springboot开发,api接⼝统⼀签名校验实践本⽂实现了接⼝请求签名校验,时间戳判断,响应数据返回签名等内容。
这个签名校验,和返回签名可以⽤多种⽅法实现。
第⼀种aop 实现
⾃定义注解体
/**
* @author xxx
*/
@Retention(value = RetentionPolicy.RUNTIME)
public @interface SignatureValidation {
}
aop实现
/**
* @author xxx
*/
@Aspect
@Component
public class SignatureValidation {
/**
* 时间戳请求最⼩限制(600s)
* 设置的越⼩,安全系数越⾼,但是要注意⼀定的容错性
*/
private static final long MAX_REQUEST = 10 * 60 * 1000L;
/**
* 秘钥
*/
private static final String SECRET= "test";
/**
* 验签切点(完整的到设置的⽂件地址)
*/
@Pointcut("execution(@xxx.aop.SignatureValidation * *(..))")
private void verifyUserKey() {
}
/**
* 获取请求数据,并校验签名数据
*/
@Before("verifyUserKey()")
public void doBasicProfiling(JoinPoint point) {
ServletRequestAttributes attributes = (ServletRequestAttributes) RequestAttributes();
HttpServletRequest request = quireNonNull(attributes).getRequest();
String sign = "" ;
String timestamp = "" ;
String version = "";
SortedMap<String,String> sortedMap = new TreeMap<String,String>();
for ( Object obj  :Args()) {
JSONObject jsonObject =JSONUtil.parseObj(obj);
if( !StrUtil.("sign"))){
("sign").toString();
}
if(!StrUtil.("timestamp"))){
("timestamp").toString();
sortedMap.put("timestamp", timestamp);
}
if(!StrUtil.("version"))){
("version").toString();
sortedMap.put("version", version);
}
if(!StrUtil.("data"))){
String dataStr= ("data").toString();
if(!JSONUtil.isJsonObj(dataStr)) {
if(JSONUtil.isJsonArray(dataStr)){
sortedMap.put("data", JSONUtil.parseArray(dataStr).toString());
}
sortedMap.put("data", dataStr);
}
else
{
JSONObject dataJson= JSONUtil.parseObj(dataStr);
@SuppressWarnings("unchecked")
Set<String> keySet = dataJson.keySet();
String key = "";
Object value = null;
// 遍历json数据,添加到SortedMap对象
for (Iterator<String> iterator = keySet.iterator(); iterator.hasNext();) {
key = ();
value = (key);
String  valueStr="";
if(!StrUtil.isEmptyIfStr(value)){
String();
}
sortedMap.put(key, valueStr);
}
}
}
}
if (StrUtil.isEmptyIfStr(sign)) {
throw new CustomException(BaseResultInfoEnum.ERROR_MISSING_Msg(),BaseResultInfoEnum.ERROR_MISSING_Code());        }
//新的签名
String newSign = createSign(sortedMap,SECRET);
if (!newSign.UpperCase())) {
throw new CustomException(BaseResultInfoEnum.ERROR_Msg(),BaseResultInfoEnum.ERROR_Code());
}
}
/**
*
* @param point
* @param responseObject 返回参数
*/
@AfterReturning(pointcut="verifyUserKey()",returning="responseObject")
public void afterReturning(JoinPoint point,Object responseObject) {
HttpServletResponse response=((ServletRequestAttributes) RequestAttributes()).getResponse();
if(responseObject instanceof ResponseModel){
ResponseModel responseModel= (ResponseModel) responseObject;
responseModel.setTimestamp(System.currentTimeMillis());
responseModel.setVersion(0);
String sign= ateParameters(responseModel),SECRET);
responseModel.setSign(sign);
}
}
}
md5签名
/**
* @author xxx
*/
public class Md5Utils {
/**
* ⽣成签名
* @param parameters
* @param key 商户ID
* @return
*/
public static String createSign(SortedMap<String,String> parameters, String key){
StringBuffer sb = new StringBuffer();
Set es = Set();
Iterator it = es.iterator();
while(it.hasNext()) {
Map.Entry entry = (Map.();
String k = (Key();
Object v = Value();
if(null != v && !"".equals(v)
&& !"sign".equals(k) && !"key".equals(k)) {
sb.append(k + "=" + v + "&");
}
}
sb.append("key=" + key);
String sign = SecureUtil.String()).toUpperCase();
return sign;
}
/**
* 签名参数
* @param responseModel 响应数据签名返回给调⽤者
* @return
*/
public static SortedMap<String,String> createParameters(ResponseModel responseModel){
SortedMap<String,String> sortedMap = new TreeMap<String,String>();
if(responseModel!=null) {
sortedMap.put("timestamp", Timestamp()) );
sortedMap.put("version", Version()));
JSONObject json = JSONUtil.parseObj(responseModel, false);
Data()!=null) {
sortedMap.put("data", ("data").toString());
}
}
return sortedMap;
}
}
使⽤,在控制中的⽅法上⽅注解即可
第⼆种这⾥只做了时间判断,签名校验可以根据需要修改即可实现。
过滤器
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* @author xx
*/
@WebFilter(urlPatterns = "/*",filterName = "channelFilter")
public class ChannelFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {        ServletRequest requestWrapper = null;
if(servletRequest instanceof HttpServletRequest) {
requestWrapper = new RequestWrapper((HttpServletRequest) servletRequest);
}
if(requestWrapper == null) {
filterChain.doFilter(servletRequest, servletResponse);
} else {
filterChain.doFilter(requestWrapper, servletResponse);
}
}
@Override
public void destroy() {
}
}
配置
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import t.annotation.Bean;
import t.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.fig.annotation.CorsRegistry;
import org.springframework.fig.annotation.InterceptorRegistry;
import org.springframework.fig.annotation.WebMvcConfigurer;
/**
* @author xxxx
*/
@Configuration
public class InterceptorConfig implements WebMvcConfigurer{
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(getHandlerInterceptor());
}
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedHeaders("Content-Type", "x-requested-with", "X-Custom-Header")
.allowedMethods("PUT", "POST", "GET", "DELETE", "OPTIONS")
.allowedOrigins("*")
.allowCredentials(true);
}
@Bean
public FilterRegistrationBean repeatedlyReadFilter() {
FilterRegistrationBean registration = new FilterRegistrationBean();
ChannelFilter repeatedlyReadFilter = new ChannelFilter();
registration.setFilter(repeatedlyReadFilter);
registration.addUrlPatterns("/*");
return registration;
}
@Bean
public HandlerInterceptor getHandlerInterceptor() {
return new TimestampInterceptor();
}
}
RequestWrapper 请求流重写处理
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
/**
*/
public class RequestWrapper extends HttpServletRequestWrapper {
private final String body;
public RequestWrapper(HttpServletRequest request) {
super(request);
StringBuilder stringBuilder = new StringBuilder();
BufferedReader bufferedReader = null;
InputStream inputStream = null;
try {
inputStream = InputStream();
if (inputStream != null) {
bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
char[] charBuffer = new char[128];
int bytesRead = -1;
while ((bytesRead = ad(charBuffer)) > 0) {
stringBuilder.append(charBuffer, 0, bytesRead);
}
} else {
stringBuilder.append("");
}
} catch (IOException ex) {
} finally {
if (inputStream != null) {
try {
inputStream.close();
}
catch (IOException e) {
e.printStackTrace();
}
}
if (bufferedReader != null) {
try {
bufferedReader.close();
}
catch (IOException e) {
e.printStackTrace();
}
}
}
body = String();
}
@Override
public ServletInputStream getInputStream() throws IOException {
final ByteArrayInputStream byteArrayInputStream = new Bytes());        ServletInputStream servletInputStream = new ServletInputStream() {
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
@Override
public int read() throws IOException {
ad();
}
};
return servletInputStream;
}
@Override
public BufferedReader getReader() throws IOException {
return new BufferedReader(new InputStream()));
}
public String getBody() {
return this.body;
}
}
这⾥可以实现请求来的签名处理,这⾥只处理时间了
import util.StrUtil;
import cn.hutool.json.JSONObject;
import cn.hutool.json.JSONUtil;
sult.BaseResultInfoEnum;
xception.CustomException;
import org.springframework.boot.autoconfigure.BasicErrorController;
import org.hod.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* @author xxx
*/
public class TimestampInterceptor implements HandlerInterceptor {
/**
* 时间戳请求最⼩限制(600s)
* 设置的越⼩,安全系数越⾼,但是要注意⼀定的容错性
*/
private static final long MAX_REQUEST = 10 * 60 * 1000L;
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
if (handler instanceof HandlerMethod) {
HandlerMethod handlerMethod = (HandlerMethod) handler;
if (Bean() instanceof BasicErrorController) {
return true;
}
//            if ("GET".Method())) {
//                return true;
//            }
ValidateResponse validateResponse = new ValidateResponse(true, null);
RequestWrapper myRequestWrapper = new RequestWrapper((HttpServletRequest) request);
validateResponse= Body());
if (!validateResponse.isValidate()) {
Exception();
}
}
return true;
}
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) {
}
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
}
private  ValidateResponse  checkTimestamp(String requestBody) {
try {
JSONObject jsonObject = JSONUtil.parseObj(requestBody);
String timestamp = "" ;
if(!StrUtil.("timestamp"))) {
("timestamp").toString();
}
if (StrUtil.isEmptyIfStr(timestamp)) {
return new ValidateResponse(false, new CustomException(BaseResultInfoEnum.ERROR_MISSING_Msg(), BaseResultInfoEnum.ERROR_MISSING_Code()));            }
long now = System.currentTimeMillis();
long time = Long.parseLong(timestamp);
if (now - time > MAX_REQUEST) {
return new ValidateResponse(false, new CustomException(BaseResultInfoEnum.ERROR_TIMESTAMP_Msg(), BaseResultInfoEnum.ERROR_TIMESTAMP_Code()));            }
} catch (Exception e) {
e.printStackTrace();
}
return new ValidateResponse(true, null);
}
/**
* 校验返回对象
*/
private static class ValidateResponse {
private boolean validate;
private CustomException exception;
public ValidateResponse(boolean validate, CustomException exception) {
this.validate = validate;
}
public boolean isValidate() {
return validate;
}
public Exception getException() {
return exception;
}
}
}
返回给前端(或其他平台的)处理类
pojo.PageResponseModel;
xxmon.pojo.ResponseModel;
springboot和过滤器
import MethodParameter;
import org.springframework.http.MediaType;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.hod.annotation.ResponseBodyAdvice;
/**
* @author sunrh
*/
@ControllerAdvice
public class ResponseBodyTimestamp implements ResponseBodyAdvice {
@Override
public boolean supports(MethodParameter methodParameter, Class aClass) {
return true;
}
@Override
public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {
//就是这⾥处理返回签名数据
if(o instanceof ResponseModel){
ResponseModel responseModel= (ResponseModel) o;
responseModel.setTimestamp(System.currentTimeMillis());
return responseModel;
}
if(o instanceof PageResponseModel){
PageResponseModel responseModel= (PageResponseModel) o;
responseModel.setTimestamp(System.currentTimeMillis());
return responseModel;