安全措施
数据加密、数据加签、时间戳机制、AppId机制、限流机制、黑名单机制、数据合法性校验等等。
详细可看https://blog.csdn.net/fengzongfu/article/details/105267563
如何实现
一、提供接口方
1、设计签名(MD5)
/**
* MD5签名
* 签名内容为: appId={url}&appKey={appKey}&nonce={nonce}&url={url}
*/
public static String getSign(String url, String appId, String appKey, String nonce) throws Exception {
StringBuilder builder = new StringBuilder();
builder.append("appId=").append(appId)
.append("&appKey=").append(appKey)
.append("&nonce=").append(nonce)
.append("&url=").append(url);
String signature = DigestUtils.md5DigestAsHex((builder.toString()).getBytes("UTF-8"));
if (StringUtils.isBlank(signature)) {
throw new RuntimeException("签名失败");
}
return signature;
}
2、验证签名
public static void validateSign(HttpServletRequest request, String appId, String appKey, String nonce, String timestamp) throws Exception {
String requestURL = request.getRequestURI();
String signature = request.getHeader("signature");
if (StringUtils.isNoneBlank(signature) || StringUtils.isNoneBlank(appId) || StringUtils.isNoneBlank(appKey) ||
StringUtils.isNoneBlank(nonce) || StringUtils.isNoneBlank(timestamp)) {
throw new RuntimeException("数字签名校验错误");
}
long interval=1*1*60;//超时时间
long serverTime=System.currentTimeMillis()/1000;
long times = Long.parseLong(timestamp);
if(times<interval+serverTime && times>serverTime-interval){
throw new RuntimeException("数字签名校验错误");
}
String sign = getSign(requestURL, appId, appKey, nonce);
if (StringUtils.isBlank(sign)) {
throw new RuntimeException("数字签名校验错误");
}
if (!signature.equals(sign)) {
throw new RuntimeException("数字签名校验错误");
}
}
3、编写接口
@PostMapping(value = "/order/add?appid={appId}&nonce={nonce}×tamp={timestamp}", produces = "application/json; charset=utf-8")
@ResponseBody
public ResponseObject addOrder(
HttpServletRequest request,
@PathVariable(value = "appId") String appId,
@PathVariable(value = "nonce") String nonce,
@PathVariable(value = "timestamp")String timestamp
//body参数...
) {
try {
SecurityUtils.validateSign(request,appId,appKey,nonce,timestamp);
//DO SOMETHING...
return ResponseObject.success();
} catch (Exception e) {
logger.error("接口异常", e);
return ResponseObject.error(ResponseObject.ResponseCode_COMMON_ERROE, e.getMessage());
}
}
二、使用接口方
同样使用上面的1获得签名
请求方法:
curl '/order/add?appid={appId}&nonce={nonce}×tamp={timestamp}'
-X POST
-H 'Content-Type: application/json,signature:{signature}'//signature为签名
-d '{
"xxx": "xxx",//参数body
"xxx": "xxxx"
}'