SpringBoot2 API接口簽名實(shí)現(xiàn)(接口參數(shù)防篡改)

簡(jiǎn)介

  • 現(xiàn)在越來越多人關(guān)注接口安全,傳統(tǒng)的接口在傳輸?shù)倪^程中,容易被抓包然后更改里面的參數(shù)值達(dá)到某些目的。
  • 傳統(tǒng)的做法是用安全框架或者在代碼里面做驗(yàn)證,但是有些系統(tǒng)是不需要登錄的,隨時(shí)可以調(diào)。
  • 這時(shí)候我們可以通過對(duì)參數(shù)進(jìn)行簽名驗(yàn)證,如果參數(shù)與簽名值不匹配,則請(qǐng)求不通過,直接返回錯(cuò)誤信息。

項(xiàng)目代碼地址:

測(cè)試

  1. 啟動(dòng)項(xiàng)目
  2. GET請(qǐng)求可以用瀏覽器直接訪問 http://localhost:8080/signTest?sign=A0161DC47118062053567CDD10FBACC6&username=admin&password=admin
    • A0161DC47118062053567CDD10FBACC6 是 username=admin&password=admin MD5加密后的結(jié)果??梢源蜷_ https://md5jiami.51240.com/ 然后輸入 {"password":"admin","username":"admin"} 進(jìn)行加密驗(yàn)證,json字符串里面,必須保證字段是按照 ascll碼
      進(jìn)行排序的,username的ascll碼 比 password的ascll碼 大,所以要放在后面。
  3. 打開 postman 進(jìn)行POST請(qǐng)求測(cè)試,請(qǐng)求Url為 http://localhost:8080/signTest?sign=A0161DC47118062053567CDD10FBACC6 參數(shù)為 
      {
      "username":"admin",
      "password":"admin"
  }
成功示例圖

失敗示例圖

調(diào)用過程

涉及第三方技術(shù)

  • 前端:js-md5(vue md5-npm包)、axios(vue ajax請(qǐng)求npm包)
    • 安裝命令
     npm install js-md5
 npm install axios
  • 后端: fastjson、lombok 
         <dependency>
         <groupId>org.projectlombok</groupId>
         <artifactId>lombok</artifactId>
         <optional>true</optional>
     </dependency>
     <dependency>
         <groupId>com.alibaba</groupId>
         <artifactId>fastjson</artifactId>
         <version>1.2.47</version>
         <scope>compile</scope>
     </dependency>

簽名邏輯

  • 前端(客戶端):
    1.不管GET Url 還是 POST Body 的參數(shù),都轉(zhuǎn)換成 json 對(duì)象,用 ascll碼排序 對(duì)參數(shù)排序。
    2.排序后對(duì)參數(shù)進(jìn)行MD5加密,存入 sign 值。
    3.把 sign 值 放在 請(qǐng)求URL 后面或者 Head頭 里面(該項(xiàng)目直接放在URL后面)。
  • 后端(服務(wù)端):
    1.把參數(shù)接收,轉(zhuǎn)成 json對(duì)象 ,用 ascll碼 排序
    2.排序后對(duì)參數(shù)進(jìn)行MD5加密,存入 paramsSign 值。
    3.和 請(qǐng)求URL 中的 sign值 做對(duì)比,相同則請(qǐng)求通過。

前端代碼

  • 加密工具類
import md5 from 'js-md5'

export default class signMd5Utils {
    /**
     * json參數(shù)升序
     * @param jsonObj 發(fā)送參數(shù)
     */

    static sortAsc(jsonObj) {
        let arr = new Array();
        let num = 0;
        for (let i in jsonObj) {
            arr[num] = i;
            num++;
        }
        let sortArr = arr.sort();
        let sortObj = {};
        for (let i in sortArr) {
            sortObj[sortArr[i]] = jsonObj[sortArr[i]];
        }
        return sortObj;
    }


    /**
     * @param url 請(qǐng)求的url,應(yīng)該包含請(qǐng)求參數(shù)(url的?后面的參數(shù))
     * @param requestParams 請(qǐng)求參數(shù)(POST的JSON參數(shù))
     * @returns {string} 獲取簽名
     */
    static getSign(url, requestParams) {
        let urlParams = this.parseQueryString(url);
        let jsonObj = this.mergeObject(urlParams, requestParams);
        let requestBody = this.sortAsc(jsonObj);
        return md5(JSON.stringify(requestBody)).toUpperCase();
    }

    /**
     * @param url 請(qǐng)求的url
     * @returns {{}} 將url中請(qǐng)求參數(shù)組裝成json對(duì)象(url的?后面的參數(shù))
     */
    static parseQueryString(url) {
        let urlReg = /^[^\?]+\?([\w\W]+)$/,
            paramReg = /([^&=]+)=([\w\W]*?)(&|$|#)/g,
            urlArray = urlReg.exec(url),
            result = {};
        if (urlArray && urlArray[1]) {
            let paramString = urlArray[1], paramResult;
            while ((paramResult = paramReg.exec(paramString)) != null) {
                result[paramResult[1]] = paramResult[2];
            }
        }
        return result;
    }

    /**
     * @returns {*} 將兩個(gè)對(duì)象合并成一個(gè)
     */
    static mergeObject(objectOne, objectTwo) {
        if (Object.keys(objectTwo).length > 0) {
            for (let key in objectTwo) {
                if (objectTwo.hasOwnProperty(key) === true) {
                    objectOne[key] = objectTwo[key];
                }
            }
        }
        return objectOne;
    }

    static urlEncode(param, key, encode) {
        if (param == null) return '';
        let paramStr = '';
        let t = typeof (param);
        if (t == 'string' || t == 'number' || t == 'boolean') {
            paramStr += '&' + key + '=' + ((encode == null || encode) ? encodeURIComponent(param) : param);
        } else {
            for (let i in param) {
                let k = key == null ? i : key + (param instanceof Array ? '[' + i + ']' : '.' + i);
                paramStr += this.urlEncode(param[i], k, encode);
            }
        }
        return paramStr;
    };
}
  • 發(fā)送請(qǐng)求類
import axios from 'axios';
import signMd5Utils from "../utils/signMd5Utils"
// var config = require('../../config')
//config = process.env.NODE_ENV === 'development' ? config.dev : config.build
//let apiUrl = config.apiUrl;
//var qs = require('qs');
const instance = axios.create({
    baseURL: 'http://localhost:8080/',
    // timeout: 1000 * 30,
    // 允許跨域帶token
    xhrFields: {
        withCredentials: false
    },
    crossDomain: true,
    emulateJSON: true
});
export default instance
export function signTestPost(query) {

    let url = 'signTest';
    let sign = signMd5Utils.getSign(url, query);
    let requestUrl = url + "?sign=" + sign;  //將簽名添加在請(qǐng)求參數(shù)后面去請(qǐng)求接口
    return instance({
        url: requestUrl,
        method: 'post',
        data: query
    })
}
export function signTestGet(query) {

    let url = 'signTest';
    let urlParams = signMd5Utils.urlEncode(query);
    let sign = signMd5Utils.getSign(url, query);
    let requestUrl = url + "?sign=" + sign + urlParams;  //將簽名添加在請(qǐng)求參數(shù)后面去請(qǐng)求接口
    return instance({
        url: requestUrl,
        method: 'get',
    })
}
  • 調(diào)用請(qǐng)求
let user = {
    "username": "admin",
    "password": "admin",
};
signTestPost(user).then(r => {
    console.log(r)
});

signTestGet(user).then(r => {
    console.log(r)
})

后端代碼

  • 過濾器(到達(dá) Controller 前執(zhí)行)
import com.alibaba.fastjson.JSONObject;
import com.show.sign.utils.HttpUtils;
import com.show.sign.utils.SignUtil;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.SortedMap;

/**
 * 簽名過濾器
 * @author show
 * @date 10:03 2019/5/30
 * @Component 注冊(cè) Filter 組件
 */
@Slf4j
@Component 
public class SignAuthFilter implements Filter {
    static final String FAVICON = "/favicon.ico";

    @Override
    public void init(FilterConfig filterConfig) {

        log.info("初始化 SignAuthFilter");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        HttpServletResponse response = (HttpServletResponse) res;
        // 防止流讀取一次后就沒有了, 所以需要將流繼續(xù)寫出去
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletRequest requestWrapper = new BodyReaderHttpServletRequestWrapper(request);
        //獲取圖標(biāo)不需要驗(yàn)證簽名
        if (FAVICON.equals(requestWrapper.getRequestURI())) {
            chain.doFilter(request, response);
        } else {
            //獲取全部參數(shù)(包括URL和body上的)
            SortedMap<String, String> allParams = HttpUtils.getAllParams(requestWrapper);
            //對(duì)參數(shù)進(jìn)行簽名驗(yàn)證
            boolean isSigned = SignUtil.verifySign(allParams);
            if (isSigned) {
                log.info("簽名通過");
                chain.doFilter(requestWrapper, response);
            } else {
                log.info("參數(shù)校驗(yàn)出錯(cuò)");
                //校驗(yàn)失敗返回前端
                response.setCharacterEncoding("UTF-8");
                response.setContentType("application/json; charset=utf-8");
                PrintWriter out = response.getWriter();
               JSONObject resParam = new JSONObject();
                resParam.put("msg", "參數(shù)校驗(yàn)出錯(cuò)");
                resParam.put("success", "false");
                out.append(resParam.toJSONString());
            }
        }
    }

    @Override
    public void destroy() {

        log.info("銷毀 SignAuthFilter");
    }
}
  • BodyReaderHttpServletRequestWrapper 類 主要作用是復(fù)制 HttpServletRequest 的輸入流,不然你拿出 body 參數(shù)后驗(yàn)簽后,到 Controller 時(shí),接收參數(shù)會(huì)為 null
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.Charset;

/**
 * 保存過濾器里面的流
 * @author show
 * @date 10:03 2019/5/30
 */
public class BodyReaderHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private final byte[] body;

    public BodyReaderHttpServletRequestWrapper(HttpServletRequest request) {

        super(request);
        String sessionStream = getBodyString(request);
        body = sessionStream.getBytes(Charset.forName("UTF-8"));
    }

    /**
     * 獲取請(qǐng)求Body
     *
     * @param request
     * @return
     */
    public String getBodyString(final ServletRequest request) {

        StringBuilder sb = new StringBuilder();
        try (
            InputStream inputStream = cloneInputStream(request.getInputStream());
            BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream, Charset.forName("UTF-8")))
        ) {
            String line;
            while ((line = reader.readLine()) != null) {
                sb.append(line);
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
        return sb.toString();
    }

    /**
     * Description: 復(fù)制輸入流</br>
     *
     * @param inputStream
     * @return</br>
     */
    public InputStream cloneInputStream(ServletInputStream inputStream) {

        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byte[] buffer = new byte[1024];
        int len;
        try {
            while ((len = inputStream.read(buffer)) > -1) {
                byteArrayOutputStream.write(buffer, 0, len);
            }
            byteArrayOutputStream.flush();
        } catch (IOException e) {
            e.printStackTrace();
        }
        return new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
    }

    @Override
    public BufferedReader getReader() {

        return new BufferedReader(new InputStreamReader(getInputStream()));
    }

    @Override
    public ServletInputStream getInputStream() {

        final ByteArrayInputStream bais = new ByteArrayInputStream(body);
        return new ServletInputStream() {

            @Override
            public int read() {

                return bais.read();
            }

            @Override
            public boolean isFinished() {

                return false;
            }

            @Override
            public boolean isReady() {

                return false;
            }

            @Override
            public void setReadListener(ReadListener readListener) {

            }
        };
    }
}
  • 簽名工具類
import com.alibaba.fastjson.JSONObject;
import lombok.extern.slf4j.Slf4j;
import org.springframework.util.DigestUtils;
import org.springframework.util.StringUtils;

import java.util.SortedMap;

/**
 * 簽名工具類
 * @author show
 * @date 10:01 2019/5/30
 */
@Slf4j
public class SignUtil {

    /**
     * @param params 所有的請(qǐng)求參數(shù)都會(huì)在這里進(jìn)行排序加密
     * @return 驗(yàn)證簽名結(jié)果
     */
    public static boolean verifySign(SortedMap<String, String> params) {

        String urlSign = params.get("sign");
        log.info("Url Sign : {}", urlSign);
        if (params == null || StringUtils.isEmpty(urlSign)) {
            return false;
        }
        //把參數(shù)加密
        String paramsSign = getParamsSign(params);
        log.info("Param Sign : {}", paramsSign);
        return !StringUtils.isEmpty(paramsSign) && urlSign.equals(paramsSign);
    }

    /**
     * @param params 所有的請(qǐng)求參數(shù)都會(huì)在這里進(jìn)行排序加密
     * @return 得到簽名
     */
    public static String getParamsSign(SortedMap<String, String> params) {
        //要先去掉 Url 里的 Sign
        params.remove("sign");
        String paramsJsonStr = JSONObject.toJSONString(params);
        return DigestUtils.md5DigestAsHex(paramsJsonStr.getBytes()).toUpperCase();
    }
}
  • http工具類 獲取 請(qǐng)求中 的數(shù)據(jù)
import com.alibaba.fastjson.JSONObject;
import org.springframework.http.HttpMethod;

import javax.servlet.http.HttpServletRequest;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;
import java.util.SortedMap;
import java.util.TreeMap;

/**
 * http 工具類 獲取請(qǐng)求中的參數(shù)
 * @author show
 * @date 14:23 2019/5/29
 */
public class HttpUtils {
    /**
     * 將URL的參數(shù)和body參數(shù)合并
     * @author show
     * @date 14:24 2019/5/29
     * @param request
     */
    public static SortedMap<String, String> getAllParams(HttpServletRequest request) throws IOException {

        SortedMap<String, String> result = new TreeMap<>();
        //獲取URL上的參數(shù)
        Map<String, String> urlParams = getUrlParams(request);
        for (Map.Entry entry : urlParams.entrySet()) {
            result.put((String) entry.getKey(), (String) entry.getValue());
        }
        Map<String, String> allRequestParam = new HashMap<>(16);
        // get請(qǐng)求不需要拿body參數(shù)
        if (!HttpMethod.GET.name().equals(request.getMethod())) {
            allRequestParam = getAllRequestParam(request);
        }
        //將URL的參數(shù)和body參數(shù)進(jìn)行合并
        if (allRequestParam != null) {
            for (Map.Entry entry : allRequestParam.entrySet()) {
                result.put((String) entry.getKey(), (String) entry.getValue());
            }
        }
        return result;
    }

    /**
     * 獲取 Body 參數(shù)
     * @author show
     * @date 15:04 2019/5/30
     * @param request
     */
    public static Map<String, String> getAllRequestParam(final HttpServletRequest request) throws IOException {

        BufferedReader reader = new BufferedReader(new InputStreamReader(request.getInputStream()));
        String str = "";
        StringBuilder wholeStr = new StringBuilder();
        //一行一行的讀取body體里面的內(nèi)容;
        while ((str = reader.readLine()) != null) {
            wholeStr.append(str);
        }
        //轉(zhuǎn)化成json對(duì)象
        return JSONObject.parseObject(wholeStr.toString(), Map.class);
    }

    /**
     * 將URL請(qǐng)求參數(shù)轉(zhuǎn)換成Map
     * @author show
     * @param request
     */
    public static Map<String, String> getUrlParams(HttpServletRequest request) {

        String param = "";
        try {
            param = URLDecoder.decode(request.getQueryString(), "utf-8");
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        Map<String, String> result = new HashMap<>(16);
        String[] params = param.split("&");
        for (String s : params) {
            int index = s.indexOf("=");
            result.put(s.substring(0, index), s.substring(index + 1));
        }
        return result;
    }
}
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

友情鏈接更多精彩內(nèi)容