背景介绍:最近发觉公司的注册短信发送异常,一天发送了好几千条,如果是真有这么多用户注册的话那老板真的要笑了,明显是接口被别人调用了,每天这样搞也是很大的成本,所以有必要进行限制机器自动刷短信行为,目测之前别人从js代码里面找到了短信发送的接口,然后用一大批手机号那就可以任意调用短信接口了。
限制思路:在调用短信接口之前先用图形验证码进行对比(也有考虑主流的拖动滑块方式,但是据说这是收费的API,老板们肯定不会同意,也没有深究了,所以先用简单的数字验证码,毕竟对方估计也不会专门楸着这个来进行破解吧,其实也不是用户量非常巨大的网站),只有验证通过才下发短信,以下是生成验证码方法
@RequestMapping(value = { "code" })
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
//通知浏览器不要缓存
response.setHeader("Expires", "-1");
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
int width = 110;
int height = 30;
BufferedImage bi = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
Graphics g = bi.getGraphics();
g.setColor(Color.BLACK);
g.drawRect(0, 0, width, height);
g.setColor(Color.LIGHT_GRAY);
g.fillRect(1, 1, width - 2, height - 2);
//画随机干扰线
g.setColor(Color.GREEN);
Random r = new Random();
for(int i = 0; i < 5; i++){
g.drawLine(r.nextInt(width), r.nextInt(height), r.nextInt(width), r.nextInt(height));
}
//画随机数字
g.setColor(Color.RED);
g.setFont(new Font("宋体", Font.BOLD|Font.ITALIC, 20));
String code = "";//每次随机生成的验证码
int x = 8;
for(int i = 0; i < 4; i++){
int num = r.nextInt(10);
code+=num+"";
g.drawString(num +"", x, 23);//drawString(String str, int x, int y);x轴,y轴表示验证码数字在图像中的位置
x += 25;
}
RedisUtils.set(code, code, 1800); //每次生成一个验证码先缓存在redis里面1800s
ImageIO.write(bi, "jpg", response.getOutputStream());
}
jsp加入验证码模块。
<div class="item">
<label class="mui-pull-left"><img src="<%=basePath%>/reversion/img/yanzheng@2x.png" alt=""></label>
<div class="item-input mui-pull-left">
<input id="verificationCode" class="code-input mui-pull-left" type="text" placeholder="请输入图形验证码" >
<img id="imgObj" style="padding-top: 12px;padding-left: 18px;" src = "/MessageController/code" onclick="changeImg()">
</div>
<p id="codeDescribe" class="prompt mui-hidden">请输入图形验证码</p>
</div>
刷新验证码方法
function changeImg() {
var imgSrc = $("#imgObj");
var src = imgSrc.attr("src");
imgSrc.attr("src", changeUrl(src));
}
//为了使每次生成图片不一致,所以需要加上时间戳
function changeUrl(url) {
var timestamp = (new Date()).valueOf();
var index = url.indexOf("?",url);
if (index > 0) {
url = url.substring(0, index);
}
if ((url.indexOf("?") >= 0)) {
url = url + "?timestamp=" + timestamp;
} else {
url = url + "?timestamp=" + timestamp;
}
return url;
}
点击发送短信按钮一系列js校验,包括校验手机号,验证码是否为空等,然后再把输入的验证码带到后台判断
$('.code-btn').click(function () {
$(".prompt").eq(0).addClass('mui-hidden');
$(".prompt").eq(1).addClass('mui-hidden');
var phone = $('#phone').val();
if(""==phone){
$(".prompt").eq(0).removeClass('mui-hidden');
return;
}else{
if(!( /^\d{11}$/.test(phone))){
$('.prompt').eq(1).removeClass('mui-hidden');
return;
}
}
var verificationCode = $('#verificationCode').val();
if(verificationCode==""){
$("#codeDescribe").removeClass('mui-hidden');
return;
}
var channel = 40;
var urlStr = window.location.pathname;
var busiType =10;
if(urlStr.indexOf("password.jsp")>0 ){
busiType =20;
}
var data={
phoneNumber:phone,
channel:channel,
busiType:busiType,
verificationCode:verificationCode
};
var e = $(this);
$.ajax({
type: 'POST',
url: '../../MessageController/send',
data: {"param":JSON.stringify(data),"url":"/securityCode.do"},
timeout: 15000,
success: function(data) {
if(data.status=='10000'){
mui.toast('发送成功',{ duration:'2000', type:'div' });
sessionStorage.setItem("msite-timeStamp",new Date().getTime());//把当前毫秒数放入缓存
CountDown(e);
}else{
mui.toast(data.info);
}
},
error: function() {
mui.toast('网络错误',{ duration:'2000', type:'div' });
}
});
});
执行短信发送方法,根据页面传递过来的验证码进行判断,因为每次生成一个图形验证码我都缓存在redis一段时间,如果前台传过来的验证码跟redis缓存的不一致,不发送短信,如果一致的话则调用后台接口执行短信发送方法,并且把该验证码删除,这样就算对方知道了短信接口,也不能随便写个方法就调用了,这样可以暂时挡住大部分无效的调用
@RequestMapping(value = { "send" })
@ResponseBody
public Object send(HttpServletRequest request,HttpServletResponse response,@RequestParam(required = true) String param,@RequestParam(required = true) String url) throws Exception {
JSONObject object = JSONObject.fromObject(param);
String verificationCode = object.getString("verificationCode");
if (verificationCode.equals(RedisUtils.get(verificationCode))) {
String result = this.httpClientJson(base_url + url, param);
JSONObject jsStr = JSONObject.fromObject(result);
RedisUtils.del(verificationCode);
return jsStr;
}else {
JSONObject obj = new JSONObject();
obj.put("status", "20000");
obj.put("info", "图形验证码错误或过期,请重新获取");
return obj;
}
}
最后的效果如下