记录一次接口验签功能

package com.***.app.config.filter;

import com.****.app.config.SignHttpServletRequestWrapper;
import org.apache.commons.lang3.StringUtils;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

@Component
public class SignFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest srequest = (HttpServletRequest) request;
        String header = srequest.getHeader(HttpHeaders.CONTENT_TYPE);
        //使用wrapper解决json请求参数只能取一次的问题
        if (StringUtils.isNotBlank(header) && (MediaType.APPLICATION_JSON_UTF8_VALUE.equalsIgnoreCase(header.replaceAll(" ", "")) || MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(header.replaceAll(" ", "")))) {
            SignHttpServletRequestWrapper signHttpServletRequestWrapper = new SignHttpServletRequestWrapper(srequest);
            chain.doFilter(signHttpServletRequestWrapper, response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {

    }
}

首先要了解到,HttpServletRequest  接收参数的两种方式,(跟请求方式 get、post、put没有关系)

当参数形式为  application/json;charset=UTF-8 或者 application/json   JSON形式进行参数入参时,需要注意到该参数只有一次生效机会,当我们将参数 从body中取出时,那么在接口层就会接收不打参数,所以需要将参数保存起来,以便多次使用。

代码如下:

package com.****.app.config;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.Charset;

/**
 * @author 
 * @date 2018-11-15 17:35
 */
public class SignHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private static Logger logger = LoggerFactory.getLogger(SignHttpServletRequestWrapper.class);

    private final byte[] body;

    public SignHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        String sessionStream = getBodyString(request);
        body = sessionStream.getBytes(Charset.forName("UTF-8"));
    }

    /**
     * 获取请求Body
     *
     * @param request
     * @return
     */
    public String getBodyString(final ServletRequest request) {
        StringBuilder sb = new StringBuilder();
        InputStream inputStream = null;
        BufferedReader reader = null;
        try {
            inputStream = cloneInputStream(request.getInputStream());
            reader = new BufferedReader(new InputStreamReader(inputStream, Charset.forName("UTF-8")));
            String line = "";
            while ((line = reader.readLine()) != null) {
                sb.append(line);
            }
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            if (reader != null) {
                try {
                    reader.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
        return sb.toString();
    }

    /**
     * Description: 复制输入流
* * @param inputStream * @return
*/ public InputStream cloneInputStream(ServletInputStream inputStream) { ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); byte[] buffer = new byte[1024]; int len; try { while ((len = inputStream.read(buffer)) > -1) { byteArrayOutputStream.write(buffer, 0, len); } byteArrayOutputStream.flush(); } catch (IOException e) { e.printStackTrace(); } InputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray()); return byteArrayInputStream; } @Override public BufferedReader getReader() throws IOException { return new BufferedReader(new InputStreamReader(getInputStream())); } @Override public ServletInputStream getInputStream() throws IOException { final ByteArrayInputStream bais = new ByteArrayInputStream(body); return new ServletInputStream() { @Override public int read() throws IOException { return bais.read(); } @Override public boolean isFinished() { return false; } @Override public boolean isReady() { return false; } @Override public void setReadListener(ReadListener readListener) { } }; } }

2、使用拦截器的形式获取传值的参数,并且将参数按照指定规则排序(只是简单地按key排序),使用算法加密后转大写

最后前端也使用相同规则排序将加密后的参数传入后台,后台用加密后的字符串与前端传递过来的作比较。看是否中途参数是否被修改。不一致则不合法。

 private static SortedMap getPostJson(SignHttpServletRequestWrapper request) {
        String bodyString = request.getBodyString(request);
        JSONObject jsonObject = JSONObject.parseObject(bodyString);
        SortedMap result = new TreeMap<>();
        jsonObject.forEach((s, o) -> result.put(s, (String) o));
        return result;
    }

    /**
     * 功能描述:
     * 其他类型
     *
     * @param request
     * @return: java.util.SortedMap
     * @date: 2019/9/27 11:20
     */
    public static SortedMap getCheckSign(HttpServletRequest request) {
        Map parameterMap = request.getParameterMap();
        if (CollectionUtils.isEmpty(parameterMap)) {
            return null;
        }

        SortedMap map = new TreeMap<>();
        parameterMap.forEach((s, o) -> map.put(s, o[0]));
        return map;
    }

URL加密参数传递的时候,+号会被转义为空格,需要注意。不然一直都比对不成功,有以下两种解决方案

1、可以后台将接收到的加密字符串replaceAll所有空格替换为+

2、前端传递时将加号处理一下。

你可能感兴趣的:(记录一次接口验签功能)