRequestWrapper,配置过滤器的方式实现签名校验 目前只支持post请求类型签名校验 只会对请求体的参数验签 对于重要业务接口,前端请求时需要加入随机字符串,当前时间戳和秘钥(盐)对业务参数...
5.4,public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper 6,服务器白名单校验的java文件: 6.1,public class ServerWhiteListUtil 7,如果不要需要使用服务器白名单功能,那么,注释...
5.4,public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper 6,服务器白名单校验的java文件: 6.1,public class ServerWhiteListUtil 7,如果不要需要使用服务器白名单功能,那么,注释...
XssHttpServletRequestWrapper.java
自定义一个Filter拦截器,使用 Filter来过滤浏览器发出的请求,检测每个请求的参数是否含有XSS攻击关键字,如果存在xss攻击关键字,转义特殊字符。 方法是实现一个自定义的 HttpServletRequestWrapper ,然后在 ...
继承HttpServletRequestWrapper实现类,重新相关方法,实现自定义增加请求参数,通常是由于需要对参数进行特殊业务处理,然而HttpServletRequest的request.getPrameterMap是不允许修改的(被锁,可查看底层源码),...
class MyRequest extends HttpServletRequestWrapper { public MyRequest(HttpServletRequest request) { super(request); } public String MyEncoding(String value) { String value1 = null; try...
Overview Package Class Tree Deprecated Index Help PREV NEXT FRAMES NO FRAMES A B C D E F G H I J L P R S U V -------------------------------------------------------------------------------- ...
对request请求进行拦截,对请求参数修改。常用于前台提交表单参数关键字的过滤。此工具可以对参数拦截并转义后提交到对应的处理类。 除了添加两个JsFilter.java和GetHttpServletRequestWrapper.java之外,需要在web....
class Request extends HttpServletRequestWrapper { public Request(HttpServletRequest request) { super(request); } public String toChi(String input) { try { byte[] bytes=...
J2EE 类库文档 ...HttpServletRequestWrapper HttpServletResponse HttpServletResponseWrapper HttpSession HttpSessionActivationListener HttpSessionAttributeListener HttpSessionBindingEvent ...
javax.servlet.http.HttpServletRequestWrapper javax.servlet.ServletContextAttributeListener javax.servlet.ServletRequestAttributeListener javax.servlet.http.HttpServletResponseWrapper javax.servlet....
对项目中的所有参数去除前后空格过滤,统一处理参数!可以基于此过滤器实现过滤跨站脚本攻击,参数的增加,...实现原理为重写HttpServletRequestWrapper,获取参数的方法。include和 Forwarded 内部转发不在过滤之内。
request 对象是 HttpServletRequestWrapper 类的实例。它的继承体系如下: _request 对象继承层次... Servlet/JSP 中大量使用了接口而不是实现类,这恰恰就是面向接口编程的最佳应用啊。 request 内置对象是由 Tomcat
import javax.servlet.http.HttpServletRequestWrapper; <br/> import org.hqq.hq.impl.AbstractPage; import org.hqq.hq.impl.ActionTypes; import org.hqq.hq.impl.WebPageUtils; <br/>...
request = new HttpServletRequestWrapper(request); nextHandler.handle(target, request, response, isHandled); } } 15.json数据请求时,返回的error信息使用json字符串 public class ...