目前系统发送的post和put请求都是没有加密数据。客户需要将请求体加密。而系统已经基本开发完成,不可能一个一个去修改发送的请求。就需要在发送请求时候在拦截器中将body进行加密。并且在后端进行请求过滤解密,并且能通过@RequestBody继续获取对象。
1.先将前端代码进行处理。在发送请求时候判断是是否是post或者是put请求,如果是就将body进行加密(本人测试用的是base64)。然后转成json格式传递(如果不转成json,而是直接用base64,就需要修改请求headers,改成"Content-Type":"application/base64"的这种格式,不然后端获取不到body。如果是用application/base64,后端在解密后还需要将请求头改成"Content-Type", "application/json")。
2.后端创建一个过滤器并注册过滤器。这里需要注意一下,当我们获取到加密请求体后,实际的body已经被消费掉了。需要通过filterChain.doFilter(new DecryptingHttpServletRequestWrapper(request, decryptedData), response);这行代码将我们解密后的数据放回请求体
package cn.com.oceansoft.osc.ms.config;
import cn.com.oceansoft.osc.ms.common.utils.StringUtils;
import com.alibaba.fastjson.JSON;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.util.Base64;
/**
* @author
*/
public class DecryptingOncePerRequestFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
if ("POST".equalsIgnoreCase(request.getMethod()) || "PUT".equalsIgnoreCase(request.getMethod())) {
// 读取加密的请求体数据
String encryptedData = readRequestBody(request);
if (StringUtils.isNotBlank(encryptedData)) {
//获取到加密的数据
String val=(String) JSON.parseObject(encryptedData).get("encryptedData");
// Base64解码
String decryptedData =decrypt(val);
// 使用自定义的请求包装器替换原始请求
filterChain.doFilter(new DecryptingHttpServletRequestWrapper(request, decryptedData), response);
}
} else {
// 对于非POST请求,继续过滤器链
filterChain.doFilter(request, response);
}
}
private String readRequestBody(HttpServletRequest request) throws IOException {
StringBuilder stringBuilder = new StringBuilder();
try (BufferedReader reader = request.getReader()) {
String line;
while ((line = reader.readLine()) != null) {
stringBuilder.append(line);
}
}
return stringBuilder.toString();
}
private String decrypt(String encryptedData) throws UnsupportedEncodingException {
// 实现你的解密逻辑
// 这里只是一个示例,需要替换为实际的解密方法
return new String(Base64.getDecoder().decode(encryptedData), "UTF-8");
}
// 自定义的请求包装器
static class DecryptingHttpServletRequestWrapper extends HttpServletRequestWrapper {
private final String decryptedData;
public DecryptingHttpServletRequestWrapper(HttpServletRequest request, String decryptedData) {
super(request);
this.decryptedData = decryptedData;
}
@Override
public ServletInputStream getInputStream() throws IOException {
final ByteArrayInputStream bais = new ByteArrayInputStream(decryptedData.getBytes("UTF-8"));
return new ServletInputStream() {
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener listener) {
}
@Override
public int read() throws IOException {
return bais.read();
}
};
}
@Override
public BufferedReader getReader() throws IOException {
return new BufferedReader(new InputStreamReader(getInputStream()));
}
}
}
package cn.com.oceansoft.osc.ms.config;
import cn.com.oceansoft.osc.ms.config.DecryptingOncePerRequestFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.Filter;
/**
* @author
*/
@Configuration
public class FilterConfig {
@Bean
public FilterRegistrationBean decryptingFilterRegistration() {
FilterRegistrationBean registrationBean =
new FilterRegistrationBean();
//注册过滤器
registrationBean.setFilter(new DecryptingOncePerRequestFilter());
registrationBean.addUrlPatterns("/*"); // 设置过滤器应用的URL模式
registrationBean.setOrder(1); // 设置过滤器的顺序
return registrationBean;
}
}