# Implementing All Kinds of Parameter Validation in Spring Boot: So Well Written, Worth Bookmarking!
I previously wrote an article about using Spring Validation, but it felt superficial to me, so this time I intend to understand Spring Validation thoroughly. This article covers best practices for Spring Validation in a range of scenarios, along with how it works under the hood.

## Basic usage

The Java API specification (JSR303) defines the Bean Validation standard, `validation-api`, but provides no implementation. Hibernate Validation implements the specification and adds constraint annotations such as `@Email` and `@Length`. Spring Validation is a second layer of wrapping around Hibernate Validation that supports automatic parameter validation in Spring MVC. The rest of this article uses a spring-boot project to show how Spring Validation is used.

### Adding the dependency

If the spring-boot version is lower than 2.3.x, `spring-boot-starter-web` pulls in the `hibernate-validator` dependency automatically. If the spring-boot version is higher than 2.3.x, the dependency has to be added manually:

```xml
<dependency>
    <groupId>org.hibernate</groupId>
    <artifactId>hibernate-validator</artifactId>
    <version>6.0.1.Final</version>
</dependency>
```

For a web service, parameters must be validated at the Controller layer so that illegal input cannot affect the business logic. In most cases request parameters arrive in one of two forms:

- POST and PUT requests pass parameters with `requestBody`.
- GET requests pass parameters with `requestParam`/`PathVariable`.

The sections below walk through validation for both forms.

### requestBody parameter validation

POST and PUT requests usually pass parameters in the request body, and the back end receives them in a DTO object. Adding the `@Validated` annotation to the DTO parameter is enough to get automatic validation. For example, suppose there is an endpoint that saves a User and requires `userName` to be 2-10 characters long and `account` and `password` to be 6-20 characters long. If validation fails, a `MethodArgumentNotValidException` is thrown, which Spring converts to a 400 (Bad Request) response by default.

A DTO is a Data Transfer Object, used to carry data between server and client. In a spring-web project it can be the bean that receives the request parameters.

Declare constraint annotations on the DTO fields:

```java
@Data
public class UserDTO {

    private Long userId;

    @NotNull
    @Length(min = 2, max = 10)
    private String userName;

    @NotNull
    @Length(min = 6, max = 20)
    private String account;

    @NotNull
    @Length(min = 6, max = 20)
    private String password;
}
```

Declare the validation annotation on the method parameter:

```java
@PostMapping("/save")
public Result saveUser(@RequestBody @Validated UserDTO userDTO) {
    // Business logic runs only after validation passes
    return Result.ok();
}
```

In this case either `@Valid` or `@Validated` can be used.

### requestParam/PathVariable parameter validation

GET requests usually pass parameters with `requestParam`/`PathVariable`. If there are many parameters (more than 6, say), receiving them in a DTO object is still recommended. Otherwise, the recommendation is to list the parameters one by one in the method signature. In that case the Controller class must be annotated with `@Validated`, and the constraint annotations (such as `@Min`) are declared on the parameters. If validation fails, a `ConstraintViolationException` is thrown. Example:

```java
@RequestMapping("/api/user")
@RestController
@Validated
public class UserController {

    // Path variable
    @GetMapping("{userId}")
    public Result detail(@PathVariable("userId") @Min(10000000000000000L) Long userId) {
        // Business logic runs only after validation passes
        UserDTO userDTO = new UserDTO();
        userDTO.setUserId(userId);
        userDTO.setAccount("11111111111111111");
        userDTO.setUserName("xixi");
        return Result.ok(userDTO);
    }

    // Query parameter
    @GetMapping("getByAccount")
    public Result getByAccount(@Length(min = 6, max = 20) @NotNull String account) {
        // Business logic runs only after validation passes
        UserDTO userDTO = new UserDTO();
        userDTO.setUserId(10000000000000003L);
        userDTO.setAccount(account);
        userDTO.setUserName("xixi");
        return Result.ok(userDTO);
    }
}
```

### Unified exception handling

As mentioned above, a validation failure throws `MethodArgumentNotValidException` or `ConstraintViolationException`. In real projects a unified exception handler is usually used to return a friendlier message. For example, our system requires that the HTTP status code is always 200 whatever exception occurs, and that a business code distinguishes the error cases.

```java
@RestControllerAdvice
public class CommonExceptionHandler {

    @ExceptionHandler({MethodArgumentNotValidException.class})
    @ResponseStatus(HttpStatus.OK)
    @ResponseBody
    public Result handleMethodArgumentNotValidException(MethodArgumentNotValidException ex) {
        BindingResult bindingResult = ex.getBindingResult();
        StringBuilder sb = new StringBuilder("校验失败:");
        // Append "field:message" for every field that failed validation
        for (FieldError fieldError : bindingResult.getFieldErrors()) {
            sb.append(fieldError.getField()).append(":").append(fieldError.getDefaultMessage()).append(", ");
        }
        String msg = sb.toString();
        return Result.fail(BusinessCode.参数校验失败, msg);
    }

    @ExceptionHandler({ConstraintViolationException.class})
    @ResponseStatus(HttpStatus.OK)
    @ResponseBody
    public Result handleConstraintViolationException(ConstraintViolationException ex) {
        return Result.fail(BusinessCode.参数校验失败, ex.getMessage());
    }
}
```

## Advanced usage

### Group validation

In a real project several methods may receive their parameters in the same DTO class while needing different validation rules. Simply putting constraint annotations on the DTO fields cannot handle that, so spring-validation supports validation groups for exactly this purpose. Continuing the example above: when saving a User, `userId` may be null, but when updating a User, `userId` must be at least `10000000000000000L`; the rules for the other fields are the same in both cases. The group-based code looks like this.

Declare the applicable `groups` on the constraint annotations:

```java
@Data
public class UserDTO {

    @Min(value = 10000000000000000L, groups = Update.class)
    private Long userId;

    @NotNull(groups = {Save.class, Update.class})
    @Length(min = 2, max = 10, groups = {Save.class, Update.class})
    private String userName;

    @NotNull(groups = {Save.class, Update.class})
    @Length(min = 6, max = 20, groups = {Save.class, Update.class})
    private String account;

    @NotNull(groups = {Save.class, Update.class})
    @Length(min = 6, max = 20, groups = {Save.class, Update.class})
    private String password;

    /**
     * Validation group used when saving
     */
    public interface Save {
    }

    /**
     * Validation group used when updating
     */
    public interface Update {
    }
}
```

Specify the validation group on the `@Validated` annotation:

```java
@PostMapping("/save")
public Result saveUser(@RequestBody @Validated(UserDTO.Save.class) UserDTO userDTO) {
    // Business logic runs only after validation passes
    return Result.ok();
}

@PostMapping("/update")
public Result updateUser(@RequestBody @Validated(UserDTO.Update.class) UserDTO userDTO) {
    // Business logic runs only after validation passes
    return Result.ok();
}
```

### Nested validation

In the examples so far, every DTO field is a primitive type or a `String`. In practice a field may itself be an object, and in that case nested validation can be used. For example, the User being saved above may also carry Job information. Note that the corresponding field of the DTO class must then be marked with `@Valid`.

```java
@Data
public class UserDTO {

    @Min(value = 10000000000000000L, groups = Update.class)
    private Long userId;

    @NotNull(groups = {Save.class, Update.class})
    @Length(min = 2, max = 10, groups = {Save.class, Update.class})
    private String userName;

    @NotNull(groups = {Save.class, Update.class})
    @Length(min = 6, max = 20, groups = {Save.class, Update.class})
    private String account;

    @NotNull(groups = {Save.class, Update.class})
    @Length(min = 6, max = 20, groups = {Save.class, Update.class})
    private String password;

    @NotNull(groups = {Save.class, Update.class})
    @Valid
    private Job job;

    @Data
    public static class Job {

        @Min(value = 1, groups = Update.class)
        private Long jobId;

        @NotNull(groups = {Save.class, Update.class})
        @Length(min = 2, max = 10, groups = {Save.class, Update.class})
        private String jobName;

        @NotNull(groups = {Save.class, Update.class})
        @Length(min = 2, max = 10, groups = {Save.class, Update.class})
        private String position;
    }

    /**
     * Validation group used when saving
     */
    public interface Save {
    }

    /**
     * Validation group used when updating
     */
    public interface Update {
    }
}
```

Nested validation can be combined with group validation. Nested collection validation also validates every item in the collection: for a `List<Job>` field, every `Job` object in the list is validated.

### Collection validation

Suppose the request body is a JSON array and every item in the array should be validated. If the data is received directly in a `List` or `Set` from `java.util.Collection`, parameter validation does not take effect. A custom list collection can be used to receive the parameter instead.

Wrap the `List` type and declare the `@Valid` annotation:

```java
public class ValidationList<E> implements List<E> {

    @Delegate // @Delegate is a Lombok annotation
    @Valid    // The @Valid annotation is required
    public List<E> list = new ArrayList<>();

    // Remember to override toString()
    @Override
    public String toString() {
        return list.toString();
    }
}
```

The `@Delegate` annotation depends on the Lombok version; versions above 1.18.6 support it. If validation fails, a `NotReadablePropertyException` is thrown, which can also be handled by the unified exception handler.

For example, to save several User objects in one request, the Controller method can be written like this:

```java
@PostMapping("/saveList")
public Result saveList(@RequestBody @Validated(UserDTO.Save.class) ValidationList<UserDTO> userList) {
    // Business logic runs only after validation passes
    return Result.ok();
}
```

### Custom validation

Business requirements are always more complex than the simple checks the framework provides, so custom constraints can be written to meet them. Writing a custom spring validation constraint is very simple. Suppose we want to validate a custom encrypted id (digits or the letters a-f, 32-256 characters long). There are two steps.

Define the constraint annotation:

```java
import static java.lang.annotation.ElementType.*;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

@Target({METHOD, FIELD, ANNOTATION_TYPE, CONSTRUCTOR, PARAMETER})
@Retention(RUNTIME)
@Documented
@Constraint(validatedBy = {EncryptIdValidator.class})
public @interface EncryptId {

    // Default error message
    String message() default "加密id格式错误";

    // Groups
    Class<?>[] groups() default {};

    // Payload
    Class<? extends Payload>[] payload() default {};
}
```

Implement the `ConstraintValidator` interface to write the constraint validator:

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class EncryptIdValidator implements ConstraintValidator<EncryptId, String> {

    private static final Pattern PATTERN = Pattern.compile("^[a-f\\d]{32,256}$");

    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        // Only validate non-null values
        if (value != null) {
            Matcher matcher = PATTERN.matcher(value);
            // matches() requires the whole value to match; find() with ^...$
            // would also accept a value that ends with a line terminator
            return matcher.matches();
        }
        return true;
    }
}
```

With that in place, `@EncryptId` can be used for parameter validation.

### Programmatic validation

The examples above all rely on annotations for automatic validation. In some cases we may want to invoke validation programmatically. To do that, inject a `javax.validation.Validator` object and call its API.

```java
@Autowired
private javax.validation.Validator globalValidator;

// Programmatic validation
@PostMapping("/saveWithCodingValidate")
public Result saveWithCodingValidate(@RequestBody UserDTO userDTO) {
    Set<ConstraintViolation<UserDTO>> validate = globalValidator.validate(userDTO, UserDTO.Save.class);
    // If validation passes, validate is empty; otherwise it holds the failed constraints
    if (validate.isEmpty()) {
        // Business logic runs only after validation passes
    } else {
        for (ConstraintViolation<UserDTO> userDTOConstraintViolation : validate) {
            // Validation failed; handle it some other way
            System.out.println(userDTOConstraintViolation);
        }
    }
    return Result.ok();
}
```

### Fail fast

By default Spring Validation validates every field and only then throws an exception. With a little configuration, Fail Fast mode can be enabled so that validation returns as soon as one check fails.

```java
@Bean
public Validator validator() {
    ValidatorFactory validatorFactory = Validation.byProvider(HibernateValidator.class)
            .configure()
            // Fail-fast mode
            .failFast(true)
            .buildValidatorFactory();
    return validatorFactory.getValidator();
}
```

### Differences between @Valid and @Validated

| Difference | @Valid | @Validated |
| --- | --- | --- |
| Provider | JSR-303 specification | Spring |
| Supports groups | No | Yes |
| Annotation targets | METHOD, FIELD, CONSTRUCTOR, PARAMETER, TYPE_USE | TYPE, METHOD, PARAMETER |
| Nested validation | Supported | Not supported |

## How it works

### How requestBody parameter validation works

In spring-mvc, `RequestResponseBodyMethodProcessor` resolves parameters annotated with `@RequestBody` and handles the return values of methods annotated with `@ResponseBody`. The parameter validation logic therefore has to be in the argument-resolving method `resolveArgument()`:

```java
public class RequestResponseBodyMethodProcessor extends AbstractMessageConverterMethodProcessor {

    @Override
    public Object resolveArgument(MethodParameter parameter, @Nullable ModelAndViewContainer mavContainer,
                                  NativeWebRequest webRequest, @Nullable WebDataBinderFactory binderFactory) throws Exception {

        parameter = parameter.nestedIfOptional();
        // Bind the request data to the DTO object
        Object arg = readWithMessageConverters(webRequest, parameter, parameter.getNestedGenericParameterType());
        String name = Conventions.getVariableNameForParameter(parameter);

        if (binderFactory != null) {
            WebDataBinder binder = binderFactory.createBinder(webRequest, arg, name);
            if (arg != null) {
                // Run data validation
                validateIfApplicable(binder, parameter);
                if (binder.getBindingResult().hasErrors() && isBindExceptionRequired(binder, parameter)) {
                    throw new MethodArgumentNotValidException(parameter, binder.getBindingResult());
                }
            }
            if (mavContainer != null) {
                mavContainer.addAttribute(BindingResult.MODEL_KEY_PREFIX + name, binder.getBindingResult());
            }
        }
        return adaptArgumentIfNecessary(arg, parameter);
    }
}
```

As shown, `resolveArgument()` calls `validateIfApplicable()` to validate the parameter.

```java
protected void validateIfApplicable(WebDataBinder binder, MethodParameter parameter) {
    // Get the parameter annotations, e.g. @RequestBody, @Valid, @Validated
    Annotation[] annotations = parameter.getParameterAnnotations();
    for (Annotation ann : annotations) {
        // First try to get the @Validated annotation
        Validated validatedAnn = AnnotationUtils.getAnnotation(ann, Validated.class);
        // If @Validated is present, validation is enabled directly.
        // If not, check whether the parameter has an annotation whose name starts with "Valid".
        if (validatedAnn != null || ann.annotationType().getSimpleName().startsWith("Valid")) {
            Object hints = (validatedAnn != null ? validatedAnn.value() : AnnotationUtils.getValue(ann));
            Object[] validationHints = (hints instanceof Object[] ? (Object[]) hints : new Object[] {hints});
            // Run validation
            binder.validate(validationHints);
            break;
        }
    }
}
```

This explains why `@Validated` and `@Valid` are interchangeable in this scenario. Next, look at the implementation of `WebDataBinder.validate()`.

```java
@Override
public void validate(Object target, Errors errors, Object... validationHints) {
    if (this.targetValidator != null) {
        processConstraintViolations(
            // Hibernate Validator is called here to perform the actual validation
            this.targetValidator.validate(target, asValidationGroups(validationHints)), errors);
    }
}
```

In the end, the underlying layer calls Hibernate Validator to do the actual validation.

### How method-level parameter validation works

Listing the parameters one by one in the method signature and declaring a constraint annotation in front of each, as described above, is method-level parameter validation. This approach actually works on the methods of any Spring Bean, such as a Controller or Service. It is implemented with AOP: `MethodValidationPostProcessor` dynamically registers an AOP aspect, and `MethodValidationInterceptor` then weaves the advice into the pointcut methods.

```java
public class MethodValidationPostProcessor extends AbstractBeanFactoryAwareAdvisingPostProcessor
        implements InitializingBean {

    @Override
    public void afterPropertiesSet() {
        // Create a pointcut for every bean annotated with @Validated
        Pointcut pointcut = new AnnotationMatchingPointcut(this.validatedAnnotationType, true);
        // Create the Advisor that applies the advice
        this.advisor = new DefaultPointcutAdvisor(pointcut, createMethodValidationAdvice(this.validator));
    }

    // Create the Advice, which is essentially a method interceptor
    protected Advice createMethodValidationAdvice(@Nullable Validator validator) {
        return (validator != null ? new MethodValidationInterceptor(validator) : new MethodValidationInterceptor());
    }
}
```

Now look at `MethodValidationInterceptor`:

```java
public class MethodValidationInterceptor implements MethodInterceptor {

    @Override
    public Object invoke(MethodInvocation invocation) throws Throwable {
        // Skip methods that need no advice
        if (isFactoryBeanMetadataMethod(invocation.getMethod())) {
            return invocation.proceed();
        }
        // Get the group information
        Class<?>[] groups = determineValidationGroups(invocation);
        ExecutableValidator execVal = this.validator.forExecutables();
        Method methodToValidate = invocation.getMethod();
        Set<ConstraintViolation<Object>> result;
        try {
            // Parameter validation is ultimately delegated to Hibernate Validator
            result = execVal.validateParameters(
                invocation.getThis(), methodToValidate, invocation.getArguments(), groups);
        }
        catch (IllegalArgumentException ex) {
            ...
        }
        // Throw immediately if there are violations
        if (!result.isEmpty()) {
            throw new ConstraintViolationException(result);
        }
        // The actual method call
        Object returnValue = invocation.proceed();
        // Return value validation is also delegated to Hibernate Validator
        result = execVal.validateReturnValue(invocation.getThis(), methodToValidate, returnValue, groups);
        // Throw immediately if there are violations
        if (!result.isEmpty()) {
            throw new ConstraintViolationException(result);
        }
        return returnValue;
    }
}
```

In fact, whether it is requestBody parameter validation or method-level validation, the validation is ultimately performed by Hibernate Validator; Spring Validation is only a layer of wrapping.

Project source code: https://github.com/chentianming11/spring-validation
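For the encrypted-id rule in the custom validation section (digits or a-f, 32 to 256 characters), the following added example, which is not code from the original article or its project, compares `find()` and `matches()` on the `^...$` pattern and on a `\A...\z` variant. The class name, method names and sample values are constructed for illustration.

```java
import java.util.regex.Pattern;

public class EncryptIdAnchorDemo {

    // The article's rule: digits or a-f, 32 to 256 characters.
    private static final Pattern LINE_ANCHORED = Pattern.compile("^[a-f\\d]{32,256}$");
    // Same rule with anchors that only match at the very start and end of the input.
    private static final Pattern INPUT_ANCHORED = Pattern.compile("\\A[a-f\\d]{32,256}\\z");

    // find() looks for a matching subsequence; in Java, $ also matches just
    // before a line terminator that ends the input.
    static boolean viaFind(String value) {
        return value == null || LINE_ANCHORED.matcher(value).find();
    }

    // matches() requires the pattern to consume the entire input.
    static boolean viaMatches(String value) {
        return value == null || LINE_ANCHORED.matcher(value).matches();
    }

    // \z never matches before a trailing line terminator, so find() is strict here.
    static boolean viaInputAnchors(String value) {
        return value == null || INPUT_ANCHORED.matcher(value).find();
    }

    // Make control characters visible in the printed table.
    static String show(String value) {
        return value.replace("\r", "\\r").replace("\n", "\\n");
    }

    public static void main(String[] args) {
        String id = "0123456789abcdef0123456789abcdef"; // constructed 32-character sample
        String[] samples = {
            id,                  // well-formed
            id + "\n",           // trailing line feed
            id + "\r\n",         // trailing CRLF
            id + "\nx",          // extra data after a newline
            id.toUpperCase(),    // upper-case hex is outside a-f
            id.substring(1)      // 31 characters, below the minimum length
        };
        System.out.printf("%-40s %-6s %-8s %-6s%n", "value", "find", "matches", "\\A\\z");
        for (String s : samples) {
            System.out.printf("%-40s %-6b %-8b %-6b%n",
                    show(s), viaFind(s), viaMatches(s), viaInputAnchors(s));
        }
    }
}
```

The rows with a trailing line terminator are the ones to compare: they show whether a value that later flows into a log line, header or key lookup can carry an extra newline past the validator.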
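For the group validation and programmatic validation sections, this added example (not from the original article or its project) shows that validating with a group such as `Save.class` checks only the constraints that declare that group, so a constraint written without `groups` is skipped unless `Default.class` is passed as well. `GroupScopeDemo` and `LoginDTO` are hypothetical names, and the code assumes `hibernate-validator` and an EL implementation are on the classpath, as in the article's Spring Boot project.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import javax.validation.groups.Default;
import org.hibernate.validator.constraints.Length;

public class GroupScopeDemo {

    interface Save {
    }

    // Hypothetical DTO: account declares the Save group, password declares none.
    static class LoginDTO {
        @NotNull(groups = Save.class)
        @Length(min = 6, max = 20, groups = Save.class)
        String account;

        @NotNull                        // no groups: belongs to the Default group only
        @Length(min = 6, max = 20)
        String password;

        LoginDTO(String account, String password) {
            this.account = account;
            this.password = password;
        }
    }

    // Validate against the given groups, print each violation, return the count.
    static int violations(Validator validator, Object target, Class<?>... groups) {
        Set<ConstraintViolation<Object>> found = validator.validate(target, groups);
        found.forEach(v -> System.out.println("  " + v.getPropertyPath() + ": " + v.getMessage()));
        return found.size();
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        LoginDTO dto = new LoginDTO("account01", null); // constructed input with no password

        // Only constraints that list Save are evaluated; password is not checked.
        System.out.println("Save only      -> " + violations(validator, dto, Save.class));
        // Adding Default brings the ungrouped password constraints back in.
        System.out.println("Save + Default -> " + violations(validator, dto, Save.class, Default.class));
    }
}
```

The same applies to `@Validated(UserDTO.Save.class)` on a controller parameter: every constraint that must hold on that endpoint has to list the group, or the group interface has to extend `Default`.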