Recently we had a requirement at work to sign request parameters. The flow is roughly this: the front end computes a sign value with MD5 over the token, a timestamp and the request body, and sends token, timestamp and sign in the request headers. When the back end receives the request it recomputes the MD5 over the token, timestamp and body and compares the result with the sign sent by the front end. If they match, the parameters were not modified on the way; if they do not match, the parameters were modified in transit and the request is rejected. Two caveats are worth keeping in mind with this design. First, every input to the sign (token, timestamp, body) travels in the clear in the same request, so anyone who can alter the request can also recompute a matching sign; without a secret known only to the two sides (an HMAC key, for instance) the check catches accidental corruption and careless tampering, not a deliberate attacker. Second, the timestamp only adds value if the server rejects values outside a small window around its own clock; otherwise a captured request can be replayed indefinitely.
The front-end JavaScript that computes sign (written here as a Postman pre-request script, hence the pm object; the MD5 comes from the CryptoJS library) is as follows:
    var timestamp = new Date().getTime(); // millisecond timestamp
    var token = pm.request.headers.get("token"); // read the token request header
    var body = pm.request.body.raw; // the raw request body, exactly as it will be sent
    // sign = MD5( MD5(token) upper-cased + timestamp + body ), upper-cased
    var sign = CryptoJS.MD5(CryptoJS.MD5(token).toString().toUpperCase() + timestamp + body).toString().toUpperCase();
The request headers (token, timestamp, sign) are set in Postman as follows:
The back-end code is as follows (the MD5 comes from Spring's own DigestUtils):
    import org.springframework.http.HttpMethod;
    import org.springframework.util.DigestUtils;

    import javax.servlet.http.HttpServletRequest;
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.UncheckedIOException;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;

    public class Md5Sign {

        /** Recomputes the sign the front end should have produced for this request. */
        public static String md5Encrypt(HttpServletRequest request) {
            String token = request.getHeader("token");
            String timestamp = request.getHeader("timestamp");
            String body = "";
            String requestMethod = request.getMethod();
            if (HttpMethod.POST.name().equals(requestMethod)) {
                body = getPostData(request);
            } else if (HttpMethod.GET.name().equals(requestMethod)) {
                // For GET the query string is signed instead of a body; the front end
                // must hash exactly the same string for the two signs to match.
                body = getGetData(request);
            }
            // Always hash as UTF-8: CryptoJS.MD5(string) encodes the string as UTF-8,
            // whereas token.getBytes() with no charset uses the JVM default encoding.
            String tokenMd5 = DigestUtils.md5DigestAsHex(token.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            sb.append(tokenMd5.toUpperCase()).append(timestamp).append(body);
            String md502 = DigestUtils.md5DigestAsHex(sb.toString().getBytes(StandardCharsets.UTF_8));
            return md502.toUpperCase();
        }

        /**
         * Returns true when the sign header matches the recomputed sign, i.e. when the
         * parameters are NOT considered tampered with (the method name reads the other
         * way round). A missing token, timestamp or sign header fails the check.
         */
        public static boolean paramIsDistort(HttpServletRequest request) {
            String sign = request.getHeader("sign");
            if (sign == null || request.getHeader("token") == null || request.getHeader("timestamp") == null) {
                return false;
            }
            // Constant-time comparison, so the check does not leak how many leading
            // characters of a guessed sign were correct.
            return MessageDigest.isEqual(
                    sign.getBytes(StandardCharsets.UTF_8),
                    md5Encrypt(request).getBytes(StandardCharsets.UTF_8));
        }

        /** Reads the raw body. Note that this consumes the request's input stream. */
        public static String getPostData(HttpServletRequest request) {
            StringBuilder data = new StringBuilder();
            char[] buf = new char[4096];
            int n;
            try {
                // Decode as UTF-8 unless the Content-Type already names a charset,
                // matching what CryptoJS hashed on the client.
                if (request.getCharacterEncoding() == null) {
                    request.setCharacterEncoding("UTF-8");
                }
                // Copy the body verbatim. readLine() would drop the line terminators,
                // so a pretty-printed JSON body would hash differently from the
                // pm.request.body.raw the front end signed.
                try (BufferedReader reader = request.getReader()) {
                    while ((n = reader.read(buf)) != -1) {
                        data.append(buf, 0, n);
                    }
                }
            } catch (IOException e) {
                throw new UncheckedIOException("failed to read request body", e);
            }
            return data.toString();
        }

        /** For GET requests the raw query string stands in for the body. */
        public static String getGetData(HttpServletRequest request) {
            String par = request.getQueryString();
            return par == null ? "" : par;
        }
    }
The back end then calls Md5Sign.paramIsDistort(httpRequest) to check whether the parameters of a POST or GET request were tampered with (it returns true when the sign matches, that is, when no tampering was detected). Because getPostData reads the request body, the check must run on a request wrapper that buffers the body if a controller needs to read it again afterwards.