|
關(guān)注微信公眾號(hào):CodingTechWork,一起學(xué)習(xí)進(jìn)步��。
介紹
模板需求說(shuō)明
??開(kāi)發(fā)中經(jīng)常遇到前端傳遞過(guò)來(lái)的JSON串的轉(zhuǎn)換�����,后端需要解析成對(duì)象�,有解析成List的,也有解析成Map的��。
??我們對(duì)Fastjson并不陌生�����,F(xiàn)astjson 是阿里巴巴的開(kāi)源JSON解析庫(kù)���。Fastjson可以看解析JSON格式的字符串�����,支持后端將Java Bean序列化成JSON字符串供給前端使用�,也可以從前端傳遞過(guò)來(lái)的JSON字符串反序列化成Java Bean供給后端邏輯使用。
Fastjson依賴
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.70</version>
</dependency>
低版本漏洞
??由于低版本(version <= 1.2.68)的fastjson存在遠(yuǎn)程代碼執(zhí)行漏洞���,該bug可以被利用直接獲取服務(wù)器權(quán)限�。
漏洞修復(fù)方案
??引入高版本后(version >= 1.2.69)�,前后端交互的bean中會(huì)出現(xiàn)循環(huán)引用,因此我們需要在工程的Application類中main函數(shù)中添加以下代碼禁止循環(huán)引用檢測(cè)��。
JSON.DEFAULT_GENERATE_FEATURE |= SerializerFeature.DisableCircularReferenceDetect.getMask();
??除了引入高版本�����,我們還可以通過(guò)配置開(kāi)啟SafeMode來(lái)防護(hù)攻擊�����,完全禁用autoType���,無(wú)視白名單,這會(huì)對(duì)業(yè)務(wù)有一定影響�。
ParserConfig.getGlobalInstance.setSafeMode(true);
解析模板
Response獲取成String
public static String getResponseAsString(final HttpResponse response) {
try {
return EntityUtils.toString(response.getEntity(), "UTF-8");
} catch (final ParseException e) {
throw new RuntimeException(e);
} catch (final IOException e) {
throw new RuntimeException(e);
}
}
JSON串解析
若已通過(guò)上述的Response方法轉(zhuǎn)換成了String類型字符串為appsStr。
JSON示例
JSON轉(zhuǎn)換對(duì)象
try {
//獲取第一級(jí)對(duì)象
JSONObject appsJSONObject = JSON.parseObject(appsStr).getJSONObject("apps");
//判斷是否為空
if (appsJSONObject == null || appsJSONObject .size() <= 0) {
log.info("json has no apps");
}
//獲取第二級(jí)對(duì)象數(shù)組JSONArray
JSONArray appJSONArray = appsJSONObject .getJSONArray("app");
//轉(zhuǎn)換成二級(jí)對(duì)象字符串
String appStr = JSON.toJSONString(appJSONArray );
//字符串轉(zhuǎn)換成第二級(jí)對(duì)象數(shù)組List
List<Map> appList = new ArrayList<>();
appList = JSONObject.parseArray(appStr, Map.class);
log.info("length: {}", appList.size());
} catch (Exception e) {
log.error(e.getMessage());
}
常用三類轉(zhuǎn)換
轉(zhuǎn)換bean對(duì)象
//其他方式獲取到的Object對(duì)象
Object obj = xxx;
String responseStr = JSON.toJSONString(obj);
XXXXBean xxxxBean = JSON.parseObject(responseStr, XXXXBean.class);
轉(zhuǎn)換Map
Object obj = xxx;
String responseStr = JSON.toJSONString(obj);
Map<String, Object> map = JSONObject.parseObject(responseStr,Map.class);
轉(zhuǎn)換List
Object obj = xxx;
String responseStr = JSON.toJSONString(obj);
List<Map> mapList = JSON.parseArray(responseStr , Map.class);
List<XXXBean> xxxList = JSONObject.parseArray(responseStr, XXXBean.class);
FastJson API
序列化API
package com.alibaba.fastjson;
public abstract class JSON {
// 1���、toJSONString():將Java對(duì)象object序列化為JSON字符串���,支持各種各種Java基本類型和JavaBean
public static String toJSONString(Object object, SerializerFeature... features);
// 2、toJSONBytes():將Java對(duì)象object序列化為JSON字符串���,按UTF-8編碼返回JSON字符串bytes
public static byte[] toJSONBytes(Object object, SerializerFeature... features);
// 3��、writeJSONString():將Java對(duì)象object序列化為JSON字符串�����,寫入到Writer中
public static void writeJSONString(Writer writer,
Object object,
SerializerFeature... features);
// 4���、writeJSONString():將Java對(duì)象object序列化為JSON字符串,按UTF-8編碼寫入到OutputStream中
public static final int writeJSONString(OutputStream os, //
Object object, //
SerializerFeature... features);
}
反序列化API
package com.alibaba.fastjson;
public abstract class JSON {
// 1����、將JSON字符串jsonStr反序列化為JavaBean對(duì)象
public static <T> T parseObject(String jsonStr,
Class<T> clazz,
Feature... features);
// 2、將JSON字節(jié)反序列化為JavaBean對(duì)象
public static <T> T parseObject(byte[] jsonBytes, // UTF-8格式的JSON字符串
Class<T> clazz,
Feature... features);
// 3�、將JSON字符串反序列化為泛型類型的JavaBean對(duì)象
public static <T> T parseObject(String text,
TypeReference<T> type,
Feature... features);
// 4、將JSON字符串反序列為JSONObject
public static JSONObject parseObject(String text);
}
模板
序列化模板
JavaBean —> JSON String
import com.alibaba.fastjson.JSON;
XXXBean xxxBean = ...;
String jsonStr = JSON.toJSONString(xxxBean);
JavaBean —> JSON Bytes
import com.alibaba.fastjson.JSON;
XXXBean xxxBean = ...;
byte[] jsonBytes = JSON.toJSONBytes(xxxBean);
JavaBean —> JSON Writer
import com.alibaba.fastjson.JSON;
XXXBean xxxBean = ...;
Writer writer = ...;
JSON.writeJSONString(writer, xxxBean);
JavaBean —> JSON OutputStream
import com.alibaba.fastjson.JSON;
XXXBean xxxBean = ...;
OutputStream outputStream = ...;
JSON.writeJSONString(outputStream, xxxBean);
反序列化模板
JSON String —> JavaBean
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
String jsonStr = ...;
XXXBean xxxBean = JSON.parseObject(jsonStr, XXXBean.class);
JSON Bytes —> JavaBean
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
byte[] jsonBytes = ...;
XXXBean xxxBean = JSON.parseObject(jsonBytes, XXXBean.class);
JSON Generic Type —> JavaBean
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
String jsonStr = ...;
XXXBean xxxBean = JSON.parseObject(jsonStr, new TypeReference<XXXBean>() {});
Type type = new TypeReference<List<XXXBean>>() {}.getType();
List<XXXBean> list = JSON.parseObject(jsonStr, type);
JSON String —> JavaBean
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
String jsonStr = ...;
JSONObject jsonObj = JSON.parseObject(jsonStr);
|
