前言
最近做项目,以前有filter,需要移植到spring boot(filter是servlet时代的产物,不是Spring的)上去,发现一些坑。filter设置次序没用,以前web.xml文件配置的,另外还有多次dofilter的问题,导致某些情况下,返回2份数据。比如下面的
{"name":"tom","age":18}{"name":"tom","age":18}
1. demo
pom
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>2.2.4.RELEASE</version>
</dependency>
main
package com.feng.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.ServletComponentScan;
//@ServletComponentScan
@SpringBootApplication
public class FilterMain {
public static void main(String[] args) {
SpringApplication.run(FilterMain.class, args);
}
}
filter,名称与匹配路径按需设置,注意注入filter最常用有2种方式,
1、@ServletComponentScan扫描(自定义拦截路径,但不支持ordered注解与实现);
2、filter作为bean注入spring(这种方式支持ordered注解或者ordered实现,但不能自定义拦截路径)
package com.feng.demo.filter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import java.io.IOException;
@Component
@WebFilter(urlPatterns = "/*", filterName = "firstFilter")
@Order(998)
public class DemoFilter implements Filter {
private static final Logger LOGGER = LoggerFactory.getLogger(DemoFilter.class);
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse,
FilterChain filterChain) throws IOException, ServletException {
LOGGER.info("=============firstFilter============");
filterChain.doFilter(servletRequest, servletResponse);
}
@Override
public void destroy() {
}
// public int getOrder() {
// return 888;
// }
}
随意写一个controller
package com.feng.demo.controller;
import com.feng.demo.bean.User;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.HashMap;
import java.util.Map;
@RestController
public class HelloController {
@RequestMapping("/hello")
public User sayHello(){
// Map<String, Object> map = new HashMap<String, Object>();
// map.put("hello", "filter");
// return map;
//return "{\"hello\":\"filter\"}";
User user = new User("tom", 18);
return user;
}
}
启动main,访问localhost:8080/hello
笔者这里写了2个filter,打印日志,说明filter拦截成功
2. filter顺序
笔者在写了一个filter
package com.feng.demo.filter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import java.io.IOException;
@Component
@WebFilter(urlPatterns = "/*", filterName = "secondFilter")
@Order(999)
public class SecFilter implements Filter {
private static final Logger LOGGER = LoggerFactory.getLogger(SecFilter.class);
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse,
FilterChain filterChain) throws IOException, ServletException {
try {
LOGGER.info("=============secondFilter============");
//模拟异常
throw new RuntimeException("xxx");
} catch (Exception e) {
filterChain.doFilter(servletRequest, servletResponse);
//e.printStackTrace();
}
filterChain.doFilter(servletRequest, servletResponse);
}
@Override
public void destroy() {
}
// public int getOrder() {
// return 999;
// }
}
这里注意,笔者是故意写错的,当时的情况
当笔者使用Bean注入方式filter,其实走的是系统级filter,默认拦截所有,ordered注解与实现接口生效;
当笔者使用ServletComponentScan扫描时,怎么调节Order注解的值或者实现Ordered接口,所设置的顺序都不会生效,但是拦截路径可配置,可以配置相同的filter名称
要2者同时起作用,最后笔者只能自己注入spring boot的servlet容器才生效
package com.feng.demo;
import com.feng.demo.filter.SecFilter;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.context.annotation.Bean;
import javax.servlet.Filter;
import java.util.ArrayList;
import java.util.Collection;
//@ServletComponentScan
@SpringBootApplication
public class FilterMain {
@Bean
public FilterRegistrationBean<Filter> secFilter() {
FilterRegistrationBean<Filter> filter = new FilterRegistrationBean<>();
filter.setName("orderFilter");
filter.setFilter(new SecFilter());
Collection<String> urlPatterns = new ArrayList<>();
urlPatterns.add("/*");
filter.setUrlPatterns(urlPatterns);
filter.setOrder(99);
return filter;
}
public static void main(String[] args) {
SpringApplication.run(FilterMain.class, args);
}
}
当然,注解要取消掉
package com.feng.demo.filter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import java.io.IOException;
//@Component
//@WebFilter(urlPatterns = "/*", filterName = "secondFilter")
//@Order(999)
public class SecFilter implements Filter {
private static final Logger LOGGER = LoggerFactory.getLogger(SecFilter.class);
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse,
FilterChain filterChain) throws IOException, ServletException {
try {
LOGGER.info("=============secondFilter============");
//模拟异常
throw new RuntimeException("xxx");
} catch (Exception e) {
filterChain.doFilter(servletRequest, servletResponse);
//e.printStackTrace();
}
filterChain.doFilter(servletRequest, servletResponse);
}
@Override
public void destroy() {
}
// public int getOrder() {
// return 999;
// }
}
试过多个filter设置顺序,验证了笔者的观念是没问题的。
3. bug解决
笔者写了一个错误的filter示例,实际代码也存在这样的问题,看不注意真看不出来;而且不是必现,只有特定情况才会出现
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse,
FilterChain filterChain) throws IOException, ServletException {
try {
LOGGER.info("=============secondFilter============");
//模拟异常
throw new RuntimeException("xxx");
} catch (Exception e) {
filterChain.doFilter(servletRequest, servletResponse);
//e.printStackTrace();
}
filterChain.doFilter(servletRequest, servletResponse);
}
表现为返回2个相同的值
{"name":"tom","age":18}{"name":"tom","age":18}
这就很诡异了,最后还是日志发现了猫腻,感谢多打日志
dofilter做了2次,而且上面的demo只有异常才会出现问题,平时正常😓。笔者测试了,只有Controller返回非String时才会出现问题,如果返回String毫无异常
Controller返回String,no problem。诡异,修复filter的bug,返回终于正常了。
当然安全扫描也可能会出现调用2次的现象,但表现为时间相差较大,页面不会感知异常。安全扫描一般扫描GET请求,扫描敏感数据。当然用GET来做insert update操作就悲剧了。因此建议遵循restful风格API,或者加入白名单。
总结
filter是servlet时代的产物,如果spring boot,建议使用拦截器,当然如果为了兼容其他servlet项目也可以使用,只是没有web.xml文件比较麻烦。笔者这次填了不少坑,以上是笔者经验,希望对大家有所帮助。