Third-party joint interface data security issues
2022-08-02 16:05:00 【zhangyu】
Document description
Records some of the operations involved in integrating with a third party.
Integration process
Data transmission
Every request checks the legitimacy of the request source and of the data. The following strategies are adopted; the detailed interface documentation states which encryption mode each interface uses.
Obtain Token
Request URL:
POST https:xxxx
Interface description: obtains the call credential, valid for 24h. After obtaining it, add it to the `Authorization` request header when calling the interfaces.
Request parameters

| Field | Data type | Required | Description | Example |
|---|---|---|---|---|
| app_id | String | Yes | Client ID | thirdpartner |
| app_secret | String | Yes | Client secret | @m2!2q15^#0d&@ |

Response parameters

| Field | Description | Example |
|---|---|---|
| code | Response status code | 200 |
| msg | Response description | Request succeeded |
| data | Response body | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQ… |
Conventional data encryption
For conventional data, each request adds a random string `once_str` and a timestamp `timestamp` to its parameters, computes an MD5 signature over all of the data (with the app secret appended), and the receiver recomputes the signature to verify it. Example:
```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;

public class EncryptSign {
    public static final String APP_ID = "thirdpartner";
    public static final String APP_SECRET = "@m*2!2q1*5^#0d&@";

    // Generate the signature: sort the keys, join "k=v" pairs with "&",
    // append APP_SECRET, MD5 the result and return upper-case hex
    public static String createSign(SortedMap<String, String> params) {
        return params.keySet().stream()
                .sorted()
                .map(k -> k + "=" + params.get(k) + "&")
                .reduce((x, y) -> x + y)
                .map(d -> d.substring(0, d.length() - 1))
                .map(d -> d.concat(APP_SECRET))
                .map(EncryptSign::encode)
                .map(String::toUpperCase)
                .get();
    }

    // Verify the signature: recompute it over every parameter except "sign" and compare
    public static boolean verifySign(HttpServletRequest request) {
        Map<String, String[]> params = request.getParameterMap();
        SortedMap<String, String> map = new TreeMap<>();
        String expSign = null;
        for (Map.Entry<String, String[]> pv : params.entrySet()) {
            String param = pv.getKey();
            String[] value = pv.getValue();
            if (!param.equals("sign")) {
                map.put(param, value[0]);
            } else {
                expSign = value[0];
            }
        }
        // Null check first so a request without "sign" is rejected instead of throwing NPE
        return expSign != null && createSign(map).equals(expSign);
    }

    // Random string: UUID with the dashes removed
    public static String generateOnceStr() {
        return UUID.randomUUID().toString().replaceAll("-", "");
    }

    // MD5 digest as lower-case hex (createSign upper-cases it afterwards)
    public static String encode(String value) {
        StringBuilder sb = new StringBuilder();
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] bs = value.getBytes(StandardCharsets.UTF_8);
            byte[] mb = md.digest(bs);
            for (int i = 0; i < mb.length; i++) {
                int v = mb[i] & 0xFF;
                if (v < 16) {
                    sb.append("0");
                }
                sb.append(Integer.toHexString(v));
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Create a random string and timestamp
        String once_str = generateOnceStr();
        String timestamp = String.valueOf(System.currentTimeMillis());
        // Test data set
        SortedMap<String, String> params = new TreeMap<>();
        params.put("param1", "a");
        params.put("param2", "b");
        params.put("once_str", once_str);
        params.put("timestamp", timestamp);
        // Conventional data signature
        params.put("sign", createSign(params));
        System.out.println(params);
    }
}
```
Call example
```java
// createSign takes a SortedMap, so the parameters must be collected in a TreeMap
SortedMap<String, String> map = new TreeMap<>();
// Business parameters
map.put("app_id", "xxxx");
map.put("app_secret", "xxxx");
// Common parameters
map.put("once_str", EncryptSign.generateOnceStr());
map.put("timestamp", String.valueOf(System.currentTimeMillis()));
// MD5 signature
map.put("sign", EncryptSign.createSign(map));
// HTTP call (HttpClientUtil is the project's own HTTP helper, not shown here)
String url = "http://xxx/xx/xx";
String result = HttpClientUtil.httpPost(url, map);
System.out.println(result);
```
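As an added example (not the page's own code), the same signing scheme in Python, so that a partner integrating from a non-Java stack produces signatures the `EncryptSign.verifySign` above accepts, plus the two checks that verifier omits: it recomputes the MD5 but never looks at `once_str` or `timestamp`, so a captured signed request remains valid indefinitely and can be submitted again. The acceptance window `MAX_SKEW_MS` and the in-memory nonce store are assumptions of this example; the page specifies neither.

```python
import hashlib
import hmac
import time
import uuid

# Constructed credentials, matching the constants in the page's EncryptSign class
APP_SECRET = "@m*2!2q1*5^#0d&@"
# Acceptance window for `timestamp`, in milliseconds: an assumption of this example,
# the page specifies no window
MAX_SKEW_MS = 5 * 60 * 1000


def create_sign(params):
    """Same scheme as EncryptSign.createSign: keys sorted, 'k=v' joined by '&',
    APP_SECRET appended, MD5, upper-case hex. Not an HMAC; kept for compatibility."""
    body = "&".join(f"{k}={params[k]}" for k in sorted(params)) + APP_SECRET
    return hashlib.md5(body.encode("utf-8")).hexdigest().upper()


def sign_request(params, now_ms=None):
    """Client side, as in the page's main(): add once_str and timestamp, then sign everything."""
    signed = dict(params)
    signed["once_str"] = uuid.uuid4().hex  # 32 hex chars, like the page's UUID without '-'
    signed["timestamp"] = str(now_ms if now_ms is not None else int(time.time() * 1000))
    signed["sign"] = create_sign(signed)
    return signed


class SignVerifier:
    """Server side. The page's verifySign only recomputes the signature; this one also
    requires timestamp to be recent and once_str to be unused."""

    def __init__(self, now_ms=None):
        self._seen = {}  # once_str -> timestamp of first use
        self._now_ms = now_ms if now_ms is not None else (lambda: int(time.time() * 1000))

    def verify(self, request_params):
        params = dict(request_params)
        presented = params.pop("sign", None)
        if presented is None:
            return False, "missing sign"
        if "once_str" not in params or "timestamp" not in params:
            return False, "missing once_str or timestamp"
        try:
            ts = int(params["timestamp"])
        except ValueError:
            return False, "bad timestamp"
        now = self._now_ms()
        if abs(now - ts) > MAX_SKEW_MS:
            return False, "stale timestamp"
        # Constant-time comparison; the page's verifySign uses String.equals
        if not hmac.compare_digest(presented.encode("utf-8"), create_sign(params).encode("utf-8")):
            return False, "bad signature"
        # Nonce check only after the signature check, so unsigned junk cannot fill the store
        nonce = params["once_str"]
        if nonce in self._seen:
            return False, "replayed once_str"
        self._seen[nonce] = ts
        # Forget nonces the timestamp check would reject anyway
        self._seen = {n: t for n, t in self._seen.items() if abs(now - t) <= MAX_SKEW_MS}
        return True, "ok"


if __name__ == "__main__":
    req = sign_request({"param1": "a", "param2": "b"})  # constructed sample parameters
    verifier = SignVerifier()
    print(req)
    print(verifier.verify(req))  # (True, 'ok')
    print(verifier.verify(req))  # (False, 'replayed once_str')
```

The nonce store here is a plain dict, which only works for a single server process; behind a load balancer the same `once_str` must be recorded in a shared store (for example with a TTL equal to the window), otherwise each node accepts the request once.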
Sensitive data encryption
Where sensitive data is involved, AES is used for encryption and decryption; take care to keep the key safe. Example:
```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.SortedMap;
import java.util.TreeMap;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import com.alibaba.fastjson.JSON;

public class EncryptAES {
    // 16-byte key string -> AES-128
    private static final String secret = "@5^22&%c*9^283*@";
    private static final String algorithm = "AES/ECB/PKCS5Padding";

    // Encrypt: AES/ECB/PKCS5Padding, Base64-encoded output.
    // The JDK registers the SunJCE provider by default, so no Security.addProvider call is needed.
    public static String encrypt(String content) {
        try {
            Cipher cipher = Cipher.getInstance(algorithm);
            cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "AES"));
            return Base64.getEncoder()
                    .encodeToString(cipher.doFinal(content.getBytes(StandardCharsets.UTF_8)));
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    // Decrypt: Base64-decode, then AES/ECB/PKCS5Padding with the same key
    public static String decrypt(String encrypt) {
        try {
            Cipher cipher = Cipher.getInstance(algorithm);
            cipher.init(Cipher.DECRYPT_MODE,
                    new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "AES"));
            return new String(cipher.doFinal(Base64.getDecoder().decode(encrypt)),
                    StandardCharsets.UTF_8);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    public static void main(String[] args) {
        // Create a random string and timestamp
        String once_str = EncryptSign.generateOnceStr();
        String timestamp = String.valueOf(System.currentTimeMillis());
        // Test data set
        SortedMap<String, String> params = new TreeMap<>();
        params.put("param1", "a");
        params.put("param2", "b");
        params.put("once_str", once_str);
        params.put("timestamp", timestamp);
        String content = JSON.toJSONString(params);
        System.out.println("Plaintext: " + content);
        System.out.println("Encrypted: " + encrypt(content));
        System.out.println("Decrypted: " + decrypt(encrypt(content)));
    }
}
```
Call example
```java
Map<String, String> map = new HashMap<>();
// Business parameters
map.put("app_id", "xxxx");
map.put("app_secret", "xxxx");
// Common parameters
map.put("once_str", EncryptSign.generateOnceStr());
map.put("timestamp", String.valueOf(System.currentTimeMillis()));
// AES-encrypt the whole parameter set and send it in the "sign" field
Map<String, String> param = new HashMap<>();
param.put("sign", EncryptAES.encrypt(JSON.toJSONString(map)));
// HTTP call (HttpClientUtil is the project's own HTTP helper, not shown here)
String url = "http://xxx/xx/xx";
String result = HttpClientUtil.httpPost(url, param);
System.out.println(result);
```
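Added example, not from the page: the `EncryptAES` envelope (AES/ECB/PKCS5Padding, Base64) reproduced in Python with the `cryptography` package so that both sides interoperate, placed next to an AES-GCM variant of the same envelope. The GCM functions, the reuse of `SECRET` as the GCM key and the 12-byte nonce prefixed to the ciphertext are this example's choices; the page only fixes AES with that key. The reason for showing both: ECB is deterministic, so two requests carrying the same parameters produce the same `sign` value on the wire, and it carries no integrity tag, so a modified ciphertext is not detected on decryption; GCM randomises the output and rejects any modification.

```python
import base64
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed key string, same 16-character convention as EncryptAES.secret on the page
# (16 bytes of UTF-8 -> AES-128). Load it from a secret store in real use, not from source.
SECRET = "@5^22&%c*9^283*@"
KEY = SECRET.encode("utf-8")
NONCE_LEN = 12  # GCM nonce length this example prepends to the ciphertext (assumption)


def encrypt_ecb(content: str) -> str:
    """Mirror of EncryptAES.encrypt: AES/ECB/PKCS5Padding, Base64 output."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(content.encode("utf-8")) + padder.finalize()
    enc = Cipher(algorithms.AES(KEY), modes.ECB()).encryptor()
    return base64.b64encode(enc.update(padded) + enc.finalize()).decode("ascii")


def decrypt_ecb(token: str) -> str:
    """Mirror of EncryptAES.decrypt; accepts what the page's Java side produces."""
    dec = Cipher(algorithms.AES(KEY), modes.ECB()).decryptor()
    padded = dec.update(base64.b64decode(token)) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-8")


def encrypt_gcm(content: str, aad: bytes = b"") -> str:
    """AES-GCM alternative: fresh random nonce per call; output is nonce || ciphertext || tag, Base64."""
    nonce = os.urandom(NONCE_LEN)
    ct = AESGCM(KEY).encrypt(nonce, content.encode("utf-8"), aad)
    return base64.b64encode(nonce + ct).decode("ascii")


def decrypt_gcm(token: str, aad: bytes = b"") -> str:
    """Raises cryptography.exceptions.InvalidTag if the ciphertext, tag or aad was altered."""
    raw = base64.b64decode(token)
    return AESGCM(KEY).decrypt(raw[:NONCE_LEN], raw[NONCE_LEN:], aad).decode("utf-8")


def gcm_rejects_tampering(token: str) -> bool:
    """Flip one ciphertext bit and confirm GCM refuses to decrypt.
    ECB has no such check: an altered ciphertext decrypts to altered plaintext without error."""
    raw = bytearray(base64.b64decode(token))
    raw[NONCE_LEN] ^= 0x01
    try:
        decrypt_gcm(base64.b64encode(bytes(raw)).decode("ascii"))
        return False
    except InvalidTag:
        return True


def make_envelope(params: dict, use_gcm: bool = True) -> dict:
    """The page's call example: JSON-serialise the parameters and send them in the 'sign' field."""
    body = json.dumps(params, separators=(",", ":"), sort_keys=True)
    return {"sign": encrypt_gcm(body) if use_gcm else encrypt_ecb(body)}


def open_envelope(envelope: dict, use_gcm: bool = True) -> dict:
    """Receiver side: decrypt the 'sign' field and parse the JSON back into parameters."""
    token = envelope["sign"]
    return json.loads(decrypt_gcm(token) if use_gcm else decrypt_ecb(token))


if __name__ == "__main__":
    sample = {"app_id": "thirdpartner", "param1": "a", "once_str": "demo"}  # constructed
    print(make_envelope(sample, use_gcm=False))  # identical on every run
    print(make_envelope(sample))                 # different on every run
```

With GCM the `once_str` and `timestamp` can also be bound into the associated data (`aad`) instead of, or in addition to, the encrypted body, so the receiver can reject stale or repeated envelopes before decrypting anything.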