Api接口Sign签名和验签
呼延运恒
采用Sign =MD5(app_id , app_secret+timestamp+api排序参数)
请求必带参数 version+app_id+timestamp+sign
前端请求为Json体
package com.hero.common.utils.signature;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.Charset;
/**
* 保存过滤器里面的流
*/
public class BodyReaderHttpServletRequestWrapper extends HttpServletRequestWrapper {
private final byte[] body;
public BodyReaderHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
String sessionStream = getBodyString(request);
body = sessionStream.getBytes(Charset.forName("UTF-8"));
}
/**
* 获取请求Body
*
* @param request
* @return
*/
public String getBodyString(final ServletRequest request) {
StringBuilder sb = new StringBuilder();
try (
InputStream inputStream = cloneInputStream(request.getInputStream());
BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream, Charset.forName("UTF-8")))
) {
String line;
while ((line = reader.readLine()) != null) {
sb.append(line);
}
} catch (IOException e) {
e.printStackTrace();
}
return sb.toString();
}
/**
* Description: 复制输入流</br>
*
* @param inputStream
* @return</br>
*/
public InputStream cloneInputStream(ServletInputStream inputStream) {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
byte[] buffer = new byte[1024];
int len;
try {
while ((len = inputStream.read(buffer)) > -1) {
byteArrayOutputStream.write(buffer, 0, len);
}
byteArrayOutputStream.flush();
} catch (IOException e) {
e.printStackTrace();
}
return new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
}
@Override
public BufferedReader getReader() {
return new BufferedReader(new InputStreamReader(getInputStream()));
}
@Override
public ServletInputStream getInputStream() {
final ByteArrayInputStream bais = new ByteArrayInputStream(body);
return new ServletInputStream() {
@Override
public int read() {
return bais.read();
}
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
};
}
}package com.hero.common.utils.signature;
import com.alibaba.fastjson.JSONObject;
import org.springframework.http.HttpMethod;
import javax.servlet.http.HttpServletRequest;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;
import java.util.SortedMap;
import java.util.TreeMap;
/**
* http 工具类 获取请求中的参数
*/
public class HttpUtils {
/**
* 将URL的参数和body参数合并
* @author show
* @date 14:24 2019/5/29
* @param request
*/
public static SortedMap<String, String> getAllParams(HttpServletRequest request) throws IOException {
SortedMap<String, String> result = new TreeMap<>();
//获取URL上的参数
Map<String, String> urlParams = getUrlParams(request);
for (Map.Entry entry : urlParams.entrySet()) {
result.put((String) entry.getKey(), (String) entry.getValue());
}
Map<String, String> allRequestParam = new HashMap<>(16);
// get请求不需要拿body参数
if (!HttpMethod.GET.name().equals(request.getMethod())) {
allRequestParam = getAllRequestParam(request);
}
//将URL的参数和body参数进行合并
if (allRequestParam != null) {
for (Map.Entry entry : allRequestParam.entrySet()) {
result.put(String.valueOf(entry.getKey()) , String.valueOf(entry.getValue()));
}
}
return result;
}
/**
* 获取 Body 参数
* @author show
* @date 15:04 2019/5/30
* @param request
*/
public static Map<String, String> getAllRequestParam(final HttpServletRequest request) throws IOException {
BufferedReader reader = new BufferedReader(new InputStreamReader(request.getInputStream()));
String str = "";
StringBuilder wholeStr = new StringBuilder();
//一行一行的读取body体里面的内容;
while ((str = reader.readLine()) != null) {
wholeStr.append(str);
}
//转化成json对象
return JSONObject.parseObject(wholeStr.toString(), Map.class);
}
/**
* 将URL请求参数转换成Map
* @author show
* @param request
*/
public static Map<String, String> getUrlParams(HttpServletRequest request) {
String param = "";
try {
param = URLDecoder.decode(request.getQueryString(), "utf-8");
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
Map<String, String> result = new HashMap<>(16);
String[] params = param.split("&");
for (String s : params) {
int index = s.indexOf("=");
result.put(s.substring(0, index), s.substring(index + 1));
}
return result;
}
}package com.hero.common.utils.signature;
import com.alibaba.fastjson.JSONObject;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.SortedMap;
/**
* 签名过滤器
*/
@Slf4j
@Component
public class SignAuthFilter implements Filter {
static final String FAVICON = "/favicon.ico";
@Override
public void init(FilterConfig filterConfig) {
log.info("初始化 SignAuthFilter");
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
// 防止流读取一次后就没有了, 所以需要将流继续写出去
HttpServletRequest request = (HttpServletRequest) req;
HttpServletRequest requestWrapper = new BodyReaderHttpServletRequestWrapper(request);
//获取图标不需要验证签名
if (FAVICON.equals(requestWrapper.getRequestURI())) {
chain.doFilter(request, response);
} else {
//获取全部参数(包括URL和body上的)
SortedMap<String, String> allParams = HttpUtils.getAllParams(requestWrapper);
//对参数进行签名验证
boolean isSigned = SignUtil.verifySign(allParams);
if (isSigned) {
log.info("签名通过");
chain.doFilter(request, response);
} else {
log.info("参数校验出错");
//校验失败返回前端
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
PrintWriter out = response.getWriter();
JSONObject resParam = new JSONObject();
resParam.put("msg", "参数校验出错");
resParam.put("success", "false");
out.append(resParam.toJSONString());
}
}
}
@Override
public void destroy() {
log.info("销毁 SignAuthFilter");
}
}package com.hero.common.utils.signature;
import com.alibaba.fastjson.JSONObject;
import lombok.extern.slf4j.Slf4j;
import org.springframework.util.DigestUtils;
import org.springframework.util.StringUtils;
import java.util.SortedMap;
/**
* 签名工具类
*/
@Slf4j
public class SignUtil {
static final String app_id="hero";
static final String app_secret="ceshi";
/**
* @param params 所有的请求参数都会在这里进行排序加密
* @return 验证签名结果
*/
public static boolean verifySign(SortedMap<String, String> params) {
String urlSign = params.get("sign");
String urlTimestamp=params.get("timestamp");//获取时间戳
log.info("Url Sign : {}", urlSign);
if (params == null || StringUtils.isEmpty(urlSign)) {
return false;
}
//把参数加密
String paramsSign = getParamsSign(params,urlTimestamp,app_id,app_secret);
log.info("Param Sign : {}", paramsSign);
return !StringUtils.isEmpty(paramsSign) && urlSign.equals(paramsSign);
}
/**
* @param params 所有的请求参数都会在这里进行排序加密
* @return 得到签名
*/
public static String getParamsSign(SortedMap<String, String> params,String urlTimestamp,String app_id,String app_secret) {
//要先去掉 Url 里的 Sign
params.remove("sign");
Set<Map.Entry<String, String>> entries = params.entrySet();
Iterator<Map.Entry<String, String>> iterator = entries.iterator();
StringBuilder valueStr = new StringBuilder();
valueStr.append(app_id);
valueStr.append(urlTimestamp);
valueStr.append(app_secret);
while (iterator.hasNext()) {
Map.Entry<String, String> entry = iterator.next();
// 签名结果字段不处理
if (org.apache.commons.lang3.StringUtils.equalsAnyIgnoreCase(entry.getKey(), new String[]{"sign", "appId", "timestamp"})) {
continue;
}
String value = org.apache.commons.lang3.StringUtils.trimToEmpty(entry.getValue());
log.info("value={}", value);
if (value == null) {
value = "";
}
if (org.apache.commons.lang3.StringUtils.isNotEmpty(value)) {
valueStr.append(value);
}
}
String md5Result = md5FromString(valueStr.toString()).toUpperCase();
log.info("MD5结果数据={}, 待MD5源数据={},待加密对象={}", md5Result, valueStr, JSON.toJSONString(params));
return md5Result;
}
}package com.hero.common.utils.signature;
import com.alibaba.fastjson.JSON;
import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.UnsupportedEncodingException;
import java.util.*;
/**
*
*
* @author yaotao
*/
public class MD5Utils {
private final static Logger LOG = LoggerFactory.getLogger(MD5Utils.class);
/**
* MD5签名
*
* @param data
* @return
*/
public static String md5FromString(final String data) {
try {
return DigestUtils.md5Hex(data.getBytes("UTF-8"));
} catch (UnsupportedEncodingException e) {
LOG.error("Md5Util exception: data=" + data, e);
throw new RuntimeException("Md5Util exception: data=" + data);
}
}
}Spring拦截器配置
在filter拦截器添加注解
@WebFilter(urlPatterns={"/api/*"})对指定url进行拦截 @Component是对所有请求进行拦截
在启动类添加注解
@ServletComponentScan
类似资料: