巧谈数据接口安全-具体实现
巧谈数据接口安全-具体实现
上一节针对数据接口的安全性提出了解决方式, 这节经过具体的代码来实现web
巧谈数据接口安全-理论篇redis
项目环境
项目接口采用SSM的框架, 基于SpringMVC拦截器来实现。 固然, 也能够采用Spring的AOP来实现, 这种方式更通用一些spring
上代码
本项目采用 SpringMVC拦截器的方式来实现json
获取参数
目前接口最通用的提交方式是application/json, 这种方式在拦截器中若是要获取POST方式的参数, 须要就其进行处理。后端
工具类 对获得的参数进行处理spring-mvc
public class ParamUtils {
private static final WeakHashMap<String, String> PARAMS = new WeakHashMap<>();
public static final String KEY = "params";
private ParamUtils() {
}
public static ParamUtils getInstance() {
return ParamUtils.Holder.INSTANCE;
}
static class Holder {
private static final ParamUtils INSTANCE = new ParamUtils();
}
/**
* 将从post中获取到的传递 存放到map中
* @param params
*/
public void set(String params) {
PARAMS.put(KEY, params);
}
/**
* 获得json字符串
* @return
*/
public String get() {
return PARAMS.get(KEY);
}
/**
* 将json字符串转换成map对象
* @param json
* @return
*/
public Map<String, Object> json2Map(String json) {
return (Map<String, Object>) JSON.parse(json);
}
/**
* 签名验证
* @param map
* @return
*/
public String getSign(Map<String, Object> map) {
return getSign2Map(map);
}
private String getSign2Map(Map<String, Object> map) {
StringBuffer sb = new StringBuffer();
ArrayList<String> list = new ArrayList<String>(map.keySet());
Collections.sort(list);
for(String key:list) {
Object value = map.get(key);
if(!key.equalsIgnoreCase("sign"))
sb.append(key).append("=").append(map.get(key)).append("&");
}
sb.deleteCharAt(sb.length() - 1);
return DigestUtil.getInstance().md5(sb.toString());
}
public String getSign(String json){
Map<String, Object> map = json2Map(json);
return getSign2Map(map);
}
/**
* 从get请求中获取到参数 封装成Map对象
* @param request
* @return
*/
public Map<String, Object> getParam2Get(HttpServletRequest request) {
Map<String, Object> map = new HashMap<>();
Map<String, String[]> parameterMap = request.getParameterMap();
if(parameterMap != null && !parameterMap.isEmpty()) {
for(Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
String[] value = entry.getValue();
if(value != null && value.length > 0) {
map.put(entry.getKey(), value[0]);
}
}
}
return map;
}
}
复制代码
Filter 获取非GET方式传递的数据安全
经过实现Filter的方式, 对非GET的request进行重写, 获得提交参数bash
public class SecurityFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
SecurityHttpServletRequestWrapper wrap = null;
if (request instanceof HttpServletRequest) {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
if (!"get".equals(httpServletRequest.getMethod().toUpperCase())
&& httpServletRequest.getHeader("Accept").contains("application/json")) {
wrap = new SecurityHttpServletRequestWrapper(httpServletRequest);
ParamUtils.getInstance().set(wrap.getJson());
}
}
if (null != wrap) {
chain.doFilter(wrap, response);
} else {
chain.doFilter(request, response);
}
}
@Override
public void destroy() {
}
}
class SecurityHttpServletRequestWrapper extends HttpServletRequestWrapper {
private String json;
public SecurityHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
super(request);
ServletInputStream stream = this.getRequest().getInputStream();
json = IOUtils.toString(stream, "UTF-8");
}
@Override
public ServletInputStream getInputStream() {
byte[] buffer = null;
try {
buffer = json.toString().getBytes("UTF-8");
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
final ByteArrayInputStream bais = new ByteArrayInputStream(buffer);
ServletInputStream newStream = new ServletInputStream() {
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
@Override
public int read() throws IOException {
return bais.read();
}
};
return newStream;
}
public String getJson() {
return json;
}
public void setJson(String json) {
this.json = json;
}
}
复制代码
web.xml中配置mvc
<filter>
<filter-name>securityFilter</filter-name>
<filter-class>com.sanq.product.security.filters.SecurityFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>securityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
复制代码
自定义过滤注解
在项目中 并非全部的接口都须要进行所有验证的, 好比 登陆注册这种的就不须要验证Token, 这里就须要将验证过滤掉app
@IgnoreSecurity 过滤掉Token验证
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface IgnoreSecurity {
}
复制代码
@Security 过滤掉全部的验证 (这里名称起的不是很好, 你们随意替换)
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface Security {
}
复制代码
拦截匹配
到这里, 咱们就应该在拦截器中开始咱们的拦截验证了, 咱们在这里须要验证一下几点:
- IP
- Token
- TimeStamp
- Sign
- Client 客户端
首先咱们先将须要验证的参数名称写入一个枚举类中, 方便咱们查看
SecurityFieldEnum
public enum SecurityFieldEnum {
//须要验证的参数
TOKEN("token"),
TIMESTAMP("timestamp"),
SIGN("sign"),
CLIENT("client"),
APP("APP");
private String mName;
SecurityFieldEnum(String name) {
this.mName = name;
}
public String getName() {
return mName;
}
}
复制代码
开始写拦截器的代码, 为了能够实现通用, 这里定义为abstract
SecurityInterceptor
public abstract class SecurityInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
if(handler instanceof HandlerMethod) {
//验证ip是否在黑名单中
if(checkIp(request, GlobalUtil.getIpAddr(request))) {
return false;
}
HandlerMethod hm = (HandlerMethod) handler;
Security security = hm.getMethodAnnotation(Security.class);
if (security != null) {
return true;
}
IgnoreSecurity s = hm.getMethodAnnotation(IgnoreSecurity.class);
Map<String, Object> objectMap;
if (request.getMethod().equalsIgnoreCase("get"))
objectMap = ParamUtils.getInstance().getParam2Get(request);
else
objectMap = ParamUtils.getInstance().json2Map(ParamUtils.getInstance().get());
if (objectMap != null && !objectMap.isEmpty()) {
Object o = null;
if (s == null) {
o = objectMap.get(SecurityFieldEnum.TOKEN.getName());
if (o == null)
throw new NoParamsException(String.format("参数%s不存在", SecurityFieldEnum.TOKEN.getName()));
if (!checkToken(request, (String) o)) {
throw new TokenException(String.format("%s已过时,请从新登陆", SecurityFieldEnum.TOKEN.getName()));
}
}
o = objectMap.get(SecurityFieldEnum.TIMESTAMP.getName());
if (o == null)
throw new NoParamsException(String.format("参数%s不存在", SecurityFieldEnum.TIMESTAMP.getName()));
Long timestamp = StringUtil.toLong(o);
if (LocalDateUtils.nowTime().getTime() - timestamp >= 60 * 1000)
throw new NoParamsException(String.format("参数%s已过时", SecurityFieldEnum.TIMESTAMP.getName()));
o = objectMap.get(SecurityFieldEnum.CLIENT.getName());
if (o == null || SecurityFieldEnum.APP.getName().equals((String) o)) { //这里获取CLIENT是为了防止有些项目没法进行sign验证, 也能够去掉该验证
o = objectMap.get(SecurityFieldEnum.SIGN.getName());
if (o == null)
throw new NoParamsException(String.format("参数%s不存在", SecurityFieldEnum.SIGN.getName()));
String sign = (String) o;
String paramsSign = ParamUtils.getInstance().getSign(objectMap);
if (!sign.equals(paramsSign)) {
throw new NoParamsException(String.format("参数%s验证不正确", SecurityFieldEnum.SIGN.getName()));
}
}
return true;
}
}
return false;
}
public abstract boolean checkToken(HttpServletRequest request, String token);
public abstract boolean checkIp(HttpServletRequest request, String ip);
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
}
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
}
}
复制代码
这一大串的判断, 谁来给我优化下啊 -_-~~
错误信息引导
在拦截器中咱们throw了一些异常, 在这里咱们须要包装错误返回给用户
这里使用@ControllerAdvice配合@ExceptionHandler来实现
ExceptionAspect
@ControllerAdvice
@ResponseBody
public class ExceptionAspect {
/**
* 500 - Token is invaild
*/
@ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
@ExceptionHandler(TokenException.class)
public Response handleTokenException(TokenException e) {
e.printStackTrace();
return new Response().failure(e.getMsg(), ResultCode.NO_TOKEN);
}
/***
* 参数有误
*/
@ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
@ExceptionHandler(NoParamsException.class)
public Response handleTokenException(NoParamsException e) {
e.printStackTrace();
return new Response().failure(e.getMsg(), ResultCode.PARAM_ERROR);
}
}
复制代码
结合个人小说项目运行 查看效果
正式编码已经完成 咱们来看下效果
配置
maven引入
<dependency>
<groupId>com.sanq.product.x_utils</groupId>
<artifactId>util_security</artifactId>
<version>1.0-SNAPSHOT</version>
</dependency>
复制代码
web.xml配置
<filter>
<filter-name>securityFilter</filter-name>
<filter-class>com.sanq.product.security.filters.SecurityFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>securityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
复制代码
spring-mvc.xml配置
// 加载扫描错误信息的包
<context:component-scan base-package="com.sanq.product.books.controller, com.sanq.product.redis.service.impl.single, com.sanq.product.security.aspect" />
//配置拦截器
<mvc:interceptors>
<bean class="com.sanq.product.books.interceptors.SecurityInterceptor" />
</mvc:interceptors>
复制代码
SecurityInterceptor
public class SecurityInterceptor extends com.sanq.product.security.interceptors.SecurityInterceptor {
@Resource
private JedisPoolService jedisPoolService;
private static final int MAX = 60;
@Override
public boolean checkToken(HttpServletRequest request, String token) {
return jedisPoolService.exists(Redis.ReplaceKey.getTokenUser(token));
}
@Override
public boolean checkIp(HttpServletRequest request, String ip) {
//统计ip访问次数的key
String ipKey = Redis.ReplaceKey.getCheckIpKey(ip);
//BLOCK_IP_SET: 黑名单的key
if (jedisPoolService.zrank(Redis.RedisKey.BLOCK_IP_SET, ip)) {
LogUtil.getInstance(SecurityInterceptor.class).i("ip进入了黑名单");
return true;
}
String ipCountTmp = jedisPoolService.get(ipKey);
int ipCount = StringUtil.toInteger(ipCountTmp != null ? ipCountTmp : 0);
if (ipCount > MAX) {
jedisPoolService.putSet(Redis.RedisKey.BLOCK_IP_SET, 1, ip);
jedisPoolService.delete(ipKey);
return true;
}
jedisPoolService.incrAtTime(ipKey, MAX);
return false;
}
}
复制代码
完结
到此咱们关于接口安全的拦截就已经所有实现完成。 也欢迎大胆的尝试更改。
但愿你们均可以写出更加优雅,健壮的程序
扩展
关于js端MD5的加密, 你们可使用js-md5, 亲测和后端加密后获得的数据是一直的
md5("引入js,调用md5()方法");
复制代码
相关文章
- 1. 巧谈数据接口安全性
- 2. 【ActiveX】实现安全接口
- 3. 数据库Connection接口的具体实现方法
- 4. 谈谈序列化—实体bean必定要实现Serializable接口?
- 5. php接口安全设计及实现
- 6. h5+api接口安全和增强接口接收数据的安全性
- 7. h5+api接口安全和加强接口接收数据的安全性
- 8. ConcurrentHashMap线程安全的具体实现⽅式/底层具体实现
- 9. 漫谈数据安全
- 10. QT5.5与MYSQL5.6数据库连接的具体方法与实现
- 更多相关文章...
- • ASP.NET MVC - 安全 - ASP.NET 教程
- • DTD - 实体 - DTD 教程
- • Flink 数据传输及反压详解
- • TiDB 在摩拜单车在线数据业务的应用和实践
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
