需求

假如用户没有传递cooperatorId,那么默认等于uin。

常规做法是在interceptor或者filter或者action中判断如果没有cooperatorId参数,则设置到request的parameterMap中:

String cooperatorId = request.getParameter("cooperatorId");
if(cooperatorId == null){
    request.getParameterMap().put("cooperatorId",request.getParameter("uin")) ;
}

问题

public interface ServletRequest {
    
    ...
    
    /** Returns a java.util.Map of the parameters of this request.
     * Request parameters
     * are extra information sent with the request.  For HTTP servlets,
     * parameters are contained in the query string or posted form data.
     *
     * @return an immutable java.util.Map containing parameter names as
     * keys and parameter values as map values. The keys in the parameter
     * map are of type String. The values in the parameter map are of type
     * String array.
     *
     */
    public Map getParameterMap();

    ...
}

但是HttpServletRequest.getParameterMap()返回的是immutable的java.util.Map,所以不能直接修改parameterMap。只能另辟蹊径了。

解决方案

虽然request本身的属性是不可修改的,但是方法确是可以重载的,假如我们定义一个HttpServerRequest的子类,覆盖他的getParameter()和getParameterMap()方法,让其好像有cooperatorId这请求参数一般,也可以达到我们的目的。J2EE提供了一个HttpServletRequestWrapper可以帮我们很方便实现这个子类:

/**
 *
 * Provides a convenient implementation of the HttpServletRequest interface that
 * can be subclassed by developers wishing to adapt the request to a Servlet.
 * This class implements the Wrapper or Decorator pattern. Methods default to
 * calling through to the wrapped request object.
 *
 *
 * @see   javax.servlet.http.HttpServletRequest
  * @since    v 2.3
 *
 */
public class HttpServletRequestWrapper extends ServletRequestWrapper implements HttpServletRequest {
   ...
}

代码实现:

package me.arganzheng.study;

import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
* <pre>
* Api HttpServletRequest,主要是完成如下功能:
* 背景:现在我们所有的API都是要求传递cooperatorId,而且cooperatorId的定位是卖家QQ号。但是现在逐渐有针对买家的三方应用出现。
* 这些应用是以买家为纬度的,不需要传递cooperatorId。但是我们现在的鉴权体系包括后台的IDL都是要求传递cooperatorId,这里提出了这么一个逻辑:
* 如果没有传递cooperatorId,那么默认就是授权者,即uin。这样cooperatorId只有在和uin不同的情况下才需要传递。
* 通过这样,给买家用户造成一个不需要传递cooperatorId的假象。而且这个逻辑也是简化参数传递不错的逻辑。
*
* @author arganzheng
* @date 2012-9-10
*/
@SuppressWarnings({ "rawtypes", "unchecked" })
public class ApiHttpServletRequest extends HttpServletRequestWrapper {

    private static final String UIN = "uin";
     private static final String COOPERATOR_ID = "cooperatorId";

     public ApiHttpServletRequest(HttpServletRequest request){
        super(request);
    }

    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        if(value == null && COOPERATOR_ID.equals(name)){
             value = super.getParameter(UIN);
        }
        return value;
    }

     @Override
    public Map getParameterMap() {
         Map map = super.getParameterMap();
         if(!map.containsKey(COOPERATOR_ID) && map.containsKey(UIN)){
              map = new HashMap(map);
              map.put(COOPERATOR_ID, map.get(UIN));
         }
         return map;

    }

     @Override
     public Enumeration getParameterNames() {
          if(super.getParameter(COOPERATOR_ID) == null && super.getParameter(UIN) != null){
               return Collections.enumeration(getParameterMap().keySet());
          }else{
               return super.getParameterNames();
          }
     }

     @Override
     public String[] getParameterValues(String name) {
          String[] values = super.getParameterValues(name);
          if(values == null && COOPERATOR_ID.equals(name)){
               values = super.getParameterValues(UIN);
          }
          return values;
     }
}

package me.arganzheng.study.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import me.arganzheng.study.ApiHttpServletRequest;

/**
* 如果没有传递cooperatorId,那么默认就是授权者,即uin。这样cooperatorId只有在和uin不同的情况下才需要传递。
*
* @author arganzheng
* @date 2012-9-10
*/

public class ApiResetServletRequestFilter implements Filter {

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, 
            FilterChain filterChain) throws IOException, ServletException {
        filterChain.doFilter(new ApiHttpServletRequest((HttpServletRequest) request), response);
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }

}

然后在web.xml中配置一个filter:

<filter>
    <filter-name>ApiResetServletRequestFilter</filter-name>
        <filter-class>
            me.arganzheng.study.filter.ApiResetServletRequestFilter
        </filter-class>
    </filter>
<filter-mapping>
    <filter-name>ApiResetServletRequestFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

补充:关于unmodifiableMap

其实Java的unmodifiableMap,其实现原理就是利用Java的final变量的immutable特性+函数重载。final特性保证了变量引用的immutable,而将写接口重载使得内容不可更改了。具体代码如下:

public class Collections {
    // Suppresses default constructor, ensuring non-instantiability.
    private Collections() {
    }
    /**
     * Returns an unmodifiable view of the specified map.  This method
     * allows modules to provide users with "read -only" access to internal
     * maps.  Query operations on the returned map "read through"
     * to the specified map, and attempts to modify the returned
     * map, whether direct or via its collection views, result in an
     * <tt>UnsupportedOperationException</tt> .<p>
     *
     * The returned map will be serializable if the specified map
     * is serializable.
     *
     * @param  m the map for which an unmodifiable view is to be returned.
     * @return an unmodifiable view of the specified map.
     */
    public static <K,V> Map<K,V> unmodifiableMap(Map<? extends K, ? extends V> m) {
     return new UnmodifiableMap<K,V>(m);
    }


    /**
     * @serial include
     */
    private static class UnmodifiableMap <K,V> implements Map<K,V>, Serializable {
     // use serialVersionUID from JDK 1.2.2 for interoperability
     private static final long serialVersionUID = -1034234728574286014L;


     private final Map<? extends K, ? extends V> m;


     UnmodifiableMap(Map<? extends K, ? extends V> m) {
            if (m==null )
                throw new NullPointerException();
            this.m = m;
        }


     public int size()                { return m .size();}
     public boolean isEmpty()              {return m.isEmpty();}
     public boolean containsKey(Object key)   {return m.containsKey(key);}
     public boolean containsValue(Object val) {return m.containsValue(val);}
     public V get(Object key)              { return m.get(key);}


     public V put(K key, V value) {
         throw new UnsupportedOperationException();
        }
     public V remove(Object key) {
         throw new UnsupportedOperationException();
        }
     public void putAll(Map<? extends K, ? extends V> m) {
         throw new UnsupportedOperationException();
      }
     public void clear() {
         throw new UnsupportedOperationException();
      }
               ...
    }
}

也可以通过反射改变unmodifiedMap的特性。

具体例子:参见 http://vangjee.wordpress.com/2009/02/25/how-to-modify-request-headers-in-a-j2ee-web-application/

不过貌似只能通过Cache访问了。

补记:另一个实战例子 2015-07-24

最近在做一个新项目,出于对用户隐私的考虑,需要对所有提交的参数进行加密,不让用户知道我们到底提交了什么,特别是统计参数(语言、国际、版本、uid等)。原来浏览器那边也有类似的需求,于是打算直接用他们那一套加密机制。参数就约定为_p=加密后的JSON串。比如

_p=3lg62PMuu5QhfQAn8HxmjUQndEdunnPa2JjrnPHT2IEjqNVsDvin2z0UhUypPXGvif4hXibzuCbjJu6RUX9%252Bs7rq8VslqGZAr4XdsKs6XnWjnG8DXKtad3TyQlDTux9MQgESqZXlWGjvxzK0NHb5I995HzBvMmmqtZzbl0O4%252FwouMT4xZuNxelACNceoQkno6IEF%252BUIFclwDyRiNE6QqVNupOR5cYdqE75u1kEpMRePZivOlrX%252FeFBXf%252FhWC0xVHQdbFAuJGSgUr%252BzxcdC05%252BX74nufbkL8GJzNJktS47tWVJHiMArwk2ziXIcvDNDfdfJF%252F02Cq8Lt4in1oBFPR0mTZIKYariNNlv1I%252BuueZMUzjg1YFvDTvalFmkyeChWWNfAoLrQNf9vfHKRro8de7AknPTdh0UgE5kfauFq%252FAzi6b1zOIRCih9gZcCHXw477YdDw8gtrYQX0X2ACBDut%252BHliMF7CCO4STi9cdS85HCKl9L5yzZXTqBNrwlWiGr8Y6QSITvxFj5jne1sokTOkR%252FAZbOjqUnoQAhGV5G%252Bt32R3SkM4tZkO6rLMJ4j40dw7XY%252FCWfKX9JGG2Pd6ZJHwyfxCPFPXOOcdfSrgstTnFu4mbrIEXFhl9YwI%252Fd04IA%252F3%252FdFWx7sAc2vnDOfCpzQbQvPWdjQLv%252BlwVS6kn%252BAUzYME%253D

解密之后就变成了:

_p={"pt":"dl","uid":"1234556","cf":"gp","co":"us","la":"en","of":"gp","pr":"","sv":"a_22","av":"1.1.0.1002","packageNames":["com.example.android.apis","com.dianxinos.powermanager","com.android.gesture.builder","com.hexin.plat.android","com.google.android.apps.plus","com.google.android.inputmethod.pinyin"]}

然后将JSON串反序列化成Java POJO对象,进行相应的操作,实现起来大概是这个样子:

@RequestMapping(value = “/getAppCategory”)
@ResponseBody
public RestResponse<Map<String, String>> getAppCategory(HttpServletRequest request){
	String params = request.getParameter("_p");
    Assert.notEmpty(params);

    String reqString = params;
    if (ConfigurationTool.decodeParameter()) { // if need decode
        reqString = ParameterUtil.decodeParameter(params);
    }

    GetAppCategoryRequest getAppCategoryRequest = objectMapper.readValue(reqString, GetAppCategoryRequest.class);

    // do string
    ...
}

虽然,我们把加密过程封装了,但是有如下三个问题:

  1. 每个方法都要做解密,反序列化过程,麻烦
  2. 接收参数只能是通用的HttpServletRequest,无法自动使用Spring MVC的参数注入
  3. 不方便测试,即使这里用配置参数决定要不要加密,提交一个JSON串仍然没有传统的k-v方式简单友好

于是想一下能不能将这一切透明化,让服务端以为客户端提交的还是传统的k-v方式呢?一个简单的想法就是通过在filter或者interceptor中将_p参数提取出来,然后反序列化,再将参数一个个重新塞入HttpServletRequest中。

如上讨论,传统的HttpServletRequest是不可修改的,于是写了这么一个类:

package me.arganzheng.study.sever.launcher.common;

import java.io.IOException;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang.StringUtils;
import org.codehaus.jackson.annotate.JsonProperty;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.annotate.JsonSerialize.Inclusion;
import org.codehaus.jackson.type.TypeReference;

import me.arganzheng.study.server.launcher.request.BaseRequest;
import me.arganzheng.study.server.launcher.util.ConfigurationTool;
import me.arganzheng.study.server.launcher.util.ParameterUtil;

public class ApiHttpServletRequest extends HttpServletRequestWrapper {

    private static ObjectMapper objectMapper = new ObjectMapper();

    private static Map<String, String> baseReqKeyMap = new HashMap<String, String>();

    static {
        objectMapper.setSerializationConfig(objectMapper.getSerializationConfig().withSerializationInclusion(
                Inclusion.NON_NULL));

        Field[] fileds = BaseRequest.class.getDeclaredFields();
        for (Field f : fileds) {
            String fname = f.getName();
            JsonProperty jsonPropertyAnnotation = f.getAnnotation(JsonProperty.class);
            if (jsonPropertyAnnotation != null) {
                String shortName = jsonPropertyAnnotation.value();
                baseReqKeyMap.put(shortName, fname);
            }
        }
    }

    // modified parameters map
    private final Map<String, String[]> parameters = new TreeMap<String, String[]>();

    public ApiHttpServletRequest(HttpServletRequest request) {
        super(request);

        // 请求参数是特殊的_p=加密的JSON字符串
        String params = request.getParameter("_p");
        if (StringUtils.isBlank(params)) {
            parameters.putAll(super.getParameterMap());
            return;
        }

        // for API requests
        String reqString = params;
        if (ConfigurationTool.decodeParameter()) {
            reqString = ParameterUtil.decodeParameter(params);
        }

        // parse json and put it to request parameters map.
        try {
            Map<String, Object> req = objectMapper.readValue(reqString, new TypeReference<Map<String, Object>>() {
            });
            if (req != null) {
                addMapEntries(req);
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
        // put the original param value back
        parameters.put("_p", new String[] { reqString });
    }

    private void addMapEntries(Map<String, Object> req) {
        if (req != null && !req.isEmpty()) {
            for (Map.Entry<String, Object> prop : req.entrySet()) {
                Object value = prop.getValue();
                if (value != null) {
                    if (value instanceof Collection<?>) {
                        Collection<?> a = (Collection<?>) value;
                        List<String> v = new ArrayList<String>();
                        for (Object e : a) {
                            v.add(e.toString());
                        }
                        parameters.put(getKey(prop.getKey()), v.toArray(new String[0]));
                    } else {
                        String svalue = value.toString();
                        parameters.put(getKey(prop.getKey()), new String[] { svalue });
                    }
                }
            }
        }
    }

    private String getKey(String key) {
        String v = baseReqKeyMap.get(key);
        if (v == null) {
            return key;
        }
        return v;
    }

    @Override
    public String getParameter(String name) {
        String[] strings = getParameterMap().get(name);
        if (strings != null) {
            return strings[0];
        }
        return super.getParameter(name);
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        // Return an unmodifiable collection because we need to uphold the interface contract.
        return Collections.unmodifiableMap(parameters);
    }

    @Override
    public Enumeration<String> getParameterNames() {
        return Collections.enumeration(getParameterMap().keySet());
    }

    @Override
    public String[] getParameterValues(final String name) {
        return getParameterMap().get(name);
    }

}

然后写个filter偷梁换柱一下:

package me.arganzheng.study.server.launcher.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import me.arganzheng.study.server.launcher.common.ApiHttpServletRequest;

public class ApiResetServletRequestFilter implements Filter {

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,
            ServletException {
        filterChain.doFilter(new ApiHttpServletRequest((HttpServletRequest) request), response);
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }

}

然后在web.xml中注册一下:

<filter>
	<filter-name>ApiResetServletRequestFilter</filter-name>
	<filter-class>me.arganzheng.study.server.launcher.filter.ApiResetServletRequestFilter</filter-class>
</filter>
<filter-mapping>
	<filter-name>ApiResetServletRequestFilter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

Done!现在我们可以这样子接受请求参数了:

@RequestMapping(value = "/getAppCategory")
@ResponseBody
public RestResponse<Map<String, String>> getAppCategory(GetAppCategoryRequest getAppCategoryRequest) {
	// do string
    ...
}

GetAppCategoryRequest定义如下:

package me.arganzheng.study.server.launcher.request;

import java.util.List;

public class GetAppCategoryRequest extends BaseRequest {

    private List<String> packageNames;

    public List<String> getPackageNames() {
        return packageNames;
    }

    public void setPackageNames(List<String> packageNames) {
        this.packageNames = packageNames;
    }
}

其中BaseRequest定义如下:

public class BaseRequest {

    // API版本
    private String api;

    // 产品,固定值 dl
    @JsonProperty("pt")
    private String product = "*";

    // App语言标识
    @JsonProperty("la")
    private String language = "*";

    // 当前渠道号
    @JsonProperty("cf")
    private String currentFrom = "*";

    // 原始渠道
    @JsonProperty("of")
    private String oldFrom = "*";

    // App版本
    @JsonProperty("av")
    private String appVersion = "*";

    @JsonProperty("sv")
    private String sdkVersion = "*";

    // 系统国家标识 (两位,大写字母) http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
    @JsonProperty("co")
    private String country = "*";

    // 运营商
    @JsonProperty("pr")
    private String provider = "*";

    // ...
} 

并且可以使用_p=加密的JSON串提交,也可以用打散的key-value方式提交请求了,方便测试。