SpringBoot2 API接口簽名實現(接口參數防篡改)
簡介
- 如今愈來愈多人關注接口安全,傳統的接口在傳輸的過程當中,容易被抓包而後更改裏面的參數值達到某些目的。
- 傳統的作法是用安全框架或者在代碼裏面作驗證,可是有些系統是不須要登陸的,隨時能夠調。
- 這時候咱們能夠經過對參數進行簽名驗證,若是參數與簽名值不匹配,則請求不經過,直接返回錯誤信息。
項目代碼地址:
測試
- 啓動項目
- GET請求能夠用瀏覽器直接訪問 http://localhost:8080/signTest?sign=A0161DC47118062053567CDD10FBACC6&username=admin&password=admin
- A0161DC47118062053567CDD10FBACC6 是 username=admin&password=admin MD5加密後的結果。能夠打開 md5jiami.51240.com/ 而後輸入 {"password":"admin","username":"admin"} 進行加密驗證,json字符串裏面,必須保證字段是按照 ascll碼 進行排序的,username的ascll碼 比 password的ascll碼 大,因此要放在後面。
- 打開 postman 進行POST請求測試,請求Url爲 http://localhost:8080/signTest?sign=A0161DC47118062053567CDD10FBACC6 參數爲
{ "username":"admin", "password":"admin" } 複製代碼
調用過程
涉及第三方技術
- 前端:js-md5(vue md5-npm包)、axios(vue ajax請求npm包)
- 安裝命令
npm install js-md5 npm install axios 複製代碼 - 後端: fastjson、lombok
<dependency> <groupId>org.projectlombok</groupId> <artifactId>lombok</artifactId> <optional>true</optional> </dependency> <dependency> <groupId>com.alibaba</groupId> <artifactId>fastjson</artifactId> <version>1.2.47</version> <scope>compile</scope> </dependency> 複製代碼
簽名邏輯
- 前端(客戶端): 1.無論GET Url 仍是 POST Body 的參數,都轉換成 json 對象,用 ascll碼排序 對參數排序。 2.排序後對參數進行MD5加密,存入 sign 值。 3.把 sign 值 放在 請求URL 後面或者 Head頭 裏面(該項目直接放在URL後面)。
- 後端(服務端): 1.把參數接收,轉成 json對象 ,用 ascll碼 排序 2.排序後對參數進行MD5加密,存入 paramsSign 值。 3.和 請求URL 中的 sign值 作對比,相同則請求經過。
前端代碼
- 加密工具類
import md5 from 'js-md5'
export default class signMd5Utils {
/** * json參數升序 * @param jsonObj 發送參數 */
static sortAsc(jsonObj) {
let arr = new Array();
let num = 0;
for (let i in jsonObj) {
arr[num] = i;
num++;
}
let sortArr = arr.sort();
let sortObj = {};
for (let i in sortArr) {
sortObj[sortArr[i]] = jsonObj[sortArr[i]];
}
return sortObj;
}
/** * @param url 請求的url,應該包含請求參數(url的?後面的參數) * @param requestParams 請求參數(POST的JSON參數) * @returns {string} 獲取簽名 */
static getSign(url, requestParams) {
let urlParams = this.parseQueryString(url);
let jsonObj = this.mergeObject(urlParams, requestParams);
let requestBody = this.sortAsc(jsonObj);
return md5(JSON.stringify(requestBody)).toUpperCase();
}
/** * @param url 請求的url * @returns {{}} 將url中請求參數組裝成json對象(url的?後面的參數) */
static parseQueryString(url) {
let urlReg = /^[^\?]+\?([\w\W]+)$/,
paramReg = /([^&=]+)=([\w\W]*?)(&|$|#)/g,
urlArray = urlReg.exec(url),
result = {};
if (urlArray && urlArray[1]) {
let paramString = urlArray[1], paramResult;
while ((paramResult = paramReg.exec(paramString)) != null) {
result[paramResult[1]] = paramResult[2];
}
}
return result;
}
/** * @returns {*} 將兩個對象合併成一個 */
static mergeObject(objectOne, objectTwo) {
if (Object.keys(objectTwo).length > 0) {
for (let key in objectTwo) {
if (objectTwo.hasOwnProperty(key) === true) {
objectOne[key] = objectTwo[key];
}
}
}
return objectOne;
}
static urlEncode(param, key, encode) {
if (param == null) return '';
let paramStr = '';
let t = typeof (param);
if (t == 'string' || t == 'number' || t == 'boolean') {
paramStr += '&' + key + '=' + ((encode == null || encode) ? encodeURIComponent(param) : param);
} else {
for (let i in param) {
let k = key == null ? i : key + (param instanceof Array ? '[' + i + ']' : '.' + i);
paramStr += this.urlEncode(param[i], k, encode);
}
}
return paramStr;
};
}
複製代碼
- 發送請求類
import axios from 'axios';
import signMd5Utils from "../utils/signMd5Utils"
// var config = require('../../config')
//config = process.env.NODE_ENV === 'development' ? config.dev : config.build
//let apiUrl = config.apiUrl;
//var qs = require('qs');
const instance = axios.create({
baseURL: 'http://localhost:8080/',
// timeout: 1000 * 30,
// 容許跨域帶token
xhrFields: {
withCredentials: false
},
crossDomain: true,
emulateJSON: true
});
export default instance
export function signTestPost(query) {
let url = 'signTest';
let sign = signMd5Utils.getSign(url, query);
let requestUrl = url + "?sign=" + sign; //將簽名添加在請求參數後面去請求接口
return instance({
url: requestUrl,
method: 'post',
data: query
})
}
export function signTestGet(query) {
let url = 'signTest';
let urlParams = signMd5Utils.urlEncode(query);
let sign = signMd5Utils.getSign(url, query);
let requestUrl = url + "?sign=" + sign + urlParams; //將簽名添加在請求參數後面去請求接口
return instance({
url: requestUrl,
method: 'get',
})
}
複製代碼
- 調用請求
let user = {
"username": "admin",
"password": "admin",
};
signTestPost(user).then(r => {
console.log(r)
});
signTestGet(user).then(r => {
console.log(r)
})
複製代碼
後端代碼
- 過濾器(到達 Controller 前執行)
import com.alibaba.fastjson.JSONObject;
import com.show.sign.utils.HttpUtils;
import com.show.sign.utils.SignUtil;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.SortedMap;
/** * 簽名過濾器 * @author show * @date 10:03 2019/5/30 * @Component 註冊 Filter 組件 */
@Slf4j
@Component
public class SignAuthFilter implements Filter {
static final String FAVICON = "/favicon.ico";
@Override
public void init(FilterConfig filterConfig) {
log.info("初始化 SignAuthFilter");
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
// 防止流讀取一次後就沒有了, 因此須要將流繼續寫出去
HttpServletRequest request = (HttpServletRequest) req;
HttpServletRequest requestWrapper = new BodyReaderHttpServletRequestWrapper(request);
//獲取圖標不須要驗證簽名
if (FAVICON.equals(requestWrapper.getRequestURI())) {
chain.doFilter(request, response);
} else {
//獲取所有參數(包括URL和body上的)
SortedMap<String, String> allParams = HttpUtils.getAllParams(requestWrapper);
//對參數進行簽名驗證
boolean isSigned = SignUtil.verifySign(allParams);
if (isSigned) {
log.info("簽名經過");
chain.doFilter(requestWrapper, response);
} else {
log.info("參數校驗出錯");
//校驗失敗返回前端
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
PrintWriter out = response.getWriter();
JSONObject resParam = new JSONObject();
resParam.put("msg", "參數校驗出錯");
resParam.put("success", "false");
out.append(resParam.toJSONString());
}
}
}
@Override
public void destroy() {
log.info("銷燬 SignAuthFilter");
}
}
複製代碼
- BodyReaderHttpServletRequestWrapper 類 主要做用是複製 HttpServletRequest 的輸入流,否則你拿出 body 參數後驗籤後,到 Controller 時,接收參數會爲 null
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.Charset;
/** * 保存過濾器裏面的流 * @author show * @date 10:03 2019/5/30 */
public class BodyReaderHttpServletRequestWrapper extends HttpServletRequestWrapper {
private final byte[] body;
public BodyReaderHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
String sessionStream = getBodyString(request);
body = sessionStream.getBytes(Charset.forName("UTF-8"));
}
/** * 獲取請求Body * * @param request * @return */
public String getBodyString(final ServletRequest request) {
StringBuilder sb = new StringBuilder();
try (
InputStream inputStream = cloneInputStream(request.getInputStream());
BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream, Charset.forName("UTF-8")))
) {
String line;
while ((line = reader.readLine()) != null) {
sb.append(line);
}
} catch (IOException e) {
e.printStackTrace();
}
return sb.toString();
}
/** * Description: 複製輸入流</br> * * @param inputStream * @return</br> */
public InputStream cloneInputStream(ServletInputStream inputStream) {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
byte[] buffer = new byte[1024];
int len;
try {
while ((len = inputStream.read(buffer)) > -1) {
byteArrayOutputStream.write(buffer, 0, len);
}
byteArrayOutputStream.flush();
} catch (IOException e) {
e.printStackTrace();
}
return new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
}
@Override
public BufferedReader getReader() {
return new BufferedReader(new InputStreamReader(getInputStream()));
}
@Override
public ServletInputStream getInputStream() {
final ByteArrayInputStream bais = new ByteArrayInputStream(body);
return new ServletInputStream() {
@Override
public int read() {
return bais.read();
}
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
};
}
}
複製代碼
- 簽名工具類
import com.alibaba.fastjson.JSONObject;
import lombok.extern.slf4j.Slf4j;
import org.springframework.util.DigestUtils;
import org.springframework.util.StringUtils;
import java.util.SortedMap;
/** * 簽名工具類 * @author show * @date 10:01 2019/5/30 */
@Slf4j
public class SignUtil {
/** * @param params 全部的請求參數都會在這裏進行排序加密 * @return 驗證簽名結果 */
public static boolean verifySign(SortedMap<String, String> params) {
String urlSign = params.get("sign");
log.info("Url Sign : {}", urlSign);
if (params == null || StringUtils.isEmpty(urlSign)) {
return false;
}
//把參數加密
String paramsSign = getParamsSign(params);
log.info("Param Sign : {}", paramsSign);
return !StringUtils.isEmpty(paramsSign) && urlSign.equals(paramsSign);
}
/** * @param params 全部的請求參數都會在這裏進行排序加密 * @return 獲得簽名 */
public static String getParamsSign(SortedMap<String, String> params) {
//要先去掉 Url 裏的 Sign
params.remove("sign");
String paramsJsonStr = JSONObject.toJSONString(params);
return DigestUtils.md5DigestAsHex(paramsJsonStr.getBytes()).toUpperCase();
}
}
複製代碼
- http工具類 獲取 請求中 的數據
import com.alibaba.fastjson.JSONObject;
import org.springframework.http.HttpMethod;
import javax.servlet.http.HttpServletRequest;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;
import java.util.SortedMap;
import java.util.TreeMap;
/** * http 工具類 獲取請求中的參數 * @author show * @date 14:23 2019/5/29 */
public class HttpUtils {
/** * 將URL的參數和body參數合併 * @author show * @date 14:24 2019/5/29 * @param request */
public static SortedMap<String, String> getAllParams(HttpServletRequest request) throws IOException {
SortedMap<String, String> result = new TreeMap<>();
//獲取URL上的參數
Map<String, String> urlParams = getUrlParams(request);
for (Map.Entry entry : urlParams.entrySet()) {
result.put((String) entry.getKey(), (String) entry.getValue());
}
Map<String, String> allRequestParam = new HashMap<>(16);
// get請求不須要拿body參數
if (!HttpMethod.GET.name().equals(request.getMethod())) {
allRequestParam = getAllRequestParam(request);
}
//將URL的參數和body參數進行合併
if (allRequestParam != null) {
for (Map.Entry entry : allRequestParam.entrySet()) {
result.put((String) entry.getKey(), (String) entry.getValue());
}
}
return result;
}
/** * 獲取 Body 參數 * @author show * @date 15:04 2019/5/30 * @param request */
public static Map<String, String> getAllRequestParam(final HttpServletRequest request) throws IOException {
BufferedReader reader = new BufferedReader(new InputStreamReader(request.getInputStream()));
String str = "";
StringBuilder wholeStr = new StringBuilder();
//一行一行的讀取body體裏面的內容;
while ((str = reader.readLine()) != null) {
wholeStr.append(str);
}
//轉化成json對象
return JSONObject.parseObject(wholeStr.toString(), Map.class);
}
/** * 將URL請求參數轉換成Map * @author show * @param request */
public static Map<String, String> getUrlParams(HttpServletRequest request) {
String param = "";
try {
param = URLDecoder.decode(request.getQueryString(), "utf-8");
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
Map<String, String> result = new HashMap<>(16);
String[] params = param.split("&");
for (String s : params) {
int index = s.indexOf("=");
result.put(s.substring(0, index), s.substring(index + 1));
}
return result;
}
}
複製代碼
相關文章
- 1. Java編程:API接口防篡改、簽名、驗籤原理
- 2. 接口參數防篡改處理
- 3. (轉)API接口防止參數篡改和重放攻擊
- 4. API接口防止參數篡改和重放攻擊
- 5. 【接口】用Fiddler篡改接口數據
- 6. API接口設計:防參數篡改+防二次請求(防重放)
- 7. 用數字簽名實現防篡改
- 8. php api接口數字簽名,驗籤
- 9. API接口簽名驗證
- 10. Api接口簽名規則
- 更多相關文章...
- • Kotlin 接口 - Kotlin 教程
- • C# 接口(Interface) - C#教程
- • 算法總結-滑動窗口
- • ☆基於Java Instrument的Agent實現
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. Java編程:API接口防篡改、簽名、驗籤原理
- 2. 接口參數防篡改處理
- 3. (轉)API接口防止參數篡改和重放攻擊
- 4. API接口防止參數篡改和重放攻擊
- 5. 【接口】用Fiddler篡改接口數據
- 6. API接口設計:防參數篡改+防二次請求(防重放)
- 7. 用數字簽名實現防篡改
- 8. php api接口數字簽名,驗籤
- 9. API接口簽名驗證
- 10. Api接口簽名規則