原文地址:http://liwx2000.iteye.com/blog/1542431
原文作者:liwx2000
为了提高项目安全性,拦截非法访问,要给项目增加了一个过滤器,拦截所有的请求,校验是否有不安全因素。
这个过程就遇到了一个问题:ServletRequest的getReader()和getInputStream()两个方法只能被调用一次,而且不能两个都调用。那么如果Filter中调用了一次,在Controller里面就不能再调用了。没办法,就去网上搜罗了一通,发现了一个超赞的解决方法。为了记录备案,无耻的转了过来,原文地址在上,内容在下。
1. 查看了下ServletRequest的说明,如下:
/** * Retrieves the body of the request as binary data using * a {@link ServletInputStream}. Either this method or * {@link #getReader} may be called to read the body, not both. * * @return a {@link ServletInputStream} object containing * the body of the request * * @exception IllegalStateException if the {@link #getReader} method * has already been called for this request * * @exception IOException if an input or output exception occurred * */ public ServletInputStream getInputStream() throws IOException; /** * Retrieves the body of the request as character data using * a <code>BufferedReader</code>. The reader translates the character * data according to the character encoding used on the body. * Either this method or {@link #getInputStream} may be called to read the * body, not both. * * * @return a <code>BufferedReader</code> * containing the body of the request * * @exception UnsupportedEncodingException if the character set encoding * used is not supported and the * text cannot be decoded * * @exception IllegalStateException if {@link #getInputStream} method * has been called on this request * * @exception IOException if an input or output exception occurred * * @see #getInputStream * */ public BufferedReader getReader() throws IOException;
两个方法都注明方法只能被调用一次,由于RequestBody是流的形式读取,那么流读了一次就没有了,所以只能被调用一次。既然是因为流只能读一次的原因,那么只要将流的内容保存下来,就可以实现反复读取了。byte数组允许被多次读取,而不会丢失内容。下面使用byte数组将流的内容保存下来。
2. 工具方法:
先将RequestBody保存为一个byte数组,然后通过Servlet自带的HttpServletRequestWrapper类覆盖getReader()和getInputStream()方法,使流从保存的byte数组读取。然后再Filter中将ServletRequest替换为ServletRequestWrapper。
代码如下:
BodyReaderHttpServletRequestWrapper类包装ServletRequest,将流保存为byte[],然后将getReader()和getInputStream()方法的流的读取指向byte[]。
import java.io.BufferedReader; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStreamReader; import javax.servlet.ServletInputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import jodd.JoddDefault; import jodd.io.StreamUtil; public class BodyReaderHttpServletRequestWrapper extends HttpServletRequestWrapper { private final byte[] body; public BodyReaderHttpServletRequestWrapper(HttpServletRequest request) throws IOException { super(request); // body = StreamUtil.readBytes(request.getReader(), JoddDefault.encoding);
// 因为http协议默认传输的编码就是iso-8859-1,如果使用utf-8转码乱码的话,可以尝试使用iso-8859-1
body = StreamUtil.readBytes(request.getReader(), "iso-8859-1"); } @Override public BufferedReader getReader() throws IOException { return new BufferedReader(new InputStreamReader(getInputStream())); } @Override public ServletInputStream getInputStream() throws IOException { final ByteArrayInputStream bais = new ByteArrayInputStream(body); return new ServletInputStream() { @Override public int read() throws IOException { return bais.read(); } }; } }
3. 在Filter中的使用:
在Filter中将ServletRequest替换为ServletRequestWrapper
public class HttpServletRequestReplacedFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { //Do nothing } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { ServletRequest requestWrapper = null; if(request instanceof HttpServletRequest) { requestWrapper = new BodyReaderHttpServletRequestWrapper((HttpServletRequest) request); } if(null == requestWrapper) { chain.doFilter(request, response); } else { chain.doFilter(requestWrapper, response); } } @Override public void destroy() { //Do nothing } }