在spring开发中,对入参进行校验是一种常见且必须的需求,下面对springboot中引入validation组件实现校验进行简单的分析一下。
Java API 规范 JSR303 定义了 Bean 校验的标准,但没提供实现,而常用的hibernate validation则是对这个规范的实现,提供了校验注解@Min、@Max等。spring validation是对hibernate validation的二次封装,用于spirng中参数的校验。
若springboot版本低于2.3.时,spring-boot-starter-web会自动传入hibernate-validation依赖,若是版本高于2.3.,则需要手动引入hibernate-validation依赖。
示例如下图
对于web服务,为防止非法参数对业务造成影响,在controller层对http请求传递的参数进行校验分析。requestBody以json形式接收参数。
在http请求中,POST类型请求主要使用requestBody传递参数,后端使用*DTO对象接收参数,此时只须给DTO对象添加@Validated或@Valid注解,在DTO对象的字段上添加声明式约束注解,就能实现自动参数校验。其中Valid是java提供的javax.validation.Valid;,Validated是spring提供的org.springframework.validation.annotation.Validated;。
实例1
@PostMapping("add")
public Object addUser(@RequestBody @Valid UserDTO param){
System.out.printf("save user id is %s", param.getUserId());
return param;
}
@PostMapping("update")
public Object updateUser(@RequestBody @Validated UserDTO param){
System.out.printf("update user is %s", param.getUserId());
return param;
}
@Data
public class UserDTO {
private Long userId;
@NotNull
@Length(min = 2, max = 10)
private String userName;
@NotNull
@Length(min = 6, max = 20)
private String account;
@NotNull
@Length(min = 6, max = 20)
private String password;
}
返回
在http请求中,GET类型请求主要使用requestParam/PathVariable传递参数,此时必须在controller类上标注@validated注解,在DTO对象的字段上添加声明式约束注解或在入参上添加声明式约束注解,完成参数校验。
实例2
返回
如果校验失败,会抛出MethodArgumentNotValidException或ConstraintViolationException异常,在实际工程中,通常通过统一异常处理来返回一个更友好的提示。
实例3
@RestControllerAdvice
public class CommonExceptionHandler {
@ExceptionHandler({MethodArgumentNotValidException.class})
public Object handleMethodArgumentNotValidException(MethodArgumentNotValidException ex) {
BindingResult bindingResult = ex.getBindingResult();
StringBuilder sb = new StringBuilder("校验失败,");
for (FieldError fieldError : bindingResult.getFieldErrors()) {
sb.append(fieldError.getField()).append(":").append(fieldError.getDefaultMessage()).append(", ");
}
String msg = sb.toString();
return ResponseData.fail(msg,400);
}
@ExceptionHandler({ConstraintViolationException.class})
public Object handleConstraintViolationException(ConstraintViolationException ex) {
return ResponseData.fail(ex.getMessage(), 400);
}
}
返回
如果有多个接口需要使用同一个DTO对象来接收参数,而不同的接口的校验规则是不一样的,通常通过分组校验来实现。
实例4
@Data
public class UserDTO {
@NotNull(groups = Update.class)
@Min(value = 1000L, groups = Update.class)
private Long userId;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 2, max = 10, groups = {Insert.class, Update.class})
private String userName;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 6, max = 20, groups = {Insert.class, Update.class})
private String account;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 6, max = 20, groups = {Insert.class, Update.class})
private String password;
}
public interface Insert {
}
public interface Update {
}
@PostMapping("add3")
public Object addUser3(@RequestBody @Validated(Insert.class) UserDTO param){
System.out.printf("save user id is %s", param.getUserId());
return param;
}
@PostMapping("update3")
public Object updateUser3(@RequestBody @Validated(Update.class) UserDTO param){
System.out.printf("update user is %s", param.getUserId());
return param;
}
返回
如果DTO对象里面的字段有基本数据类型,也出现了某个字段是一个对象,这时通过嵌套校验来实现。需要注意的是,此时DTO类的对应字段必须标记@Valid注解。
实例5
@Data
public class UserDTO {
@NotNull(groups = Update.class)
@Min(value = 1000L, groups = Update.class)
private Long userId;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 2, max = 10, groups = {Insert.class, Update.class})
private String userName;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 6, max = 20, groups = {Insert.class, Update.class})
private String account;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 6, max = 20, groups = {Insert.class, Update.class})
private String password;
@NotNull(groups = {Insert.class, Update.class})
@Valid
private Job job;
@Data
public static class Job {
@NotNull(groups = Update.class)
@Min(value = 1, groups = Update.class)
private Long jobId;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 2, max = 10, groups = {Insert.class, Update.class})
private String jobName;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 2, max = 10, groups = {Insert.class, Update.class})
private String position;
}
}
返回
如果请求体直接传递了json数组到后端,并希望对数组中的每一项都进行参数校验,此时使用java.util.Collection下的list或set来接收数据,参数校验并不会生效,需要使用自定义的list集合来实现。
实例6
public class ValidationList<E> implements List<E> {
@Delegate
@Valid
public List<E> list = new ArrayList<>();
@Override
public String toString() {
return list.toString();
}
public List<E> getList() {
return list;
}
public void setList(List<E> list) {
this.list = list;
}
}
@PostMapping("/addList")
public Object addList(@RequestBody @Validated(Insert.class) ValidationList<UserDTO> userList) {
return ResponseData.ok(userList);
}
返回
如果出现一些特殊的业务需求,此时可以通过自定义校验来实现。假设自定义加密字段校验(由数字或者a-f的字母组成,32-256长度)。
实例7
@Data
public class UserDTO implements Serializable {
private static final long serialVersionUID = 1L;
@NotNull(groups = Update.class)
@Min(value = 1000L, groups = Update.class)
private Long userId;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 2, max = 10, groups = {Insert.class, Update.class})
private String userName;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 6, max = 20, groups = {Insert.class, Update.class})
private String account;
@Encrypt(groups = {Insert.class, Update.class})
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 6, max = 20, groups = {Insert.class, Update.class})
private String password;
@NotNull(groups = {Insert.class, Update.class})
@Valid
private Job job;
@Data
public static class Job {
@NotNull(groups = Update.class)
@Min(value = 1, groups = Update.class)
private Long jobId;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 2, max = 10, groups = {Insert.class, Update.class})
private String jobName;
@NotNull(groups = {Insert.class, Update.class})
@Length(min = 2, max = 10, groups = {Insert.class, Update.class})
private String position;
}
}
@Target({METHOD, FIELD, ANNOTATION_TYPE, CONSTRUCTOR, PARAMETER})
@Retention(RUNTIME)
@Documented
@Constraint(validatedBy = {EncryptValidator.class})
public @interface Encrypt {
String message() default "加密格式错误";
Class<?>[] groups() default {};
Class<? extends Payload>[] payload() default {};
}
public class EncryptValidator implements ConstraintValidator<Encrypt, String> {
private static final Pattern PATTERN = Pattern.compile("^[a-f\\d]{32,256}$");
@Override
public boolean isValid(String value, ConstraintValidatorContext context) {
if (value != null) {
Matcher matcher = PATTERN.matcher(value);
return matcher.find();
}
return true;
}
}
@PostMapping("update5")
public Object updateUser(@RequestBody @Validated(Update.class) UserDTO param){
System.out.printf("save user id is %s", param.getUserId());
return param;
}
返回
在spring-mvc中,RequestResponseBodyMethodProcessor是用于解析@RequestBody标注的参数以及处理@ResponseBody标注方法的返回值的。源码如下
参数校验还需不断的深入应用并理解其底层原理。
