API接口如何防止参数被篡改和重放攻击?
基于timestamp和nonce的方案
timestamp的作用
nonce的作用
防篡改、防重放攻击 拦截器(用到了redis)
public class SignAuthInterceptor implements HandlerInterceptor { private RedisTemplate<String, String> redisTemplate; private String key; public SignAuthInterceptor(RedisTemplate<String, String> redisTemplate, String key) { this.redisTemplate = redisTemplate; this.key = key; } @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { // 获取时间戳 String timestamp = request.getHeader("timestamp"); // 获取随机字符串 String nonceStr = request.getHeader("nonceStr"); // 获取签名 String signature = request.getHeader("signature"); // 判断时间是否大于xx秒(防止重放攻击) long NONCE_STR_TIMEOUT_SECONDS = 60L; if (StrUtil.isEmpty(timestamp) || DateUtil.between(DateUtil.date(Long.parseLong(timestamp) * 1000), DateUtil.date(), DateUnit.SECOND) > NONCE_STR_TIMEOUT_SECONDS) { throw new BusinessException("invalid timestamp"); } // 判断该用户的nonceStr参数是否已经在redis中(防止短时间内的重放攻击) Boolean haveNonceStr = redisTemplate.hasKey(nonceStr); if (StrUtil.isEmpty(nonceStr) || Objects.isNull(haveNonceStr) || haveNonceStr) { throw new BusinessException("invalid nonceStr"); } // 对请求头参数进行签名 if (StrUtil.isEmpty(signature) || !Objects.equals(signature, this.signature(timestamp, nonceStr, request))) { throw new BusinessException("invalid signature"); } // 将本次用户请求的nonceStr参数存到redis中设置xx秒后自动删除 redisTemplate.opsForValue().set(nonceStr, nonceStr, NONCE_STR_TIMEOUT_SECONDS, TimeUnit.SECONDS); return true; } private String signature(String timestamp, String nonceStr, HttpServletRequest request) throws UnsupportedEncodingException { Map<String, Object> params = new HashMap<>(16); Enumeration<String> enumeration = request.getParameterNames(); if (enumeration.hasMoreElements()) { String name = enumeration.nextElement(); String value = request.getParameter(name); params.put(name, URLEncoder.encode(value, CommonConstants.UTF_8)); } String qs = String.format("%s×tamp=%s&nonceStr=%s&key=%s", this.sortQueryParamString(params), timestamp, nonceStr, key); log.info("qs:{}", qs); String sign = SecureUtil.md5(qs).toLowerCase(); log.info("sign:{}", sign); return sign; } /** * 按照字母顺序进行升序排序 * * @param params 请求参数 。注意请求参数中不能包含key * @return 排序后结果 */ private String sortQueryParamString(Map<String, Object> params) { List<String> listKeys = Lists.newArrayList(params.keySet()); Collections.sort(listKeys); StrBuilder content = StrBuilder.create(); for (String param : listKeys) { content.append(param).append("=").append(params.get(param).toString()).append("&"); } if (content.length() > 0) { return content.subString(0, content.length() - 1); } return content.toString(); } }
声明:本站所有文章资源内容,如无特殊说明或标注,均为采集网络资源。如若本站内容侵犯了原著者的合法权益,可联系本站删除。