A simple example of MULE Validation (together with Database)

Tool              Version
mule-standalone   3.9.0
Anypoint-Studio   6.4.0

Preface
Goal of the example: accept the JSON parameters tableName and actionType from the front end, query the corresponding table in the database, convert the result to JSON and return it to the front end. Along the way the front-end parameters are checked with a Validation element: the check verifies that neither parameter is null and that the tableName parameter does not contain the illegal character sequence "--" (simulating a SQL injection check).
The reason SQL injection is possible at all is that the Query Type of the Database element is set to Dynamic rather than Parameterized.

Query Type                                | Advantages                                                                                                   | Disadvantages
Parameterized (officially recommended)    | (1) effectively prevents SQL injection (2) more efficient for repeated queries (3) provides type management | less flexible than Dynamic
Dynamic                                   | (1) more flexible SQL (2) more efficient than Parameterized when the query runs only once                    | SQL injection is possible, and the developer must determine the type of each parameter value

For more detail, see the official documentation listed at the end.

Validation supports many kinds of checks. When a check fails, a MultipleValidationException is thrown with a message describing the failure (the default message is terse, but it can be customized). Validation can also throw a different exception type, and you can even write your own code to implement a custom Validation.

Flow structure diagram

XML document

<?xml version="1.0" encoding="UTF-8"?>

<mule xmlns:validation="http://www.mulesoft.org/schema/mule/validation" xmlns:db="http://www.mulesoft.org/schema/mule/db" xmlns:json="http://www.mulesoft.org/schema/mule/json" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
    xmlns:spring="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/db http://www.mulesoft.org/schema/mule/db/current/mule-db.xsd
http://www.mulesoft.org/schema/mule/json http://www.mulesoft.org/schema/mule/json/current/mule-json.xsd
http://www.mulesoft.org/schema/mule/validation http://www.mulesoft.org/schema/mule/validation/current/mule-validation.xsd">
    <http:listener-config name="HTTP_Listener_Configuration" host="0.0.0.0" port="8081" doc:name="HTTP Listener Configuration"/>
    <db:oracle-config name="Oracle_Configuration" host="localhost" port="1521" instance="orcl" user="hr" password="hr" doc:name="Oracle Configuration"/>
    <flow name="MainFlow">
        <http:listener config-ref="HTTP_Listener_Configuration" path="/db" allowedMethods="POST" doc:name="HTTP"/>
        <expression-filter expression="#[message.inboundProperties.'http.request.path' != 'favicon.ico']" doc:name="filter favicon request"/>
        <set-variable variableName="actionType" value="#[json:/'actionType']" doc:name="actionType"/>
        <set-variable variableName="tableName" value="#[json:/'tableName']" doc:name="tableName"/>
        <validation:all doc:name="Validation">
            <validation:validations>
                <validation:is-not-null value="#[flowVars.tableName]" message="表名不能为空"/>
                <validation:is-not-null value="#[flowVars.actionType]" message="操作类型不能为空"/>
                <!-- is-true: fail unless the table name is free of "--" -->
                <validation:is-true expression="#[!flowVars.tableName.contains(&quot;--&quot;)]" message="表名参数含有非法字符"/>
            </validation:validations>
        </validation:all>
        <db:select config-ref="Oracle_Configuration" doc:name="Database">
            <!-- Dynamic query: the table name is spliced into the SQL text as-is -->
            <db:dynamic-query><![CDATA[select * from #[flowVars.tableName]]]></db:dynamic-query>
        </db:select>
        <json:object-to-json-transformer doc:name="Object to JSON"/>
    </flow>
</mule>

Database configuration

If Query Type is set to Parameterized, an error is reported, because a bind parameter can only stand in for a value, not for an identifier such as the table name.

Validation configuration

The is-true validation uses a MEL expression to check whether the parameter contains the character sequence "--", simulating a SQL injection guard. The failure message was also customized, and the Validator type All is chosen so that several validations can be configured at once.
The expression: #[!flowVars.tableName.contains("--")]
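As an added example (not part of the original post), the same validation:all block rewritten so the table name is checked against an allowlist rather than a blocklist of "--": the validation module's not-empty validator replaces is-not-null, matches-regex limits the value to one bare identifier, and an is-true MEL check restricts it to the tables this endpoint is meant to expose. The regex, the length limit and the table names EMPLOYEES and DEPARTMENTS are assumptions for illustration.

```xml
<!-- Added example, not from the original post: allowlist the table name
     before it is spliced into the dynamic query. Table names are assumed. -->
<validation:all doc:name="Validation">
    <validation:validations>
        <!-- not-empty also rejects "", which is-not-null would let through -->
        <validation:not-empty value="#[flowVars.tableName]" message="tableName must not be empty"/>
        <validation:not-empty value="#[flowVars.actionType]" message="actionType must not be empty"/>
        <!-- shape check: a single bare identifier, so no spaces, quotes, ';' or '--' can reach the SQL -->
        <validation:matches-regex value="#[flowVars.tableName]" regex="^[A-Za-z][A-Za-z0-9_]{0,29}$" message="tableName contains illegal characters"/>
        <!-- membership check: only the tables this endpoint is meant to expose (assumed names);
             the null test keeps the MEL call null-safe when tableName is missing -->
        <validation:is-true expression="#[flowVars.tableName != null &amp;&amp; ['EMPLOYEES','DEPARTMENTS'].contains(flowVars.tableName.toUpperCase())]" message="tableName is not an allowed table"/>
    </validation:validations>
</validation:all>
```

Because validation:all runs every validator, a bad request reports all of its problems in one MultipleValidationException instead of stopping at the first.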

Send JSON with the Postman tool to test the flow


The Anypoint Studio console shows the exception, with the configured message stating that the parameter contains illegal characters. At this point the exception can be caught for further handling; for a simple example of exception handling, see the exception example.

(Excerpt from the official documentation)
The validations module was designed following these principles:
* If the message doesn’t meet the specified criteria, the validation fails and a ValidationException is thrown.
* By default, this exception has a meaningful message attached. You can optionally customize this message and change the type of exception thrown, as long as the new exception type has a constructor that overrides Exception(String).
* In case you want to throw an Exception type that lacks this constructor, or in which its creation is not trivial, or in which you want it to contain additional information, you can build a custom validator.

References
Official documentation on the Query Type setting
Official documentation on Validation configuration

Reposted from blog.csdn.net/CGYDAWN/article/details/80237624