自拍偷在线精品自拍偷,亚洲欧美中文日韩v在线观看不卡

Spring Boot 接口數(shù)據(jù)加解密就該這樣設(shè)計(jì)~

作者:不才陳某
人工智能 機(jī)器學(xué)習(xí)
考慮到時(shí)間緊迫性,可采用對(duì)稱性加密方式,服務(wù)需要對(duì)接安卓、IOS、H5三端,另外考慮到H5端存儲(chǔ)密鑰安全性相對(duì)來(lái)說(shuō)會(huì)低一些,故分針對(duì)H5和安卓、IOS分配兩套密鑰;

今天這篇文章聊一聊接口安全問(wèn)題,涉及到接口的加密、解密。

圖片

和產(chǎn)品、前端同學(xué)對(duì)外需求后,梳理了相關(guān)技術(shù)方案, 主要的需求點(diǎn)如下:

  • 盡量少改動(dòng),不影響之前的業(yè)務(wù)邏輯;
  • 考慮到時(shí)間緊迫性,可采用對(duì)稱性加密方式,服務(wù)需要對(duì)接安卓、IOS、H5三端,另外考慮到H5端存儲(chǔ)密鑰安全性相對(duì)來(lái)說(shuō)會(huì)低一些,故分針對(duì)H5和安卓、IOS分配兩套密鑰;
  • 要兼容低版本的接口,后面新開發(fā)的接口可不用兼容;
  • 接口有GET和POST兩種接口,需要都要進(jìn)行加解密;

需求解析:

  • 服務(wù)端、客戶端和H5統(tǒng)一攔截加解密,網(wǎng)上有成熟方案,也可以按其他服務(wù)中實(shí)現(xiàn)的加解密流程來(lái)搞;
  • 使用AES放松加密,考慮到H5端存儲(chǔ)密鑰安全性相對(duì)來(lái)說(shuō)會(huì)低一些,故分針對(duì)H5和安卓、IOS分配兩套密鑰;
  • 本次涉及客戶端和服務(wù)端的整體改造,經(jīng)討論,新接口統(tǒng)一加 /secret/ 前綴來(lái)區(qū)分

按本次需求來(lái)簡(jiǎn)單還原問(wèn)題,定義兩個(gè)對(duì)象,后面用得著,

用戶類:

@Data
public class User {
    private Integer id;
    private String name;
    private UserType userType = UserType.COMMON;
    @JsonFormat(pattern = "yyyy-MM-dd HH:mm:ss")
    private LocalDateTime registerTime;
}

用戶類型枚舉類:

@Getter
@JsonFormat(shape = JsonFormat.Shape.OBJECT)
public enum UserType {
    VIP("VIP用戶"),
    COMMON("普通用戶");
    private String code;
    private String type;

    UserType(String type) {
        this.code = name();
        this.type = type;
    }
}

構(gòu)造一個(gè)簡(jiǎn)單的用戶列表查詢示例:

@RestController
@RequestMapping(value = {"/user", "/secret/user"})
public class UserController {
    @RequestMapping("/list")
    ResponseEntity<List<User>> listUser() {
        List<User> users = new ArrayList<>();
        User u = new User();
        u.setId(1);
        u.setName("boyka");
        u.setRegisterTime(LocalDateTime.now());
        u.setUserType(UserType.COMMON);
        users.add(u);
        ResponseEntity<List<User>> response = new ResponseEntity<>();
        response.setCode(200);
        response.setData(users);
        response.setMsg("用戶列表查詢成功");
        return response;
    }
}

調(diào)用:localhost:8080/user/list

查詢結(jié)果如下,沒(méi)毛病:

{
 "code": 200,
 "data": [{
  "id": 1,
  "name": "boyka",
  "userType": {
   "code": "COMMON",
   "type": "普通用戶"
  },
  "registerTime": "2022-03-24 23:58:39"
 }],
 "msg": "用戶列表查詢成功"
}

目前主要是利用ControllerAdvice來(lái)對(duì)請(qǐng)求和響應(yīng)體進(jìn)行攔截,主要定義SecretRequestAdvice對(duì)請(qǐng)求進(jìn)行加密和SecretResponseAdvice對(duì)響應(yīng)進(jìn)行加密(實(shí)際情況會(huì)稍微復(fù)雜一點(diǎn),項(xiàng)目中又GET類型請(qǐng)求,自定義了一個(gè)Filter進(jìn)行不同的請(qǐng)求解密處理)。

好了,網(wǎng)上的ControllerAdvice使用示例非常多,我這把兩個(gè)核心方法給大家展示看看,相信大佬們一看就曉得了,不需多言。上代碼:

SecretRequestAdvice請(qǐng)求解密:

@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE)
@Slf4j
public class SecretRequestAdvice extends RequestBodyAdviceAdapter {
    @Override
    public boolean supports(MethodParameter methodParameter, Type type, Class<? extends HttpMessageConverter<?>> aClass){
        return true;
    }

    @Override
    public HttpInputMessage beforeBodyRead(HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) throws IOException {
        //如果支持加密消息,進(jìn)行消息解密。
        String httpBody;
        if (Boolean.TRUE.equals(SecretFilter.secretThreadLocal.get())) {
            httpBody = decryptBody(inputMessage);
        } else {
            httpBody = StreamUtils.copyToString(inputMessage.getBody(), Charset.defaultCharset());
        }
        //返回處理后的消息體給messageConvert
        return new SecretHttpMessage(new ByteArrayInputStream(httpBody.getBytes()), inputMessage.getHeaders());
    }

    /**
     * 解密消息體
     *
     * @param inputMessage 消息體
     * @return 明文
     */
    private String decryptBody(HttpInputMessage inputMessage) throws IOException {
        InputStream encryptStream = inputMessage.getBody();
        String requestBody = StreamUtils.copyToString(encryptStream, Charset.defaultCharset());
        // 驗(yàn)簽過(guò)程
        HttpHeaders headers = inputMessage.getHeaders();
        if (CollectionUtils.isEmpty(headers.get("clientType"))
                || CollectionUtils.isEmpty(headers.get("timestamp"))
                || CollectionUtils.isEmpty(headers.get("salt"))
                || CollectionUtils.isEmpty(headers.get("signature"))) {
            throw new ResultException(SECRET_API_ERROR, "請(qǐng)求解密參數(shù)錯(cuò)誤,clientType、timestamp、salt、signature等參數(shù)傳遞是否正確傳遞");
        }

        String timestamp = String.valueOf(Objects.requireNonNull(headers.get("timestamp")).get(0));
        String salt = String.valueOf(Objects.requireNonNull(headers.get("salt")).get(0));
        String signature = String.valueOf(Objects.requireNonNull(headers.get("signature")).get(0));
        String privateKey = SecretFilter.clientPrivateKeyThreadLocal.get();
        ReqSecret reqSecret = JSON.parseObject(requestBody, ReqSecret.class);
        String data = reqSecret.getData();
        String newSignature = "";
        if (!StringUtils.isEmpty(privateKey)) {
            newSignature = Md5Utils.genSignature(timestamp + salt + data + privateKey);
        }
        if (!newSignature.equals(signature)) {
            // 驗(yàn)簽失敗
            throw new ResultException(SECRET_API_ERROR, "驗(yàn)簽失敗,請(qǐng)確認(rèn)加密方式是否正確");
        }

        try {
            String decrypt = EncryptUtils.aesDecrypt(data, privateKey);
            if (StringUtils.isEmpty(decrypt)) {
                decrypt = "{}";
            }
            return decrypt;
        } catch (Exception e) {
            log.error("error: ", e);
        }
        throw new ResultException(SECRET_API_ERROR, "解密失敗");
    }
}

SecretResponseAdvice響應(yīng)加密:

@ControllerAdvice
public class SecretResponseAdvice implements ResponseBodyAdvice {
    private Logger logger = LoggerFactory.getLogger(SecretResponseAdvice.class);

    @Override
    public boolean supports(MethodParameter methodParameter, Class aClass){
        return true;
    }

    @Override
    public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse){
        // 判斷是否需要加密
        Boolean respSecret = SecretFilter.secretThreadLocal.get();
        String secretKey = SecretFilter.clientPrivateKeyThreadLocal.get();
        // 清理本地緩存
        SecretFilter.secretThreadLocal.remove();
        SecretFilter.clientPrivateKeyThreadLocal.remove();
        if (null != respSecret && respSecret) {
            if (o instanceof ResponseBasic) {
                // 外層加密級(jí)異常
                if (SECRET_API_ERROR == ((ResponseBasic) o).getCode()) {
                    return SecretResponseBasic.fail(((ResponseBasic) o).getCode(), ((ResponseBasic) o).getData(), ((ResponseBasic) o).getMsg());
                }
                // 業(yè)務(wù)邏輯
                try {
                    String data = EncryptUtils.aesEncrypt(JSON.toJSONString(o), secretKey);
                    // 增加簽名
                    long timestamp = System.currentTimeMillis() / 1000;
                    int salt = EncryptUtils.genSalt();
                    String dataNew = timestamp + "" + salt + "" + data + secretKey;
                    String newSignature = Md5Utils.genSignature(dataNew);
                    return SecretResponseBasic.success(data, timestamp, salt, newSignature);
                } catch (Exception e) {
                    logger.error("beforeBodyWrite error:", e);
                    return SecretResponseBasic.fail(SECRET_API_ERROR, "", "服務(wù)端處理結(jié)果數(shù)據(jù)異常");
                }
            }
        }
        return o;
    }
}

OK, 代碼Demo擼好了,試運(yùn)行一波:

請(qǐng)求方法:
localhost:8080/secret/user/list

header:
Content-Type:application/json
signature:55efb04a83ca083dd1e6003cde127c45
timestamp:1648308048
salt:123456
clientType:ANDORID

body體:
// 原始請(qǐng)求體
{
 "page": 1,
 "size": 10
}
// 加密后的請(qǐng)求體
{
 "data": "1ZBecdnDuMocxAiW9UtBrJzlvVbueP9K0MsIxQccmU3OPG92oRinVm0GxBwdlXXJ"
}

// 加密響應(yīng)體:
{
    "data": "fxHYvnIE54eAXDbErdrDryEsIYNvsOOkyEKYB1iBcre/QU1wMowHE2BNX/je6OP3NlsCtAeDqcp7J1N332el8q2FokixLvdxAPyW5Un9JiT0LQ3MB8p+nN23pTSIvh9VS92lCA8KULWg2nViSFL5X1VwKrF0K/dcVVZnpw5h227UywP6ezSHjHdA+Q0eKZFGTEv3IzNXWqq/otx5fl1gKQ==",
    "code": 200,
    "signature": "aa61f19da0eb5d99f13c145a40a7746b",
    "msg": "",
    "timestamp": 1648480034,
    "salt": 632648
}

// 解密后的響應(yīng)體:
{
 "code": 200,
 "data": [{
  "id": 1,
  "name": "boyka",
  "registerTime": "2022-03-27T00:19:43.699",
  "userType": "COMMON"
 }],
 "msg": "用戶列表查詢成功",
 "salt": 0
}

OK,客戶端請(qǐng)求加密-》發(fā)起請(qǐng)求-》服務(wù)端解密-》業(yè)務(wù)處理-》服務(wù)端響應(yīng)加密-》客戶端解密展示,看起來(lái)沒(méi)啥問(wèn)題,實(shí)際是頭天下午花了2小時(shí)碰需求,差不多花1小時(shí)寫好demo測(cè)試,然后對(duì)所有接口統(tǒng)一進(jìn)行了處理,整體一下午趕腳應(yīng)該行了吧,告訴H5和安卓端同學(xué)明兒上午聯(lián)調(diào)(不小的大家到這個(gè)時(shí)候發(fā)現(xiàn)貓膩沒(méi)有,當(dāng)時(shí)確實(shí)疏忽了,翻了大車......)

次日,安卓端反饋,你這個(gè)加解密有問(wèn)題,解密后的數(shù)據(jù)格式和之前不一樣,仔細(xì)一看,擦,這個(gè)userType和registerTime是不對(duì)勁,開始思考:這個(gè)能是哪兒的問(wèn)題呢?1s之后,初步定位,應(yīng)該是響應(yīng)體的JSON.toJSONString的問(wèn)題:

String data = EncryptUtils.aesEncrypt(JSON.toJSONString(o)),

Debug斷點(diǎn)調(diào)試,果然,是JSON.toJSONString(o)這一步驟轉(zhuǎn)換出了問(wèn)題,那JSON轉(zhuǎn)換時(shí)是不是有高級(jí)屬性可以配置生成想要的序列化格式呢?FastJson在序列化時(shí)提供重載方法,找到其中一個(gè)"SerializerFeature"參數(shù)可以琢磨一下,這個(gè)參數(shù)是可以對(duì)序列化進(jìn)行配置的,它提供了很多配置類型,其中感覺(jué)這幾個(gè)比較沾邊:

WriteEnumUsingToString,
WriteEnumUsingName,
UseISO8601DateFormat

對(duì)枚舉類型來(lái)說(shuō),默認(rèn)是使用的WriteEnumUsingName(枚舉的Name), 另一種WriteEnumUsingToString是重新toString方法,理論上可以轉(zhuǎn)換成想要的樣子,即這個(gè)樣子:

@Getter
@JsonFormat(shape = JsonFormat.Shape.OBJECT)
public enum UserType {
    VIP("VIP用戶"),
    COMMON("普通用戶");
    private String code;
    private String type;

    UserType(String type) {
        this.code = name();
        this.type = type;
    }

    @Override
    public String toString(){
        return "{" +
                "\"code\":\"" + name() + '\"' +
                ", \"type\":\"" + type + '\"' +
                '}';
    }
}

結(jié)果轉(zhuǎn)換出來(lái)的數(shù)據(jù)是字符串類型"{"code":"COMMON", "type":"普通用戶"}",這個(gè)方法好像行不通,還有什么好辦法呢?思前想后,看文章開始定義的User和UserType類,標(biāo)記數(shù)據(jù)序列化格式@JsonFormat,再突然想起之前看到過(guò)的一些文章,SpringMVC底層默認(rèn)是使用Jackson進(jìn)行序列化的,那好了,就用Jacksong實(shí)施唄,將SecretResponseAdvice中的序列化方法替換一下:

String data = EncryptUtils.aesEncrypt(JSON.toJSONString(o), secretKey);
 換為:
String data =EncryptUtils.aesEncrypt(new ObjectMapper().writeValueAsString(o), secretKey);

重新運(yùn)行一波,走起:

{
 "code": 200,
 "data": [{
  "id": 1,
  "name": "boyka",
  "userType": {
   "code": "COMMON",
   "type": "普通用戶"
  },
  "registerTime": {
   "month": "MARCH",
   "year": 2022,
   "dayOfMonth": 29,
   "dayOfWeek": "TUESDAY",
   "dayOfYear": 88,
   "monthValue": 3,
   "hour": 22,
   "minute": 30,
   "nano": 453000000,
   "second": 36,
   "chronology": {
    "id": "ISO",
    "calendarType": "iso8601"
   }
  }
 }],
 "msg": "用戶列表查詢成功"
}

解密后的userType枚舉類型和非加密版本一樣了,舒服了,== 好像還不對(duì),registerTime怎么變成這個(gè)樣子了?原本是"2022-03-24 23:58:39"這種格式的,網(wǎng)上有很多解決方案,不過(guò)用在我們目前這個(gè)需求里面,就是有損改裝了啊,不太可取,遂去Jackson官網(wǎng)上查找一下相關(guān)文檔,當(dāng)然Jackson也提供了ObjectMapper的序列化配置,重新再初始化配置ObjectMpper對(duì)象:

String DATE_TIME_FORMATTER = "yyyy-MM-dd HH:mm:ss";
ObjectMapper objectMapper = new Jackson2ObjectMapperBuilder()
                            .findModulesViaServiceLoader(true)
                            .serializerByType(LocalDateTime.class, new LocalDateTimeSerializer(
                                    DateTimeFormatter.ofPattern(DATE_TIME_FORMATTER)))
                            .deserializerByType(LocalDateTime.class, new LocalDateTimeDeserializer(
                                    DateTimeFormatter.ofPattern(DATE_TIME_FORMATTER)))
                            .build();

轉(zhuǎn)換結(jié)果:

{
 "code": 200,
 "data": [{
  "id": 1,
  "name": "boyka",
  "userType": {
   "code": "COMMON",
   "type": "普通用戶"
  },
  "registerTime": "2022-03-29 22:57:33"
 }],
 "msg": "用戶列表查詢成功"
}

OK,和非加密版的終于一致了,完了嗎?感覺(jué)還是可能存在些什么問(wèn)題,首先業(yè)務(wù)代碼的時(shí)間序列化需求不一樣,有"yyyy-MM-dd hh:mm:ss"的,也有"yyyy-MM-dd"的,還可能其他配置思考不到位的,導(dǎo)致和之前非加密版返回?cái)?shù)據(jù)不一致的問(wèn)題,到時(shí)候聯(lián)調(diào)測(cè)出來(lái)了也麻煩,有沒(méi)有一勞永逸的辦法呢?哎,這個(gè)時(shí)候如果你看過(guò) Spring 源碼的話,就應(yīng)該知道spring框架自身是怎么序列化的,照著配置應(yīng)該就行嘛,好像有點(diǎn)道理,我這里不從0開始分析源碼了。

跟著執(zhí)行鏈路,找到具體的響應(yīng)序列化,重點(diǎn)就是RequestResponseBodyMethodProcessor,

protected <T> void writeWithMessageConverters(@Nullable T value, MethodParameter returnType, ServletServerHttpRequest inputMessage, ServletServerHttpResponse outputMessage) throws IOException, HttpMediaTypeNotAcceptableException, HttpMessageNotWritableException {
        // 獲取響應(yīng)的攔截器鏈并執(zhí)行beforeBodyWrite方法,也就是執(zhí)行了我們自定義的SecretResponseAdvice中的beforeBodyWrite啦
  body = this.getAdvice().beforeBodyWrite(body, returnType, selectedMediaType, converter.getClass(), inputMessage, outputMessage);
  if (body != null) {
      // 執(zhí)行響應(yīng)體序列化工作
   if (genericConverter != null) {
    genericConverter.write(body, (Type)targetType, selectedMediaType, outputMessage);
   } else {
    converter.write(body, selectedMediaType, outputMessage);
   }
    }

進(jìn)而通過(guò)實(shí)例化的AbstractJackson2HttpMessageConverter對(duì)象找到執(zhí)行序列化的核心方法

-> AbstractGenericHttpMessageConverter:
 
 public final void write(T t, @Nullable Type type, @Nullable MediaType contentType, HttpOutputMessage outputMessage) throws IOException, HttpMessageNotWritableException {
        ...
  this.writeInternal(t, type, outputMessage);
  outputMessage.getBody().flush();
     
    }
 -> 找到Jackson序列化 AbstractJackson2HttpMessageConverter:
 // 從spring容器中獲取并設(shè)置的ObjectMapper實(shí)例
 protected ObjectMapper objectMapper;
 
 protected void writeInternal(Object object, @Nullable Type type, HttpOutputMessage outputMessage) throws IOException, HttpMessageNotWritableException {
        MediaType contentType = outputMessage.getHeaders().getContentType();
        JsonEncoding encoding = this.getJsonEncoding(contentType);
        JsonGenerator generator = this.objectMapper.getFactory().createGenerator(outputMessage.getBody(), encoding);

  this.writePrefix(generator, object);
  Object value = object;
  Class<?> serializationView = null;
  FilterProvider filters = null;
  JavaType javaType = null;
  if (object instanceof MappingJacksonValue) {
   MappingJacksonValue container = (MappingJacksonValue)object;
   value = container.getValue();
   serializationView = container.getSerializationView();
   filters = container.getFilters();
  }

  if (type != null && TypeUtils.isAssignable(type, value.getClass())) {
   javaType = this.getJavaType(type, (Class)null);
  }

  ObjectWriter objectWriter = serializationView != null ? this.objectMapper.writerWithView(serializationView) : this.objectMapper.writer();
  if (filters != null) {
   objectWriter = objectWriter.with(filters);
  }

  if (javaType != null && javaType.isContainerType()) {
   objectWriter = objectWriter.forType(javaType);
  }

  SerializationConfig config = objectWriter.getConfig();
  if (contentType != null && contentType.isCompatibleWith(MediaType.TEXT_EVENT_STREAM) && config.isEnabled(SerializationFeature.INDENT_OUTPUT)) {
   objectWriter = objectWriter.with(this.ssePrettyPrinter);
  }
        // 重點(diǎn)進(jìn)行序列化
  objectWriter.writeValue(generator, value);
  this.writeSuffix(generator, object);
  generator.flush();
    }

那么,可以看出SpringMVC在進(jìn)行響應(yīng)序列化的時(shí)候是從容器中獲取的ObjectMapper實(shí)例對(duì)象,并會(huì)根據(jù)不同的默認(rèn)配置條件進(jìn)行序列化,那處理方法就簡(jiǎn)單了,我也可以從Spring容器拿數(shù)據(jù)進(jìn)行序列化啊。SecretResponseAdvice進(jìn)行如下進(jìn)一步改造:

@ControllerAdvice
public class SecretResponseAdvice implements ResponseBodyAdvice {

    @Autowired
    private ObjectMapper objectMapper;
     
      @Override
    public Object beforeBodyWrite(....){
        .....
        String dataStr =objectMapper.writeValueAsString(o);
        String data = EncryptUtils.aesEncrypt(dataStr, secretKey);
        .....
    }
 }

經(jīng)測(cè)試,響應(yīng)數(shù)據(jù)和非加密版萬(wàn)全一致啦,還有GET部分的請(qǐng)求加密,以及后面加解密慘遭跨域問(wèn)題,后面有空再和大家聊聊。

責(zé)任編輯:武曉燕 來(lái)源: 碼猿技術(shù)專欄
接口Spring解密
相關(guān)推薦

2022-07-27 08:49:34

接口加密解密

2024-09-27 15:24:15

Spring數(shù)據(jù)加解密

2022-09-15 08:41:16

數(shù)據(jù)異構(gòu)分庫(kù)分表

2022-12-05 09:08:12

微服務(wù)灰度發(fā)布

2023-06-27 08:58:03

2021-03-09 13:18:53

加密解密參數(shù)

2022-06-04 12:25:10

解密加密過(guò)濾器

2023-03-06 08:49:02

加密和解密SpringBoot

2022-07-18 08:39:18

ACL訪問(wèn)控制機(jī)制

2025-04-15 02:25:00

2023-07-05 13:58:10

權(quán)限模型設(shè)計(jì)模式

2022-09-14 18:23:01

工具加解密接口

2011-08-01 14:36:06

加密RSA

2025-02-03 08:16:56

2021-04-20 10:50:38

Spring Boot代碼Java

2023-11-01 08:58:10

2025-02-28 13:00:00

SpringBoot接口接口安全

2022-11-18 18:36:24

2022-02-16 23:58:41

Spring過(guò)濾器驗(yàn)證碼

2024-01-02 10:46:14

點(diǎn)贊
收藏

51CTO技術(shù)棧公眾號(hào)