目前系统发送的post和put请求都是没有加密数据。客户需要将请求体加密。而系统已经基本开发完成,不可能一个一个去修改发送的请求。就需要在发送请求时候在拦截器中将body进行加密。并且在后端进行请求过滤解密,并且能通过@RequestBody继续获取对象。
1.先将前端代码进行处理。在发送请求时候判断是是否是post或者是put请求,如果是就将body进行加密(本人测试用的是base64)。然后转成json格式传递(如果不转成json,而是直接用base64,就需要修改请求headers,改成"Content-Type":"application/base64"的这种格式,不然后端获取不到body。如果是用application/base64,后端在解密后还需要将请求头改成"Content-Type", "application/json")。
2.后端创建一个过滤器并注册过滤器。这里需要注意一下,当我们获取到加密请求体后,实际的body已经被消费掉了。需要通过filterChain.doFilter(new DecryptingHttpServletRequestWrapper(request, decryptedData), response);这行代码将我们解密后的数据放回请求体
package cn.com.oceansoft.osc.ms.config;import cn.com.oceansoft.osc.ms.common.utils.StringUtils;
import com.alibaba.fastjson.JSON;
import org.springframework.web.filter.OncePerRequestFilter;import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.util.Base64;/*** @author */
public class DecryptingOncePerRequestFilter extends OncePerRequestFilter {@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)throws ServletException, IOException {if ("POST".equalsIgnoreCase(request.getMethod()) || "PUT".equalsIgnoreCase(request.getMethod())) {// 读取加密的请求体数据String encryptedData = readRequestBody(request);if (StringUtils.isNotBlank(encryptedData)) {//获取到加密的数据String val=(String) JSON.parseObject(encryptedData).get("encryptedData");// Base64解码String decryptedData =decrypt(val);// 使用自定义的请求包装器替换原始请求filterChain.doFilter(new DecryptingHttpServletRequestWrapper(request, decryptedData), response);}} else {// 对于非POST请求,继续过滤器链filterChain.doFilter(request, response);}}private String readRequestBody(HttpServletRequest request) throws IOException {StringBuilder stringBuilder = new StringBuilder();try (BufferedReader reader = request.getReader()) {String line;while ((line = reader.readLine()) != null) {stringBuilder.append(line);}}return stringBuilder.toString();}private String decrypt(String encryptedData) throws UnsupportedEncodingException {// 实现你的解密逻辑// 这里只是一个示例,需要替换为实际的解密方法return new String(Base64.getDecoder().decode(encryptedData), "UTF-8");}// 自定义的请求包装器static class DecryptingHttpServletRequestWrapper extends HttpServletRequestWrapper {private final String decryptedData;public DecryptingHttpServletRequestWrapper(HttpServletRequest request, String decryptedData) {super(request);this.decryptedData = decryptedData;}@Overridepublic ServletInputStream getInputStream() throws IOException {final ByteArrayInputStream bais = new ByteArrayInputStream(decryptedData.getBytes("UTF-8"));return new ServletInputStream() {@Overridepublic boolean isFinished() {return false;}@Overridepublic boolean isReady() {return false;}@Overridepublic void setReadListener(ReadListener listener) {}@Overridepublic int read() throws IOException {return bais.read();}};}@Overridepublic BufferedReader getReader() throws IOException {return new BufferedReader(new InputStreamReader(getInputStream()));}}
}package cn.com.oceansoft.osc.ms.config;import cn.com.oceansoft.osc.ms.config.DecryptingOncePerRequestFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.Filter;/*** @author */
@Configuration
public class FilterConfig {@Beanpublic FilterRegistrationBean decryptingFilterRegistration() {FilterRegistrationBean registrationBean =new FilterRegistrationBean();//注册过滤器registrationBean.setFilter(new DecryptingOncePerRequestFilter());registrationBean.addUrlPatterns("/*"); // 设置过滤器应用的URL模式registrationBean.setOrder(1); // 设置过滤器的顺序return registrationBean;}
}
