
Commit d566e8a

committed
新增POST_GET方法,对应安全schema;AcceessVerifier新增verifyUserId方法
1 parent 6870389 commit d566e8a

8 files changed

Lines changed: 176 additions & 55 deletions


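--- /dev/null
+++ b/[path-not-shown-on-page]/RequestMethod.java
@@ -0,0 +1,23 @@
+/*Copyright ©2016 TommyLemon(https://github.com/TommyLemon/APIJSON)
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.*/
+
+package zuo.biao.apijson;
+
+/**请求方法,对应org.springframework.web.bind.annotation.RequestMethod,多出一个POST_GET方法
+* @author Lemon
+*/
+public enum RequestMethod {
+
+GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS, TRACE, POST_GET
+}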

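--- a/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/Table.java
+++ b/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/Table.java
@@ -3,6 +3,7 @@
 public class Table {
 
 public static final String ID = "id";
+public static final String USER_ID = "userId";
 public static final String NAME = "name";
 public static final String SEX = "sex";
 public static final String PHONE = "phone";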

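--- a/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/ClientTest.java
+++ b/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/ClientTest.java
@@ -14,7 +14,7 @@
 
 package zuo.biao.apijson.server;
 
-import org.springframework.web.bind.annotation.RequestMethod;
+import zuo.biao.apijson.RequestMethod;
 
 /**mock test of client
 * @author Lemon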

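--- a/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/Controller.java
+++ b/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/Controller.java
@@ -29,12 +29,12 @@ public class Controller {
 
 @RequestMapping("get/{request}")
 public String get(@PathVariable String request) {
-return new RequestParser(RequestMethod.GET).parse(request);
+return new RequestParser(zuo.biao.apijson.RequestMethod.GET).parse(request);
 }
 
 @RequestMapping(value="post", method = RequestMethod.POST)
 public String post(@RequestBody String request) {
-return new RequestParser(RequestMethod.POST).parse(request);
+return new RequestParser(zuo.biao.apijson.RequestMethod.POST).parse(request);
 }
 
 /**用POST方法GET数据,request和response都非明文,浏览器看不到,用于对安全性要求高的GET请求
@@ -43,20 +43,19 @@ public String post(@RequestBody String request) {
 */
 @RequestMapping(value="post_get", method = RequestMethod.POST)
 public String post_get(@RequestBody String request) {
-return new RequestParser(RequestMethod.GET).parse(request);
 }
 
 /**以下接口继续用POST接口是为了客户端方便,只需要做get,post请求。也可以改用实际对应的方法。
 * post,put方法名可以改为add,update等更客户端容易懂的名称
 */
 @RequestMapping(value="delete", method = RequestMethod.POST)
 public String delete(@RequestBody String request) {
-return new RequestParser(RequestMethod.DELETE).parse(request);
+return new RequestParser(zuo.biao.apijson.RequestMethod.DELETE).parse(request);
 }
 
 @RequestMapping(value="put", method = RequestMethod.POST)
 public String put(@RequestBody String request) {
-return new RequestParser(RequestMethod.PUT).parse(request);
+return new RequestParser(zuo.biao.apijson.RequestMethod.PUT).parse(request);
 }
 
 }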
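Review bot: `post_get` is left without a body — the second hunk deletes its `return new RequestParser(RequestMethod.GET).parse(request);` line and adds nothing in its place, so a method declared to return `String` returns nothing and the file will not compile (the file's 4 additions / 5 deletions confirm no replacement line was dropped by the renderer). Given the enum value this commit introduces, the intended line is presumably `return new RequestParser(zuo.biao.apijson.RequestMethod.POST_GET).parse(request);`, which is also what lets the new POST_GET branch in `RequestParser` ever be reached. The fully-qualified `zuo.biao.apijson.RequestMethod` in every handler is forced by the Spring `RequestMethod` still used in `@RequestMapping(method = ...)`; a one-line comment above `get` such as `// qualified: Spring's RequestMethod is imported for @RequestMapping` would save the next reader the question.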

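--- a/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/QueryConfig.java
+++ b/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/QueryConfig.java
@@ -19,11 +19,10 @@
 import java.util.Map;
 import java.util.Set;
 
-import org.springframework.web.bind.annotation.RequestMethod;
-
 import com.alibaba.fastjson.JSONObject;
 
 import zuo.biao.apijson.JSON;
+import zuo.biao.apijson.RequestMethod;
 import zuo.biao.apijson.StringUtil;
 import zuo.biao.apijson.Table;
 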
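--- a/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/RequestParser.java
+++ b/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/RequestParser.java
@@ -24,11 +24,10 @@
 import java.util.Set;
 import java.util.regex.Pattern;
 
-import org.springframework.web.bind.annotation.RequestMethod;
-
 import com.alibaba.fastjson.JSONObject;
 
 import zuo.biao.apijson.JSON;
+import zuo.biao.apijson.RequestMethod;
 import zuo.biao.apijson.StringUtil;
 import zuo.biao.apijson.Table;
 import zuo.biao.apijson.server.sql.AccessVerifier;
@@ -80,7 +79,7 @@ public JSONObject parseResponse(String request) {
 return newErrorResult(e);
 }
 System.out.println("\n\n\n\n<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n " + TAG + requestMethod.name()
-+ "/parseResponse request = " + request);
++ "/parseResponse request = " + request);
 
 relationMap = new HashMap<String, String>();
 parseRelation = false;
@@ -106,7 +105,7 @@ public JSONObject parseResponse(String request) {
 
 
 requestObject = AccessVerifier.removeAccessInfo(requestObject);
-if (isGetMethod(requestMethod)) {
+if (isGetMethod(requestMethod) || requestMethod == RequestMethod.POST_GET) {
 requestObject = error == null ? extendSuccessResult(requestObject)
 : extendResult(requestObject, 206, "未完成全部请求:\n" + error.getMessage());
 }
@@ -706,7 +705,7 @@ public static JSONObject getJSONObject(JSONObject object, String key) {
 */
 private synchronized JSONObject getSQLObject(QueryConfig config) throws Exception {
 System.out.println("getSQLObject config = " + JSON.toJSONString(config));
-AccessVerifier.verify(requestMethod, requestObject, config == null ? null : config.getTable());
+AccessVerifier.verify(requestObject, config);
 return QueryHelper.getInstance().select(config);//QueryHelper2.getInstance().select(config);//
 }
 
@@ -721,12 +720,12 @@ private QueryConfig newQueryConfig(String table, JSONObject request) {
 
 
 private static final Pattern bigAlphaPattern = Pattern.compile("[A-Z]");
+private static final Pattern namePattern = Pattern.compile("^[0-9a-zA-Z_]+$");//已用55个中英字符测试通过
 
 public static boolean isTableKey(String key) {
-key = StringUtil.getString(key);
-
-return StringUtil.isNotEmpty(key, false) && isArrayKey(key) == false
-&& bigAlphaPattern.matcher(key.substring(0, 1)).matches();
+return StringUtil.isNotEmpty(key, false)
+&& bigAlphaPattern.matcher(key.substring(0, 1)).matches()
+&& namePattern.matcher(key.substring(1)).matches();
 }
 public static boolean isArrayKey(String key) {
 return key != null && key.endsWith("[]");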
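Review bot: In the last hunk `namePattern` uses `+`, so `isTableKey` now rejects every one-character key such as `U` — `key.substring(1)` is empty and cannot match — which the previous implementation accepted; if one-letter table names are valid the pattern should be `^[0-9a-zA-Z_]*$`, otherwise the stricter rule deserves a comment. The new pattern does subsume the dropped `isArrayKey` check, since `[` and `]` are outside the allowed set, and restricting a table key to this charset is presumably what keeps the name safe to splice into SQL downstream, so it is worth stating: `// table key = leading capital + [0-9a-zA-Z_]; also excludes the "[]" array suffix`. In the third hunk, `isGetMethod(requestMethod) || requestMethod == RequestMethod.POST_GET` suggests folding POST_GET into `isGetMethod` itself (its body is outside this diff) so other call sites pick the new method up as well.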

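--- a/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/sql/AccessVerifier.java
+++ b/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/sql/AccessVerifier.java
@@ -2,11 +2,11 @@
 
 import java.rmi.AccessException;
 
-import org.springframework.web.bind.annotation.RequestMethod;
-
 import com.alibaba.fastjson.JSONObject;
 
+import zuo.biao.apijson.RequestMethod;
 import zuo.biao.apijson.StringUtil;
+import zuo.biao.apijson.server.QueryConfig;
 
 /**权限验证类
 * @author Lemon
@@ -21,39 +21,65 @@ public class AccessVerifier {
 public static final String KEY_LOGIN_PASSWORD = "loginPassword";
 public static final String KEY_PAY_PASSWORD = "payPassword";
 
-// public static final String[] LOGIN_ACCESS_TABLE_NAMES = {"Work", "Comment"};
-public static final String[] PAY_ACCESS_TABLE_NAMES = {"Wallet"};
+public static final String[] LOGIN_ACCESS_TABLE_NAMES = {"Wallet"};
+public static final String[] PAY_ACCESS_TABLE_NAMES = {};
 
 /**验证权限是否通过
-* @param method
 * @param request
-* @param tableName
+* @param config
 * @return
+* @throws Exception
 */
-public static boolean verify(RequestMethod method, JSONObject request, String tableName) throws AccessException {
-return verify(method, request, getAccessId(tableName));
-}
+public static boolean verify(JSONObject request, QueryConfig config) throws Exception {
+String table = config == null ? null : config.getTable();
+if (table == null) {
+return true;
+}
+if (request == null) {
+return false;
+}
 
+long currentUserId = request.getLongValue(KEY_CURRENT_USER_ID);
 
-/**验证权限是否通过
-* @param method
+switch (config.getMethod()) {
+case GET:
+case POST_GET:
+if ("Wallet".equals(table) || "Password".equals(table)) {
+verifyUserId(currentUserId, config);
+}
+break;
+case POST:
+case PUT:
+case PATCH:
+case DELETE:
+verifyUserId(currentUserId, config);
+break;
+default:
+break;
+}
+
+return verifyAccess(request, table, config.getMethod(), currentUserId);
+}
+
+/**
 * @param request
-* @param accessId 可以直接在代码里写ACCESS_LOGIN等,或者建一个Access表,包括id和需要改权限的table的tableName列表
-* @return
+* @param table
+* @param method
+* @param currentUserId
+* @return
 * @throws AccessException
 */
-public static boolean verify(RequestMethod method, JSONObject request, int accessId) throws AccessException {
-if (accessId < 0 || request == null) {
+private static boolean verifyAccess(JSONObject request, String table, RequestMethod method, long currentUserId) throws AccessException {
+int accessId = getAccessId(method, table);
+if (accessId < 0) {
 return true;
 }
-long currentUserId = request.getLongValue(KEY_CURRENT_USER_ID);
 if (currentUserId <= 0) {
 System.out.println(TAG + "verify accessId = " + accessId
 + " >> currentUserId <= 0, currentUserId = " + currentUserId);
 throw new AccessException("请设置"+ KEY_CURRENT_USER_ID + "和对应的password!");
 }
 String password;
-
 switch (accessId) {
 case ACCESS_LOGIN:
 password = StringUtil.getString(request.getString(KEY_LOGIN_PASSWORD));
@@ -63,6 +89,7 @@ public static boolean verify(RequestMethod method, JSONObject request, int acces
 + " currentUserId = " + currentUserId + ", loginPassword = " + password);
 throw new AccessException(KEY_CURRENT_USER_ID + "或" + KEY_LOGIN_PASSWORD + "错误!");
 }
+break;
 case ACCESS_PAY:
 password = StringUtil.getString(request.getString(KEY_PAY_PASSWORD));
 if (password.equals(StringUtil.getString(getPayPassword(currentUserId))) == false) {
@@ -71,9 +98,36 @@ public static boolean verify(RequestMethod method, JSONObject request, int acces
 + " currentUserId = " + currentUserId + ", payPassword = " + password);
 throw new AccessException(KEY_CURRENT_USER_ID + "或" + KEY_PAY_PASSWORD + "错误!");
 }
-default:
-return true;
+break;
 }
+return true;
+}
+/**
+* @param currentUserId
+* @param config
+* @return
+* @throws Exception
+*/
+private static boolean verifyUserId(long currentUserId, QueryConfig config) throws Exception {
+// if (currentUserId <= 0 || config == null) {
+// return true;
+// }
+// Map<String, Object> where = config.getWhere();
+// long userId = 0;
+// String table = StringUtil.getString(config.getTable());
+// if (where != null) {
+// try {
+// String key = "User".equals(table) ? Table.ID : Table.USER_ID;
+// userId = (long) where.get(key);
+// } catch (Exception e) {
+// // TODO: handle exception
+// }
+// }
+// if (userId != currentUserId) {
+// throw new IllegalArgumentException(table + "的userId和currentUserId不一致!");
+// }
+
+return true;
 }
 
 
@@ -82,17 +136,17 @@ public static boolean verify(RequestMethod method, JSONObject request, int acces
 * @param tableName
 * @return
 */
-public static int getAccessId(String tableName) {
-if (StringUtil.isNotEmpty(tableName, true) == false) {
+public static int getAccessId(RequestMethod method, String table) {
+if (StringUtil.isNotEmpty(table, true) == false) {
 return -1;
 }
-// for (int i = 0; i < LOGIN_ACCESS_TABLE_NAMES.length; i++) {
-// if (tableName.equals(LOGIN_ACCESS_TABLE_NAMES[i])) {
-// return ACCESS_LOGIN;
-// }
-// }
+for (int i = 0; i < LOGIN_ACCESS_TABLE_NAMES.length; i++) {
+if (table.equals(LOGIN_ACCESS_TABLE_NAMES[i])) {
+return ACCESS_LOGIN;
+}
+}
 for (int i = 0; i < PAY_ACCESS_TABLE_NAMES.length; i++) {
-if (tableName.equals(PAY_ACCESS_TABLE_NAMES[i])) {
+if (table.equals(PAY_ACCESS_TABLE_NAMES[i])) {
 return ACCESS_PAY;
 }
 }
@@ -105,7 +159,7 @@ public static int getAccessId(String tableName) {
 */
 public static String getLoginPassword(long userId) {
 // TODO 查询并返回对应userId的登录密码
-return "123456";//仅测试用
+return "apijson123";//仅测试用
 }
 
 /**获取支付密码
@@ -130,4 +184,11 @@ public static JSONObject removeAccessInfo(JSONObject requestObject) {
 return requestObject;
 }
 
+
+// public static class Access {
+// public static class Get {
+// public static final String[] LOGIN_ACCESS_TABLE_NAMES = {"Wallet"};
+// }
+// }
+
 }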
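Review bot: `verifyUserId` (fourth hunk) is a stub — its entire ownership check is commented out and it unconditionally returns `true` — yet `verify` in the second hunk calls it for every POST/PUT/PATCH/DELETE and for GET/POST_GET on `Wallet` and `Password` as though it enforced that the addressed row's userId matches `currentUserId`, so the new per-method dispatch adds no restriction at all. Until the check is implemented that should be visible at the definition, e.g. `// TODO(security): placeholder — does not yet compare where.userId/id with currentUserId; callers currently get no ownership enforcement`, and its ignored boolean return sits oddly next to the exception-based contract the commented-out code sketches. Two smaller points in the same hunk: `verify` returns `true` whenever `config` or its table is null, which is fail-open rather than fail-closed, and `getAccessId` gains a `method` parameter it never reads. `"Password"` is special-cased in the switch but appears in neither `LOGIN_ACCESS_TABLE_NAMES` nor `PAY_ACCESS_TABLE_NAMES`, so `verifyAccess` returns `true` for it without any password check — confirm that is intended.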
