SpringBoot学习之高并发接口优化—–秒杀接口地址隐藏(验证码)+接口限流防刷
秒杀接口地址隐藏
思路:秒杀开始之前,先去请求接口获取秒杀地址。
- 接口改造,带上PathVariable参数
- 添加生成地址的接口
- 秒杀收到请求,先验证PathVariable随机生成一个字符串,作为地址加在url上,然后生成的时候,存入 redis缓存中,根据前端请求的url获取path。 判断与缓存中的字符串是否一致,一致就认为对的。就可以执行秒杀操作,否则失败。
对于秒杀接口,不是直接去请求秒杀的这个接口了, 而是先请求下获取path。之后拼接成秒杀地址。
前端代码:
function getMiaoshaPath() {
goodsId:$("#goodsId").val(),
g_showLoading();
$.ajax({
url:"/miaosha/path",
type:"GET",
data:{
goodsId:$("#goodsId").val(),
verifyCode:$("#verifyCode").val()
},
success:function (data) {
if(data.code == 0){
var path = data.data;
doMiaosha(path);
}else {
layer.msg(data.msg);
}
},
error:function() {
layer.msg("客户端请求错误");
}
});
} 对应的后端代码:
@AccessLimit(seconds = 5,maxCount = 5, needLogin = true)
@RequestMapping(value = "/path",method = RequestMethod.GET)
@ResponseBody
public Result<String> getSecKillPath(HttpServletRequest request, SecKillUser user,
@RequestParam("goodsId") long goodsId,
@RequestParam(value = "verifyCode", defaultValue = "0") int verifyCode){
if (user == null){
return Result.error(CodeMsg.SESSION_ERROR);
}
//验证码的校验
boolean check = secKillService.checkVerifyCode(user,goodsId,verifyCode);
if (!check){
return Result.error(CodeMsg.REQUEST_ILLEGAL);
}
//生成path
String path = secKillService.createSecKillPath(user,goodsId);
return Result.success(path);
}生成path,存入redis中
public String createSecKillPath(SecKillUser user, Long goodsId) {
if (user == null || goodsId <= 0){
return null;
}
String str = MD5Util.md5(UUIDUtil.uuid() + "123456");
redisService.set(SecKillKey.getPath,user.getId()+"_"+goodsId,str);
return str;
}秒杀接口,先拿到这个path验证一下是否正确,正确再进入下面的逻辑:
//验证path
boolean check = secKillService.checkPath(user,goodsId,path);
if (!check){
return Result.error(CodeMsg.REQUEST_ILLEGAL);
}具体的验证,就是取出缓存中的path,与前端传来的path进行对比,相等,说明是这个用户发来的请求:
/**
* 验证秒杀接口参数
* @param user
* @param goodsId
* @param path
* @return
*/
public boolean checkPath(SecKillUser user, long goodsId, String path) {
if (user == null || path == null){
return false;
}
String pathOld = redisService.get(SecKillKey.getPath,""+user.getId()+"_"+goodsId,String.class);
return path.equals(pathOld);
}然后前端拼接出秒杀的地址
function doMiaosha(path){
$.ajax({
url:"/miaosha/"+path+"/do_miaosha",
type:"POST",
data:{
goodsId:$("#goodsId").val()
},
success:function(data){
if(data.code == 0){
// window.location.href="/order_detail.htm?orderId="+data.data.id;
getMiaoShaResult($("#goodsId").val());
}else{
layer.msg(data.msg);
}
},
error:function(){
layer.msg("客户端请求有误");
}
});
}公式验证码
思路:点击秒杀之前,先输入验证码,分散用户的请求
前端增加获取验证码显示验证码输入验证码上传。
<div class="row">
<div class="form-inline">
<img id="verifyCodeImg" width="80" height="32" style="display: none" onclick="refreshVerifyCode()"/>
<input id="verifyCode" class="form-control" style="display: none"/>
<button class="btn btn-primary" type="button" id="buyButton"onclick="getMiaoshaPath()">立即秒杀</button>
</div>
</div>增加返回验证码的接口
/**
* 获取验证码
* @param response
* @param user
* @param goodsId
* @return
*/
@RequestMapping(value = "/verifyCode",method = RequestMethod.GET)
@ResponseBody
public Result<String> getMiaoshaVerifyCode(HttpServletResponse response, SecKillUser user, @RequestParam("goodsId") long goodsId){
if (user == null){
return Result.error(CodeMsg.SESSION_ERROR);
}
BufferedImage image = secKillService.createSecKillVerifyCode(user,goodsId);
try{
OutputStream out = response.getOutputStream(); //输出流
ImageIO.write(image,"JPEG",out); //图片写入输出流
out.flush();
out.close();
return null;
}catch (Exception e){
e.printStackTrace();
return Result.error(CodeMsg.SECKILL_FAILED);
}
}在每次秒杀的时候,要先判断这个验证码是否正确
//验证码的校验
boolean check = secKillService.checkVerifyCode(user,goodsId,verifyCode);
if (!check){
return Result.error(CodeMsg.REQUEST_ILLEGAL);
}生成数字验证码并存入redis中,判断也是从redis中取出来判断
public BufferedImage createSecKillVerifyCode(SecKillUser user, long goodsId) {
if (user == null || goodsId <= 0){
return null;
}
int width = 80;
int height = 32;
//生成图片
BufferedImage image = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
Graphics g = image.getGraphics();
// 背景
g.setColor(new Color(0xDCDCDC));
g.fillRect(0, 0, width, height);
// 背景上生成矩形框
g.setColor(Color.black);
g.drawRect(0, 0, width - 1, height - 1);
// 随机数
Random rdm = new Random();
// 生成干扰点
for (int i = 0; i < 50; i++) {
int x = rdm.nextInt(width);
int y = rdm.nextInt(height);
g.drawOval(x, y, 0, 0);
}
// 生成验证码
String verifyCode = generateVerifyCode(rdm);
g.setColor(new Color(0, 100, 0));
g.setFont(new Font("Candara", Font.BOLD, 24));
g.drawString(verifyCode, 8, 24);
g.dispose();
//把验证码存到redis中
int rnd = calc(verifyCode);
redisService.set(SecKillKey.getSecKillVerifyCode, user.getId()+","+goodsId, rnd);
//输出图片
return image;
}
private static char[] ops = new char[] {'+', '-', '*'};
/**
* 生成验证码公式
* + - *
* */
private String generateVerifyCode(Random rdm) {
int num1 = rdm.nextInt(10);
int num2 = rdm.nextInt(10);
int num3 = rdm.nextInt(10);
char op1 = ops[rdm.nextInt(3)];
char op2 = ops[rdm.nextInt(3)];
String exp = ""+ num1 + op1 + num2 + op2 + num3;
return exp;
}
/**
* Java ScriptEngine 解析js计算验证码
* @param exp 验证码
* @return
*/
private static int calc(String exp) {
try {
ScriptEngineManager manager = new ScriptEngineManager();
ScriptEngine engine = manager.getEngineByName("JavaScript");
return (Integer)engine.eval(exp);
}catch(Exception e) {
e.printStackTrace();
return 0;
}
}前端在function getMiaoshaPath()这个函数中将结果传到后端,后端在这个获取真正秒杀链接的时候进行判断是否正确:
verifyCode:$("#verifyCode").val()后端接收验证码验证
@AccessLimit(seconds = 5,maxCount = 5, needLogin = true)
@RequestMapping(value = "/path",method = RequestMethod.GET)
@ResponseBody
public Result<String> getMiaoshaPath(HttpServletRequest request, SecKillUser user,
@RequestParam("goodsId") long goodsId,
@RequestParam(value = "verifyCode", defaultValue = "0") int verifyCode){
if (user == null){
return Result.error(CodeMsg.SESSION_ERROR);
}
//验证码的校验
boolean check = secKillService.checkVerifyCode(user,goodsId,verifyCode);
if (!check){
return Result.error(CodeMsg.REQUEST_ILLEGAL);
}
String path = secKillService.createSecKillPath(user,goodsId);
return Result.success(path);
}redis中取出生成时存入的验证码并与前端传进来的验证码做校验
/**
* 验证码的验证
* @param user 用户
* @param goodsId 商品id
* @param verifyCode 验证码
* @return
*/
public boolean checkVerifyCode(SecKillUser user, long goodsId, int verifyCode) {
if (user == null || goodsId <= 0){
return false;
}
Integer codeOld = redisService.get(SecKillKey.getSecKillVerifyCode, user.getId()+","+goodsId, Integer.class);
if (codeOld == null || codeOld - verifyCode != 0){
return false;
}
//把当前的验证码清除
redisService.delete(SecKillKey.getSecKillVerifyCode, user.getId()+","+goodsId);
return true;
}接口限流防刷
思路:对接口做限流
可以使用拦截器减少对业务的侵入
点击秒杀之后,首先是生成path,那假如我们对这个接口进行限制:5秒之内用户只能点击5次。
这放在redis中是非常好实现的,因为redis有个自增(自减)和缓存时间,可以很好地实现这个效果。
这里使用注解的方式来实现接口的限流防刷,使用注解的话就可以做成通用的方法,在你想使用限流防刷的接口就可以添加上该注解
假设,我想在5秒内最多请求5次,并且必须要登陆:相应的注解就是这样的:
@AccessLimit(seconds = 5,maxCount = 5,needLogin = true)首先是实现这个注解:
package com.springboot.SecKill.access;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import static java.lang.annotation.ElementType.METHOD;
/**
* 注解
* @author WilsonSong
* @date 2018/8/9/009
*/
@Retention(RetentionPolicy.RUNTIME)
@Target(METHOD)
public @interface AccessLimit {
int seconds();
int maxCount();
boolean needLogin() default true;
}
要想这个注解能够生效,必须要配置拦截器AccessInterceptor:
package com.springboot.SecKill.access;
import com.alibaba.fastjson.JSON;
import com.springboot.SecKill.domain.SecKillUser;
import com.springboot.SecKill.redis.AccessKey;
import com.springboot.SecKill.redis.RedisService;
import com.springboot.SecKill.result.CodeMsg;
import com.springboot.SecKill.result.Result;
import com.springboot.SecKill.service.SecKillUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.OutputStream;
/**
* 拦截器
* @author WilsonSong
* @date 2018/8/9/009
*/
@Service
public class AccessInterceptor extends HandlerInterceptorAdapter{
@Autowired
SecKillUserService secKillUserService;
@Autowired
RedisService redisService;
//方法执行前执行
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
if(handler instanceof HandlerMethod){
SecKillUser user = getUser(request,response);
UserContext.setUser(user); //把用户保存在本地线程变量中,并且该user与线程绑定一直执行到结束
HandlerMethod handlerMethod = (HandlerMethod)handler;
AccessLimit accessLimit = handlerMethod.getMethodAnnotation(AccessLimit.class); //取方法上的注解
if (accessLimit == null){
return true;
}
int seconds = accessLimit.seconds();
int maxCount = accessLimit.maxCount();
boolean needLogin = accessLimit.needLogin();
String key = request.getRequestURI();
if (needLogin){
if (user == null){
render(response,CodeMsg.SESSION_ERROR);
return false;
}
key +="_" + user.getId();
}else {
//da nothing
}
//访问次数限制 访问次数存入内存
AccessKey accessKey = AccessKey.withExpires(seconds);
Integer count = redisService.get(accessKey,key, Integer.class);
if (count == null){
redisService.set(accessKey,key, 1);
}else if (count < maxCount){
redisService.incr(accessKey,key);
}else {
render(response,CodeMsg.ACCESS_LIMIT_REACHED);
return false;
}
}
return true;
}
/**
* 返回客户端的错误信息
* @param response
* @param cm
* @throws Exception
*/
public void render(HttpServletResponse response,CodeMsg cm) throws Exception{
response.setContentType("application/json;charset=UTF-8"); //返回的数据的编码方式
OutputStream outputStream = response.getOutputStream();
String str = JSON.toJSONString(Result.error(cm));
outputStream.write(str.getBytes("UTF-8"));
outputStream.flush();
outputStream.close();
}
/**
* 通过cookie获取用户
* @param request
* @param response
* @return
*/
private SecKillUser getUser(HttpServletRequest request, HttpServletResponse response){
String paramToken = request.getParameter(SecKillUserService.COOKIE_NAME_TOKEN);
String cookieToken = getCookieValue(request,SecKillUserService.COOKIE_NAME_TOKEN);
if (StringUtils.isEmpty(cookieToken) && StringUtils.isEmpty(paramToken)){
return null;
}
String token = StringUtils.isEmpty(paramToken)?cookieToken:paramToken;
return secKillUserService.getByToken(response,token);
}
/**
* 获取cookie
* @param request
* @param cookieName
* @return
*/
private String getCookieValue(HttpServletRequest request,String cookieName){
Cookie[] cookies = request.getCookies();
if(cookies == null || cookies.length <= 0){
return null;
}
for (Cookie cookie : cookies){
if (cookie.getName().equals(cookieName)){
return cookie.getValue();
}
}
return null;
}
}要想这个拦截器工作,我们要重写WebMvcConfigurerAdapter中的addInterceptors方法,将我们的拦截器添加进去就可以了:
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(accessInterceptor);
}这样,利用注解和拦截器就实现了接口通用的限流功能。