目录

前言

分析


前言

【Web】浅浅地聊JDBC java.sql.Driver的SPI后门-CSDN博客

上篇文章我们做到了知其然,知道了JDBC有SPI机制,并且可以利用其Driver后门

这篇文章希望可以做到知其所以然,对JDBC的SPI机制的来源做到心里有数

分析

先是回顾一下JDBC的代码

package com.spi;import java.sql.Connection;import java.sql.DriverManager;import java.sql.ResultSet;import java.sql.Statement;public class Jdbc_Demo {public static void main(String[] args) throws Exception {// 注册驱动(可以删去)//Class.forName("java.sql.Driver");// 获取数据库连接对象Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/security","root", "root");//定义sql语句String sql = "select * from users";// 获取执行sql的对象StatementStatement stmt = con.createStatement();// 执行sqlResultSet res = stmt.executeQuery(sql);// 处理对象while(res.next()) {System.out.println(res.getString("username"));}// 释放资源res.close();stmt.close();con.close();}}

我们可以看到

Connection con = DriverManager.getConnection(“jdbc:mysql://localhost:3306/security”,”root”, “root”);

因此JVM会尝试去加载DriverManager类,进而执行DriverManager的静态代码,调用类中的loadInitialDrivers方法(稍微精简了一下代码)

static {loadInitialDrivers();println("JDBC DriverManager initialized");}private static void loadInitialDrivers() {String drivers;try {drivers = AccessController.doPrivileged(new PrivilegedAction() {public String run() {return System.getProperty("jdbc.drivers"); // 也可以通过设置系统属性来加载驱动}});} //...AccessController.doPrivileged(new PrivilegedAction() {public Void run() {ServiceLoader loadedDrivers = ServiceLoader.load(Driver.class);Iterator driversIterator = loadedDrivers.iterator();try{while(driversIterator.hasNext()) {driversIterator.next();}}// ....String[] driversList = drivers.split(":");for (String aDriver : driversList) {try {Class.forName(aDriver, true,ClassLoader.getSystemClassLoader());} // ...}}

重点关注ServiceLoader.load(Driver.class)进行了类加载

public static ServiceLoader load(Class service) {
ClassLoader cl = Thread.currentThread().getContextClassLoader();
return ServiceLoader.load(service, cl);
}

跟进ServiceLoader.load(service, cl);

public static  ServiceLoader load(Class service, ClassLoader loader) { return new ServiceLoader(service, loader); }

service是Driver.class,loader是 Thread.currentThread().getContextClassLoader()

这里其实还有双亲委派机制的打破可以讲,但强行塞有点过于臃肿了,略去

跟进ServiceLoader(service, loader);

private ServiceLoader(Class svc, ClassLoader cl) {service = Objects.requireNonNull(svc, "Service interface cannot be null");loader = (cl == null) ? ClassLoader.getSystemClassLoader() : cl;acc = (System.getSecurityManager() != null) ? AccessController.getContext() : null;reload();}

跟进reload();

public void reload() {providers.clear();lookupIterator = new LazyIterator(service, loader);}

最后得到的driversIterator就是LazyIterator

OK我们再看下上面代码的这段局部

 while(driversIterator.hasNext()) {driversIterator.next();}

在这段代码中调用driversIterator.next()之时,便是调用LazyIterator#next

 public S next() {if (acc == null) {return nextService();} else {PrivilegedAction action = new PrivilegedAction() {public S run() { return nextService(); }};return AccessController.doPrivileged(action, acc);}}

跟进LazyIterator#nextService

 private S nextService() {if (!hasNextService())throw new NoSuchElementException();String cn = nextName;nextName = null;Class c = null;try {c = Class.forName(cn, false, loader);} 

这段代码的作用是根据存储的类名动态加载一个类(Class.forName)

要注意一点:将 initialize 参数设置为 false,可以实现延迟类的静态初始化,静态初始化块和静态变量的赋值是在类第一次被加载时执行的,如果将 initialize 参数设置为 false,则这些静态操作将被延迟到后续使用该类的过程中才被执行

类名是哪来的?张口就来吗?我知道你很急,但你先别急,下面就讲。

String cn = nextName;

看到nextName直接就懂了哇,回头看driversIterator.hasNext(),即LazyIterator#hasNext

public boolean hasNext() {if (acc == null) {return hasNextService();} else {PrivilegedAction action = new PrivilegedAction() {public Boolean run() { return hasNextService(); }};return AccessController.doPrivileged(action, acc);}}

跟进LazyIterator#hasNextService

 private boolean hasNextService() {if (nextName != null) {return true;}if (configs == null) {try {String fullName = PREFIX + service.getName();if (loader == null)configs = ClassLoader.getSystemResources(fullName);elseconfigs = loader.getResources(fullName);} catch (IOException x) {fail(service, "Error locating configuration files", x);}}while ((pending == null) || !pending.hasNext()) {if (!configs.hasMoreElements()) {return false;}pending = parse(service, configs.nextElement());}nextName = pending.next();return true;}

ServiceLoader类有常量属性PREFIX = “META-INF/services/”

service是传入的Driver.class,service.getName()获取Driver接口全类名,拼接得到SPI文件名,给后续读取得到实现类的类名,最后赋值给nextName,再交给LazyIterator#nextService去进行类的动态加载

while ((pending == null) || !pending.hasNext()) {if (!configs.hasMoreElements()) {return false;}pending = parse(service, configs.nextElement());}nextName = pending.next();return true;

上面这段话,白话来讲就是,JVM去META-INF/services/下去找Driver接口名的文件,把文件中的内容读出来,也就是我们所要加载的类名,并交由Class.forName来进行动态类的加载。

至此,SPI大成!