背景:在一些对数据安全要求比较高的系统中,因为业务的需要,我们需要对mybatis中delete语句进行一些业务拦截或者校验。
实现:通过Mybatis-Plus的Interceptor接口实现,拦截StatementHandler,判断sql语句的前缀是否是delete关键字,从而实现拦截逻辑
package com.example.demo.mybatisplus;
import com.baomidou.mybatisplus.core.toolkit.CollectionUtils;
import com.google.common.base.Joiner;
import lombok.extern.slf4j.Slf4j;
import net.sf.jsqlparser.parser.CCJSqlParserUtil;
import net.sf.jsqlparser.statement.Statement;
import net.sf.jsqlparser.statement.Statements;
import net.sf.jsqlparser.statement.delete.Delete;
import org.apache.ibatis.executor.parameter.ParameterHandler;
import org.apache.ibatis.executor.statement.StatementHandler;
import org.apache.ibatis.mapping.BoundSql;
import org.apache.ibatis.mapping.MappedStatement;
import org.apache.ibatis.plugin.*;
import org.apache.ibatis.reflection.DefaultReflectorFactory;
import org.apache.ibatis.reflection.MetaObject;
import org.apache.ibatis.reflection.ReflectorFactory;
import org.apache.ibatis.reflection.factory.DefaultObjectFactory;
import org.apache.ibatis.reflection.factory.ObjectFactory;
import org.apache.ibatis.reflection.wrapper.DefaultObjectWrapperFactory;
import org.apache.ibatis.reflection.wrapper.ObjectWrapperFactory;
import org.apache.ibatis.scripting.defaults.DefaultParameterHandler;
import java.sql.*;
import java.util.*;
@Intercepts({@Signature(type = StatementHandler.class, method = "prepare",
args = {Connection.class, Integer.class})})
@Slf4j
public class DeleteEventInterceptor implements Interceptor {
private static final ReflectorFactory REFLECTOR_FACTORY = new DefaultReflectorFactory();
private static final DefaultObjectFactory OBJECT_FACTORY = new DefaultObjectFactory();
private static final DefaultObjectWrapperFactory OBJECT_WRAPPER_FACTORY = new DefaultObjectWrapperFactory();
private final static String ADDITIONAL_PARAMETERS = "additionalParameters";
/**
* 不需要拦截的表
*/
private final HashSet<String> tableExcluded = new HashSet<>();
public DeleteEventInterceptor(Collection<String> tableExcluded) {
if (CollectionUtils.isNotEmpty(tableExcluded)) {
tableExcluded.forEach(tableName -> this.tableExcluded.add(tableName.toLowerCase()));
}
}
/**
* 删掉特殊符号`
*/
private String trimSpecificSymbol(String str) {
return str.replaceAll("`", "");
}
/**
*1、intercept()方法是Interceptor的核心业务逻辑
**/
@Override
public Object intercept(Invocation invocation) throws Throwable {
//获取代理对象
final Object target = invocation.getTarget();
if (target instanceof StatementHandler) {
StatementHandler delegate = (StatementHandler) target;
//StatementHandler对象可以回去我们需要运行的sql以及sql的参数
BoundSql boundSql = delegate.getBoundSql();
String sql = boundSql.getSql().trim();
//判断sql是不是delete类型的sql
if ("delete".equalsIgnoreCase(sql.substring(0, 6))) {
Statements statements = CCJSqlParserUtil.parseStatements(sql);
Statement statement = statements.getStatements().get(0);
//获取删掉特殊符号`后的表名
String tableName = trimSpecificSymbol(((Delete) statement).getTable().getName());
//判断当前表是否配置允许删除
if (tableExcluded.contains(tableName.toLowerCase())) {
return invocation.proceed();
}
//Invocation居然还可以获取到当前mybatis同数据库的连接
Connection conn = (Connection) invocation.getArgs()[0];
//我们的业务逻辑,把需要删除的数据插入到另一个表保存
insertToDeletedTable(conn, delegate, (Delete) statement, tableName);
}
}
return invocation.proceed();
}
/**
*1、plugin()方法是Inteceptor接口实现类的逻辑入口,
*2、Plugin.wrap(target, this)返回的是target的动态代理对象
*3、StatementHandler的方法调用时会先调用其对应的拦截器,也就是上面@Intercepts里面的信息,调用拦截器时,会调用intercept()方法的逻辑
**/
@Override
public Object plugin(Object target) {
if (target instanceof StatementHandler && "delete"
.equalsIgnoreCase(((StatementHandler) target).getBoundSql().getSql().substring(0, 6))) {
return Plugin.wrap(target, this);
} else {
return target;
}
}
@Override
public void setProperties(Properties properties) {
}
private void insertToDeletedTable(Connection conn, StatementHandler delegate,
Delete statement, String tableName) throws SQLException {
final MetaObject metaStatementHandler = getMetaObject(delegate);
MappedStatement mappedStatement = (MappedStatement) metaStatementHandler
.getValue("delegate.mappedStatement");
//可以通过这个判断拦截我们的delete是否有写where条件
if (statement.getWhere() == null) {
throw new IllegalArgumentException("删除操作必须填写WHERE条件");
}
List<String> columns = getTableColumns(conn, tableName);
if (columns.isEmpty()) {
return;
}
//拼接 `column1`,`column2` 串
String insertColumns = "`" + Joiner.on("`,`").join(columns) + "`";
String where = statement.getWhere().toString();
String limit = statement.getLimit() != null ? statement.getLimit().toString() : "";
// 获取相关delete表名
String deletedTable = "d" + tableName.substring(1);
// 生成插入delete表的sql
String insertSql = String
.format("INSERT INTO %s (%s) SELECT %s FROM %s WHERE %s %s",
deletedTable, insertColumns, insertColumns, tableName, where, limit);
BoundSql boundSql = delegate.getBoundSql();
// 构造插入delete表的mybatis sql
BoundSql insertBoundSql = new BoundSql(mappedStatement.getConfiguration(), insertSql,
boundSql.getParameterMappings(), boundSql.getParameterObject());
Map<String, Object> additionalParameters = (Map<String, Object>) getMetaObject(boundSql)
.getValue(ADDITIONAL_PARAMETERS);
for (Map.Entry<String, Object> entry : additionalParameters.entrySet()) {
insertBoundSql.setAdditionalParameter(entry.getKey(), entry.getValue());
}
// 构造mybatis的参数处理器
ParameterHandler parameterHandler = new DefaultParameterHandler(mappedStatement,
boundSql.getParameterObject(), insertBoundSql);
//log.info("insertSql:{}", formatSql(insertBoundSql.getSql(), mappedStatement.getConfiguration(), insertBoundSql));
try (PreparedStatement stmt = conn.prepareStatement(insertSql)) {
// mybatis填充查询参数
parameterHandler.setParameters(stmt);
stmt.executeUpdate();
}
}
private List<String> getTableColumns(Connection conn, String tableName) throws SQLException {
List<String> columns = new LinkedList<>();
try (PreparedStatement structStmt =
conn.prepareStatement(String.format("SELECT * FROM %s LIMIT 1", tableName))) {
//居然可以通过ResultSet获取到表的所有列表字段名
try (ResultSet rs = structStmt.executeQuery()) {
ResultSetMetaData metaData = rs.getMetaData();
for (int i = 0; i < metaData.getColumnCount(); i++) {
columns.add(metaData.getColumnName(i + 1)); // 从第一个取
}
}
}
return columns;
}
/**
*1、MetaObject是mybatis的反射工具类
*2、通过该工具类可以很方便的知道某个类是否有什么方法,
*什么属性以及给属性赋值、还可以获取类属性的属性(比如:*School.student.name)等等,反正MetaObject很强大
*/
private MetaObject getMetaObject(Object obj) {
ObjectFactory objectFactory = OBJECT_FACTORY;
ObjectWrapperFactory objectWrapperFactory = OBJECT_WRAPPER_FACTORY;
MetaObject metaStatementHandler = MetaObject
.forObject(obj, objectFactory, objectWrapperFactory, REFLECTOR_FACTORY);
//如果是object是代理对象获取目标对象
while (metaStatementHandler.hasGetter("h")) {
Object object = metaStatementHandler.getValue("h");
metaStatementHandler = MetaObject
.forObject(object, objectFactory, objectWrapperFactory, REFLECTOR_FACTORY);
}
if (metaStatementHandler.hasGetter("target")) {
Object object = metaStatementHandler.getValue("target");
metaStatementHandler = MetaObject
.forObject(object, objectFactory, objectWrapperFactory, REFLECTOR_FACTORY);
}
return metaStatementHandler;
}
}
