我们来编写一个非常非常简单的黑名单用户的案例。

编写一个方法，通过用户编号获取用户信息，但是在黑名单内的用户访问的话，会抛出一个异常:用户鉴定没有权限!，非黑名单的用户则可以访问用户信息。

构建一个客户端demo

首先我们构建一个springboot的demo,具体环境就搭建了,直接上主流程代码:

/**
 * 获取用户信息
 * @author liukaixiong
 * @Email liukx@elab-plus.com
 * @date 2021/11/5 - 13:38
 */
public class User {

    public String getUser(String userId) {
        System.out.println("获取用户编号: " + userId);
        return userId;
    }

}

然后我们通过HTTP接口暴露一个服务接口，通过参数传递userid：

@GetMapping(value = "/user", produces = "application/json;charset=UTF-8")
public Map<String, Object> user(@RequestParam("body") String body) {
    new User().getUser(body);
    return trues();
}

正常情况的话，无论谁访问都不会抛出异常。

编写黑名单插件

通过写死一个标记520、1314标识参数的用户抛出异常

import com.alibaba.jvm.sandbox.api.Information;
import com.alibaba.jvm.sandbox.api.LoadCompleted;
import com.alibaba.jvm.sandbox.api.Module;
import com.alibaba.jvm.sandbox.api.ProcessController;
import com.alibaba.jvm.sandbox.api.listener.ext.Advice;
import com.alibaba.jvm.sandbox.api.listener.ext.AdviceListener;
import com.alibaba.jvm.sandbox.api.listener.ext.EventWatchBuilder;
import com.alibaba.jvm.sandbox.api.resource.ModuleEventWatcher;
import com.google.common.collect.Sets;
import org.kohsuke.MetaInfServices;

import javax.annotation.Resource;
import java.util.Set;

/**
 * 用戶黑名单
 *
 * @author liukaixiong
 * @Email liukx@elab-plus.com
 * @date 2021/11/5 - 13:35
 */
@MetaInfServices(Module.class)
@Information(id = "debug-user-black-demo", version = "0.0.1", author = "liukaixiong")
public class BlackListModule implements Module, LoadCompleted {
    
    @Resource
    private ModuleEventWatcher moduleEventWatcher;

    /**
     * 黑名单用户，正常来说是从数据库读取,这么先模拟
     */
    private Set<String> userBlackList = Sets.newHashSet("520", "1314");

    @Override
    public void loadCompleted() {
        
        new EventWatchBuilder(moduleEventWatcher)
                .onClass("com.sandbox.demo.example.User") // 拦截User类
                .includeBootstrap()
                .onBehavior("getUser") // 并观察getUser方法
                .onWatch(new AdviceListener() {
                    /**
                     * 调用方法之前，我需要判断参数
                     * @param advice 通知信息
                     * @throws Throwable
                     */
                    @Override
                    protected void before(Advice advice) throws Throwable {

                        if (advice.getParameterArray().length == 0) {
                            System.out.println("没有参数，不处理！");
                            return;
                        }

                        Object userId = advice.getParameterArray()[0];
                        System.out.println("进入判断用户流程");
                        if (userId != null && userBlackList.contains(userId.toString())) {
                            ProcessController.throwsImmediately(new UserTokenException("用户鉴定没有权限!"));
                        }
                    }
                });
    }

    class UserTokenException extends Exception {

        public UserTokenException(String message) {
            super(message);
        }
    }
}

插件已经编写完毕了，这个时候我们将插件和案例结合运行。

另外再提一句:

通过@Comand("")命令代表的是以插件的形式加载比如通过命令行指定参数开启，而通过*LoadCompleted*则是沙箱启动的时候，默认就会启动。

启动并且访问接口

启动

先上传插件模块到沙箱的sandbox-module目录下，随着sandbox沙箱的启动，会自动加载这个目录下的所有包。

源码放在下篇重点说说。

然后启动客户端demo服务

java -javaagent:/elab/tools/sandbox/lib/sandbox-agent.jar -Djavax.net.debug=ssl -Xdebug  -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5050 -jar z-demo-1.3.3.jar

参数稍微解释下:

# 1. 这里是远程调试参数，开启一个5050端口，可以在IDEA中源码调试
-Djavax.net.debug=ssl -Xdebug  -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5050
# 这里是代理的agent参数
-javaagent:/elab/tools/sandbox/lib/sandbox-agent.jar
# SpringBoot的启动方式。
java -jar z-demo-1.3.3.jar

需要注意的是-javaagent参数不需要加-D，之前也是这里卡了一会。

如何看代理是否成功？

# 查看java进程的pid，比如7695
jps -l
# 查看端口进程
netstat -ntpl

# 查看7695是否是有两个进程，一个是agent的，一个是应用端口的

访问远程

通过访问

http://xxxx:5505/user?body=520

查看后台日志是否出现异常:

com.alibaba.jvm.sandbox.module.debug.BlackListModule$UserTokenException: 用户鉴定没有权限!
    at com.alibaba.jvm.sandbox.module.debug.BlackListModule$1.before(BlackListModule.java:59) ~[na:na]
    at com.alibaba.jvm.sandbox.api.listener.ext.AdviceAdapterListener.switchEvent(AdviceAdapterListener.java:99) ~[na:na]
    at com.alibaba.jvm.sandbox.api.listener.ext.AdviceAdapterListener.onEvent(AdviceAdapterListener.java:39) ~[na:na]
    at com.alibaba.jvm.sandbox.core.enhance.weaver.EventListenerHandler.handleEvent(EventListenerHandler.java:117) ~[na:na]
    at com.alibaba.jvm.sandbox.core.enhance.weaver.EventListenerHandler.handleOnBefore(EventListenerHandler.java:353) ~[na:na]
    at java.com.alibaba.jvm.sandbox.spy.Spy.spyMethodOnBefore(Spy.java:164) ~[na:na]
    at com.sandbox.demo.example.User.getUser(User.java) ~[classes!/:na]
    at com.sandbox.demo.controller.DemoController.user(DemoController.java:43) ~[classes!/:na]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_302]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_302]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_302]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_302]
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:878) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:792) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:626) ~[tomcat-embed-core-9.0.39.jar!/:4.0.FR]
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) ~[tomcat-embed-core-9.0.39.jar!/:4.0.FR]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-embed-websocket-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.10.RELEASE.jar!/:5.2.10.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_302]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_302]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.39.jar!/:9.0.39]
    at java.lang.Thread.run(Thread.java:748) [na:1.8.0_302]

换成其他的参数，又可以正常访问，说明代理成功了。

插件已经生效了!

至此，我们可以思考一些更有价值的骚操作啦~

容我好好想想，然后再出一些更高级的demo。