Three-way joint interface data security issues
2022-08-02 16:05:00 【zhangyu】
Document description
A record of some of the operations carried out while integrating with a third party.
Integration process

Data transmission
Every request is checked for the legitimacy of its source and its data. The following strategies are adopted; each interface's detailed specification states which encryption mode it uses.
Obtaining a Token
Request address:
POST https:xxxx
Interface description: obtains the call credential, valid for 24h. After obtaining it, add it to the Authorization request header when calling the interfaces.
Request parameters

| Field | Data type | Required | Description | Example |
|---|---|---|---|---|
| app_id | String | Yes | Client ID | thirdpartner |
| app_secret | String | Yes | Client secret | @m2!2q15^#0d&@ |

Response parameters

| Field | Description | Example |
|---|---|---|
| code | Response status code | 200 |
| msg | Response message | 请求成功 (request succeeded) |
| data | Response body | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQ… |
Conventional data encryption
For conventional data, each request adds a random string once_str and a timestamp to its parameters, and all the data is signed with MD5; the receiver recomputes the signature and verifies it. Example:
```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;

public class EncryptSign {
    public static final String APP_ID = "thirdpartner";
    public static final String APP_SECRET = "@m*2!2q1*5^#0d&@";

    // Generate the signature: sorted key=value pairs joined by '&', secret appended, MD5, upper-case hex
    public static String createSign(SortedMap<String, String> params) {
        return params.keySet().stream()
                .sorted()
                .map(k -> k + "=" + params.get(k) + "&")
                .reduce((x, y) -> x + y)
                .map(d -> d.substring(0, d.length() - 1))
                .map(d -> d.concat(APP_SECRET))
                .map(EncryptSign::encode)
                .map(String::toUpperCase)
                .get();
    }

    // Receiver side: rebuild the signature from every parameter except "sign" and compare.
    // Note: timestamp freshness and once_str reuse are not checked here.
    public static boolean verifySign(HttpServletRequest request) {
        Map<String, String[]> params = request.getParameterMap();
        SortedMap<String, String> map = new TreeMap<>();
        String expSign = null;
        for (Map.Entry<String, String[]> pv : params.entrySet()) {
            String param = pv.getKey();
            String[] value = pv.getValue();
            if (!param.equals("sign")) {
                map.put(param, value[0]);
            } else {
                expSign = value[0];
            }
        }
        // A request without a sign parameter (or without any other parameter) must fail
        // instead of throwing; MessageDigest.isEqual compares in constant time.
        if (expSign == null || map.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(
                createSign(map).getBytes(StandardCharsets.UTF_8),
                expSign.getBytes(StandardCharsets.UTF_8));
    }

    // Random nonce (once_str) for each request
    public static String generateOnceStr() {
        return UUID.randomUUID().toString().replaceAll("-", "");
    }

    // MD5 of the UTF-8 bytes of the value, as lower-case hex
    public static String encode(String value) {
        StringBuilder sb = new StringBuilder();
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] mb = md.digest(value.getBytes(StandardCharsets.UTF_8));
            for (byte b : mb) {
                int v = b & 0xFF;
                if (v < 16) {
                    sb.append("0");
                }
                sb.append(Integer.toHexString(v));
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Create a random string and timestamp
        String once_str = generateOnceStr();
        String timestamp = String.valueOf(System.currentTimeMillis());
        // Test data set
        SortedMap<String, String> params = new TreeMap<>();
        params.put("param1", "a");
        params.put("param2", "b");
        params.put("once_str", once_str);
        params.put("timestamp", timestamp);
        // Conventional data encryption (signature over all parameters)
        params.put("sign", createSign(params));
        System.out.println(params);
    }
}
```
Call example
```java
SortedMap<String, String> map = new TreeMap<>();   // createSign expects a SortedMap
// Business parameters
map.put("app_id", "xxxx");
map.put("app_secret", "xxxx");
// Common parameters
map.put("once_str", EncryptSign.generateOnceStr());
map.put("timestamp", String.valueOf(System.currentTimeMillis()));
// MD5 signature
map.put("sign", EncryptSign.createSign(map));
// HTTP call (HttpClientUtil is the project's own helper, not shown here)
String url = "http://xxx/xx/xx";
String result = HttpClientUtil.httpPost(url, map);
System.out.println(result);
```
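As an added example (not part of the original post), here is a receiver-side verifier for the once_str/timestamp scheme above that adds what EncryptSign.verifySign leaves out: a freshness window on timestamp, rejection of a reused once_str, and a constant-time comparison. It swaps MD5(canonical + secret) for HMAC-SHA256 over the same canonical string; the class name SignVerifier, the 5-minute window and the in-memory nonce map are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical receiver-side verifier for the once_str/timestamp scheme above.
public class SignVerifier {
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L;   // accept clocks up to 5 min apart (assumed)
    private final byte[] secret;
    private final Map<String, Long> seenNonces = new ConcurrentHashMap<>();   // nonce -> its timestamp
    public SignVerifier(String appSecret) {
        this.secret = appSecret.getBytes(StandardCharsets.UTF_8);
    }

    // Same canonical form as EncryptSign.createSign: sorted key=value pairs joined by '&'.
    static String canonical(SortedMap<String, String> params) {
        StringJoiner j = new StringJoiner("&");
        params.forEach((k, v) -> j.add(k + "=" + v));
        return j.toString();
    }

    // HMAC-SHA256 over the canonical string (lower-case hex), in place of MD5(canonical + secret).
    public String sign(SortedMap<String, String> params) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        StringBuilder sb = new StringBuilder();
        for (byte b : mac.doFinal(canonical(params).getBytes(StandardCharsets.UTF_8))) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Returns false for a missing/invalid signature, a stale timestamp, or a reused once_str.
    public boolean verify(Map<String, String> request, long nowMs) throws Exception {
        SortedMap<String, String> params = new TreeMap<>(request);
        String sign = params.remove("sign"), nonce = params.get("once_str"), ts = params.get("timestamp");
        if (sign == null || nonce == null || ts == null) return false;
        long t;
        try { t = Long.parseLong(ts); } catch (NumberFormatException e) { return false; }
        if (Math.abs(nowMs - t) > MAX_SKEW_MS) return false;   // replayed much later, or future-dated
        byte[] expected = sign(params).getBytes(StandardCharsets.UTF_8);
        byte[] given = sign.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return false;   // constant-time compare
        seenNonces.entrySet().removeIf(e -> nowMs - e.getValue() > MAX_SKEW_MS);   // drop expired nonces
        return seenNonces.putIfAbsent(nonce, t) == null;   // a second use of once_str inside the window fails
    }
}
```

The nonce map is per-process; a service running on several nodes needs a shared store (such as a cache with a TTL equal to the window) for the same check.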
Sensitive data encryption
For sensitive data, AES is used for encryption and decryption; take care to safeguard the key properly. Example:
```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.SortedMap;
import java.util.TreeMap;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import com.alibaba.fastjson.JSON;

public class EncryptAES {
    // 16 ASCII bytes = AES-128 key; keep it out of source code in production
    private static final String secret = "@5^22&%c*9^283*@";
    // ECB uses no IV, so the same plaintext block always yields the same ciphertext block
    private static final String algorithm = "AES/ECB/PKCS5Padding";

    // Encrypt: UTF-8 plaintext -> AES -> Base64
    public static String encrypt(String content) {
        try {
            Cipher cipher = Cipher.getInstance(algorithm);
            cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "AES"));
            return Base64.getEncoder().encodeToString(
                    cipher.doFinal(content.getBytes(StandardCharsets.UTF_8)));
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    // Decrypt: Base64 -> AES -> UTF-8 plaintext
    public static String decrypt(String encrypt) {
        try {
            Cipher cipher = Cipher.getInstance(algorithm);
            cipher.init(Cipher.DECRYPT_MODE,
                    new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "AES"));
            return new String(cipher.doFinal(Base64.getDecoder().decode(encrypt)), StandardCharsets.UTF_8);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    public static void main(String[] args) {
        // Create a random string and timestamp
        String once_str = EncryptSign.generateOnceStr();
        String timestamp = String.valueOf(System.currentTimeMillis());
        // Test data set
        SortedMap<String, String> params = new TreeMap<>();
        params.put("param1", "a");
        params.put("param2", "b");
        params.put("once_str", once_str);
        params.put("timestamp", timestamp);
        String content = JSON.toJSONString(params);
        System.out.println("Plaintext: " + content);
        System.out.println("Encrypted: " + encrypt(content));
        System.out.println("Decrypted: " + decrypt(encrypt(content)));
    }
}
```
Call example
```java
Map<String, String> map = new HashMap<>();
// Business parameters
map.put("app_id", "xxxx");
map.put("app_secret", "xxxx");
// Common parameters
map.put("once_str", EncryptSign.generateOnceStr());
map.put("timestamp", String.valueOf(System.currentTimeMillis()));
// AES-encrypt the whole parameter set and carry it in the sign field
Map<String, String> param = new HashMap<>();
param.put("sign", EncryptAES.encrypt(JSON.toJSONString(map)));
// HTTP call (HttpClientUtil is the project's own helper, not shown here)
String url = "http://xxx/xx/xx";
String result = HttpClientUtil.httpPost(url, param);
System.out.println(result);
```
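As an added example (not the page's code), the same encrypt/decrypt pair rewritten with AES/GCM/NoPadding and a random IV per message, together with a check that shows why the page's AES/ECB/PKCS5Padding setting leaks structure. The class name EncryptAesGcm and the iv||ciphertext output layout are assumptions; the key reuses the page's sample value only for the demo.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class EncryptAesGcm {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    // Output layout (assumed): base64(iv || ciphertext || tag). A fresh random IV per call means
    // equal plaintexts never yield equal ciphertexts, and the GCM tag rejects any tampering.
    public static String encrypt(byte[] key, String content) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(content.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array());
    }
    // Throws AEADBadTagException when the IV, ciphertext or tag was altered in transit.
    public static String decrypt(byte[] key, String encoded) throws Exception {
        byte[] blob = Base64.getDecoder().decode(encoded);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
    }

    // Why ECB is unsuitable for the sensitive payload: two identical 16-byte plaintext blocks
    // encrypt to identical ciphertext blocks, so repeated fields are visible without the key.
    public static boolean ecbRepeatsBlocks(byte[] key) throws Exception {
        Cipher ecb = Cipher.getInstance("AES/ECB/PKCS5Padding");
        ecb.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        byte[] block = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);   // exactly one AES block
        byte[] ct = ecb.doFinal(ByteBuffer.allocate(32).put(block).put(block).array());
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        // 16-byte demo key taken from the page's sample; in production load it from a secret store
        byte[] key = "@5^22&%c*9^283*@".getBytes(StandardCharsets.UTF_8);
        String a = encrypt(key, "{\"param1\":\"a\"}"), b = encrypt(key, "{\"param1\":\"a\"}");
        System.out.println("same plaintext, different ciphertext: " + !a.equals(b));
        System.out.println("round trip: " + decrypt(key, a));
        System.out.println("ECB repeats blocks: " + ecbRepeatsBlocks(key));
    }
}
```

With GCM the receiver gets integrity for free: a modified sign field fails at decrypt time instead of being parsed as JSON.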