springboot 实现限流控制

package com.jinw.cms.config;

import com.jinw.cms.aspectj.RateLimiterAspect;
import lombok.RequiredArgsConstructor;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.core.script.DefaultRedisScript;

@RequiredArgsConstructor
@Configuration
public class RateLimiterConfig {

    private final RedisTemplate<String, Object> redisTempate;

    @Bean
    @ConditionalOnProperty(name = "jw.rate-limiter.enable", havingValue = "true")
    public RateLimiterAspect rateLimitAspect() {
        return new RateLimiterAspect(redisTempate, limitScript());
    }

    /**
     * Lua限流脚本
     */
    public DefaultRedisScript<Boolean> limitScript() {
        DefaultRedisScript<Boolean> redisScript = new DefaultRedisScript<>();
        redisScript.setScriptText(" local key = KEYS[1] --限流KEY\n" +
                "                local limit = tonumber(ARGV[1]) --限流大小\n" +
                "                local expireTime = tonumber(ARGV[2]) --过期时间 单位/s\n" +
                "\n" +
                "                local current = tonumber(redis.call('get', key) or \"0\")\n" +
                "                if current + 1 > limit then\n" +
                "                    return false --当前值超过限流大小阈值\n" +
                "                end\n" +
                "                current = tonumber(redis.call('incr', key)) --请求数+1\n" +
                "                if current == 1 then\n" +
                "                    redis.call('expire', key, expireTime) --设置过期时间\n" +
                "                end\n" +
                "                return true;");
        redisScript.setResultType(Boolean.class);
        return redisScript;
    }
}
package com.jinw.cms.aspectj;

/**
 * 限流类型
 *
 * @author ruoyi
 */

public enum LimitType {
    /**
     * 默认策略全局限流
     */
    DEFAULT,

    /**
     * 根据请求者IP进行限流
     */
    IP
}
package com.jinw.cms.aspectj.annotation;

import com.jinw.cms.aspectj.LimitType;
import com.jinw.cms.constants.ExtendConstants;

import java.lang.annotation.*;

/**
 * 限流注解
 *
 * @author ruoyi
 */
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface RateLimiter {

    /**
     * 限流缓存key前缀
     */
    public String prefix() default ExtendConstants.RATE_LIMIT_KEY;

    /**
     * 限流时间,单位秒
     */
    public int expire() default 60;

    /**
     * 限流阈值,单位时间内的请求上限
     */
    public int limit() default 100;

    /**
     * 限流类型
     */
    public LimitType limitType() default LimitType.DEFAULT;
}
package com.jinw.cms.config;

import com.jinw.cms.aspectj.RateLimiterAspect;
import lombok.RequiredArgsConstructor;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.core.script.DefaultRedisScript;

@RequiredArgsConstructor
@Configuration
public class RateLimiterConfig {

    private final RedisTemplate<String, Object> redisTempate;

    @Bean
    @ConditionalOnProperty(name = "jw.rate-limiter.enable", havingValue = "true")
    public RateLimiterAspect rateLimitAspect() {
        return new RateLimiterAspect(redisTempate, limitScript());
    }

    /**
     * Lua限流脚本
     */
    public DefaultRedisScript<Boolean> limitScript() {
        DefaultRedisScript<Boolean> redisScript = new DefaultRedisScript<>();
        redisScript.setScriptText(" local key = KEYS[1] --限流KEY\n" +
                "                local limit = tonumber(ARGV[1]) --限流大小\n" +
                "                local expireTime = tonumber(ARGV[2]) --过期时间 单位/s\n" +
                "\n" +
                "                local current = tonumber(redis.call('get', key) or \"0\")\n" +
                "                if current + 1 > limit then\n" +
                "                    return false --当前值超过限流大小阈值\n" +
                "                end\n" +
                "                current = tonumber(redis.call('incr', key)) --请求数+1\n" +
                "                if current == 1 then\n" +
                "                    redis.call('expire', key, expireTime) --设置过期时间\n" +
                "                end\n" +
                "                return true;");
        redisScript.setResultType(Boolean.class);
        return redisScript;
    }
}
package com.ruoyi.common.extend.aspectj;

import java.lang.reflect.Method;
import java.util.List;

import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.reflect.MethodSignature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.core.script.RedisScript;

import com.ruoyi.common.exception.GlobalException;
import com.ruoyi.common.extend.annotation.RateLimiter;
import com.ruoyi.common.extend.enums.LimitType;
import com.ruoyi.common.extend.exception.RateLimiterErrorCode;
import com.ruoyi.common.utils.ServletUtils;

import lombok.RequiredArgsConstructor;

/**
 * 限流处理
 */
@Aspect
@RequiredArgsConstructor
public class RateLimiterAspect {
    
    private static final Logger log = LoggerFactory.getLogger(RateLimiterAspect.class);

    private final RedisTemplate<String, Object> redisTemplate;

    private final RedisScript<Boolean> limitScript;

    @Before("@annotation(rateLimiter)")
    public void doBefore(JoinPoint point, RateLimiter rateLimiter) throws Throwable {
        int limit = rateLimiter.limit();
        int expire = rateLimiter.expire();

        try {
            String combineKey = this.getCombineKey(rateLimiter, point);
            List<String> keys = List.of(combineKey);
            if (!redisTemplate.execute(this.limitScript, keys, limit, expire)) {
                log.warn("限制请求'{}',缓存key'{}'", limit, combineKey);
                throw RateLimiterErrorCode.RATE_LIMIT.exception();
            }
        } catch (GlobalException e) {
            throw e;
        } catch (Exception e) {
            throw RateLimiterErrorCode.RATE_LIMIT_ERR.exception();
        }
    }

    public String getCombineKey(RateLimiter rateLimiter, JoinPoint point) {
        StringBuffer stringBuffer = new StringBuffer(rateLimiter.prefix());
        if (rateLimiter.limitType() == LimitType.IP) {
            stringBuffer.append(ServletUtils.getIpAddr(ServletUtils.getRequest())).append(".");
        }
        MethodSignature signature = (MethodSignature) point.getSignature();
        Method method = signature.getMethod();
        Class<?> targetClass = method.getDeclaringClass();
        stringBuffer.append(targetClass.getName()).append(".").append(method.getName());
        return stringBuffer.toString();
    }
}

springboot 实现xss过滤

package com.jinw.cms.aspectj;

import com.jinw.cms.aspectj.annotation.XssIgnore;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.AsyncHandlerInterceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Objects;

public class XssInterceptor implements AsyncHandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (handler instanceof HandlerMethod) {
            HandlerMethod handlerMethod = (HandlerMethod) handler;
            XssIgnore xssIgnore = handlerMethod.getMethodAnnotation(XssIgnore.class);
            if (Objects.nonNull(xssIgnore)) {
                XssContextHolder.ignore();
            }
        }
        return true;
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
            throws Exception {
        XssContextHolder.remove();
    }

    /**
     * 如果返回一个current类型的变量,会启用一个新的线程。执行完preHandle方法之后立即会调用afterConcurrentHandlingStarted
     * 然后新线程再以次执行preHandle,postHandle,afterCompletion**
     */
    @Override
    public void afterConcurrentHandlingStarted(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        XssContextHolder.remove();
    }
}
package com.jinw.cms.aspectj;

import com.fasterxml.jackson.core.JacksonException;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.type.LogicalType;
import com.jinw.cms.entity.XssMode;
import com.jinw.utils.cms.HtmlUtils;
import com.jinw.utils.cms.StringUtils;
import lombok.RequiredArgsConstructor;

import java.io.IOException;
import java.util.Objects;

@RequiredArgsConstructor
public class XssDeserializer extends JsonDeserializer<String> {

    private final XssMode mode;

    @Override
    public LogicalType logicalType() {
        return LogicalType.Textual;
    }

    @Override
    public String getNullValue(DeserializationContext ctxt) throws JsonMappingException {
        return StringUtils.EMPTY;
    }

    @Override
    public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException, JacksonException {
        if (p.hasToken(JsonToken.VALUE_STRING)) {
            return deal(p.getText());
        }
        JsonToken token = p.getCurrentToken();
        if (token.isScalarValue()) {
            String text = p.getValueAsString();
            if (text != null) {
                return text;
            }
        }
        return (String) ctxt.handleUnexpectedToken(String.class, p);
    }

    private String deal(String text) {
        if (Objects.nonNull(text) && !XssContextHolder.isIgnore()) {
            if (mode == XssMode.CLEAN) {
                text = HtmlUtils.clean(text);
            } else {
                text = HtmlUtils.escape(text);
            }
        }
        return text;
    }
}
package com.jinw.cms.aspectj;

import java.util.Objects;

public class XssContextHolder {

    private static final ThreadLocal<Boolean> CONTEXT = new ThreadLocal<>();

    /**
     * 默认为true
     */
    public static boolean isIgnore() {
        return Objects.isNull(CONTEXT.get()) ? true : CONTEXT.get();
    }

    public static void ignore() {
        CONTEXT.set(true);
    }

    public static void remove() {
        CONTEXT.remove();
    }
}
package com.jinw.cms.config.properties;

import com.jinw.cms.entity.XssMode;
import lombok.Getter;
import lombok.Setter;
import org.springframework.boot.context.properties.ConfigurationProperties;

import java.util.List;

@Setter
@Getter
@ConfigurationProperties(prefix = "xss")
public class XssProperties {

    /**
     * 是否开启XSS过滤
     */
    private boolean enabled;

    /**
     * 处理方式
     */
    private XssMode mode;

    /**
     * 不进行处理的路径
     */
    private List<String> excludes;

    /**
     * 处理指定路径
     */
    private List<String> urlPatterns;
}
package com.jinw.cms.config;

import com.google.common.collect.Lists;
import com.jinw.cms.aspectj.XssDeserializer;
import com.jinw.cms.aspectj.XssInterceptor;
import com.jinw.cms.config.properties.XssProperties;
import com.jinw.utils.cms.StringUtils;
import lombok.RequiredArgsConstructor;
import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import java.util.Collections;
import java.util.List;

@RequiredArgsConstructor
@Configuration
@EnableConfigurationProperties(XssProperties.class)
public class XssConfig implements WebMvcConfigurer {

    private final XssProperties xssProperties;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        if (xssProperties.isEnabled()) {
            List<String> urlPatterns = xssProperties.getUrlPatterns();
            if (StringUtils.isEmpty(urlPatterns)) {
                urlPatterns = Lists.newArrayList();
                urlPatterns.add("/**");
            }
            List<String> excludes = xssProperties.getExcludes();
            if (StringUtils.isEmpty(excludes)) {
                excludes = Collections.emptyList();
            }
            //addPathPatterns(urlPatterns) 对所有请求都拦截,但是排除了 excludePathPatterns(excludes) 请求的拦截。
            registry.addInterceptor(new XssInterceptor()).
                    addPathPatterns(urlPatterns)
                    .excludePathPatterns(excludes).order(Ordered.LOWEST_PRECEDENCE);
        }
    }

    @Bean
    public Jackson2ObjectMapperBuilderCustomizer xssCustomizer() {
        return jacksonObjectMapperBuilder -> jacksonObjectMapperBuilder.deserializerByType(String.class,
                new XssDeserializer(xssProperties.getMode()));
    }
}
package com.jinw.cms.aspectj.annotation;

import java.lang.annotation.*;

@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
public @interface XssIgnore {

}
# 防止XSS攻击
xss:
  # 过滤开关
  enabled: true
  mode: clean

其实我不太喜欢宁波这个地方

原因是

1、本人开车 公路旁停车位 发现一个车位 正在后倒车入库了 咔嚓一辆车直着开进去 车位被抢

2、租房时遇到房东歧视人 当时租房时 看好房子了 需要押一付三 但是身上钱不够 钱在老婆那里 我就说要不我先加你微信我晚点把钱打给你 然后就听到:一大小伙身上竟然拿不出...

哎,对宁波无感啊!!

springboot配置了 addResourceHandler 但是不能直接访问zip包

  @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
    
        /** cms静态资源预览文件路径 */
        registry.addResourceHandler(ContentCoreConsts.RESOURCE_PREVIEW_PREFIX + "**")
                .addResourceLocations("file:" + getResourceRoot());
     
    }
    

springboot 配置了 addResourceHandler 但是不能通过连接 直接直接访问zip包

因为我的访问被拦截了 所以还要放一下

CHATGPT回答:

解决springboot整合es8.6.2抛出ClassNotFoundException: jakarta.json.spi.JsonProvider

解决依赖版本问题和冲突:

<dependency>
    <groupId>co.elastic.clients</groupId>
    <artifactId>elasticsearch-java</artifactId>
    <version>8.6.2</version>
    <exclusions>
        <exclusion>
            <artifactId>jakarta.json-api</artifactId>
            <groupId>jakarta.json</groupId>
        </exclusion>
        <exclusion>
            <artifactId>elasticsearch-rest-client</artifactId>
            <groupId>org.elasticsearch.client</groupId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.elasticsearch.client</groupId>
    <artifactId>elasticsearch-rest-client</artifactId>
    <version>8.6.2</version>
</dependency>
<dependency>
    <groupId>jakarta.json</groupId>
    <artifactId>jakarta.json-api</artifactId>
    <version>2.1.2</version>
</dependency>
<dependency>
    <groupId>jakarta.json.bind</groupId>
    <artifactId>jakarta.json.bind-api</artifactId>
    <version>3.0.0</version>
</dependency>
<dependency>
    <groupId>org.eclipse</groupId>
    <artifactId>yasson</artifactId>
    <version>3.0.3</version>
    <exclusions>
        <exclusion>
            <artifactId>jakarta.json-api</artifactId>
            <groupId>jakarta.json</groupId>
        </exclusion>
        <exclusion>
            <artifactId>jakarta.json.bind-api</artifactId>
            <groupId>jakarta.json.bind</groupId>
        </exclusion>
        <exclusion>
            <artifactId>parsson</artifactId>
            <groupId>org.eclipse.parsson</groupId>
        </exclusion>
    </exclusions>
</dependency>