如何Spring项目中接口请求参数名称正确性校验？

一般情况下，接口参数校验只会校验参数值是否正确，例如值不能为空，字符串长度，数值范围等，可以通过javax.validation.constraints包下提供的注解类实现。但是在特殊场景下，尤其是接口对公网提供访问时，为了确保接口安全，我们会加强校验。也就是不只是校验参数值是否符合规范，也会对调用方传入的参数名称进行校验，如果传入的参数不在接口文档约定的范围内，进行拦截，并提示调用方参数名不被服务端接受。

实现本需求需要借助Spring中的两个类RequestBodyAdvice，ResponseBodyAdvice。

一、使用场景

参数过滤，数据加解密，日志打印等和业务逻辑无关的全局统一处理场景

二、作用范围

RequestBodyAdvice仅对使用了@RequestBody注解的方法生效 , 因为它原理上还是AOP , 所以GET方法是不会操作的。

三、实现代码

1、定义一个注解类，指明哪些接口方法需要做参数名称的强校验，方法上不加该注解，Spring做请求报文装配时，会自动把不被识别的参数过滤掉

@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface ParamCheckJson {

}

2、测试的controller类

@RestController
@RequestMapping("jackson/test")
public class JacksonTestController {

    @PostMapping("complexTest")
    public RpcResponse<BookRpcBean> complexTest(@RequestBody RpcRequest<ComplexRequest> request) {

        return new RpcResponse("0000", "success");
    }

    @PostMapping("complexTestUnknown")
    @ParamCheckJson
    public RpcResponse<BookRpcBean> complexTestUnknown(@RequestBody RpcRequest<ComplexRequest> request) {

        try {
            return new RpcResponse("0000", "success");
        } catch (VerifyRequestBodyException e) {
            return new RpcResponse("9999", e.getMessage());
        } catch (Exception e) {
            return new RpcResponse("9999", "系统异常");
        }
    }

}

3、请求参数校验切面VerifyRequestBodyAdvice类

注意supports方法，这里很关键，supports返回true开启，采用调用下面的beforeBodyRead，afterBodyRead方法，返回false不开启。

通过methodParameter.getMethod().isAnnotationPresent(ParamCheckJson.class)判断controller里的方法是否加了ParamCheckJson注解，是的话执行强校验逻辑。

第34行代码是最关键的地方，我们利用jackson强校验机制来完成参数名称校验，下面列出了JsonTestUtil的关键代码。

@RestControllerAdvice
public class VerifyRequestBodyAdvice implements RequestBodyAdvice {
    @Override
    public boolean supports(MethodParameter methodParameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) {
        return methodParameter.getMethod().isAnnotationPresent(ParamCheckJson.class);
    }

    @Override
    public HttpInputMessage beforeBodyRead(HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) throws IOException {
        return new VerifyHttpInputMessage(inputMessage, targetType);
    }

    @Override
    public Object afterBodyRead(Object body, HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) {
        return body;
    }

    @Override
    public Object handleEmptyBody(Object body, HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) {
        return body;
    }

    class VerifyHttpInputMessage implements HttpInputMessage {
        private HttpHeaders headers;
        private InputStream body;

        public VerifyHttpInputMessage(HttpInputMessage inputMessage, Type targetType) throws IOException {
            inputMessage.getHeaders().setContentType(MediaType.valueOf("application/json;charset=UTF-8"));
            String data = IOUtils.toString(inputMessage.getBody());

            JavaType javaType = JsonTestUtil.getJavaType(targetType);

            try {
                Object object = JsonTestUtil.readValue(data, javaType);
            } catch (Exception e) {
                throw new VerifyRequestBodyException(ExceptionCode.SYS_ERROR, "非法参数名称"+e.getMessage());
            }


            this.headers = inputMessage.getHeaders();
            this.body = IOUtils.toInputStream(data, "UTF-8");
        }

        @Override
        public InputStream getBody() throws IOException {
            return body;
        }

        @Override
        public HttpHeaders getHeaders() {
            return headers;
        }
    }
}

4、JsonTestUtil关键代码

public class JsonTestUtil {
    private static final ObjectMapper mapper = new ObjectMapper();

    static {
        // 忽略大小写
        mapper.configure(MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES, true);
        // 该特性决定了当遇到未知属性，是否应该抛出一个JsonMappingException异常。
        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
        mapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
    }

    public static JavaType getJavaType(Type type) {
        return mapper.getTypeFactory().constructType(type);
    }

    public static <T> T readValue(String json, JavaType valueType)
            throws IOException, JsonParseException, JsonMappingException {
        if (null == json || json.isEmpty()) {
            return null;
        }
        return mapper.readValue(json, valueType);
    }
}

 

5、返回统一异常处理ExceptionResponseBodyAdvice类，为什么要在这里做异常处理，因为在VerifyRequestBodyAdvice中抛出的自定义异常在controller里面是无法捕获的，因为抛出VerifyRequestBodyException后，请求无法到达complexTestUnknown方法里面。

@RestControllerAdvice
public class ExceptionResponseBodyAdvice implements ResponseBodyAdvice {
    @Override
    public boolean supports(MethodParameter returnType, Class converterType) {
        return false;
    }

    @Override
    public Object beforeBodyWrite(Object body, MethodParameter returnType, MediaType selectedContentType, Class selectedConverterType, ServerHttpRequest request, ServerHttpResponse response) {
        return null;
    }

    @ExceptionHandler(value = VerifyRequestBodyException.class)
    @ResponseBody
    public RpcResponse handlerGlobeException(HttpServletRequest request, VerifyRequestBodyException exception) {
        return new RpcResponse<>(exception.getCode().value(), exception.getMessage());
    }
}

6、测试

最后通过postman发起调用，返回结果如下

{
    "code": "9999",
    "message": "非法参数名称Unrecognized field \"aaa\",...... not marked as ignorable ......)",
}