为啥接口加解密
在我们做接口的时候,如果是外部用户直接能看到我们的参数,可能会造成我们的接口不安全,比如直接用明文的参数请求我们的接口,把参数自己定义,脏数据就会存到我们的数据库中,严重的话导致我们的关系错误,系统奔溃。
所以我们在h5开发的过程中,为了不让f12看到我们的接口请求参数,我们就必须对参数进行加密处理,加密传输的话,就可以避免这样的问题发生。
在我们分布式的系统中,我们准备在网关层进行参数的加密和解密的操作
加密方式
常用的加密方式:对称加密和非对称加密
rsa非对称加密
1973年,在英国政府通讯总部工作的数学家克利福德·柯克斯(Clifford Cocks)在一个内部文件中提出了一个相同的算法,但他的发现被列入机密,一直到1997年才被发表。对极大整数做因数分解的难度决定了RSA算法的可靠性。换言之,对一极大整数做因数分解愈困难,RSA算法愈可靠。
用RSA加密的信息实际上是不能被解破的。
rsa加解密过程
- 服务端生成生成公钥和私钥,公钥发给客户端保存,私钥自己保留,防止泄露
- 客户端拿到公钥之后,利用公钥进行接口参数的加密处理,请求中采用加密后的参数进行调用
- 服务端接收到请求的参数之后,对加密的参数,利用私钥进行解密操作,就可以获得用户的请求参数了
rsa工具类
package com.demo.utils;
import com.demo.excepiton.RsaException;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.codec.binary.Base64;
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.Map;
@Slf4j
public class RSAUtils {
public static final String PUBLIC_KEY = "public_key";
public static final String PRIVATE_KEY = "private_key";
public static Map<String, String> generateRasKey() {
Map<String, String> rs = new HashMap<>();
try {
// KeyPairGenerator类用于生成公钥和私钥对,基于RSA算法生成对象
KeyPairGenerator keyPairGen = null;
keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(1024, new SecureRandom());
// 生成一个密钥对,保存在keyPair中
KeyPair keyPair = keyPairGen.generateKeyPair();
// 得到私钥 公钥
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
String publicKeyString = new String(Base64.encodeBase64(publicKey.getEncoded()));
// 得到私钥字符串
String privateKeyString = new String(Base64.encodeBase64((privateKey.getEncoded())));
// 将公钥和私钥保存到Map
rs.put(PUBLIC_KEY, publicKeyString);
rs.put(PRIVATE_KEY, privateKeyString);
} catch (Exception e) {
log.error("RsaUtils invoke genKeyPair failed.", e);
throw new RsaException("RsaUtils invoke genKeyPair failed.");
}
return rs;
}
public static String encrypt(String str, String publicKey) {
try {
//base64编码的公钥
byte[] decoded = Base64.decodeBase64(publicKey);
RSAPublicKey pubKey = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(decoded));
//RSA加密
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE, pubKey);
return Base64.encodeBase64String(cipher.doFinal(str.getBytes(StandardCharsets.UTF_8)));
} catch (Exception e) {
log.error("RsaUtils invoke encrypt failed.", e);
throw new RsaException("RsaUtils invoke encrypt failed.");
}
}
public static String decrypt(String str, String privateKey) {
try {
//64位解码加密后的字符串
byte[] inputByte = Base64.decodeBase64(str.getBytes(StandardCharsets.UTF_8));
//base64编码的私钥
byte[] decoded = Base64.decodeBase64(privateKey);
RSAPrivateKey priKey = (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(decoded));
//RSA解密
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.DECRYPT_MODE, priKey);
return new String(cipher.doFinal(inputByte));
} catch (Exception e) {
log.error("RsaUtils invoke decrypt failed.", e);
throw new RsaException("RsaUtils invoke decrypt failed.");
}
}
}
写个test进行演示
public class RsaTest {
/** * 用测试生成的公钥,私钥赋值 */
private static final String PUBLIC_KEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFtTlL61IqIGd+fRLUhJ0MjsqFXFJswCohJ45m51WvbxDPRP3gllW0WChk74D5JEOpMDSWo4C7RfoGlBRNW7kQ6qYGukYZ5jgYpzoT0+gp3on96fQXEyQJysv9xiTPIdmSXXVVj1HAOJw29RbzxIVKUSzzPXvEtXRTtCC1+wkAJQIDAQAB";
private static final String PRIVATE_KEY = "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAIW1OUvrUiogZ359EtSEnQyOyoVcUmzAKiEnjmbnVa9vEM9E/eCWVbRYKGTvgPkkQ6kwNJajgLtF+gaUFE1buRDqpga6RhnmOBinOhPT6Cneif3p9BcTJAnKy/3GJM8h2ZJddVWPUcA4nDb1FvPEhUpRLPM9e8S1dFO0ILX7CQAlAgMBAAECgYBC4amtbiKFa/wY61tV7pfYRjzLhKi+OUlZmD3E/4Z+4KGZ7DrJ8qkgMtDR3HO5LAikQrare1HTW2d7juqw32ascu+uDObf4yrYNKin+ZDLUYvIDfLhThPxnZJwQ/trdtfxO3VM//XbwZacmwYbAsYW/3QPUXwwOPAgbC2oth8kqQJBANKLyXcdjZx4cwJVl7xNeC847su8y6bPpcBASsaQloCIPiNBIg1h76dpfEGIQBYWJWbBsxtHe/MhOmz7fNFDS2sCQQCiktYZR0dZNH4eNX329LoRuBiltpr9tf36rVOlKr1GSHkLYEHF2qtyXV2mdrY8ZWpvuo3qm1oSLaqmop2rN9avAkBHk85B+IIUF77BpGeZVJzvMOO9z8lMRHuNCE5jgvQnbinxwkrZUdovh+T+QlvHJnBApslFFOBGn51FP5oHamFRAkEAmwZmPsinkrrpoKjlqz6GyCrC5hKRDWoj/IyXfKKaxpCJTH3HeoIghvfdO8Vr1X/n1Q8SESt+4mLFngznSMQAZQJBAJx07bCFYbA2IocfFV5LTEYTIiUeKdue2NP2yWqZ/+tB5H7jNwQTJmX1mn0W/sZm4+nJM7SjfETpNZhH49+rV6U=";
/** * 生成公钥私钥 */
@Test
public void generateRsaKey() {
Map<String, String> map = RSAUtils.generateRasKey();
System.out.println("随机生成的公钥为:" + map.get(RSAUtils.PUBLIC_KEY));
System.out.println("随机生成的私钥为:" + map.get(RSAUtils.PRIVATE_KEY));
}
/** * 加密: Yeidauky/iN1/whevov2+ntzXJKAp2AHfESu5ixnDqH5iB7ww+TcfqJpDfkPHfb12Y0sVXw0gBHNJ4inkh7l2/SJBze3pKQU/mg3oyDokTia3JZIs+e80/iJcSfN+yA1JaqY+eJPYiBiOGAF2S6x0ynvJg/Wj0fwp2Tq3PDzRMo= */
@Test
public void testEncrypt() {
JSONObject jsonObject = new JSONObject();
jsonObject.put("username", "rosh");
jsonObject.put("password", "123456");
String str = jsonObject.toJSONString();
String encrypt = RSAUtils.encrypt(str, PUBLIC_KEY);
System.out.println(encrypt);
}
@Test
public void testDecrypt() {
String decrypt = RSAUtils.decrypt("Yeidauky/iN1/whevov2+ntzXJKAp2AHfESu5ixnDqH5iB7ww+TcfqJpDfkPHfb12Y0sVXw0gBHNJ4inkh7l2/SJBze3pKQU/mg3oyDokTia3JZIs+e80/iJcSfN+yA1JaqY+eJPYiBiOGAF2S6x0ynvJg/Wj0fwp2Tq3PDzRMo=",
PRIVATE_KEY);
System.out.println(decrypt);
}
}
接下来,在微服务项目架构中,我们在网关层进行接口的加解密操作演示:
SpringCloud Gateway + SpringBoot + Nacos+redis
在前后分离的微服务项目架构中,前端代码进行参数的加密操作:前端接收到公钥的情况下
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>登录页面</title>
</head>
<body>
<h1>登录</h1>
<from id="from">
账号:<input id="username" type="text"/>
<br/>
密码:<input id="password" type="password"/>
<br/>
<input id="btn_login" type="button" value="登录"/>
</from>
<script src="js/jquery.min.js"></script>
<script src="js/jsencrypt.js"></script>
<script type="text/javascript"> var encrypt = new JSEncrypt(); encrypt.setPublicKey("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFtTlL61IqIGd+fRLUhJ0MjsqFXFJswCohJ45m51WvbxDPRP3gllW0WChk74D5JEOpMDSWo4C7RfoGlBRNW7kQ6qYGukYZ5jgYpzoT0+gp3on96fQXEyQJysv9xiTPIdmSXXVVj1HAOJw29RbzxIVKUSzzPXvEtXRTtCC1+wkAJQIDAQAB"); $("#btn_login").click(function () { const username = $("#username").val(); const password = $("#password").val(); const form = {}; form.username = username; form.password = password; $.ajax({ url: "http://localhost:9000/api/user/login", data: encrypt.encrypt(JSON.stringify(form)), type: "POST", dataType: "json", contentType: "application/json;charset=utf-8", success: function (data) { console.log(data); } }); })</script>
</body>
</html>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>查询测试</title>
</head>
<body>
id:<input id="id_txt" type="text"/>
<input id="btn_search" type="button" value="查询"/>
<script src="js/jquery.min.js"></script>
<script src="js/jsencrypt.js"></script>
<script type="text/javascript"> var encrypt = new JSEncrypt(); encrypt.setPublicKey("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFtTlL61IqIGd+fRLUhJ0MjsqFXFJswCohJ45m51WvbxDPRP3gllW0WChk74D5JEOpMDSWo4C7RfoGlBRNW7kQ6qYGukYZ5jgYpzoT0+gp3on96fQXEyQJysv9xiTPIdmSXXVVj1HAOJw29RbzxIVKUSzzPXvEtXRTtCC1+wkAJQIDAQAB"); $("#btn_search").click(function () { const id = $("#id_txt").val(); const param = "id=" + id + "&requestId=" + getUuid(); encrypt.encrypt(param); const url = "http://localhost:9000/api/user/detail?param=" + encrypt.encrypt(param); $.ajax({ url: url, beforeSend: function (XMLHttpRequest) { XMLHttpRequest.setRequestHeader("token", "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIzYzE1ODczYS1iMGUxLTQyNzctYTRjOS1kYTMwNjdiYmE0NWIiLCJpYXQiOjE2MzUzMDYwMDAsInN1YiI6IntcInBhc3N3b3JkXCI6XCIxMjM0NTZcIixcInVzZXJJZFwiOjEsXCJ1c2VybmFtZVwiOlwiYWRtaW5cIn0iLCJleHAiOjE2MzU1NjUyMDB9.fIQi_cV2ZMszBVFV4GoIpGhCSENQKrDi8DsbArk7mGk"); }, type: "GET", success: function (data) { console.log(data); } }); }); function getUuid() { var s = []; var hexDigits = "0123456789abcdef"; for (var i = 0; i < 32; i++) { s[i] = hexDigits.substr(Math.floor(Math.random() * 0x10), 1); } s[14] = "4"; // bits 12-15 of the time_hi_and_version field to 0010 s[19] = hexDigits.substr((s[19] & 0x3) | 0x8, 1); // bits 6-7 of the clock_seq_hi_and_reserved to 01 s[8] = s[13] = s[18] = s[23]; var uuid = s.join(""); return uuid; }</script>
</body>
</html>
package com.demo.gateway.config;
import com.demo.constant.UserConstant;
import com.demo.excepiton.RSAException;
import com.demo.utils.RSAUtils;
import com.demo.utils.TokenUtils;
import io.jsonwebtoken.Claims;
import org.apache.commons.lang3.StringUtils;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.cloud.gateway.filter.factory.rewrite.CachedBodyOutputMessage;
import org.springframework.cloud.gateway.support.BodyInserterContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ReactiveHttpOutputMessage;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.reactive.function.BodyInserter;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.server.HandlerStrategies;
import org.springframework.web.reactive.function.server.ServerRequest;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
import java.lang.reflect.Field;
import java.net.URI;
/** * @Description: * @Author: rosh * @Date: 2021/10/26 22:24 */
@Configuration
@Component
public class GatewayFilterConfig implements GlobalFilter, Ordered {
@Override
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
//1 如果是登录不校验Token
String requestUrl = exchange.getRequest().getPath().value();
AntPathMatcher pathMatcher = new AntPathMatcher();
if (!pathMatcher.match("/user/login", requestUrl)) {
String token = exchange.getRequest().getHeaders().getFirst(UserConstant.TOKEN);
Claims claim = TokenUtils.getClaim(token);
if (StringUtils.isBlank(token) || claim == null) {
return FilterUtils.invalidToken(exchange);
}
}
//2 修改请求参数,并获取请求参数
try {
updateRequestParam(exchange);
} catch (Exception e) {
return FilterUtils.invalidUrl(exchange);
}
//3 获取请求体,修改请求体
ServerRequest serverRequest = ServerRequest.create(exchange, HandlerStrategies.withDefaults().messageReaders());
Mono<String> modifiedBody = serverRequest.bodyToMono(String.class).flatMap(body -> {
String encrypt = RSAUtils.decrypt(body, RSAConstant.PRIVATE_KEY);
return Mono.just(encrypt);
});
//创建BodyInserter修改请求体
BodyInserter<Mono<String>, ReactiveHttpOutputMessage> bodyInserter = BodyInserters.fromPublisher(modifiedBody, String.class);
HttpHeaders headers = new HttpHeaders();
headers.putAll(exchange.getRequest().getHeaders());
headers.remove(HttpHeaders.CONTENT_LENGTH);
//创建CachedBodyOutputMessage并且把请求param加入
CachedBodyOutputMessage outputMessage = new CachedBodyOutputMessage(exchange, headers);
return bodyInserter.insert(outputMessage, new BodyInserterContext()).then(Mono.defer(() -> {
ServerHttpRequestDecorator decorator = new ServerHttpRequestDecorator(exchange.getRequest()) {
@Override
public Flux<DataBuffer> getBody() {
return outputMessage.getBody();
}
};
return chain.filter(exchange.mutate().request(decorator).build());
}));
}
/** * 修改前端传的参数 */
private void updateRequestParam(ServerWebExchange exchange) throws NoSuchFieldException, IllegalAccessException {
ServerHttpRequest request = exchange.getRequest();
URI uri = request.getURI();
String query = uri.getQuery();
if (StringUtils.isNotBlank(query) && query.contains("param")) {
String[] split = query.split("=");
String param = RSAUtils.decrypt(split[1], RSAConstant.PRIVATE_KEY);
Field targetQuery = uri.getClass().getDeclaredField("query");
targetQuery.setAccessible(true);
targetQuery.set(uri, param);
}
}
@Override
public int getOrder() {
return 80;
}
}
接口限时请求
为了避免非法的高频的请求接口,我们进行每个接口的时长限制,在请求的合理时间内,接口正常返回,否则拦截接口
在接口的header中添加时间戳,后台获取到该时间戳后进行校验,如果这时间戳大于5分钟,也就是5分钟前这个接口的请求,直接拒绝服务,防止别人那这个接口进行频繁操作
private Long getDateTimestamp(HttpHeaders httpHeaders) {
List<String> list = httpHeaders.get("timestamp");
if (CollectionUtils.isEmpty(list)) {
throw new IllegalArgumentException("拒绝服务");
}
long timestamp = Long.parseLong(list.get(0));
long currentTimeMillis = System.currentTimeMillis();
//有效时长为5分钟
if (currentTimeMillis - timestamp > 1000 * 60 * 5) {
throw new IllegalArgumentException("拒绝服务");
}
return timestamp;
}
另一个办法就是每一个url进行标识唯一性,然后存redis中,进行redis过期时间限制。如果是redis有,这个url就不能请求,过期之后才可以再次调用接口
url+uuid即可
接口签名
为了接口参数安全,防止恶意篡改参数,我们可以对参数的顺序进行调整。比如:我们的json参数进行ascii码的升序,签名之后进行接口调用
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>登录页面</title>
</head>
<body>
<h1>登录</h1>
<from id="from">
账号:<input id="username" type="text"/>
<br/>
密码:<input id="password" type="password"/>
<br/>
<input id="btn_login" type="button" value="登录"/>
</from>
<script src="js/jquery.min.js"></script>
<script src="js/jsencrypt.js"></script>
<script src="js/md5.min.js"></script>
<script type="text/javascript"> var encrypt = new JSEncrypt(); encrypt.setPublicKey("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFtTlL61IqIGd+fRLUhJ0MjsqFXFJswCohJ45m51WvbxDPRP3gllW0WChk74D5JEOpMDSWo4C7RfoGlBRNW7kQ6qYGukYZ5jgYpzoT0+gp3on96fQXEyQJysv9xiTPIdmSXXVVj1HAOJw29RbzxIVKUSzzPXvEtXRTtCC1+wkAJQIDAQAB"); $("#btn_login").click(function () { //表单 const username = $("#username").val(); const password = $("#password").val(); const form = {}; form.username = username; form.password = password; //生成签名,也可以加盐 const timestamp = Date.parse(new Date()); const data = JSON.stringify(sort_ASCII(form)); const requestId = getUuid(); const sign = MD5(data + requestId + timestamp); $.ajax({ url: "http://localhost:9000/api/user/login", beforeSend: function (XMLHttpRequest) { XMLHttpRequest.setRequestHeader("timestamp", timestamp); XMLHttpRequest.setRequestHeader("requestId", requestId); XMLHttpRequest.setRequestHeader("sign", sign); }, data: encrypt.encrypt(data), type: "POST", dataType: "json", contentType: "application/json;charset=utf-8", success: function (data) { console.log(data); } }); }); function getUuid() { var s = []; var hexDigits = "0123456789abcdef"; for (var i = 0; i < 32; i++) { s[i] = hexDigits.substr(Math.floor(Math.random() * 0x10), 1); } s[14] = "4"; // bits 12-15 of the time_hi_and_version field to 0010 s[19] = hexDigits.substr((s[19] & 0x3) | 0x8, 1); // bits 6-7 of the clock_seq_hi_and_reserved to 01 s[8] = s[13] = s[18] = s[23]; var uuid = s.join(""); return uuid; } function sort_ASCII(obj) { var arr = new Array(); var num = 0; for (var i in obj) { arr[num] = i; num++; } var sortArr = arr.sort(); var sortObj = {}; for (var i in sortArr) { sortObj[sortArr[i]] = obj[sortArr[i]]; } return sortObj; }</script>
</body>
</html>
gateway中进行签名的校验,不合法的直接返回即可