WebApi与手机客户端通讯安全机制
最近公司有几个项目须要开发手机客户端,服务器端选用WebApi,那么如何保证手机客户端在请求服务器端时数据不被篡改,如何保证一个http请求的失效机制,下面总结一下咱们在项目中针对这两个问题的解决方案。json
基本思路以下:api
用户在成功登录app客户端以后,手机客户端向服务器端发出的全部的http请求在请求头(HttpHeader)上都会带上下面三个参数:一、Uid(用户ID),二、Ts(时间戳),三、Sign(签名)。其中Ts是当前时间减去1970-1-1获得的10位的时间时间戳数字,Sign是接口中全部http请求参数与Uid、Ts通过MD5加密后获得的一个字符串。服务器
具体实现以下(客户端的实现,手机客户端生成下面两个参数的思路是同样的):app
一、Ts时间戳ide
Ts参数能够保证请求的时效性,在手机客户端生成的Ts,在服务器端验证一下,保证请求是在咱们规定的时间段内,具体代码以下:post
(1)、生成Ts(C#)代码以下,Andriod和IOS能够同理生成测试
/// <summary> /// 获取十位的时间戳 /// </summary> /// <param name="dt"></param> /// <returns></returns> public string GenerateTimeStamp(DateTime dt) { // Default implementation of UNIX time of the current UTC time TimeSpan ts = dt.ToUniversalTime() - new DateTime(1970, 1, 1, 0, 0, 0, 0); return Convert.ToInt64(ts.TotalSeconds).ToString(); }
(2)、服务器端端验证Ts代码以下,咱们规定从手机客户端发到服务器端的请求有效期为5分钟,时间戳参数是跟在Http请求头中ui
//获取请求头信息 var requestHeader = HttpContext.Current.Request.Headers; //10位时间戳 var Ts = requestHeader.Get("Ts"); //验证Ts是否合法(请求时间有效时间为:加减5分钟) var ts = Ts;//10位时间戳 if (ts.Length != 10) { var resp = Request.CreateResponse<string>(HttpStatusCode.OK, "请求已过时", "application/json"); ; throw new HttpResponseException(resp); } var tsDate = ComHelper.ConvertIntDateTime(ts.ToString()); if (tsDate > DateTime.Now.AddMinutes(5) || tsDate < DateTime.Now.AddMinutes(-5)) { var resp = Request.CreateResponse<string>(HttpStatusCode.OK, "请求已过时", "application/json"); ; throw new HttpResponseException(resp); }
(3)、ComHelper公共类代码以下加密
using System; using System.Collections.Generic; using System.Collections.Specialized; using System.Linq; using System.Text; using System.Web; using System.Web.Security; namespace OpenAPITest.App_Start { public class ComHelper { /// <summary> /// 获取post/get集合 /// </summary> /// <param name="ignoreCase">true 不区分大小写,统一返回小写 false 区分大小写</param> /// <returns></returns> public static SortedDictionary<string, string> GetRequestSortDic(bool ignoreCase) { int i = 0; SortedDictionary<string, string> sArray = new SortedDictionary<string, string>(); NameValueCollection coll; //Load Form variables into NameValueCollection variable. coll = HttpContext.Current.Request.Form; //coll = HttpContext.Current.Request.Params; // Get names of all forms into a string array. String[] requestItem = coll.AllKeys; for (i = 0; i < requestItem.Length; i++) { if (ignoreCase) sArray.Add(requestItem[i].ToLower(), GetString(requestItem[i])); else sArray.Add(requestItem[i], GetString(requestItem[i])); } coll = HttpContext.Current.Request.QueryString; requestItem = coll.AllKeys; for (i = 0; i < requestItem.Length; i++) { if (ignoreCase) sArray.Add(requestItem[i].ToLower(), GetString(requestItem[i])); else sArray.Add(requestItem[i], GetString(requestItem[i])); } return sArray; } /// <summary> /// 从当前环境中获取 /// </summary> /// <param name="name"></param> /// <param name="defValue"></param> /// <returns></returns> public static string GetString(string name) { string res = ""; var v = HttpContext.Current.Request[name]; if (v != null) { res = v.ToString(); } return res; } /// <summary> /// 时间戳转为C#格式时间 /// </summary> /// <param name="timeStamp"></param> /// <returns></returns> public static DateTime ConvertIntDateTime(string timeStamp) { DateTime dtStart = TimeZone.CurrentTimeZone.ToLocalTime(new DateTime(1970, 1, 1)); long lTime = long.Parse(timeStamp + "0000000"); TimeSpan toNow = new TimeSpan(lTime); return dtStart.Add(toNow); } /// <summary> /// MD5加密 /// </summary> /// <param name="str">原串</param> /// <param name="code">加密位</param> /// <returns></returns> public static string ToMD5(string str) { return FormsAuthentication.HashPasswordForStoringInConfigFile(str, "MD5").ToLower(); } /// <summary> /// 获取Sign /// </summary> /// <param name="inputPara"></param> /// <param name="privateKey"></param> /// <returns></returns> public static string GetResponseMysign(SortedDictionary<string, string> inputPara, string privateKey) { string fullstring = GetPostStrings(inputPara, "_sign") + privateKey; return ToMD5(fullstring); } private static string GetPostStrings(SortedDictionary<string, string> inputPara, string excepted) { Dictionary<string, string> sPara = new Dictionary<string, string>(); //过滤空值、sign与sign_type参数 foreach (KeyValuePair<string, string> temp in inputPara) { if (temp.Key.ToLower() != excepted && temp.Value != "" && temp.Value != null) { sPara.Add(temp.Key.ToLower(), temp.Value); } } //得到签名结果 StringBuilder prestr = new StringBuilder(); foreach (KeyValuePair<string, string> temp in sPara) { prestr.Append(temp.Key + "=" + temp.Value + "&"); } //去掉最後一個&字符 int nLen = prestr.Length; if (nLen > 1) prestr.Remove(nLen - 1, 1); return prestr.ToString(); } /// <summary> /// 获取十位的时间戳 /// </summary> /// <param name="dt"></param> /// <returns></returns> public static string GenerateTimeStamp(DateTime dt) { // Default implementation of UNIX time of the current UTC time TimeSpan ts = dt.ToUniversalTime() - new DateTime(1970, 1, 1, 0, 0, 0, 0); return Convert.ToInt64(ts.TotalSeconds).ToString(); } } }
二、Sign签名url
(1)、sign的生成规则:服务器端接口中的全部参数+Uid+Ts,去除掉参数中值为空的参数后, 按照参数key值排序,用&连接,并所有转化为小写,而后用MD5加密,经过HttpHeader发送到服务器端接口。
生成Sign大代码以下(C#),Android和IOS能够同理生成
假如手机客户端请求的一个API接口为:http://weapi.com/order/getlist?StatusID=1&CarID=2&CityID=3&name=&key=222 sign=md5(carid=2&cityid=3&key=222&statusid=1&ts=0123456789&uid=110)
(2)、验证客户端的Sign,防止参数被修改
//请求签名,客户端生成的签名 var Sign = requestHeader.Get("Sign"); //排序字典,按照key排序 SortedDictionary<string, string> postValue = null; //获取请求中全部的参数 postValue = ComHelper.GetRequestSortDic(true); postValue.Add("Uid", Uid);//API帐户名称 postValue.Add("Ts", Ts);//10位时间戳 string APIPrivateKey = "2D7E7C96-DAC5-4526-96C3-C60CDEC4B120";//客户端和手机端保持一致 //服务器端生成的Sign string mysign = ComHelper.GetResponseMysign(postValue, APIPrivateKey); if (!Sign.Equals(mysign, StringComparison.InvariantCultureIgnoreCase)) { var resp = Request.CreateResponse<string>(HttpStatusCode.OK, "签名错误", "application/json"); ; throw new HttpResponseException(resp); }
三、模拟测试
(1)C#模拟Http请求,代码以下
//请求的API地址 string url = "http://localhost:51942/api/Values/Get?StatusID=1&CarID=2&CityID=3&name=&key=1233"; //生成Ts string Ts = ComHelper.GenerateTimeStamp(DateTime.Now); //SortedDictionary会自动按照key值排序 SortedDictionary<string, string> sortDic = new SortedDictionary<string, string>(); sortDic.Add("StatusID", "1"); sortDic.Add("CarID", "2"); sortDic.Add("CityID", "3"); sortDic.Add("name", ""); sortDic.Add("key", "1233"); sortDic.Add("Uid","110"); sortDic.Add("Ts", Ts); string APIPrivateKey = "2D7E7C96-DAC5-4526-96C3-C60CDEC4B120";//客户端和手机端保持一致,md5加密多使用了一个参数 //获取Sign签名 string Sign = ComHelper.GetResponseMysign(sortDic, APIPrivateKey); //发送请求 System.Net.WebRequest wReq = System.Net.WebRequest.Create(url); wReq.Headers.Add("Uid", "110"); wReq.Headers.Add("Ts", Ts); wReq.Headers.Add("Sign", Sign); System.Net.WebResponse wResp = wReq.GetResponse(); System.IO.Stream respStream = wResp.GetResponseStream(); using (System.IO.StreamReader reader = new System.IO.StreamReader(respStream, Encoding.UTF8)) { string res= reader.ReadToEnd(); }
(2)服务器端验证参数,参数验证写在BaseApiController.cs文件中,只要继承该类的均可以验证客户端传过来的参数
public class ValuesController : BaseApiController { // GET api/values public IEnumerable<string> Get(string StatusID,string CarID,string CityID,string name, string key) { return new string[] { "value1", "value2" }; }
using System; using System.Collections.Generic; using System.Linq; using System.Web; using System.Web.Http; using System.Web.Http.Controllers; using System.Net.Http; using System.Net; namespace OpenAPITest.App_Start { public class BaseApiController : ApiController { /// <summary> /// 初始化方法 /// </summary> /// <param name="controllerContext"></param> protected override void Initialize(HttpControllerContext controllerContext) { base.Initialize(controllerContext); //获取请求头信息 var requestHeader = HttpContext.Current.Request.Headers; //登陆用户的ID var Uid = requestHeader.Get("Uid"); //请求签名 var Sign = requestHeader.Get("Sign"); //10位时间戳 var Ts = requestHeader.Get("Ts"); //验证请求头信息是否合法 string errorMsg = CheckRequestHeader(Sign, Ts, Uid); //抛出错误信息 if (!string.IsNullOrWhiteSpace(errorMsg)) { var resp = Request.CreateResponse<string>(HttpStatusCode.OK, "认证失败", "application/json"); ; throw new HttpResponseException(resp); } //验证Ts是否合法(请求时间有效时间为:加减5分钟) var ts = Ts;//10位时间戳 if (ts.Length != 10) { var resp = Request.CreateResponse<string>(HttpStatusCode.OK, "请求已过时", "application/json"); ; throw new HttpResponseException(resp); } var tsDate = ComHelper.ConvertIntDateTime(ts.ToString()); if (tsDate > DateTime.Now.AddMinutes(5) || tsDate < DateTime.Now.AddMinutes(-5)) { var resp = Request.CreateResponse<string>(HttpStatusCode.OK, "请求已过时", "application/json"); ; throw new HttpResponseException(resp); } //排序字典,按照key排序 SortedDictionary<string, string> postValue = null; //获取请求中全部的参数 postValue = ComHelper.GetRequestSortDic(true); postValue.Add("Uid", Uid);//API帐户名称 postValue.Add("Ts", Ts);//10位时间戳 string APIPrivateKey = "2D7E7C96-DAC5-4526-96C3-C60CDEC4B120";//客户端和手机端保持一致 //服务器端生成的Sign string mysign = ComHelper.GetResponseMysign(postValue, APIPrivateKey); if (!Sign.Equals(mysign, StringComparison.InvariantCultureIgnoreCase)) { var resp = Request.CreateResponse<string>(HttpStatusCode.OK, "签名错误", "application/json"); ; throw new HttpResponseException(resp); } //验证经过 } /// <summary> /// 验证请求头 /// </summary> /// <param name="Sign"></param> /// <param name="Ts"></param> /// <param name="Pid"></param> /// <returns></returns> private string CheckRequestHeader(string Sign, string Ts, string Uid) { string ErrorMsg = ""; //请求签名 if (string.IsNullOrWhiteSpace(Sign)) { ErrorMsg = "认证失败"; } //10位时间戳 else if (string.IsNullOrWhiteSpace(Ts)) { ErrorMsg = "认证失败"; } //API帐户名称 else if (string.IsNullOrWhiteSpace(Uid)) { ErrorMsg = "认证失败"; } return ErrorMsg; } } }
做者:
Eric.Chen
出处: https://www.cnblogs.com/lc-chenlong
若是喜欢做者的文章,请关注“写代码的猿”订阅号以便第一时间得到最新内容。本文版权归做者全部,欢迎转载
出处: https://www.cnblogs.com/lc-chenlong
若是喜欢做者的文章,请关注“写代码的猿”订阅号以便第一时间得到最新内容。本文版权归做者全部,欢迎转载
相关文章
- 1. android手机客户端与pc机进行socket通讯
- 2. Socket实现手机客户端和PC机服务端通讯
- 3. 实现Android手机(服务端)与PC(客户端)实现通讯
- 4. socket实现客户端与服务端通讯(二)客户端
- 5. 烂泥:open***双网卡客户端与内网机器通讯
- 6. HTTPS的安全通讯机制
- 7. 客户端识别与 Cookie 机制
- 8. 云主机与外网主机、Android手机端的socket通讯
- 9. Unity客户端与后台通讯
- 10. mysql与客户端通讯协议
- 更多相关文章...
- • XSLT - 在客户端 - XSLT 教程
- • MySQL客户端和服务器端工具集 - MySQL教程
- • 漫谈MySQL的锁机制
- • Composer 安装与使用
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 在windows下的虚拟机中,安装华为电脑的deepin操作系统
- 2. 强烈推荐款下载不限速解析神器
- 3. 【区块链技术】孙宇晨:区块链技术带来金融服务的信任变革
- 4. 搜索引起的链接分析-计算网页的重要性
- 5. TiDB x 微众银行 | 耗时降低 58%,分布式架构助力实现普惠金融
- 6. 《数字孪生体技术白皮书》重磅发布(附完整版下载)
- 7. 双十一“避坑”指南:区块链电子合同为电商交易保驾护航!
- 8. 区块链产业,怎样“链”住未来?
- 9. OpenglRipper使用教程
- 10. springcloud请求一次好用一次不好用zuul Name or service not known
欢迎关注本站公众号,获取更多信息
