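Let's write a very, very simple blacklisted-user example.
We write a method that fetches user information by user ID. If a user on the blacklist calls it, an exception is thrown with the message 用戶鑒定沒有權限! ("user authentication: no permission"); users not on the blacklist can read the user information.
Building a client demo
First we build a Spring Boot demo. With the environment in place, here is the main-flow code: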
/**
 * Fetch user information
 * @author liukaixiong
 * @Email liukx@elab-plus.com
 * @date 2021/11/5 - 13:38
 */
public class User {
    public String getUser(String userId) {
        System.out.println("獲取用戶編號: " + userId);
        return userId;
    }
}
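Then we expose a service endpoint over HTTP and pass the user ID as a request parameter:
@GetMapping(value = "/user", produces = "application/json;charset=UTF-8")
public Map<String, Object> user(@RequestParam("body") String body) {
    new User().getUser(body);
    // trues(): response helper defined elsewhere in the demo project (not shown on this page)
    return trues();
}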
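Under normal circumstances no exception is thrown, no matter who calls it.
Writing the blacklist plugin
We hard-code two marker values, 520 and 1314; a call whose parameter matches one of these users throws an exception.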
import com.alibaba.jvm.sandbox.api.Information;
import com.alibaba.jvm.sandbox.api.LoadCompleted;
import com.alibaba.jvm.sandbox.api.Module;
import com.alibaba.jvm.sandbox.api.ProcessController;
import com.alibaba.jvm.sandbox.api.listener.ext.Advice;
import com.alibaba.jvm.sandbox.api.listener.ext.AdviceListener;
import com.alibaba.jvm.sandbox.api.listener.ext.EventWatchBuilder;
import com.alibaba.jvm.sandbox.api.resource.ModuleEventWatcher;
import com.google.common.collect.Sets;
import org.kohsuke.MetaInfServices;

import javax.annotation.Resource;
import java.util.Set;

/**
 * User blacklist
 *
 * @author liukaixiong
 * @Email liukx@elab-plus.com
 * @date 2021/11/5 - 13:35
 */
@MetaInfServices(Module.class)
@Information(id = "debug-user-black-demo", version = "0.0.1", author = "liukaixiong")
public class BlackListModule implements Module, LoadCompleted {

    @Resource
    private ModuleEventWatcher moduleEventWatcher;

    /**
     * Blacklisted users; normally read from a database, simulated here for now
     */
    private Set<String> userBlackList = Sets.newHashSet("520", "1314");

    @Override
    public void loadCompleted() {
        new EventWatchBuilder(moduleEventWatcher)
                .onClass("com.sandbox.demo.example.User") // intercept the User class
                .includeBootstrap()
                .onBehavior("getUser") // and watch the getUser method
                .onWatch(new AdviceListener() {
                    /**
                     * Before the method is invoked, inspect its parameters
                     * @param advice advice information
                     * @throws Throwable
                     */
                    @Override
                    protected void before(Advice advice) throws Throwable {
                        if (advice.getParameterArray().length == 0) {
                            System.out.println("沒有參數,不處理!");
                            return;
                        }
                        Object userId = advice.getParameterArray()[0];
                        System.out.println("進入判斷用戶流程");
                        if (userId != null && userBlackList.contains(userId.toString())) {
                            // Abort the intercepted call by throwing to the caller
                            ProcessController.throwsImmediately(new UserTokenException("用戶鑒定沒有權限!"));
                        }
                    }
                });
    }

    class UserTokenException extends Exception {
        public UserTokenException(String message) {
            super(message);
        }
    }
}
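The plugin is now written, so we run the plugin and the demo together.
One more remark:
@Command("") means the logic is loaded in plugin form and switched on explicitly, for example by passing parameters on the command line, whereas LoadCompleted runs by default as soon as the sandbox starts.
Starting up and calling the endpoint
Startup
First upload the plugin module to the sandbox's sandbox-module directory; when the sandbox starts, it automatically loads every package in that directory.
The source code behind this will be covered in detail in the next article.
Then start the client demo service: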
java -javaagent:/elab/tools/sandbox/lib/sandbox-agent.jar -Djavax.net.debug=ssl -Xdebug -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5050 -jar z-demo-1.3.3.jar
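A brief explanation of the parameters:
# Remote debugging parameters: open port 5050 so the source can be debugged from IDEA
-Djavax.net.debug=ssl -Xdebug -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5050
# The agent parameter for the sandbox
-javaagent:/elab/tools/sandbox/lib/sandbox-agent.jar
# The Spring Boot way of starting the application
java -jar z-demo-1.3.3.jar
Note that the -javaagent parameter does not take a -D prefix; I was stuck on this for a while.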
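How do we check whether the agent attached successfully?
# Find the PID of the Java process, e.g. 7695
jps -l
# List listening ports with their owning processes
netstat -ntpl
# Check whether 7695 has two entries: one for the agent and one for the application port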
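The check above can be scripted. The following is an added example, not part of the original post: it lists the TCP listeners owned by one PID from `netstat -ntpl` output and separates out those bound to a non-loopback address, which matters here because the launch command opens a JDWP debug port (5050) and JDWP has no authentication. The netstat text is a constructed sample; port 44619 is a stand-in for the sandbox agent's port and the PID 1300 row exists only to show the loopback case.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntpl` output (not captured from a real host).
# 5050 = JDWP debug port and 5505 = application port, as used on this page;
# 44619 = assumed stand-in for the sandbox agent's listener.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5050            0.0.0.0:*               LISTEN      7695/java
tcp6       0      0 :::5505                 :::*                    LISTEN      7695/java
tcp        0      0 0.0.0.0:44619           0.0.0.0:*               LISTEN      7695/java
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/master
EOF
}

# Print the local address of every TCP listener owned by PID $1.
# Reads netstat text on stdin; matching "PID/" avoids prefix hits (769 vs 7695).
listeners_for_pid() {
    awk -v pid="$1" '$6 == "LISTEN" && index($7, pid "/") == 1 { print $4 }'
}

# Same as above, but keep only listeners reachable from other hosts,
# i.e. not bound to 127.0.0.0/8 or ::1.
exposed_listeners_for_pid() {
    listeners_for_pid "$1" | grep -v -e '^127\.' -e '^::1:' || true
}

# Stand-alone run against the constructed sample; on a real host use:
#   netstat -ntpl | exposed_listeners_for_pid "$(jps -l | awk '/z-demo/ {print $1}')"
echo "listeners for 7695:"
sample_netstat | listeners_for_pid 7695
echo "reachable from other hosts:"
sample_netstat | exposed_listeners_for_pid 7695
```

If 5050 shows up in the second list, the debug port is open to the network; giving JDWP a host as well, `address=127.0.0.1:5050`, keeps that listener on loopback.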
Calling the remote service
Request
http://xxxx:5505/user?body=520
and check whether the exception appears in the backend log:
com.alibaba.jvm.sandbox.module.debug.BlackListModule$UserTokenException: 用戶鑒定沒有權限!
at com.alibaba.jvm.sandbox.module.debug.BlackListModule$1.before(BlackListModule.java:59) ~[na:na]
at com.alibaba.jvm.sandbox.api.listener.ext.AdviceAdapterListener.switchEvent(AdviceAdapterListener.java:99) ~[na:na]
at com.alibaba.jvm.sandbox.api.listener.ext.AdviceAdapterListener.onEvent(AdviceAdapterListener.java:39) ~[na:na]
at com.alibaba.jvm.sandbox.core.enhance.weaver.EventListenerHandler.handleEvent(EventListenerHandler.java:117) ~[na:na]
at com.alibaba.jvm.sandbox.core.enhance.weaver.EventListenerHandler.handleOnBefore(EventListenerHandler.java:353) ~[na:na]
at java.com.alibaba.jvm.sandbox.spy.Spy.spyMethodOnBefore(Spy.java:164) ~[na:na]
at com.sandbox.demo.example.User.getUser(User.java) ~[classes!/:na]
at com.sandbox.demo.controller.DemoController.user(DemoController.java:43) ~[classes!/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_302]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_302]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_302]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_302]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:878) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:792) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:626) ~[tomcat-embed-core-9.0.39.jar!/:4.0.FR]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) ~[tomcat-embed-core-9.0.39.jar!/:4.0.FR]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-embed-websocket-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_302]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_302]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_302]
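With any other parameter value the endpoint can be accessed normally again, which shows the instrumentation worked.
The plugin is in effect!
At this point we can start thinking about some more valuable tricks~
Let me think it over properly, and then I will publish some more advanced demos.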