
HTTP接口安全

作者:互联网

HTTP Header 增加字段

 @ResponseBody
    public OfflineQRCodeResp OfflineQRCode(@RequestHeader("Authorization") String token,@RequestHeader("nonce") String nonce,
    		@RequestHeader("timestamp") String timestamp,
    		@RequestHeader("signature") String signature,
    		@RequestBody OfflineQRCodeReq in){
    	GlobalVars.IncreaseApiCallCount();
    	OfflineQRCodeResp resp = new OfflineQRCodeResp();

    	//--------------------- 验证签名 ----------------------
    	VerifySignatureReturn verifySignatureReturn = nonceService.verifySignature(nonce, timestamp,  in.toString(), signature);
		if (!verifySignatureReturn.isbSuccess()) {
			resp.setCode(201);
    		resp.setMessage("签名验证失败," + verifySignatureReturn.getMessage());	
    		resp.setTimestamp(in.getTimestamp());
    		return resp;
		}
		

验证签名

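/**
 * Verifies a signed API request in three steps: timestamp freshness, nonce single-use
 * (replay protection) and the request signature recomputed via
 * {@code SignatureUitl.getSignature}. Every failure is reported through the returned
 * object rather than an exception, so malformed headers cannot turn into a server error.
 *
 * @param nonce              client-supplied one-time value; rejected when already seen
 *                           (only enforced while {@code safe_nonce == 1})
 * @param timestamp          client-supplied epoch time in milliseconds, as a decimal string
 * @param requestParams      canonical request content that was signed
 * @param strClientSignValue signature sent by the client, compared case-insensitively
 * @return a {@link VerifySignatureReturn} whose {@code bSuccess} is {@code true} only when
 *         every enabled check passes; on failure {@code message} names the failing check
 */
@Override
	public VerifySignatureReturn verifySignature(String nonce, String timestamp, String requestParams, String strClientSignValue) {
		VerifySignatureReturn verifySignatureReturn = new VerifySignatureReturn();

		// safe_enable == 0 switches every check off; the request is then accepted without
		// looking at any of the headers. Presumably a dev/test setting — keep it off in production.
		if (safe_enable == 0) {
			verifySignatureReturn.setbSuccess(true);
			return verifySignatureReturn;
		}

		// A missing header is a verification failure, not a server error: fail closed instead
		// of letting a NullPointerException escape to the caller.
		if (nonce == null || timestamp == null || strClientSignValue == null) {
			verifySignatureReturn.setbSuccess(false);
			verifySignatureReturn.setMessage("missing nonce, timestamp or signature.");
			return verifySignatureReturn;
		}

		// ------------- 时间戳 过期时间验证 (timestamp freshness) --------------------
		long lngTimeStamp;
		try {
			lngTimeStamp = Long.parseLong(timestamp);
		} catch (NumberFormatException e) {
			// Non-numeric timestamp header: reject rather than propagate the exception.
			verifySignatureReturn.setbSuccess(false);
			verifySignatureReturn.setMessage("timestamp invalid.");
			return verifySignatureReturn;
		}
		long lngCurTimeStamp = (new Date()).getTime();
		// Absolute difference so that both stale and future-dated requests are rejected.
		long lngOffset = Math.abs(lngCurTimeStamp - lngTimeStamp);
		// safe_expire is in seconds; the long literal keeps the product from overflowing
		// if safe_expire is declared as an int.
		if (lngOffset > 1000L * safe_expire) {
			verifySignatureReturn.setbSuccess(false);
			SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS");
			String strTimeString = sdf.format(new Date(lngTimeStamp));
			verifySignatureReturn.setMessage("时间戳过期,差值=" + lngOffset + ",时间戳时间: " + strTimeString);
			return verifySignatureReturn;
		}

		// ---------------- 随机数 验证 (replay check) ---------------------
		// Only look the nonce up here; it is recorded as used after the signature has been
		// verified, so a request with a bad signature cannot consume a nonce that a
		// legitimate request is about to present.
		if (safe_nonce == 1 && cacheService.get(nonce) != null) {
			verifySignatureReturn.setbSuccess(false);
			verifySignatureReturn.setMessage("随机数失效");
			return verifySignatureReturn;
		}

		// ---------------- 签名验证 (signature check) ------------------------
		String strSignValue = SignatureUitl.getSignature(nonce, timestamp, requestParams);
		if (!signaturesMatch(strClientSignValue, strSignValue)) {
			// Log that verification failed, but never the expected signature value: anyone
			// who can read the log would otherwise learn a valid signature for this request.
			logger.info("签名验证失败, nonce=" + nonce);
			verifySignatureReturn.setbSuccess(false);
			verifySignatureReturn.setMessage("signature invalid.");
			return verifySignatureReturn;
		}

		// Mark the nonce as consumed only once the request has proven authentic.
		// NOTE(review): get-then-put is not atomic, so two concurrent requests carrying the
		// same nonce could both pass — confirm whether cacheService offers an atomic
		// put-if-absent and use it here if so.
		if (safe_nonce == 1) {
			cacheService.put(nonce);
		}

		verifySignatureReturn.setbSuccess(true);
		return verifySignatureReturn;
	}

	/**
	 * Case-insensitive signature comparison whose running time does not depend on where the
	 * two values first differ ({@code String.equals}/{@code equalsIgnoreCase} stop at the
	 * first mismatch, which lets response timing reveal how much of a guess was correct).
	 * Assumes signatures are ASCII (hex or Base64), for which lower-casing with
	 * {@code Locale.ROOT} matches {@code equalsIgnoreCase} — confirm against SignatureUitl.
	 *
	 * @param clientSignature   signature presented by the client
	 * @param expectedSignature signature recomputed on the server
	 * @return {@code true} when both are non-null and equal ignoring case
	 */
	private static boolean signaturesMatch(String clientSignature, String expectedSignature) {
		if (clientSignature == null || expectedSignature == null) {
			return false;
		}
		// Fully qualified names keep this change free of new file-level imports.
		byte[] presented = clientSignature.toLowerCase(java.util.Locale.ROOT).getBytes(java.nio.charset.StandardCharsets.UTF_8);
		byte[] expected = expectedSignature.toLowerCase(java.util.Locale.ROOT).getBytes(java.nio.charset.StandardCharsets.UTF_8);
		return java.security.MessageDigest.isEqual(presented, expected);
	}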

来源: https://www.cnblogs.com/jiftle/p/16410587.html