情景:在工作时,遇到被黄牛刷接口的现象,都是绕过前端,24小时请求接口,以下校验使黄牛不能绕过前端直接访问接口
解决方法:后端生成rsa公钥和私钥,公钥给前端,前端将时间戳+用户信息或者UUID生成密文后发送给后端,后端使用私钥进行解密并且将当前解密结果存放至redis,如果是没有携带或者携带重复的密文将视为非法请求不予响应
rsa工具类:
import org.apache.commons.codec.binary.Base64;
import javax.crypto.Cipher;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.Map;
public class RSAEncrypt {
private static Map<Integer, String> keyMap = new HashMap<Integer, String>(); //用于封装随机产生的公钥与私钥
public static void main(String[] args) throws Exception {
//生成公钥和私钥
genKeyPair();
//加密字符串
String message = "df723820";
System.out.println("随机生成的公钥为:" + keyMap.get(0));
System.out.println("随机生成的私钥为:" + keyMap.get(1));
String messageEn = encrypt(message,keyMap.get(0));
System.out.println(message + "\t加密后的字符串为:" + messageEn);
String messageDe = decrypt(messageEn,keyMap.get(1));
System.out.println("还原后的字符串为:" + messageDe);
}
/**
* 随机生成密钥对
* @throws NoSuchAlgorithmException
*/
public static void genKeyPair() throws NoSuchAlgorithmException {
// KeyPairGenerator类用于生成公钥和私钥对,基于RSA算法生成对象
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
// 初始化密钥对生成器,密钥大小为96-1024位
keyPairGen.initialize(1024,new SecureRandom());
// 生成一个密钥对,保存在keyPair中
KeyPair keyPair = keyPairGen.generateKeyPair();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate(); // 得到私钥
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); // 得到公钥
String publicKeyString = new String(Base64.encodeBase64(publicKey.getEncoded()));
// 得到私钥字符串
String privateKeyString = new String(Base64.encodeBase64((privateKey.getEncoded())));
// 将公钥和私钥保存到Map
keyMap.put(0,publicKeyString); //0表示公钥
keyMap.put(1,privateKeyString); //1表示私钥
}
/**
* RSA公钥加密
*
* @param str
* 加密字符串
* @param publicKey
* 公钥
* @return 密文
* @throws Exception
* 加密过程中的异常信息
*/
public static String encrypt( String str, String publicKey ) throws Exception{
//base64编码的公钥
byte[] decoded = Base64.decodeBase64(publicKey);
RSAPublicKey pubKey = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(decoded));
//RSA加密
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE, pubKey);
String outStr = Base64.encodeBase64String(cipher.doFinal(str.getBytes("UTF-8")));
return outStr;
}
/**
* RSA私钥解密
*
* @param str
* 加密字符串
* @param privateKey
* 私钥
* @return 铭文
* @throws Exception
* 解密过程中的异常信息
*/
public static String decrypt(String str, String privateKey) throws Exception{
//64位解码加密后的字符串
byte[] inputByte = Base64.decodeBase64(str.getBytes("UTF-8"));
//base64编码的私钥
byte[] decoded = Base64.decodeBase64(privateKey);
RSAPrivateKey priKey = (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(decoded));
//RSA解密
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.DECRYPT_MODE, priKey);
String outStr = new String(cipher.doFinal(inputByte));
return outStr;
}
}
后端代码,我写在常量类里面,方便调用!
/**
* rsa校验
*/
public static boolean rsaCheck() {
HttpServletRequest request = ServletUtils.getRequest();
String ip = getIpAddr(request);
String city = AddressUtils.getRealAddressByIP(ip);
if (!city.contains(CITY)) {
System.out.println("地区不符合===> ip=" + ip + " 地区:" + city);
return false;
}
RedisUtils redisUtils = MyApplicationContext.getBean(RedisUtils.class);
String rsaSecretKey = ServletUtils.getRequest().getHeader("Secret");
if (StringUtils.isBlank(rsaSecretKey)) {
System.out.println("未携带前端密文请求=" + ip);
return false;
}
String messageDe = null;
try {
messageDe = RSAEncrypt.decrypt(rsaSecretKey, MyCoant.privateKey);
} catch (Exception e) {
System.out.println("非前端加密数据=" + ip);
return false;
}
Integer time = 3 * 60 * 60;
String key = redisUtils.RSA_KEY + messageDe;
String value = (String) redisUtils.get(key);
if (StringUtils.isNotBlank(value)) {
System.out.println("使用前端重复数据请求=" + ip);
return false;
} else {
redisUtils.set(redisUtils.RSA_KEY + messageDe, "rsa", time);
}
return true;
}