码迷,mamicode.com
首页 > 编程语言 > 详细

springcloud提供开放api接口签名验证

时间:2019-02-19 11:47:17      阅读:168      评论:0      收藏:0      [点我收藏+]

标签:1.0   spring   三方   security   span   转换   utf8   digest   org   

一、MD5参数签名的方式

我们对api查询产品接口进行优化:

1.给app分配对应的key、secret

2.Sign签名,调用API 时需要对请求参数进行签名验证,签名方式如下: 

    a. 按照请求参数名称将所有请求参数按照字母先后顺序排序得到:keyvaluekeyvalue...keyvalue  字符串如:将arong=1,mrong=2,crong=3 排序为:arong=1, crong=3,mrong=2  然后将参数名和参数值进行拼接得到参数字符串:arong1crong3mrong2。 

    b. 将secret加在参数字符串的头部后进行MD5加密 ,加密后的字符串需大写。即得到签名Sign


新api接口代码:

技术图片

app调用:http://api.test.com/getproducts?key=app_key&sign=BCC7C71CF93F9CDBDB88671B701D8A35&参数1=value1&参数2=value2.......

注:secret 仅作加密使用, 为了保证数据安全请不要在请求参数中使用。

 

如上,优化后的请求多了key和sign参数,这样请求的时候就需要合法的key和正确签名sign才可以获取产品数据。这样就解决了身份验证和防止参数篡改问题,如果请求参数被人拿走,没事,他们永远也拿不到secret,因为secret是不传递的。再也无法伪造合法的请求。


但是...这样就够了吗?细心的同学可能会发现,如果我获取了你完整的链接,一直使用你的key和sign和一样的参数不就可以正常获取数据了...-_-!是的,仅仅是如上的优化是不够的


请求的唯一性:

为了防止别人重复使用请求参数问题,我们需要保证请求的唯一性,就是对应请求只能使用一次,这样就算别人拿走了请求的完整链接也是无效的。
唯一性的实现:在如上的请求参数中,我们加入时间戳 :timestamp(yyyyMMddHHmmss),同样,时间戳作为请求参数之一,也加入sign算法中进行加密。


新的api接口:

技术图片

app调用:
http://api.test.com/getproducts?key=app_key&sign=BCC7C71CF93F9CDBDB88671B701D8A35&timestamp=201603261407&参数1=value1&参数2=value2.......


如上,我们通过timestamp时间戳用来验证请求是否过期。这样就算被人拿走完整的请求链接也是无效的。

 

下面代码包含key screct生成,zuulfilter拦截校验代码。

package com.idoipo.common.message.user;

/**
 * 数字签名签名模型
 * Create by liping on 2019/1/9
 */
public class SignModel {

    //加密key
    private String appKey;
    //加密密钥
    private String appSecret;

    public String getAppKey() {
        return appKey;
    }

    public void setAppKey(String appKey) {
        this.appKey = appKey;
    }

    public String getAppSecret() {
        return appSecret;
    }

    public void setAppSecret(String appSecret) {
        this.appSecret = appSecret;
    }

    @Override
    public String toString() {
        return "SignModel{" +
                "appKey=‘" + appKey + ‘\‘‘ +
                ", appSecret=‘" + appSecret + ‘\‘‘ +
                ‘}‘;
    }
}
package com.idoipo.common.util;

import java.util.Stack;

/**
 * Create by liping on 2019/1/9
 */
public class DecimalChange {
    /**
     * @return
     * @version 1.0.0
     * @Description 10进制转N进制
     */
    public static String getDecimal(Long num, int base) {
        StringBuffer sb = new StringBuffer();
        String all = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        String digths = all.substring(0, base);//将要转换的进制字母对应表
        //只能装字符型的栈
        Stack s = new Stack();
        while (num != 0) {
        // digths.charAt(n % base) 返回指定索引处的值
           Long bb = num % base;
            s.push(digths.charAt(bb.intValue()));
            num = num /base;
        }
        while (!s.isEmpty()) {
            sb.append(s.pop());
        }
        return sb.toString();
    }

}
package com.idoipo.common.util;

import com.idoipo.common.exception.MD5UtilException;

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Created by liping on 2018-08-10.
 */
public class MD5Util {

    public static String md5(String content) throws MD5UtilException {
        StringBuffer sb = new StringBuffer();
        try{
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            md5.update(content.getBytes("UTF-8"));
            byte[] tmpFolder = md5.digest();

            for (byte aTmpFolder : tmpFolder) {
                sb.append(Integer.toString((aTmpFolder & 0xff) + 0x100, 16).substring(1));
            }

            return sb.toString();
        }catch(NoSuchAlgorithmException ex){
            throw new MD5UtilException("无法生成指定内容的MD5签名", ex);
        }catch(UnsupportedEncodingException ex){
            throw new MD5UtilException("无法生成指定内容的MD5签名", ex);
        }
    }

}
package com.idoipo.common.util;

import com.idoipo.common.message.user.SignModel;

import java.util.Date;
import java.util.Random;

/**
 * Create by liping on 2019/1/9
 */
public class AppKeyGenerate {

    private final static String product = "test_";
    private static SignModel signModel = new SignModel();
    /**
     * 随机生成产品名+时间戳+1000以内随机数+16进制表示
     * @return
     */
    private static String getAppKey() {
        Date date = new Date();
        long timestamp= date.getTime();
        Random random = new Random();
        int randomInt1 =  random.nextInt(1000);
        int randomInt2 =  random.nextInt(1000);
        long randNum = timestamp + randomInt1 + randomInt2;
        String app_key = product + DecimalChange.getDecimal(randNum,16);
        return app_key;
    }

    /**
     * 根据md5加密
     *
     * @return
     */
    public static String appSecret(String app_key) {
        String mw = product + app_key;
        String app_sign = MD5Util.md5(mw).toUpperCase();// 得到以后还要用MD5加密。
        return app_sign;
    }

    public static SignModel getKeySecret() {
        String appKey = getAppKey();
        String appSecret = appSecret(appKey);
        signModel.setAppKey(appKey);
        signModel.setAppSecret(appSecret);
        return signModel;
    }

    public static void main(String[] args) {
        SignModel signModel = AppKeyGenerate.getKeySecret();
        System.out.println(signModel);
    }

}

下面是过滤器拦截所有请求,只支持post

package com.idoipo.infras.gateway.api.filters.pre;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.serializer.SerializerFeature;
import com.idoipo.common.data.web.MVCResultMsg;
import com.idoipo.common.data.web.ResultCode;
import com.idoipo.common.util.AppKeyGenerate;
import com.idoipo.common.util.MD5Util;
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;
import org.springframework.util.StreamUtils;
import org.springframework.util.StringUtils;


import javax.servlet.http.HttpServletRequest;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.util.Date;
import java.util.Iterator;
import java.util.Map;
import java.util.TreeMap;

/**
 * 第三方调用参数非法检验
 */
@Component
@SuppressWarnings("unused")
public class IllegalCheckPreFilter extends ZuulFilter {
    private Logger logger = LoggerFactory.getLogger(IllegalCheckPreFilter.class);

    @Value("${com.idoipo.requestExpire}")
    private Long requestExpire;

    @Override
    public String filterType() {
        return FilterConstants.PRE_TYPE;
    }

    @Override
    public int filterOrder() {
        return FilterConstants.PRE_DECORATION_FILTER_ORDER - 4;
    }

    @Override
    public boolean shouldFilter() {
        return true;
    }

    //需要修正返回的http状态码,目前的设置无效,将setSendZuulResponse设置为false时,即可采用自定义的状态码
    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest request = ctx.getRequest();
        MVCResultMsg msg = new MVCResultMsg();
        InputStream in;
        try {
            in = request.getInputStream();

            String method = request.getMethod();
            String interfaceMethod = request.getServletPath();
            //logger.info("请求方法method={},url={}",method,interfaceMethod)
            String reqBody = StreamUtils.copyToString(in, Charset.forName("UTF-8"));
            if (!"POST".equals(method.toUpperCase())) {
                msg.setCode(ResultCode.NOT_SUPPORT_REQUEST.getCode());
                msg.setMsg(ResultCode.NOT_SUPPORT_REQUEST.getDesc());
                errorMessage(ctx, msg);
                return null;
            }

            //打印请求json参数
            if (!StringUtils.isEmpty(reqBody)) {
                String conType = request.getHeader("content-type");
                if (conType.toLowerCase().contains("application/json")) {
                    //默认content-type传json-->application/json
                    Object invokeUserObject;
                    JSONObject jsonObject = JSONObject.parseObject(reqBody);
                    Object appKey = jsonObject.get("appKey");
                    Object sign = jsonObject.get("sign");
                    Object timestamp = jsonObject.get("timestamp");
                    //鉴权参数为空判断
                    if (StringUtils.isEmpty(appKey) || StringUtils.isEmpty(sign) || StringUtils.isEmpty(timestamp)) {
                        msg.setCode(ResultCode.AUTHENTICATION_PARAM_MISS.getCode());
                        msg.setMsg(ResultCode.AUTHENTICATION_PARAM_MISS.getDesc());
                        errorMessage(ctx, msg);
                        return null;
                    } else {
                        long times = Long.valueOf(timestamp.toString());
                        long expireTime = times + requestExpire * 60 * 1000;
                        long nowDate = new Date().getTime();
                        //请求超过指定时间就过期,不允许调用
                        if (nowDate < expireTime) {
                            msg.setCode(ResultCode.REQUEST_REPEAT.getCode());
                            msg.setMsg(ResultCode.REQUEST_REPEAT.getDesc());
                            errorMessage(ctx, msg);
                            return null;
                        }
                        //对比签名,用treeMap,定义字段排序
                        TreeMap treeMap = new TreeMap();
                        treeMap.putAll(jsonObject);
                        Iterator iterator = treeMap.entrySet().iterator();
                        StringBuilder stringBuilder = new StringBuilder();
                        String appSecret = AppKeyGenerate.appSecret(jsonObject.get("appKey").toString());
                        stringBuilder.append(appSecret);
                        while (iterator.hasNext()) {
                            Map.Entry entry = (Map.Entry) iterator.next();
                            // 获取key
                            String key = (String) entry.getKey();
                            if (key.equals("sign")) {
                                continue;
                            }
                            // 获取value
                            String value = (String) entry.getValue();
                            if (StringUtils.isEmpty(value)) {
                                continue;
                            }
                            stringBuilder.append(key).append(value);
                        }

                        if (!sign.toString().equals(signGenerate(stringBuilder))) {
                            msg.setCode(ResultCode.SIGN_PARAM_TAMPER.getCode());
                            msg.setMsg(ResultCode.SIGN_PARAM_TAMPER.getDesc());
                            errorMessage(ctx, msg);
                        } else {
                            ctx.setSendZuulResponse(true); //将请求往后转发
                            ctx.setResponseStatusCode(200);
                        }


                    }
                } else {
                    //不支持的请求类型
                    msg.setCode(ResultCode.NOT_SUPPORT_TRANSPORT_TYPE.getCode());
                    msg.setMsg(ResultCode.NOT_SUPPORT_TRANSPORT_TYPE.getDesc());
                    errorMessage(ctx, msg);
                    return null;
                }
            }
        } catch (Exception e) {
            logger.error("参数转换流异常", e);
        }
        return null;
    }

    private void errorMessage(RequestContext ctx, MVCResultMsg msg) {
        logger.error("MVCResultMsg={}", msg);
        ctx.setResponseStatusCode(HttpStatus.UNAUTHORIZED.value());
        ctx.getResponse().setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
        ctx.setResponseBody(new String(JSON.toJSONString(msg, SerializerFeature.WriteMapNullValue).getBytes(), Charset.forName("utf-8")));
        //将结果立即返回,不再进一步操作
        ctx.setSendZuulResponse(false);
    }

    private String signGenerate(StringBuilder stringBuilder) {
        String sign = MD5Util.md5(stringBuilder.toString()).toUpperCase();
        return sign;
    }

}

 

springcloud提供开放api接口签名验证

标签:1.0   spring   三方   security   span   转换   utf8   digest   org   

原文地址:https://www.cnblogs.com/keepMoveForevery/p/10400010.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!