You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
121 lines
4.5 KiB
121 lines
4.5 KiB
package com.tptj.demo.hg.parameter.decode; |
|
|
|
import com.fr.base.BaseUtils; |
|
import com.fr.data.DefaultRequestParameterHandler; |
|
import com.fr.general.data.DataModel; |
|
import com.fr.script.Calculator; |
|
import com.fr.stable.StringUtils; |
|
|
|
import javax.servlet.http.HttpServletRequest; |
|
import java.util.Set; |
|
import java.util.TreeSet; |
|
|
|
/** |
|
* @author 秃破天际 |
|
* @version 10.0 |
|
* Created by 秃破天际 on 2021/7/11 |
|
* MD5签名的参数获取方案校验,注意该代码仅仅是教学演示用! |
|
* 并非完整可靠的方案,要实际运用在项目中,要自行根据项目需要,进行相应改造! |
|
**/ |
|
public class Demo1 extends DefaultRequestParameterHandler { |
|
public static final String DS_NAME = "ProtectedParameterNames"; |
|
/** |
|
* 假设密钥固定是123456,实际开发时可用配置的方式实现 |
|
*/ |
|
public static final String SECRET = "123456"; |
|
/** |
|
* 假设有一个服务器数据集名字叫ProtectedParameterNames,数据集第一列就是一组参数名,里面所有的参数都禁止用户自己选择和传递! |
|
* @param req |
|
* @return |
|
*/ |
|
public static Set<String> getTagNames(HttpServletRequest req){ |
|
Set<String> set = (Set<String>)req.getSession(true).getAttribute(DS_NAME); |
|
if( null != set ){ |
|
return set; |
|
} |
|
//需要排序 |
|
set = new TreeSet<String>(); |
|
try{ |
|
DataModel dm = BaseUtils.getDataModelFromTableDataName(Calculator.createCalculator(), DS_NAME); |
|
for(int i=0,len=dm.getRowCount(); i<len; i++){ |
|
set.add( (String)dm.getValueAt(i,0) ); |
|
} |
|
req.getSession(true).setAttribute(DS_NAME,set); |
|
}catch(Exception e){ |
|
|
|
} |
|
return set; |
|
} |
|
|
|
/** |
|
* 获取请求原始携带的参数 |
|
* @param req |
|
* @param name |
|
* @return |
|
*/ |
|
public Object getSuperValue(HttpServletRequest req,String name){ |
|
Object val = super.getParameterFromHeader(req,name); |
|
if( null != val ){ |
|
return val; |
|
} |
|
val = super.getParameterFromRequest(req,name); |
|
if( null != val ){ |
|
return val; |
|
} |
|
return super.getParameterFromJSONParameters(req,name); |
|
} |
|
|
|
|
|
private Object getResult(HttpServletRequest req,String name, Object value ){ |
|
Set<String> pnames = getTagNames(req); |
|
if( !pnames.contains(name) ){ |
|
return value; |
|
} |
|
String sign_str = (String) getSuperValue(req, "sign"); |
|
Sign sign = Sign.parse(sign_str); |
|
//过有效期 |
|
if( sign.isTimeout() ){ |
|
return StringUtils.EMPTY; |
|
} |
|
StringBuilder sb = new StringBuilder(); |
|
for( String pname : pnames ){ |
|
Object val = getSuperValue(req,pname); |
|
if( null != val){ |
|
sb.append(pname).append(val); |
|
} |
|
} |
|
//签名不合法 |
|
if( !sign.check( sb.toString(), SECRET ) ){ |
|
return StringUtils.EMPTY; |
|
} |
|
return value; |
|
} |
|
|
|
@Override |
|
public Object getParameterFromRequest(HttpServletRequest req, String name) { |
|
Object value = super.getParameterFromRequest(req,name); |
|
return getResult(req,name,value); |
|
} |
|
|
|
@Override |
|
public Object getParameterFromHeader(HttpServletRequest req, String name) { |
|
Object value = super.getParameterFromHeader(req,name); |
|
return getResult(req,name,value); |
|
} |
|
|
|
@Override |
|
public Object getParameterFromJSONParameters(HttpServletRequest req, String name){ |
|
//FR在设计的时候,参数不仅仅可以直接在query中通过参数名直接给到,还可以通过 __parameters__ 给到一个json字符串来提个一个额外的参数表 |
|
//同一个参数名的参数优先级 header > query > attribute > json > session |
|
Object value = super.getParameterFromJSONParameters(req,name); |
|
return getResult(req,name,value); |
|
} |
|
|
|
@Override |
|
public Object getParameterFromRequestInputStream(HttpServletRequest req, String name){ |
|
//这里单独实现这个方法是强调一下,在10.0版本中,该方法已经没有用了。开发者不要考虑通过这个方法从body中抽取参数 |
|
//如果要使用这个方法,就需要使用filter先把请求的input stream 改成可重复读取的。否则平台请求会报错! |
|
//但是如果都用filter去处理参数了,我们就完全没必要使用这个接口了。 |
|
return super.getParameterFromRequestInputStream(req,name); |
|
} |
|
}
|
|
|