springboot+validation参数校验浅入浅出

在spring开发中，对入参进行校验是一种常见且必须的需求，下面对springboot中引入validation组件实现校验进行简单的分析一下。
Java API 规范 JSR303 定义了 Bean 校验的标准，但没提供实现，而常用的hibernate validation则是对这个规范的实现，提供了校验注解@Min、@Max等。spring validation是对hibernate validation的二次封装，用于spirng中参数的校验。
若springboot版本低于2.3.时，spring-boot-starter-web会自动传入hibernate-validation依赖，若是版本高于2.3.，则需要手动引入hibernate-validation依赖。
示例如下图

对于web服务，为防止非法参数对业务造成影响，在controller层对http请求传递的参数进行校验分析。requestBody以json形式接收参数。
在http请求中，POST类型请求主要使用requestBody传递参数，后端使用*DTO对象接收参数，此时只须给DTO对象添加@Validated或@Valid注解，在DTO对象的字段上添加声明式约束注解，就能实现自动参数校验。其中Valid是java提供的javax.validation.Valid;，Validated是spring提供的org.springframework.validation.annotation.Validated;。
实例1

	@PostMapping("add")
    public Object addUser(@RequestBody @Valid UserDTO param){
        System.out.printf("save user id is %s", param.getUserId());
        return param;
    }

    @PostMapping("update")
    public Object updateUser(@RequestBody @Validated UserDTO param){
        System.out.printf("update user is %s", param.getUserId());
        return param;
    }

@Data
public class UserDTO {

    private Long userId;

    @NotNull
    @Length(min = 2, max = 10)
    private String userName;

    @NotNull
    @Length(min = 6, max = 20)
    private String account;

    @NotNull
    @Length(min = 6, max = 20)
    private String password;

}

在http请求中，GET类型请求主要使用requestParam/PathVariable传递参数，此时必须在controller类上标注@validated注解，在DTO对象的字段上添加声明式约束注解或在入参上添加声明式约束注解，完成参数校验。
实例2

返回

如果校验失败，会抛出MethodArgumentNotValidException或ConstraintViolationException异常，在实际工程中，通常通过统一异常处理来返回一个更友好的提示。
实例3

@RestControllerAdvice
public class CommonExceptionHandler {

    @ExceptionHandler({MethodArgumentNotValidException.class})
    public Object handleMethodArgumentNotValidException(MethodArgumentNotValidException ex) {
        BindingResult bindingResult = ex.getBindingResult();
        StringBuilder sb = new StringBuilder("校验失败，");
        for (FieldError fieldError : bindingResult.getFieldErrors()) {
            sb.append(fieldError.getField()).append("：").append(fieldError.getDefaultMessage()).append(", ");
        }
        String msg = sb.toString();
        return ResponseData.fail(msg,400);
    }

    @ExceptionHandler({ConstraintViolationException.class})
    public Object handleConstraintViolationException(ConstraintViolationException ex) {
        return ResponseData.fail(ex.getMessage(), 400);
    }
}

如果有多个接口需要使用同一个DTO对象来接收参数，而不同的接口的校验规则是不一样的，通常通过分组校验来实现。
实例4

@Data
public class UserDTO {

    @NotNull(groups = Update.class)
    @Min(value = 1000L, groups = Update.class)
    private Long userId;

    @NotNull(groups = {Insert.class, Update.class})
    @Length(min = 2, max = 10, groups = {Insert.class, Update.class})
    private String userName;

    @NotNull(groups = {Insert.class, Update.class})
    @Length(min = 6, max = 20, groups = {Insert.class, Update.class})
    private String account;

    @NotNull(groups = {Insert.class, Update.class})
    @Length(min = 6, max = 20, groups = {Insert.class, Update.class})
    private String password;

}
public interface Insert {
}
public interface Update {
}

	@PostMapping("add3")
    public Object addUser3(@RequestBody @Validated(Insert.class) UserDTO param){
        System.out.printf("save user id is %s", param.getUserId());
        return param;
    }

    @PostMapping("update3")
    public Object updateUser3(@RequestBody @Validated(Update.class) UserDTO param){
        System.out.printf("update user is %s", param.getUserId());
        return param;
    }

返回

如果DTO对象里面的字段有基本数据类型，也出现了某个字段是一个对象，这时通过嵌套校验来实现。需要注意的是，此时DTO类的对应字段必须标记@Valid注解。
实例5

@Data
public class UserDTO {

    @NotNull(groups = Update.class)
    @Min(value = 1000L, groups = Update.class)
    private Long userId;

    @NotNull(groups = {Insert.class, Update.class})
    @Length(min = 2, max = 10, groups = {Insert.class, Update.class})
    private String userName;

    @NotNull(groups = {Insert.class, Update.class})
    @Length(min = 6, max = 20, groups = {Insert.class, Update.class})
    private String account;

    @NotNull(groups = {Insert.class, Update.class})
    @Length(min = 6, max = 20, groups = {Insert.class, Update.class})
    private String password;

    @NotNull(groups = {Insert.class, Update.class})
    @Valid
    private Job job;

    @Data
    public static class Job {

        @NotNull(groups = Update.class)
        @Min(value = 1, groups = Update.class)
        private Long jobId;

        @NotNull(groups = {Insert.class, Update.class})
        @Length(min = 2, max = 10, groups = {Insert.class, Update.class})
        private String jobName;

        @NotNull(groups = {Insert.class, Update.class})
        @Length(min = 2, max = 10, groups = {Insert.class, Update.class})
        private String position;
    }

}

返回

如果请求体直接传递了json数组到后端，并希望对数组中的每一项都进行参数校验，此时使用java.util.Collection下的list或set来接收数据，参数校验并不会生效，需要使用自定义的list集合来实现。
实例6

public class ValidationList implements List {

    @Delegate
    @Valid
    public List list = new ArrayList<>();

    @Override
    public String toString() {
        return list.toString();
    }

    public List getList() {
        return list;
    }

    public void setList(List list) {
        this.list = list;
    }
}

@PostMapping("/addList")
    public Object addList(@RequestBody @Validated(Insert.class) ValidationList userList) {
        return ResponseData.ok(userList);
    }

返回

如果出现一些特殊的业务需求，此时可以通过自定义校验来实现。假设自定义加密字段校验（由数字或者a-f的字母组成，32-256长度）。
实例7

@Data
public class UserDTO implements Serializable {

    private static final long serialVersionUID = 1L;

    @NotNull(groups = Update.class)
    @Min(value = 1000L, groups = Update.class)
    private Long userId;

    @NotNull(groups = {Insert.class, Update.class})
    @Length(min = 2, max = 10, groups = {Insert.class, Update.class})
    private String userName;

    @NotNull(groups = {Insert.class, Update.class})
    @Length(min = 6, max = 20, groups = {Insert.class, Update.class})
    private String account;

    @Encrypt(groups = {Insert.class, Update.class})
    @NotNull(groups = {Insert.class, Update.class})
    @Length(min = 6, max = 20, groups = {Insert.class, Update.class})
    private String password;

    @NotNull(groups = {Insert.class, Update.class})
    @Valid
    private Job job;

    @Data
    public static class Job {

        @NotNull(groups = Update.class)
        @Min(value = 1, groups = Update.class)
        private Long jobId;

        @NotNull(groups = {Insert.class, Update.class})
        @Length(min = 2, max = 10, groups = {Insert.class, Update.class})
        private String jobName;

        @NotNull(groups = {Insert.class, Update.class})
        @Length(min = 2, max = 10, groups = {Insert.class, Update.class})
        private String position;
    }

}

@Target({METHOD, FIELD, ANNOTATION_TYPE, CONSTRUCTOR, PARAMETER})
@Retention(RUNTIME)
@Documented
@Constraint(validatedBy = {EncryptValidator.class})
public @interface Encrypt {
    String message() default "加密格式错误";

    Class[] groups() default {};

    Class[] payload() default {};
}

public class EncryptValidator implements ConstraintValidator {

    private static final Pattern PATTERN = Pattern.compile("^[a-f\d]{32,256}$");

    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        if (value != null) {
            Matcher matcher = PATTERN.matcher(value);
            return matcher.find();
        }
        return true;
    }
}

	@PostMapping("update5")
    public Object updateUser(@RequestBody @Validated(Update.class) UserDTO param){
        System.out.printf("save user id is %s", param.getUserId());
        return param;
    }

返回

在spring-mvc中，RequestResponseBodyMethodProcessor是用于解析@RequestBody标注的参数以及处理@ResponseBody标注方法的返回值的。源码如下

参数校验还需不断的深入应用并理解其底层原理。

springboot+validation参数校验浅入浅出

Java相关栏目本月热门文章