第三方调用安全校验

1. 拦截器代码

/**
 * @Description 添加请求是否合法验证拦截器
 * @author 田林([email protected])
 * @date 2017年12月1日 下午4:20:38
 */
@Component("signature")
public class SignatureFilter implements Filter {
    
    private Logger logger = LoggerFactory.getLogger(SignatureFilter.class);
    
    @Value("${rsaKey}")
    private String rsaKey;
    
    public final static String JSON_PARAMS_TYPE="application/json";
    
    public final static String FORM_PARAMS_TYPE="application/x-www-form-urlencoded";

    @Override 
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        
        Map singleValueMap = Maps.newHashMap();
        
        HttpServletRequest httpRequest=(HttpServletRequest)request;
        
        String password = httpRequest.getHeader("password");
        
        // 是否通过验证
        boolean flag = false;
        
        //时间戳
        String timestamp = httpRequest.getHeader("timestamp");
        String serverPath = httpRequest.getServletPath();
        
        if("/".equals(serverPath)||serverPath.contains("/fe-che-union/static")){
            chain.doFilter(request,response);
        }else{
            HttpServletResponse httpResponse= (HttpServletResponse) response;
            String contentType = httpRequest.getContentType();
            if(!StringUtils.isEmpty(contentType)&&contentType.contains(JSON_PARAMS_TYPE)){//如果是json请求方式
                SignatureRequestWrapper requestWrapper = new SignatureRequestWrapper(httpRequest);
                String body = HttpHelper.getBodyString(requestWrapper);
                if (StringUtils.isEmpty(body)) {
                    logger.error("非法请求, 无参数");
                    OutWriterUtil.write(httpResponse, JSONObject.toJSONString(RespDTO.fail("无参数")));
                    return;
                }
                Map parameters = JSONObject.parseObject(body);
                
                Set keySet = parameters.keySet();
                for(String key:keySet){
                    singleValueMap.put(key, JSONObject.toJSONString(parameters.get(key)));
                }

                request=requestWrapper;
            }else if(!StringUtils.isEmpty(contentType)&&contentType.contains(FORM_PARAMS_TYPE)){
               Map parameterMap = request.getParameterMap();
               for(String key : parameterMap.keySet()){
                   String[] valueArray = parameterMap.get(key);
     
                   if(valueArray!=null&&valueArray.length>0){
                       singleValueMap.put(key, valueArray[0]);
                   }
               }
            } else {
                flag = true;
            }
            
            if(flag){
                chain.doFilter(request,response);
            }else{
                
                // 校验参数合法性
                flag = SignatureUtils.checkSign(singleValueMap, rsaKey,password,timestamp);
                
                if(flag){
                    chain.doFilter(request,response);
                }else{
                    OutWriterUtil.write(httpResponse, JSONObject.toJSONString(RespDTO.fail("签名错误必须存在")));
                    return;
                }
            }
        }
    }

    private boolean checkSign(Map parameters) {
        Map requestParams=new HashMap<>();
        SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
        for (String key : parameters.keySet()) {
            String valueStr="";
            Object value = parameters.get(key);
            if (value ==null){
                continue;
            }
            if(BeanUtils.isSimpleValueType(value.getClass())){ //如果是简单类型
                if(Date.class.isAssignableFrom(value.getClass())){//如果是时间类型
                    valueStr = dateFormat.format(value);
                }else{
                    valueStr=value.toString();
                }
            }else {
                //如果是复杂类型
                valueStr=JSONObject.toJSONString(value);
            }
            requestParams.put(key,valueStr);
        }
        return SignUtils.checkSign(requestParams,rsaKey);
    }

    private boolean checkParamIsExist(Map parameters, String... keys) {
        for (String key: keys) {
            if(parameters.get(key)==null){return false;}
        }

        return true;
    }

    @Override
    public void destroy() {

    }
    

}

 

2. 对输入流进行封装：

public class SignatureRequestWrapper extends HttpServletRequestWrapper {

    private HttpServletRequest original;
    private byte[] reqBytes;
    private boolean firstTime = true;

    public SignatureRequestWrapper(HttpServletRequest request) {
        super(request);
        reqBytes = HttpHelper.getBodyString(request).getBytes(Charset.forName("UTF-8"));
    }

    @Override
    public BufferedReader getReader() throws IOException{
        InputStreamReader isr = new InputStreamReader(new ByteArrayInputStream(reqBytes));
        return new BufferedReader(isr);
    }

    @Override
    public ServletInputStream getInputStream() throws IOException {


        ServletInputStream sis = new ServletInputStream() {
            @Override public boolean isFinished() {
                return false;
            }

            @Override public boolean isReady() {
                return false;
            }

            @Override public void setReadListener(ReadListener readListener) {

            }

            private int i;

            @Override
            public int read() throws IOException {
                byte b;
                if(reqBytes.length > i){
                    b = reqBytes[i++];
                }else{
                    b = -1;
                }
                return b;
            }
        };

        return sis;
    }


}

 

3. 校验代码

public class SignUtils {

    /**
     * 拼接键值对
     *
     * @param key
     * @param value
     * @param isEncode
     * @return
     */
    private static String buildKeyValue(String key, String value, boolean isEncode) {
        StringBuilder sb = new StringBuilder();
        sb.append(key);
        sb.append("=");
        if (isEncode) {
            try {
                sb.append(URLEncoder.encode(value, "UTF-8"));
            } catch (UnsupportedEncodingException e) {
                sb.append(value);
            }
        } else {
            sb.append(value);
        }
        return sb.toString();
    }

    /**
     * 对支付参数信息进行签名
     *
     * @param map
     *            待签名授权信息
     *
     * @return
     */
    public static String sign(Map map, String rsaKey) {
        StringBuilder sortStr = getSortStr(map);

        StringBuilder authInfo = getAuthInfo(rsaKey, sortStr);
        String sign = EncryptUtil.MD5(authInfo.toString());
        return  sign;
    }

    private static StringBuilder getAuthInfo(String rsaKey, StringBuilder sortStr) {
        StringBuilder authInfo=new StringBuilder();
        authInfo.append(rsaKey);
        authInfo.append(sortStr);
        authInfo.append(rsaKey);
        return authInfo;
    }

    private static StringBuilder getSortStr(Map map) {
        List keys = new ArrayList(map.keySet());
        // key排序
        Collections.sort(keys);

        StringBuilder authInfo = new StringBuilder();
        for (int i = 0; i < keys.size() - 1; i++) {
            String key = keys.get(i);
            String value = map.get(key);
            authInfo.append(buildKeyValue(key, value, false));
            authInfo.append("&");
        }

        String tailKey = keys.get(keys.size() - 1);
        String tailValue = map.get(tailKey);
        authInfo.append(buildKeyValue(tailKey, tailValue, false));
        return authInfo;
    }

    /**
     * 要求外部订单号必须唯一。
     * @return
     */
    public static boolean checkSign(Map map, String rsaKey) {

        String password=map.remove("password");

        StringBuilder sortStr = getSortStr(map);

        StringBuilder authInfo = getAuthInfo(rsaKey, sortStr);

        return EncryptUtil.checkPassWord(authInfo.toString(),password);



    }

 

4. Filter 无法直接通过 @Value 注入properties属性 ，可以通过 DelegatingFilterProxy 来处理，将Filter 交给spring来管理。web.xml 配置：

        signature
        class>org.springframework.web.filter.DelegatingFilterProxyclass>
    
    
        signature
        /*
    

 

转载于:https://www.cnblogs.com/Jtianlin/p/7922732.html