我们来编写一个非常非常简单的黑名单用户的案例。
编写一个方法,通过用户编号获取用户信息,但是在黑名单内的用户访问的话,会抛出一个异常:用户鉴定没有权限!
,非黑名单的用户则可以访问用户信息。
构建一个客户端demo
首先我们构建一个springboot的demo,具体环境就搭建了,直接上主流程代码:
/**
* 获取用户信息
* @author liukaixiong
* @Email liukx@elab-plus.com
* @date 2021/11/5 - 13:38
*/
public class User {
public String getUser(String userId) {
System.out.println("获取用户编号: " + userId);
return userId;
}
}
然后我们通过HTTP接口暴露一个服务接口,通过参数传递userid:
@GetMapping(value = "/user", produces = "application/json;charset=UTF-8")
public Map<String, Object> user(@RequestParam("body") String body) {
new User().getUser(body);
return trues();
}
正常情况的话,无论谁访问都不会抛出异常。
编写黑名单插件
通过写死一个标记520、1314
标识参数的用户抛出异常
import com.alibaba.jvm.sandbox.api.Information;
import com.alibaba.jvm.sandbox.api.LoadCompleted;
import com.alibaba.jvm.sandbox.api.Module;
import com.alibaba.jvm.sandbox.api.ProcessController;
import com.alibaba.jvm.sandbox.api.listener.ext.Advice;
import com.alibaba.jvm.sandbox.api.listener.ext.AdviceListener;
import com.alibaba.jvm.sandbox.api.listener.ext.EventWatchBuilder;
import com.alibaba.jvm.sandbox.api.resource.ModuleEventWatcher;
import com.google.common.collect.Sets;
import org.kohsuke.MetaInfServices;
import javax.annotation.Resource;
import java.util.Set;
/**
* 用戶黑名单
*
* @author liukaixiong
* @Email liukx@elab-plus.com
* @date 2021/11/5 - 13:35
*/
@MetaInfServices(Module.class)
@Information(id = "debug-user-black-demo", version = "0.0.1", author = "liukaixiong")
public class BlackListModule implements Module, LoadCompleted {
@Resource
private ModuleEventWatcher moduleEventWatcher;
/**
* 黑名单用户,正常来说是从数据库读取,这么先模拟
*/
private Set<String> userBlackList = Sets.newHashSet("520", "1314");
@Override
public void loadCompleted() {
new EventWatchBuilder(moduleEventWatcher)
.onClass("com.sandbox.demo.example.User") // 拦截User类
.includeBootstrap()
.onBehavior("getUser") // 并观察getUser方法
.onWatch(new AdviceListener() {
/**
* 调用方法之前,我需要判断参数
* @param advice 通知信息
* @throws Throwable
*/
@Override
protected void before(Advice advice) throws Throwable {
if (advice.getParameterArray().length == 0) {
System.out.println("没有参数,不处理!");
return;
}
Object userId = advice.getParameterArray()[0];
System.out.println("进入判断用户流程");
if (userId != null && userBlackList.contains(userId.toString())) {
ProcessController.throwsImmediately(new UserTokenException("用户鉴定没有权限!"));
}
}
});
}
class UserTokenException extends Exception {
public UserTokenException(String message) {
super(message);
}
}
}
插件已经编写完毕了,这个时候我们将插件和案例结合运行。
另外再提一句:
通过@Comand("")命令代表的是以插件的形式加载比如通过命令行指定参数开启,而通过*LoadCompleted*
则是沙箱启动的时候,默认就会启动。
启动并且访问接口
启动
先上传插件模块到沙箱的sandbox-module
目录下,随着sandbox沙箱的启动,会自动加载这个目录下的所有包。
源码放在下篇重点说说。
然后启动客户端demo服务
java -javaagent:/elab/tools/sandbox/lib/sandbox-agent.jar -Djavax.net.debug=ssl -Xdebug -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5050 -jar z-demo-1.3.3.jar
参数稍微解释下:
# 1. 这里是远程调试参数,开启一个5050端口,可以在IDEA中源码调试
-Djavax.net.debug=ssl -Xdebug -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5050
# 这里是代理的agent参数
-javaagent:/elab/tools/sandbox/lib/sandbox-agent.jar
# SpringBoot的启动方式。
java -jar z-demo-1.3.3.jar
需要注意的是-javaagent参数不需要加-D,之前也是这里卡了一会。
如何看代理是否成功?
# 查看java进程的pid,比如7695
jps -l
# 查看端口进程
netstat -ntpl
# 查看7695是否是有两个进程,一个是agent的,一个是应用端口的
访问远程
通过访问
http://xxxx:5505/user?body=520
查看后台日志是否出现异常:
com.alibaba.jvm.sandbox.module.debug.BlackListModule$UserTokenException: 用户鉴定没有权限!
at com.alibaba.jvm.sandbox.module.debug.BlackListModule$1.before(BlackListModule.java:59) ~[na:na]
at com.alibaba.jvm.sandbox.api.listener.ext.AdviceAdapterListener.switchEvent(AdviceAdapterListener.java:99) ~[na:na]
at com.alibaba.jvm.sandbox.api.listener.ext.AdviceAdapterListener.onEvent(AdviceAdapterListener.java:39) ~[na:na]
at com.alibaba.jvm.sandbox.core.enhance.weaver.EventListenerHandler.handleEvent(EventListenerHandler.java:117) ~[na:na]
at com.alibaba.jvm.sandbox.core.enhance.weaver.EventListenerHandler.handleOnBefore(EventListenerHandler.java:353) ~[na:na]
at java.com.alibaba.jvm.sandbox.spy.Spy.spyMethodOnBefore(Spy.java:164) ~[na:na]
at com.sandbox.demo.example.User.getUser(User.java) ~[classes!/:na]
at com.sandbox.demo.controller.DemoController.user(DemoController.java:43) ~[classes!/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_302]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_302]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_302]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_302]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:878) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:792) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:626) ~[tomcat-embed-core-9.0.39.jar!/:4.0.FR]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) ~[tomcat-embed-core-9.0.39.jar!/:4.0.FR]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-embed-websocket-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_302]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_302]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_302]
换成其他的参数,又可以正常访问,说明代理成功了。
插件已经生效了!
至此,我们可以思考一些更有价值的骚操作啦~
容我好好想想,然后再出一些更高级的demo。