发表于 | 分类于

背景

当SaaS平台发展到一定规模后,读写分离是必然的架构。尝试了目前流行的MyCat框架,但这个框架会损失不少性能。杀鸡焉用牛刀,于是就结合Spring自定义实现了读写分离功能,实现要点记录如下:

  1. 先实现一个读写分离Aspect,在事务拦截前执行,路由到读库还是写库。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72

package com.kingdee.re.common.dataSource;

import org.apache.log4j.Logger;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.reflect.MethodSignature;
import org.springframework.core.Ordered;
import org.springframework.transaction.annotation.Transactional;

import java.lang.reflect.Method;

/**
* 读写分离切面拦截,使用读数据源的2种情况:<p>
* 1)发现service中的方法有Transactional注解修饰时,且readOnly()==true时;<br>
* 2)当service的方法以get, select, query, find, export, fetch, is, page, search, count开头时,启用读数据源;<br>
* 不满足以上两种条件时,启用写数据源。
*
* <p>
* <b>注意:</b>实现Ordered接口是用来做切面拦截排序用的,当getOrder()越小越早执行,spring-mybatis.xml里定义<tx:annotation-driven>有用到,
* </p>
* @author fuqiang_wen 2018/7/17
*/

public class DataSourceAspect implements Ordered {
	private final Logger logger = Logger.getLogger(DataSourceAspect.class);

	public void before(JoinPoint point) {
		Object target = point.getTarget();
		String method = point.getSignature().getName();
		
		Class<?>[] classz = target.getClass().getInterfaces();
		
		Class<?>[] parameterTypes = ((MethodSignature) point.getSignature()).getMethod().getParameterTypes();
		try {
			Method m = classz[0].getMethod(method, parameterTypes);
			if (m != null && m.isAnnotationPresent(Transactional.class)) {
			Transactional annotation = m.getAnnotation(Transactional.class);
			if(annotation.readOnly()){
				DynamicDataSourceHolder.putDataSource(DynamicDataSourceHolder.DATA_SOURCE_READ);
			}else{
				DynamicDataSourceHolder.putDataSource(DynamicDataSourceHolder.DATA_SOURCE_WRITE);
			}
			}else if(guessIsReadMethod(m)){
				DynamicDataSourceHolder.putDataSource(DynamicDataSourceHolder.DATA_SOURCE_READ);
			} else {
				DynamicDataSourceHolder.putDataSource(DynamicDataSourceHolder.DATA_SOURCE_WRITE);
			}
		} catch (Exception e) {
			logger.error(e.getMessage());
			logger.error("set dynamic datasource arise error", e);
		}
	}

	/**
	* 推测是否是只读方法,以方法名的第一个单词推测是,目前包含范围有:get, select, query, find, export, fetch, is, page, search, count
	* @author fuqiang_wen 2018/7/26
	* @param method
	* @return
	*/
	private boolean guessIsReadMethod(Method method) {
		String methodName = method.getName();
		return methodName.startsWith("get") || methodName.startsWith("select") || methodName.startsWith("query")
			|| methodName.startsWith("find") || methodName.startsWith("export") || methodName.startsWith("fetch")
			|| methodName.startsWith("is") || methodName.startsWith("page") || methodName.startsWith("search")
			|| methodName.startsWith("count");
	}

	@Override
	public int getOrder() {
		return 0;
	}
}
  1. 添加一个动态数据源类DynamicDataSource, 从DynamicDataSourceHolder取对应的数据源,DynamicDataSourceHolder实现利用了ThreadLocal类。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
package com.kingdee.re.common.dataSource;

import org.apache.log4j.Logger;
import org.springframework.jdbc.datasource.lookup.AbstractRoutingDataSource;


/**
* 动态数据源,用来做读写分离
* @author fuqiang_wen 2018/7/17
*/
public class DynamicDataSource extends AbstractRoutingDataSource {
	private final Logger logger = Logger.getLogger(DynamicDataSource.class);

	@Override
	protected Object determineCurrentLookupKey() {
		logger.debug("DynamicDataSource determineCurrentLookupKey");
		return DynamicDataSourceHolder.getDataSource();
	}
}
  1. 当前线程读库还是写库保持类DynamicDataSourceHolder, 动态数据源Holder, master是主库(写库),slave是从库(读库)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
package com.kingdee.re.common.dataSource;

import org.apache.log4j.Logger;

/**
* 动态数据源Holder, 在DynamicDataSource引用到, 在DataSourceAspect设置值
* @author fuqiang_wen 2018/7/17
*/
public class DynamicDataSourceHolder {
	private final static Logger logger = Logger.getLogger(DynamicDataSourceHolder.class);
	public static final String DATA_SOURCE_WRITE = "master";
	public static final String DATA_SOURCE_READ = "slave";

	public static final ThreadLocal<String> holder = new ThreadLocal<String>();

	public static void putDataSource(String name) {
		holder.set(name);
	}

	public static String getDataSource() {
		return holder.get();
	}
}
  1. Spring配置好对应的Aspect,如下
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    <!-- service切入 配置数据库注解aop -->
    <bean id="manyDataSourceAspect" class="com.kingdee.re.common.dataSource.DataSourceAspect" />

    <aop:config>
    	<aop:pointcut id="service" expression="execution(* com.kingdee.re.*.service.impl.*.*(..))" /><!--声明所有包含Service的类的所有方法使用事务-->

    	<aop:advisor advice-ref="txAdvice" pointcut-ref="service" />

    	<aop:aspect id="c" ref="manyDataSourceAspect">
    		<aop:before pointcut-ref="service" method="before"/>
    	</aop:aspect>
    </aop:config>

发表于 | 分类于

背景

随便公司研发规模扩大,分工逐步细化,后端同学专注后台实现,前端同学专门负责前端的实现,并且开发环境在虚拟云桌面代码受控,前后端不能联调,这样导致一个问题,前端开发同学在启动前端IDE时,还额外要启动后台开发环境IDE和后台服务器,本来云桌面硬件资源配置就不好,双IDE会导致开发环境更卡顿,严重影响效率。

在这种情况下,考虑之前用ant可以做自动化编译和部署,所以就用ant改造出了这么一个自动化部署工具。可以做到手工更新svn代码,然后ant编译输出,启动tomcat服务。

注意: ant的target只能运行一次,所以多个target依赖某个target时,被依赖的target也只会运行一次。

以下是ant构建脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
<?xml version="1.0" encoding="UTF-8"?>
<project name="OwnerCloud.wy" default="deploy" basedir="D:/myHomeFile/workcode">

	<input message="请输入你要编译的工程,如wy, sj, admin:" validargs="wy,sj,admin"  addproperty="web_name"/>
	
	<property name="webapp.name" value="OwnerCloud.${web_name}" />
	<property name="catalina.home" value="D:/Program Files/Apache Software Foundation/Tomcat 7.0" />
	<property name="dist.dir" value="${basedir}/dist" />
	<property name="ant.dir" value="D:/apache-ant-1.10.4" />
	<property name="webRoot.dir" value="${basedir}/${webapp.name}/src/main/webapp" />
	<property name="src.dir" value="${basedir}/src/main/java" />
	<property name="lib.dir" value="D:/myHomeFile/lib_all" />
	<property name="build.dir" value="${basedir}/build" />

	<!-- 初始化classpath -->
	<path id="project.classpath">
		<fileset dir="${lib.dir}">
			<include name="*.jar" />
		</fileset>
		<!-- 添加tomcat类路径 -->
		<fileset dir="${catalina.home}/lib">
			<include name="*.jar" />
		</fileset>
		<!-- ant lib包  -->
		<fileset dir="${ant.dir}">
			<include name="**/*.jar" />
		</fileset>
	</path>
 
	<!-- get the source compile classpath in a printable form -->
	<pathconvert pathsep="|   |-- "
             property="echo.path.compile"
             refid="project.classpath">
	</pathconvert>
	
	<!-- show classpath jars -->
	<target name="print_classpath">
		<echo message="|-- compile classpath"/>
		<echo message="|   |"/>
		<echo message="|   |-- ${echo.path.compile}"/>
	</target>
	
	
	<!-- 删除之前的目录结构 -->
	<target name="clear" description="清理旧文件">
		<delete dir="${build.dir}" />
		<delete dir="${dist.dir}" />
		
		<delete dir="${basedir}/${webapp.name}/src/main/webapp/WEB-INF/classes/" />
		
		<delete file="${catalina.home}/webapps/${webapp.name}.war" />
		<delete dir="${catalina.home}/webapps/${webapp.name}" />
	</target>
 
	<!-- 创建目录结构 -->
	<target name="init" depends="clear" description="创建初始化目录结构">
		<mkdir dir="${build.dir}/classes" />
		<mkdir dir="${dist.dir}" />
		<mkdir dir="${basedir}/${webapp.name}/src/main/webapp/WEB-INF/classes/" />
	</target>
	
	<!-- 编译 mybatis 工程 -->
	<target name="compile_mybatis" depends="init" description="编译mybatis java文件">
		<echo message="begin compile 'mybatis' project..." />
		<javac srcdir="${basedir}/OwnerCloud.mybatis/src/main/java" destdir="${build.dir}/classes" 
			includeantruntime="false" nowarn="on" 
			source="1.7" target="1.7" deprecation="true" debug="true" verbose="off"
			encoding="UTF-8" classpathref="project.classpath">
			<compilerarg line="-Xlint:unchecked" />
		</javac>
		<copy todir="${build.dir}/classes">
			<fileset dir="${basedir}/OwnerCloud.mybatis/src/main/resources">
			</fileset>
		</copy>
		<jar jarfile="${dist.dir}/OwnerCloud.mybatis.1.0.0.jar"> 
			<fileset dir="${build.dir}/classes"> 
				<include name="**/*.class"/> 
				<include name="**/*.xml" />
				<include name="**/*.properties" />
			</fileset> 
		</jar> 	
		<copy todir="${lib.dir}" file="${dist.dir}/OwnerCloud.mybatis.1.0.0.jar" />
		<echo message="end compile 'mybatis' project..." />
	</target>
	
	
	<!-- 编译 domain 工程 -->
	<target name="compile_domain" depends="init" description="编译domain java文件">
		<echo message="begin compile 'domain' project..." />
				
		<javac srcdir="${basedir}/OwnerCloud.domain/src/main/java" destdir="${build.dir}/classes" 
			includeantruntime="false" nowarn="on" 
			source="1.7" target="1.7" deprecation="true" debug="true" verbose="off"
			encoding="UTF-8" classpathref="project.classpath">
			<compilerarg line="-Xlint:unchecked" />
		</javac>
		<copy todir="${build.dir}/classes">
			<fileset dir="${basedir}/OwnerCloud.domain/src/main/resources">
			</fileset>
		</copy>
		<jar jarfile="${dist.dir}/OwnerCloud.domain.1.0-SNAPSHOT.jar"> 
			<fileset dir="${build.dir}/classes"> 
				<include name="**/*.class"/> 
				<include name="**/*.xml" />
				<include name="**/*.properties" />
			</fileset> 
		</jar> 	
		<copy todir="${lib.dir}" file="${dist.dir}/OwnerCloud.domain.1.0-SNAPSHOT.jar">
		</copy>
		<echo message="end compile 'domain' project..." />
	</target>
	
	<!-- 编译 core 工程,该工程有多个源目录 -->
	<target name="compile_core" description="编译core java文件">
		<echo message="begin compile 'core' project..." />
				
		<javac destdir="${build.dir}/classes" 
			includeantruntime="false" nowarn="on" 
			source="1.7" target="1.7" deprecation="true" debug="true" verbose="off"
			encoding="UTF-8" classpathref="project.classpath">
			<compilerarg line="-Xlint:unchecked" />

			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_cost_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_cd_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_mem_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_rpt_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_pl_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_qy_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_rent_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_chk_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_decoration_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_crm_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_commerce_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_ac_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_equipment_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_charge_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_customerservice_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_common/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_basedata_cloud/src"/>
			<src path="${basedir}/OwnerCloud.Core/src/main/java/re_property_cloud/src"/>
		</javac>
		<copy todir="${build.dir}/classes">
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/resources">
				
			</fileset>
			
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_cost_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_cd_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_mem_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_rpt_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_pl_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_qy_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_rent_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_chk_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_decoration_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_crm_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_commerce_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_ac_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_equipment_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_charge_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_customerservice_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_common/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_basedata_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
			<fileset dir="${basedir}/OwnerCloud.Core/src/main/java/re_property_cloud/src">
				<include name="**/*.xml" />
				<include name="**/*.properties" />
				<include name="**/*.sql" />
			</fileset>
		</copy>
		
		<jar jarfile="${dist.dir}/OwnerCloud.Core.2.1.1.jar"> 
			<fileset dir="${build.dir}/classes"> 
				<include name="**/*.class"/> 
				<include name="**/*.xml" />
				<include name="**/*.properties" />
			</fileset> 
		</jar> 	
		<copy todir="${lib.dir}" file="${dist.dir}/OwnerCloud.Core.2.1.1.jar">
		</copy>
		<echo message="end compile 'core' project..." />
	</target>
	
	<!-- 编译 common 工程 -->
	<target name="compile_common" depends="init" description="编译common java文件">
		<echo message="begin compile 'common' project..." />
				
		<javac srcdir="${basedir}/OwnerCloud.common/src/main/java" destdir="${build.dir}/classes" 
			includeantruntime="false" nowarn="on" 
			source="1.7" target="1.7" deprecation="true" debug="true" verbose="off"
			encoding="UTF-8" classpathref="project.classpath">
			<compilerarg line="-Xlint:unchecked" />
		</javac>	
		<jar jarfile="${dist.dir}/OwnerCloud.common.jar"> 
			<fileset dir="${build.dir}/classes"> 
				<include name="**/*.class"/> 
				<include name="**/*.xml" />
				<include name="**/*.properties" />
			</fileset> 
		</jar> 	
		<copy todir="${lib.dir}" file="${dist.dir}/OwnerCloud.common.jar">
		</copy>
		<echo message="end compile 'common' project..." />
	</target>	
	
	<!-- 编译 OwnerCloud.Core.commerce 工程 -->
	<target name="compile_OwnerCloud.Core.commerce" depends="init" description="编译common java文件">
		<echo message="begin compile 'OwnerCloud.Core.commerce' project..." />
				
		<javac srcdir="${basedir}/OwnerCloud.Core.commerce/src/main/java" destdir="${build.dir}/classes" 
			includeantruntime="false" nowarn="on" 
			source="1.7" target="1.7" deprecation="true" debug="true" verbose="off"
			encoding="UTF-8" classpathref="project.classpath">
			<compilerarg line="-Xlint:unchecked" />
		</javac>	
		<jar jarfile="${dist.dir}/OwnerCloud.Core.commerce.jar"> 
			<fileset dir="${build.dir}/classes"> 
				<include name="**/*.class"/> 
				<include name="**/*.xml" />
				<include name="**/*.properties" />
			</fileset> 
		</jar> 	
		<copy todir="${lib.dir}" file="${dist.dir}/OwnerCloud.common.jar">
		</copy>
		<echo message="end compile 'OwnerCloud.Core.commerce' project..." />
	</target>
	
	<target name="compile_web" depends="compile_mybatis,compile_domain,compile_common, compile_core, compile_OwnerCloud.Core.commerce" description="编译web工程的java文件">
		<echo message="begin compile 'wy' ..." />
		
		<javac srcdir="${basedir}/${webapp.name}/src/main/java" destdir="${build.dir}/classes" 
			includeantruntime="false" nowarn="on" 
			source="1.7" target="1.7" deprecation="true" debug="true" verbose="off"
			encoding="UTF-8" classpathref="project.classpath">
			<compilerarg line="-Xlint:unchecked" />
		</javac>
		<copy todir="${build.dir}/classes">
			<fileset dir="${basedir}/${webapp.name}/src/main/resources">
				<include name="**/*.*" />
			</fileset>
		</copy>
		
		<echo message="end compile 'wy' ..." />
	</target>
 
	<!-- 打成war包, 名称默认为 项目名 -->
	<target name="war" depends="compile_web" description="将web工程打成war包">
		<echo message="begin war..." />
		<war destfile="${dist.dir}/${webapp.name}.war" basedir="${webRoot.dir}" 
			webxml="${webRoot.dir}/WEB-INF/web.xml">
			<lib dir="${lib.dir}" />
			<classes dir="${build.dir}/classes" />
			<fileset dir="${webRoot.dir}">
				<include name="***.*" />
			</fileset>
		</war>
		<echo message="end war..." />
	</target>
 
	<!-- copy war包 tomcat的deploy目录 -->
	<target name="deploy" depends="compile_web" description="部署项目">
		<echo message="begin deploy..." />
		<copy todir="${basedir}/${webapp.name}/src/main/webapp/WEB-INF/classes">
			<fileset dir="${build.dir}/classes">
			</fileset>
		</copy>
		
		<!-- <copy todir="${basedir}/${webapp.name}/src/main/webapp/WEB-INF/lib" overwrite="true"> -->
			<!-- <fileset dir="${lib.dir}"> -->
				<!-- <include name="OwnerCloud**.jar" /> -->
			<!-- </fileset> -->
		<!-- </copy> -->
		
		<!-- <copy file="${dist.dir}/${webapp.name}.war" todir="${catalina.home}/webapps" /> -->
		<echo message="end deploy..." />
	</target>
 
</project>

发表于 | 分类于

在java的开源包中,jdom算是比较著名的XML文件解析包,7月2日有人报出微信支付回调的XXE漏洞,本质上就是解析xml文件时,访问了外部网站。

所以修复办法也很简单,对XML文件解析要禁用访问外部网站的功能,微信给出的解决方案请戳 这里 。代码片断如下:

1
2
3
4
5
6
7
8
9
10
11
12
public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    documentBuilderFactory.setXIncludeAware(false);
    documentBuilderFactory.setExpandEntityReferences(false);

    return documentBuilderFactory.newDocumentBuilder();
}

不过这个办法,在jdom中是无用的,也就是说jdom一直都存在这个漏洞。废话不多说,请看如下源代码片段。

类org.jdom.input.SAXBuilder的createParser方法

1
2
3
4
Class factoryClass = Class.forName("org.jdom.input.JAXPParserFactory");
Method createParser = factoryClass.getMethod("createParser", Boolean.TYPE, class$java$util$Map == null ? (class$java$util$Map = class$("java.util.Map")) : class$java$util$Map, class$java$util$Map == null ? (class$java$util$Map = class$("java.util.Map")) : class$java$util$Map);
parser = (XMLReader)createParser.invoke((Object)null, new Boolean(this.validate), this.features, this.properties);
this.setFeaturesAndProperties(parser, false);

再看JAXPParserFactory的createParser,坑爹的是这个方法传了参数features后,居然没有用到。。。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
public static XMLReader createParser(boolean validating, Map features, Map properties) throws JDOMException {
    try {
        SAXParser parser = null;
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setValidating(validating);
        factory.setNamespaceAware(true);

        try {
            parser = factory.newSAXParser();
        } catch (ParserConfigurationException var6) {
            throw new JDOMException("Could not allocate JAXP SAX Parser", var6);
        }

        setProperty(parser, properties, "http://java.sun.com/xml/jaxp/properties/schemaLanguage");
        setProperty(parser, properties, "http://java.sun.com/xml/jaxp/properties/schemaSource");
        return parser.getXMLReader();
    } catch (SAXException var7) {
        throw new JDOMException("Could not allocate JAXP SAX Parser", var7);
    }
}

参考资料:

https://www.jianshu.com/p/960f0b4629b3
http://www.cnblogs.com/kismetv/archive/2018/07/05/9266224.html
https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=23_5

发表于 | 分类于

在公司项目中的UserContent.getUser()方法中有一段很“神奇”的代码,通过SecurityContextHolder.getContext().getAuthentication().getPrincipal()可得到当前用户的登录信息。

一直很非常好奇,为何一个静态方法可以得到当前登录用户信息呢,它是怎么知道的从浏览器传过来的请求是属于哪个用户?

阅读全文 »

发表于 | 分类于
  1. 先将Excel中数据导入到POJO List中
  2. 在上一步中顺便校验相应的输入列是否合法,不合法直接返回具体信息;
  3. 将POJO List与数据库做对比,校验数据合法性,不合法直接返回具体信息
  4. 将POJO List与数据做对比,将某些列绑定到具体数据库中的数据,即有id信息
  5. 逻辑处理部分,将逻辑处理后的数据导入到数据库中,返回成功条数;
阅读全文 »