记录一次接口验签功能

package com.***.app.config.filter;

import com.****.app.config.SignHttpServletRequestWrapper;
import org.apache.commons.lang3.StringUtils;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

@Component
public class SignFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest srequest = (HttpServletRequest) request;
        String header = srequest.getHeader(HttpHeaders.CONTENT_TYPE);
        //使用wrapper解决json请求参数只能取一次的问题
        if (StringUtils.isNotBlank(header) && (MediaType.APPLICATION_JSON_UTF8_VALUE.equalsIgnoreCase(header.replaceAll(" ", "")) || MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(header.replaceAll(" ", "")))) {
            SignHttpServletRequestWrapper signHttpServletRequestWrapper = new SignHttpServletRequestWrapper(srequest);
            chain.doFilter(signHttpServletRequestWrapper, response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {

    }
}

首先要了解到，HttpServletRequest  接收参数的两种方式，（跟请求方式 get、post、put没有关系）

当参数形式为  application/json;charset=UTF-8 或者 application/json   JSON形式进行参数入参时，需要注意到该参数只有一次生效机会，当我们将参数 从body中取出时，那么在接口层就会接收不打参数，所以需要将参数保存起来，以便多次使用。

代码如下：

package com.****.app.config;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.Charset;

/**
 * @author 
 * @date 2018-11-15 17:35
 */
public class SignHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private static Logger logger = LoggerFactory.getLogger(SignHttpServletRequestWrapper.class);

    private final byte[] body;

    public SignHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        String sessionStream = getBodyString(request);
        body = sessionStream.getBytes(Charset.forName("UTF-8"));
    }

    /**
     * 获取请求Body
     *
     * @param request
     * @return
     */
    public String getBodyString(final ServletRequest request) {
        StringBuilder sb = new StringBuilder();
        InputStream inputStream = null;
        BufferedReader reader = null;
        try {
            inputStream = cloneInputStream(request.getInputStream());
            reader = new BufferedReader(new InputStreamReader(inputStream, Charset.forName("UTF-8")));
            String line = "";
            while ((line = reader.readLine()) != null) {
                sb.append(line);
            }
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            if (reader != null) {
                try {
                    reader.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
        return sb.toString();
    }

    /**
     * Description: 复制输入流

     *
     * @param inputStream
     * @return

     */
    public InputStream cloneInputStream(ServletInputStream inputStream) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byte[] buffer = new byte[1024];
        int len;
        try {
            while ((len = inputStream.read(buffer)) > -1) {
                byteArrayOutputStream.write(buffer, 0, len);
            }
            byteArrayOutputStream.flush();
        } catch (IOException e) {
            e.printStackTrace();
        }
        InputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
        return byteArrayInputStream;
    }

    @Override
    public BufferedReader getReader() throws IOException {
        return new BufferedReader(new InputStreamReader(getInputStream()));
    }

    @Override
    public ServletInputStream getInputStream() throws IOException {

        final ByteArrayInputStream bais = new ByteArrayInputStream(body);

        return new ServletInputStream() {

            @Override
            public int read() throws IOException {
                return bais.read();
            }

            @Override
            public boolean isFinished() {
                return false;
            }

            @Override
            public boolean isReady() {
                return false;
            }

            @Override
            public void setReadListener(ReadListener readListener) {
            }
        };
    }

}

2、使用拦截器的形式获取传值的参数，并且将参数按照指定规则排序（只是简单地按key排序），使用算法加密后转大写

最后前端也使用相同规则排序将加密后的参数传入后台，后台用加密后的字符串与前端传递过来的作比较。看是否中途参数是否被修改。不一致则不合法。

 private static SortedMap getPostJson(SignHttpServletRequestWrapper request) {
        String bodyString = request.getBodyString(request);
        JSONObject jsonObject = JSONObject.parseObject(bodyString);
        SortedMap result = new TreeMap<>();
        jsonObject.forEach((s, o) -> result.put(s, (String) o));
        return result;
    }

    /**
     * 功能描述:
     * 其他类型
     *
     * @param request
     * @return: java.util.SortedMap
     * @date: 2019/9/27 11:20
     */
    public static SortedMap getCheckSign(HttpServletRequest request) {
        Map parameterMap = request.getParameterMap();
        if (CollectionUtils.isEmpty(parameterMap)) {
            return null;
        }

        SortedMap map = new TreeMap<>();
        parameterMap.forEach((s, o) -> map.put(s, o[0]));
        return map;
    }

URL加密参数传递的时候，+号会被转义为空格，需要注意。不然一直都比对不成功，有以下两种解决方案

1、可以后台将接收到的加密字符串replaceAll所有空格替换为+

2、前端传递时将加号处理一下。