springboot情操陶冶-web配置(七)

摘要： 引數校驗通常是OpenApi必做的操作，其會對不合法的輸入做統一的校驗以防止惡意的請求。本文則對引數校驗這方面作下簡單的分析 spring.factories 讀者應該對此檔案加以深刻的印象，很多springboot整合第三方外掛的方式均是從此配置檔案去讀取的，本文關注下檢驗方面的東...

引數校驗通常是OpenApi必做的操作，其會對不合法的輸入做統一的校驗以防止惡意的請求。本文則對引數校驗這方面作下簡單的分析

spring.factories

讀者應該對此檔案加以深刻的印象，很多springboot整合第三方外掛的方式均是從此配置檔案去讀取的，本文關注下檢驗方面的東西。在相應的檔案搜尋validation 關鍵字，最終定位至ValidationAutoConfiguration 類，筆者這就針對此類作主要的分析

ValidationAutoConfiguration

優先看下其頭上的註解

@Configuration
@ConditionalOnClass(ExecutableValidator.class)
@ConditionalOnResource(resources = "classpath:META-INF/services/javax.validation.spi.ValidationProvider")
@Import(PrimaryDefaultValidatorPostProcessor.class)

使此類成功被註冊的條件有兩個，第一是當前環境下存在ExecutableValidator 類，第二是當前類環境存在META-INF/services/javax.validation.spi.ValidationProvider 檔案。

通過檢視maven依賴得知，其實springboot在引入starter-web 板塊便引入了hibernate-validator 包，此包便滿足了上述的兩個要求。

筆者發現其也引入了PrimaryDefaultValidatorPostProcessor 類，主要是判斷當前的bean工廠是否已經包含了LocalValidatorFactoryBean 和Validator 物件，不影響大局。即使沒有配置，下述的程式碼也是會註冊的

@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
@ConditionalOnMissingBean(Validator.class)
public static LocalValidatorFactoryBean defaultValidator() {
LocalValidatorFactoryBean factoryBean = new LocalValidatorFactoryBean();
MessageInterpolatorFactory interpolatorFactory = new MessageInterpolatorFactory();
factoryBean.setMessageInterpolator(interpolatorFactory.getObject());
return factoryBean;
}

@Bean
@ConditionalOnMissingBean
public static MethodValidationPostProcessor methodValidationPostProcessor(
Environment environment, @Lazy Validator validator) {
MethodValidationPostProcessor processor = new MethodValidationPostProcessor();
boolean proxyTargetClass = environment
.getProperty("spring.aop.proxy-target-class", Boolean.class, true);
processor.setProxyTargetClass(proxyTargetClass);
processor.setValidator(validator);
return processor;
}

通過查閱程式碼得知，使用註解式的校驗方式是通過新增@Validated 註解來實現的，但是其作用於引數上還是類上是有不同的操作邏輯的。筆者將之區分開，方便後續查閱。先附上@Validated 註解原始碼

@Target({ElementType.TYPE, ElementType.METHOD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface Validated {

/**
* Specify one or more validation groups to apply to the validation step
* kicked off by this annotation.
* <p>JSR-303 defines validation groups as custom annotations which an application declares
* for the sole purpose of using them as type-safe group arguments, as implemented in
* {@link org.springframework.validation.beanvalidation.SpringValidatorAdapter}.
* <p>Other {@link org.springframework.validation.SmartValidator} implementations may
* support class arguments in other ways as well.
*/
Class<?>[] value() default {};

}

類級別的校驗

即@Validated 作用於類上，其相關的處理邏輯便是由MethodValidationPostProcessor 來實現的，筆者稍微看下關鍵原始碼方法afterPropertiesSet()

@Override
public void afterPropertiesSet() {
// 查詢對應的類以及祖先類上是否含有@Validated註解
Pointcut pointcut = new AnnotationMatchingPointcut(this.validatedAnnotationType, true);
// 建立MethodValidationInterceptor處理類來處理具體的邏輯
this.advisor = new DefaultPointcutAdvisor(pointcut, createMethodValidationAdvice(this.validator));
}

上述的配置表明只要某個類上使用了@Validated 註解，其相應的方法就會被校驗相關的引數。筆者緊接著看下MethodValidationInterceptor#invoke() 方法

@Override
@SuppressWarnings("unchecked")
public Object invoke(MethodInvocation invocation) throws Throwable {
// 讀取相應方法上的@Validated的value屬性，為空也是沒問題的
Class<?>[] groups = determineValidationGroups(invocation);

// Standard Bean Validation 1.1 API
ExecutableValidator execVal = this.validator.forExecutables();
Method methodToValidate = invocation.getMethod();
Set<ConstraintViolation<Object>> result;

try {
// ①校驗引數
result = execVal.validateParameters(
invocation.getThis(), methodToValidate, invocation.getArguments(), groups);
}
catch (IllegalArgumentException ex) {
// ②校驗對應的橋接方法(相容jdk1.5+後的泛型用法)的引數
methodToValidate = BridgeMethodResolver.findBridgedMethod(
ClassUtils.getMostSpecificMethod(invocation.getMethod(), invocation.getThis().getClass()));
result = execVal.validateParameters(
invocation.getThis(), methodToValidate, invocation.getArguments(), groups);
}
if (!result.isEmpty()) {
throw new ConstraintViolationException(result);
}
// ③校驗對應的返回值
Object returnValue = invocation.proceed();

result = execVal.validateReturnValue(invocation.getThis(), methodToValidate, returnValue, groups);
if (!result.isEmpty()) {
throw new ConstraintViolationException(result);
}

return returnValue;
}

只要類上使用了@Validated 註解，則其下的所有方法都會被校驗。

檢驗規則如下：引數 和返回值 都會被校驗，只要某一個沒有通過，則會丟擲ConstraintViolationException 異常以示警告。

具體的引數校驗屬於hibernate-validator 的範疇了，感興趣的讀者可自行分析~

引數級別的校驗

即@Validated 註解作用於方法的引數上，其有關的校驗則是被springmvc的引數校驗器處理的。筆者在ModelAttributeMethodProcessor#resolveArgument() 方法中查詢到了相應的蛛絲馬跡，列出關鍵的程式碼

@Override
@Nullable
public final Object resolveArgument(MethodParameter parameter, @Nullable ModelAndViewContainer mavContainer,
NativeWebRequest webRequest, @Nullable WebDataBinderFactory binderFactory) throws Exception {

....
Object attribute = null;
BindingResult bindingResult = null;

if (mavContainer.containsAttribute(name)) {
attribute = mavContainer.getModel().get(name);
}
else {
// Create attribute instance
try {
attribute = createAttribute(name, parameter, binderFactory, webRequest);
}
catch (BindException ex) {
.....
}
}

if (bindingResult == null) {
WebDataBinder binder = binderFactory.createBinder(webRequest, attribute, name);
if (binder.getTarget() != null) {
if (!mavContainer.isBindingDisabled(name)) {
bindRequestParameters(binder, webRequest);
}
// 就是這裡
validateIfApplicable(binder, parameter);
if (binder.getBindingResult().hasErrors() && isBindExceptionRequired(binder, parameter)) {
throw new BindException(binder.getBindingResult());
}
}
// Value type adaptation, also covering java.util.Optional
if (!parameter.getParameterType().isInstance(attribute)) {
attribute = binder.convertIfNecessary(binder.getTarget(), parameter.getParameterType(), parameter);
}
bindingResult = binder.getBindingResult();
}

....

return attribute;
}

我們繼續看下其下的validateIfApplicable() 方法

protected void validateIfApplicable(WebDataBinder binder, MethodParameter parameter) {
// 對引數上含有@Validated註解的進行校驗器解析
Annotation[] annotations = parameter.getParameterAnnotations();
for (Annotation ann : annotations) {
Validated validatedAnn = AnnotationUtils.getAnnotation(ann, Validated.class);
if (validatedAnn != null || ann.annotationType().getSimpleName().startsWith("Valid")) {
Object hints = (validatedAnn != null ? validatedAnn.value() : AnnotationUtils.getValue(ann));
Object[] validationHints = (hints instanceof Object[] ? (Object[]) hints : new Object[] {hints});
binder.validate(validationHints);
break;
}
}
}

上述的程式碼已經很簡明概要了，筆者就不展開了。當然如果使用者想要在出現異常的時候進行友好的返回，建議參考ofollow,noindex" target="_blank">springboot情操陶冶-web配置(五) 的異常機制文章便可迎刃而解

小結

引數的校驗一般都是結合spring-context 板塊內的@Validated 註解搭配hibernate的校驗器便完成了相應的檢測功能。邏輯還是很簡單的，希望對大家有所幫助