• HTTP接口安全


    HTTP Header 增加字段

     @ResponseBody
        public OfflineQRCodeResp OfflineQRCode(@RequestHeader("Authorization") String token,@RequestHeader("nonce") String nonce,
        		@RequestHeader("timestamp") String timestamp,
        		@RequestHeader("signature") String signature,
        		@RequestBody OfflineQRCodeReq in){
        	GlobalVars.IncreaseApiCallCount();
        	OfflineQRCodeResp resp = new OfflineQRCodeResp();
    
        	//--------------------- 验证签名 ----------------------
        	VerifySignatureReturn verifySignatureReturn = nonceService.verifySignature(nonce, timestamp,  in.toString(), signature);
    		if (!verifySignatureReturn.isbSuccess()) {
    			resp.setCode(201);
        		resp.setMessage("签名验证失败," + verifySignatureReturn.getMessage());	
        		resp.setTimestamp(in.getTimestamp());
        		return resp;
    		}
    		
    

    验证签名

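    /**
     * Verifies the anti-replay and integrity headers of an API call.
     *
     * <p>Checks run in this order: (1) everything is skipped when
     * {@code safe_enable == 0}; (2) {@code timestamp} must parse as epoch
     * milliseconds and lie within {@code safe_expire} seconds of the server
     * clock; (3) {@code strClientSignValue} must match
     * {@code SignatureUitl.getSignature(nonce, timestamp, requestParams)}
     * (case-insensitive); (4) when {@code safe_nonce == 1} the nonce must not
     * already be present in {@code cacheService}, and is recorded there on success.
     *
     * @param nonce              per-request random value taken from the "nonce" header
     * @param timestamp          epoch milliseconds taken from the "timestamp" header
     * @param requestParams      canonical request payload that was signed
     * @param strClientSignValue signature sent by the client
     * @return a result whose {@code bSuccess} is true only when every enabled
     *         check passed; on failure the message names the first failing check
     */
    @Override
    	public VerifySignatureReturn verifySignature(String nonce, String timestamp, String requestParams, String strClientSignValue) {
    		VerifySignatureReturn verifySignatureReturn = new VerifySignatureReturn();

    		if (safe_enable == 0) {
    			verifySignatureReturn.setbSuccess(true);
    			return verifySignatureReturn;
    		}

    		// A missing header is a verification failure, not a NullPointerException.
    		if (nonce == null || timestamp == null || strClientSignValue == null) {
    			verifySignatureReturn.setbSuccess(false);
    			verifySignatureReturn.setMessage("nonce/timestamp/signature missing.");
    			return verifySignatureReturn;
    		}

    		// ------------- timestamp expiry check --------------------
    		// A malformed timestamp is a client error; surface it as a failed
    		// verification instead of letting NumberFormatException escape.
    		long lngTimeStamp;
    		try {
    			lngTimeStamp = Long.parseLong(timestamp);
    		} catch (NumberFormatException e) {
    			verifySignatureReturn.setbSuccess(false);
    			verifySignatureReturn.setMessage("时间戳格式错误");
    			return verifySignatureReturn;
    		}
    		long lngCurTimeStamp = new Date().getTime();
    		long lngOffset = Math.abs(lngCurTimeStamp - lngTimeStamp);
    		// Math.abs(Long.MIN_VALUE) stays negative, so an extreme timestamp that
    		// overflows the subtraction must be rejected rather than treated as fresh.
    		// 1000L keeps the window computation in long arithmetic.
    		if (lngOffset < 0 || lngOffset > 1000L * safe_expire) {
    			verifySignatureReturn.setbSuccess(false);

    			SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS");
    			String strTimeString = sdf.format(new Date(lngTimeStamp));
    			verifySignatureReturn.setMessage("时间戳过期,差值=" + lngOffset + ",时间戳时间: " + strTimeString);
    			return verifySignatureReturn;
    		}

    		// ---------------- signature check ------------------------
    		// Done before the nonce is consumed so that an unauthenticated request
    		// cannot mark a nonce as used for a legitimate client.
    		String strSignValue = SignatureUitl.getSignature(nonce, timestamp, requestParams);
    		if (!signaturesMatch(strClientSignValue, strSignValue)) {
    			// The expected signature is deliberately not logged: a log line that
    			// carries the correct value for the request would act as an oracle.
    			logger.info("签名验证失败");
    			verifySignatureReturn.setbSuccess(false);
    			verifySignatureReturn.setMessage("signature invalid.");
    			return verifySignatureReturn;
    		}

    		// ---------------- nonce (replay) check ---------------------
    		if (safe_nonce == 1) {
    			// NOTE(review): get-then-put is not atomic; two concurrent requests
    			// carrying the same nonce could both pass. An atomic put-if-absent on
    			// cacheService would close that window if the service offers one.
    			String cacheNonceString = cacheService.get(nonce);
    			if (cacheNonceString == null) {
    				cacheService.put(nonce);
    			} else {
    				verifySignatureReturn.setbSuccess(false);
    				verifySignatureReturn.setMessage("随机数失效");
    				return verifySignatureReturn;
    			}
    		}

    		verifySignatureReturn.setbSuccess(true);
    		return verifySignatureReturn;
    	}

    	/**
    	 * Case-insensitive signature comparison that does not return early on the
    	 * first differing byte, so response time does not reveal how much of the
    	 * guess was correct. Returns false when the expected value is null.
    	 */
    	private static boolean signaturesMatch(String strClientSignValue, String strSignValue) {
    		if (strSignValue == null) {
    			return false;
    		}
    		byte[] clientBytes = strClientSignValue.toLowerCase(java.util.Locale.ROOT)
    				.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    		byte[] expectedBytes = strSignValue.toLowerCase(java.util.Locale.ROOT)
    				.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    		return java.security.MessageDigest.isEqual(clientBytes, expectedBytes);
    	}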
    
  • 原文地址:https://www.cnblogs.com/jiftle/p/16410587.html