Overview
In distributed systems, the security of API interfaces is critical. This article walks through an HTTP request signature verification mechanism built on Spring Boot: the scheme supports GET and POST requests, enforces a validity window on each request, and protects the integrity of the transmitted data. The key points of the core implementation follow.
Features
- Multiple request types: full coverage of GET and POST (JSON / form-data) requests
- Time-bounded requests: a 5-minute validity window per request
- Layered verification: public-key lookup + signature verification + timestamp check
- Parameter filtering: the signature parameter is automatically excluded from the signed data
- Encoding compatibility: URL special-character encoding is handled automatically
Core implementation
1. Main verification flow
public boolean verifySignature(HttpServletRequest request, HttpServletResponse response, GridAccountUser accountUser) {
    // Load the public-key configuration of the calling account
    StateGridAccount gridAccount = stateGridService.getStateGridAccountById(accountUser.getAccountId());
    // Route by request method
    if (HttpMethod.POST.matches(request.getMethod())) {
        // Handle JSON / form-data bodies
    } else if (HttpMethod.GET.matches(request.getMethod())) {
        // Handle GET query parameters
    }
    // Unified result: anything that did not verify above is rejected
    return false;
}
2. Key technical points
2.1 Timestamp verification
private boolean verifyTimestamp(String timestampStr) {
    long timestamp;
    try {
        timestamp = Long.parseLong(timestampStr); // also rejects null
    } catch (NumberFormatException e) {
        return false; // non-numeric timestamp: fail closed instead of throwing
    }
    long currentTime = System.currentTimeMillis();
    return Math.abs(currentTime - timestamp) <= 300_000; // 5-minute validity window
}
- Prevents replay attacks
- Requires client and server clocks to be synchronised
- The tolerance window should be made configurable
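The window check above rejects stale requests, but on its own it still accepts an identical signed request any number of times during those 5 minutes. The following added example (not code from the article; the class and method names ReplayGuard, Verdict and check are assumed) combines a configurable window with a cache of signatures already accepted, so a captured request can be presented only once. The cache is in-process, which is enough for a single node; behind a load balancer the same idea needs a shared store such as the Redis cache the article mentions.

```java
import java.time.Clock;
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Timestamp window plus replay cache (added example, names assumed).
 * A request passes only if its timestamp is numeric, inside the window,
 * and its signature has not been accepted before within that window.
 */
public class ReplayGuard {

    public enum Verdict { OK, BAD_TIMESTAMP, EXPIRED, REPLAYED }

    private final Clock clock;
    private final Duration window;
    // signature -> epoch millis after which the entry may be forgotten.
    // Entries live exactly as long as the window, because a request older
    // than the window is rejected by the timestamp check anyway.
    private final Map<String, Long> seen = new ConcurrentHashMap<>();

    public ReplayGuard(Clock clock, Duration window) {
        this.clock = clock;
        this.window = window;
    }

    public Verdict check(String timestampStr, String signature) {
        long ts;
        try {
            ts = Long.parseLong(timestampStr); // Long.parseLong(null) also throws NumberFormatException
        } catch (NumberFormatException e) {
            return Verdict.BAD_TIMESTAMP;
        }
        long now = clock.millis();
        long windowMillis = window.toMillis();
        if (Math.abs(now - ts) > windowMillis) {
            return Verdict.EXPIRED;
        }
        evictExpired(now);
        // putIfAbsent is atomic, so two concurrent copies of the same request
        // cannot both be accepted.
        Long previous = seen.putIfAbsent(signature, now + windowMillis);
        return previous == null ? Verdict.OK : Verdict.REPLAYED;
    }

    private void evictExpired(long now) {
        seen.entrySet().removeIf(entry -> entry.getValue() < now);
    }

    public static void main(String[] args) {
        // Constructed sample run: same signature twice, a malformed timestamp, a stale one.
        ReplayGuard guard = new ReplayGuard(Clock.systemUTC(), Duration.ofMinutes(5));
        String fresh = Long.toString(System.currentTimeMillis());
        System.out.println(guard.check(fresh, "sig-A"));
        System.out.println(guard.check(fresh, "sig-A"));
        System.out.println(guard.check("not-a-number", "sig-B"));
        String stale = Long.toString(System.currentTimeMillis() - 6 * 60_000);
        System.out.println(guard.check(stale, "sig-C"));
    }
}
```

Keying the cache on the signature works because the signature covers the URI, the parameters and the timestamp, so any two legitimate requests differ in it; keying on a client-supplied nonce would be the alternative if the protocol carried one.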
2.2 Request body handling
JSON requests:
String requestStr = getRequestBody(request);
JSONObject jsonObject = JSON.parseObject(requestStr);
Map<String, Object> map = JSONUtil.toBean(requestStr, Map.class);
map.remove("sign"); // exclude the signature parameter from the signed data
form-data requests:
Map<String, Object> formData = WebUtils.getParametersStartingWith(request, "");
formData.remove("sign");
GET requests:
Map<String, String[]> queryParams = request.getParameterMap();
signature = signature.replaceAll(" ", "+"); // undo the '+' -> space conversion done by URL decoding
2.3 Signature verification
SignUtil.verifySignature(
        uri,                       // request path
        data.toString(),           // filtered parameters
        Long.parseLong(timestamp),
        signature,
        publicKey
);
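Two details of the scheme above deserve a closer look: the signed string is `map.toString()`, whose output depends on the Map implementation and the JSON library on each side, and the Base64 signature is carried in a query string where `+` is decoded to a space. The following added example (not the article's SignUtil; the class CanonicalSigner and its methods canonical, sign and verify are assumed) shows both sides of the exchange over a canonical string with sorted, percent-encoded parameters, and uses URL-safe Base64 for the signature so that no `+`, `/` or `=` has to be repaired on the server.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

/** Client-side signing and server-side verification (added example, names assumed). */
public class CanonicalSigner {

    private static final String ALG = "SHA256withRSA";

    // Canonical form: METHOD \n path \n k1=v1&k2=v2 (keys sorted, percent-encoded) \n timestamp.
    // "sign" and "timestamp" are carried as parameters but never signed as such.
    static String canonical(String method, String path, Map<String, String> params, long timestamp) {
        TreeMap<String, String> sorted = new TreeMap<>(params);
        sorted.remove("sign");
        sorted.remove("timestamp");
        StringBuilder sb = new StringBuilder(method.toUpperCase(Locale.ROOT)).append('\n').append(path).append('\n');
        boolean first = true;
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            if (!first) sb.append('&');
            first = false;
            sb.append(enc(e.getKey())).append('=').append(enc(e.getValue() == null ? "" : e.getValue()));
        }
        return sb.append('\n').append(timestamp).toString();
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // URL-safe Base64 without padding contains no '+', '/' or '=', so the
    // signature survives URL decoding unchanged.
    static String sign(PrivateKey key, String canonical) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(canonical.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.sign());
    }

    static boolean verify(PublicKey key, String canonical, String sigB64) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initVerify(key);
        s.update(canonical.getBytes(StandardCharsets.UTF_8));
        try {
            return s.verify(Base64.getUrlDecoder().decode(sigB64));
        } catch (IllegalArgumentException | SignatureException malformed) {
            return false; // garbage in the sign parameter is a failed verification, not a 500
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String path = "/api/rest/demo/getidcard";

        // Client side: constructed sample parameters, then the signed request
        long ts = System.currentTimeMillis();
        Map<String, String> params = new HashMap<>();
        params.put("name", "李四");
        params.put("age", "27");
        String sig = sign(kp.getPrivate(), canonical("GET", path, params, ts));
        System.out.println("urlSafe:  " + sig.chars().noneMatch(c -> c == '+' || c == '/' || c == '='));

        // Server side: parameters arrive in a different order and with sign/timestamp mixed in;
        // canonical() sorts and filters, so the signed bytes are reproduced exactly.
        Map<String, String> received = new LinkedHashMap<>();
        received.put("sign", sig);
        received.put("age", "27");
        received.put("name", "李四");
        received.put("timestamp", Long.toString(ts));
        long recvTs = Long.parseLong(received.get("timestamp"));
        System.out.println("valid:    " + verify(kp.getPublic(), canonical("GET", path, received, recvTs), received.get("sign")));

        // Any change to a signed parameter breaks verification
        received.put("age", "28");
        System.out.println("tampered: " + verify(kp.getPublic(), canonical("GET", path, received, recvTs), received.get("sign")));
    }
}
```

The same canonical function can serve JSON bodies by flattening the top-level fields into the parameter map, which removes the dependency on fastjson and Hutool producing identical `toString()` output that the article's implementation relies on.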
Suggested improvements
1. Parameter serialisation
- The code currently uses both fastjson and Hutool's JSONUtil; settle on a single JSON library
- Jackson is recommended for standardised handling
2. Exception handling
try {
    // signature verification logic
} catch (NumberFormatException e) {
    log.error("时间戳格式异常: {}", timestampStr);
    throw new InvalidTimestampException();
} catch (SignatureException e) {
    log.warn("签名验证失败: {}", e.getMessage());
}
3. Performance
- Cache public keys (RedisCache)
- Use a connection pool for the database lookups
4. Security hardening
- Add a replay-attack counter
- Support a dynamically configurable time window
- Add an IP blacklist
Notes
- Time synchronisation: make sure NTP keeps client and server clocks in sync
- Key management: rotate keys on a schedule
- Empty parameters: define explicitly how empty strings and null are treated
- Encoding consistency: use UTF-8 throughout
- Log redaction: filter sensitive parameters out of log output
Summary
This scheme provides a baseline of API security; in production it can be extended as the business requires with:
- Rate limiting
- Mutual certificate (mTLS) authentication
- Support for multiple hash algorithms
- OpenAPI specification support
- Integration with an API management platform
Continuous refinement of the verification flow and of the monitoring around it builds a secure and reliable API gateway.
Full code
Key-pair generation utility
package com.aspire.datasynchron.common.utils;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class KeyGenExample {

    private static final String ALGORITHM = "RSA";

    public static Map<String, String> generateKey() throws NoSuchAlgorithmException {
        // 1. Choose the algorithm (RSA/EC/DSA)
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance(ALGORITHM);
        keyGen.initialize(2048); // key length
        // 2. Generate the key pair
        KeyPair keyPair = keyGen.generateKeyPair();
        // 3. Export both keys Base64-encoded (PKCS#8 private key, X.509 SubjectPublicKeyInfo public key)
        byte[] privateKeyBytes = keyPair.getPrivate().getEncoded();
        byte[] publicKeyBytes = keyPair.getPublic().getEncoded();
        String privateKey = Base64.getEncoder().encodeToString(privateKeyBytes);
        String publicKey = Base64.getEncoder().encodeToString(publicKeyBytes);
        // The article obtains this map from a project-specific ApiKeyGenerator.generateApiCredentials()
        // that is not included in the article; a plain map is used here so the class compiles on its own.
        Map<String, String> map = new HashMap<>();
        map.put("private_key", privateKey);
        map.put("public_key", publicKey);
        return map;
    }

    public static void main(String[] args) {
        try {
            Map<String, String> stringStringMap = generateKey();
            System.out.println(stringStringMap);
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
    }
}
Signature generation and verification methods
package com.aspire.datasynchron.common.utils;

import cn.hutool.json.JSONUtil;
import org.apache.commons.lang3.StringUtils;

import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * <b>System:</b>NCC
 * <b>Title:</b>SignUtil.java
 * <b>Description:</b>(add description)
 * <b>@author: </b>zhouxiaomin_a
 * <b>@date:</b>2018/6/21 17:00
 * <b>@version:</b> 1.0.0.0
 * <b>Copyright (c) 2017 Aspire Tech.</b>
 */
public class SignUtil {

    private static final String CHARSET = "utf-8";
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    private static final String KEY_ALGORITHM = "RSA";

    // Generate a signature from the private key, the data and the timestamp
    public static String generateSignature(String url, String data, long timestamp, String privateKeyStr) throws Exception {
        // Combine URL, data and timestamp into one string
        String dataWithTimestamp = url + "|" + data + "|" + timestamp;
        // Build the private key from its Base64 string
        PrivateKey privateKey = getPrivateKeyFromString(privateKeyStr);
        // Create the Signature object using SHA256withRSA
        Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
        signature.initSign(privateKey);
        // Feed the data
        signature.update(dataWithTimestamp.getBytes(StandardCharsets.UTF_8));
        // Sign
        byte[] signedData = signature.sign();
        // Return the signature as a Base64 string
        return Base64.getEncoder().encodeToString(signedData);
    }

    // Build a PrivateKey object from its Base64 (PKCS#8) string
    public static PrivateKey getPrivateKeyFromString(String privateKeyStr) throws Exception {
        // Decode the Base64 private key into bytes
        byte[] decodedKey = Base64.getDecoder().decode(privateKeyStr);
        // Use KeyFactory to build the private key object
        KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(decodedKey);
        return keyFactory.generatePrivate(keySpec);
    }

    // Verify a signature
    public static boolean verifySignature(String url, String data, long timestamp, String signatureStr, String publicKeyStr) throws Exception {
        // timestamp is a primitive, so a null check (as in the original) cannot compile; reject non-positive values instead
        if (StringUtils.isEmpty(url) || StringUtils.isEmpty(data) || timestamp <= 0
                || StringUtils.isEmpty(signatureStr) || StringUtils.isEmpty(publicKeyStr)) {
            return false;
        }
        // Combine URL, data and timestamp into one string
        String dataWithTimestamp = url + "|" + data + "|" + timestamp;
        // Build the public key from its Base64 string
        PublicKey publicKey = getPublicKeyFromString(publicKeyStr);
        // Create the Signature object using SHA256withRSA
        Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
        signature.initVerify(publicKey);
        // Feed the data
        signature.update(dataWithTimestamp.getBytes(StandardCharsets.UTF_8));
        // Decode the Base64 signature into bytes
        byte[] signatureBytes = Base64.getDecoder().decode(signatureStr);
        // Verify
        return signature.verify(signatureBytes);
    }

    // Build a PublicKey object from its Base64 (X.509) string
    public static PublicKey getPublicKeyFromString(String publicKeyStr) throws Exception {
        // Decode the Base64 public key into bytes
        byte[] decodedKey = Base64.getDecoder().decode(publicKeyStr);
        // Use KeyFactory to build the public key object
        KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(decodedKey);
        return keyFactory.generatePublic(keySpec);
    }

    // Test code
    public static void main(String[] args) throws Exception {
        // Base64 strings of the key pair. The sample keys printed in the original article were
        // case-folded during extraction and cannot be recovered; generate a pair with
        // KeyGenExample and paste the two values here.
        String privateKeyStr = "<BASE64_PKCS8_PRIVATE_KEY>";
        String publicKeyStr = "<BASE64_X509_PUBLIC_KEY>";

        String url = "/api/rest/demo/queryalarminfo";
        // Data to sign and the timestamp
        String json = "{\"specialty\":8,\"networktype\":801,\"vendorname\":\"华为\",\"netype\":\"801\",\"alarmtitle\":\"\",\"org_event_id\":\"\"}";
        Map map = JSONUtil.toBean(json, Map.class);
        String data = map.toString();
        System.out.println(data);
        long timestamp = System.currentTimeMillis(); // current timestamp
        System.out.println(timestamp);
        // Generate the signature
        String signature = generateSignature(url, data, timestamp, privateKeyStr);
        System.out.println("generated signature: " + signature);
        // Verify the signature
        boolean isVerified = SignUtil.verifySignature(url, data, timestamp, signature, publicKeyStr);
        System.out.println("signature verified: " + isVerified);
        System.out.println("---------------------------------------------------------");

        String url2 = "/api/rest/demo/getuser";
        Map<String, Object> params = new HashMap<>();
        params.put("idcard", "123456");
        long timestamp1 = System.currentTimeMillis(); // current timestamp
        System.out.println(timestamp1);
        String data2 = params.toString();
        System.out.println(data2);
        // Generate the signature
        String signature1 = generateSignature(url2, data2, timestamp1, privateKeyStr);
        System.out.println("generated signature1: " + signature1);
        // Verify the signature
        boolean isVerified1 = SignUtil.verifySignature(url2, data2, timestamp1, signature1, publicKeyStr);
        System.out.println("signature isverified1: " + isVerified1);
        System.out.println("---------------------------------------------------------");

        String url3 = "/api/rest/demo/getidcard";
        Map<String, Object> params1 = new HashMap<>();
        params1.put("name", "李四");
        params1.put("age", "27");
        String data3 = params1.toString();
        System.out.println(data3);
        long timestamp2 = System.currentTimeMillis(); // current timestamp
        System.out.println(timestamp2);
        // Generate the signature
        String signature2 = generateSignature(url3, data3, timestamp2, privateKeyStr);
        System.out.println("generated signature2: " + signature2);
        // Verify the signature
        boolean isVerified2 = SignUtil.verifySignature(url3, data3, timestamp2, signature2, publicKeyStr);
        System.out.println("signature isverified2: " + isVerified2);
    }
}
Custom interceptor
package com.aspire.datasynchron.framework.interceptor;

import com.aspire.datasynchron.common.core.domain.model.GridAccountUser;
import com.aspire.datasynchron.common.utils.StringUtils;
import com.aspire.datasynchron.framework.web.service.TokenService;
import com.aspire.datasynchron.framework.web.service.VerifySignatureService;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.nio.charset.StandardCharsets;

@Slf4j
@Component
public class SignatureInterceptor implements HandlerInterceptor {

    private final TokenService tokenService;
    private final VerifySignatureService verifySignatureService;

    @Autowired
    public SignatureInterceptor(TokenService tokenService, VerifySignatureService verifySignatureService) {
        this.tokenService = tokenService;
        this.verifySignatureService = verifySignatureService;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // header names are case-insensitive, so the lookup works whatever case the client uses
        String clientType = request.getHeader("clienttype");
        if (StringUtils.isNotEmpty(clientType)) {
            GridAccountUser accountUser = tokenService.getAccountUser(request);
            // Custom signature verification
            boolean verified = verifySignatureService.verifySignature(request, response, accountUser);
            if (!verified) {
                log.error("验签失败");
                response.setStatus(HttpStatus.FORBIDDEN.value());
                response.setContentType(MediaType.APPLICATION_JSON_VALUE);
                response.setCharacterEncoding(StandardCharsets.UTF_8.name());
                // Build the error response
                String errorMessage = "{\"error\": \"签名不合法\", \"message\": \"signature is invalid.\"}";
                response.getWriter().write(errorMessage);
                return false;
            }
        }
        return true;
    }
}
Signature verification service
package com.aspire.datasynchron.framework.web.service;

import cn.hutool.json.JSONUtil;
import com.alibaba.fastjson2.JSON;
import com.alibaba.fastjson2.JSONObject;
import com.aspire.datasynchron.common.core.domain.model.GridAccountUser;
import com.aspire.datasynchron.common.utils.SignUtil;
import com.aspire.datasynchron.stategrid.domain.StateGridAccount;
import com.aspire.datasynchron.stategrid.service.IStateGridAccountService;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
import org.springframework.web.util.WebUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

@Slf4j
@Service
public class VerifySignatureService {

    @Autowired
    private IStateGridAccountService stateGridService;

    public boolean verifySignature(HttpServletRequest request, HttpServletResponse response, GridAccountUser accountUser) {
        if (accountUser == null) {
            return false; // no authenticated account, nothing to verify against
        }
        // Look up the account's public key
        StateGridAccount gridAccount = stateGridService.getStateGridAccountById(accountUser.getAccountId());
        if (gridAccount == null || StringUtils.isEmpty(gridAccount.getPublicKey())) {
            log.error("账号[{}]公钥未配置", accountUser.getAccountId());
            return false;
        }
        String publicKey = gridAccount.getPublicKey();
        String uri = request.getRequestURI();
        String contentType = request.getContentType();

        // Route by HTTP method
        if (HttpMethod.POST.name().equals(request.getMethod())) {
            // JSON body. startsWith rather than equals: clients commonly send
            // "application/json;charset=UTF-8", which an exact comparison would reject.
            if (contentType != null && contentType.startsWith(MediaType.APPLICATION_JSON_VALUE)) {
                // Read the request body. This consumes the servlet input stream, so a controller
                // that reads @RequestBody afterwards needs the request wrapped in a body-caching
                // wrapper installed by an earlier filter.
                String requestStr = getRequestBody(request);
                log.info("请求体内容:{}", requestStr);
                if (StringUtils.isEmpty(requestStr)) {
                    return false;
                }
                JSONObject jsonObject = JSON.parseObject(requestStr);
                Map map = JSONUtil.toBean(requestStr, Map.class);
                map.remove("sign");
                map.remove("timestamp");
                String timestamp = jsonObject.getString("timestamp");
                String signature = jsonObject.getString("sign");
                // Check the timestamp window
                if (!verifTimestamp(timestamp)) {
                    return false;
                }
                try {
                    // map.toString() must reproduce exactly the string the client signed, so both
                    // sides have to agree on the JSON library and on key ordering
                    return SignUtil.verifySignature(uri, map.toString(), Long.parseLong(timestamp), signature, publicKey);
                } catch (Exception e) {
                    log.error(e.getMessage());
                    return false;
                }
            } else if (contentType != null && contentType.startsWith(MediaType.MULTIPART_FORM_DATA_VALUE)) {
                // Form data
                Map<String, Object> formData = WebUtils.getParametersStartingWith(request, "");
                log.info("表单数据:{}", formData);
                String timestamp = (String) formData.get("timestamp");
                String signature = (String) formData.get("sign");
                formData.remove("sign");
                formData.remove("timestamp");
                // Check the timestamp window
                if (!verifTimestamp(timestamp)) {
                    return false;
                }
                try {
                    return SignUtil.verifySignature(uri, formData.toString(), Long.parseLong(timestamp), signature, publicKey);
                } catch (Exception e) {
                    // Fail closed with 403 like the other branches instead of surfacing a 500
                    log.error(e.getMessage());
                    return false;
                }
            }
        } else if (HttpMethod.GET.name().equals(request.getMethod())) {
            // GET: verify over the query parameters
            Map<String, String[]> queryParams = request.getParameterMap();
            if (queryParams == null) {
                return false;
            }
            Map<String, String> filteredParams = new HashMap<>();
            queryParams.forEach((key, values) -> {
                // Exclude "sign" and "timestamp" from the signed data
                if (!"sign".equals(key) && !"timestamp".equals(key)) {
                    filteredParams.put(key, values.length > 0 ? values[0] : "");
                }
            });
            String timestamp = request.getParameter("timestamp");
            String signature = request.getParameter("sign");
            if (timestamp == null || signature == null) {
                return false;
            }
            // Check the timestamp window
            if (!verifTimestamp(timestamp)) {
                return false;
            }
            // In URL encoding '+' stands for a space, so a Base64 '+' the client did not
            // percent-encode arrives here as ' '; restore it before decoding
            signature = signature.replaceAll(" ", "+");
            try {
                return SignUtil.verifySignature(uri, filteredParams.toString(), Long.parseLong(timestamp), signature, publicKey);
            } catch (Exception e) {
                log.error(e.getMessage());
                return false;
            }
        }
        return false; // unsupported HTTP method
    }

    /**
     * Timestamp check: client and server clocks must agree to within 5 minutes.
     *
     * @param timestampStr epoch milliseconds as sent by the client
     * @return true if the value is numeric and inside the window
     * @author zhouzihao
     * @date 2025-03-25 18:13
     */
    private boolean verifTimestamp(String timestampStr) {
        long timestamp;
        try {
            timestamp = Long.parseLong(timestampStr); // also rejects null
        } catch (NumberFormatException e) {
            log.error("时间戳格式异常: {}", timestampStr);
            return false;
        }
        long currentTime = System.currentTimeMillis();
        if (Math.abs(currentTime - timestamp) > 300000) { // 5 minutes
            log.error("验签失败:时间戳已过期");
            return false;
        }
        return true;
    }

    /**
     * Read the request body as a UTF-8 string (line breaks are dropped, as in the original).
     */
    private static String getRequestBody(HttpServletRequest request) {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader br = new BufferedReader(
                new InputStreamReader(request.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line);
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return sb.toString();
    }
}
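The service above reads the JSON body from the servlet input stream inside an interceptor, which leaves nothing for a controller's @RequestBody to read; the imports of ContentCachingRequestWrapper hint at the problem, but that wrapper only records what has already been read and does not make the stream re-readable. The following added example (not part of the article's code; the package, the class names RepeatableBodyRequest and BodyCachingFilter and the use of Spring's OncePerRequestFilter are assumptions) buffers the body once in a filter that runs before any interceptor and hands out a fresh stream on every getInputStream() call, so the existing getRequestBody() keeps working and the controller still receives the body.

```java
package com.aspire.datasynchron.framework.filter; // assumed package

import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

/**
 * Request wrapper that buffers the body once so that both the signature
 * interceptor and the controller can read it (added example, names assumed).
 */
public class RepeatableBodyRequest extends HttpServletRequestWrapper {

    private final byte[] body;

    public RepeatableBodyRequest(HttpServletRequest request) throws IOException {
        super(request);
        this.body = request.getInputStream().readAllBytes(); // read the real stream exactly once
    }

    /** The buffered body as UTF-8 text, for use by the verifier. */
    public String getBodyAsString() {
        return new String(body, StandardCharsets.UTF_8);
    }

    /** Every call returns a new stream over the buffered bytes. */
    @Override
    public ServletInputStream getInputStream() {
        ByteArrayInputStream bytes = new ByteArrayInputStream(body);
        return new ServletInputStream() {
            @Override public int read() { return bytes.read(); }
            @Override public boolean isFinished() { return bytes.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener listener) {
                throw new UnsupportedOperationException("async read not supported");
            }
        };
    }

    @Override
    public BufferedReader getReader() {
        return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
    }
}

/** Wraps JSON requests before interceptors run; other content types pass through untouched. */
@Component
class BodyCachingFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String contentType = request.getContentType();
        if (contentType != null && contentType.startsWith(MediaType.APPLICATION_JSON_VALUE)) {
            chain.doFilter(new RepeatableBodyRequest(request), response);
        } else {
            chain.doFilter(request, response);
        }
    }
}
```

Only JSON requests are wrapped: form-data and GET are read through getParameterMap(), which the container already buffers, and buffering multipart uploads in memory would be wasteful. A body size limit in front of the filter (for example the container's max POST size) keeps the buffer bounded.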