1、业务背景
最近接触了一些电商业务,发现在处理电商业务接口时,比如淘宝、支付类接口,接口双方为了确保数据参数在传输过程中未经过篡改,都需要对接口数据进行加签,然后在接口服务器端对接口参数进行验签,确保两个签名是一样的,验签通过之后再进行业务逻辑处理。我们这里主要介绍一下处理思路,至于签名算法我不做过多介绍,网上一大堆。
2、处理思路
双方约定好,参数按特定顺序排列,比如按首字母的顺序排列,如url:http://xxx/xxx.do?a=wersd&b=sd2354&c=4&signature=XXXXXXXXXXXX(signature为传入的签名),等你拿到入参后,将参数串a=wersd&b=sd2354&c=4按你们约定的签名规则,自己用md5加签一次,然后和入参的signature值对比,以确认调用者是否合法,这就是接口签名验证的思路。
3、实例练习
接口双方经过沟通,对接口达成如下共识:
1、注意事项,主要指接口的的协议、传入参数类型、签名算法、文件格式等说明
2、下面是一个电商业务接口的真实案例,双方约定好了接口URL、业务参数、固定参数、签名以及返回数据格式
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
package com.pcmall; import java.io.BufferedReader; import java.io.DataOutputStream; import java.io.IOException; import java.io.InputStreamReader; import java.io.UnsupportedEncodingException; import java.net.HttpURLConnection; import java.net.URL; import java.net.URLEncoder; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Collections; import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.TreeMap; public class APITest { static String TEST_URL = "待定" ; static String TEST_KEY = "待定" ; static String TEST_SEC = "待定" ; public static void main(String[] args) throws UnsupportedEncodingException, NoSuchAlgorithmException { String result = getResult(TEST_URL, getReqParam()); System.out.print(result); } private static String getReqParam() throws UnsupportedEncodingException, NoSuchAlgorithmException { TreeMap<String, String> req = new TreeMap<String, String>(); req.put( "a" , TEST_KEY); req.put( "f" , "json" ); req.put( "l" , "zh_CN" ); req.put( "m" , "zhongan.repair.query" ); req.put( "v" , "1.0" ); req.put( "i" , "" + System.currentTimeMillis() / 1000 ); req.put( "params" , "{\"assignNo\":\"TEST018\"}" ); req.put( "s" , sign(req, null , TEST_SEC)); StringBuilder param = new StringBuilder(); for (Iterator<Map.Entry<String, String>> it = req.entrySet().iterator(); it.hasNext();) { Map.Entry<String, String> e = it.next(); param.append( "&" ).append(e.getKey()).append( "=" ).append(URLEncoder.encode(e.getValue(), "UTF-8" )); } return param.toString().substring( 1 ); } private static String sign(Map<String, String> paramValues, List<String> ignoreParamNames, String secret) throws NoSuchAlgorithmException, UnsupportedEncodingException { StringBuilder sb = new StringBuilder(); List<String> paramNames = new ArrayList<String>(paramValues.size()); paramNames.addAll(paramValues.keySet()); if (ignoreParamNames != null && ignoreParamNames.size() > 0 ) { for (String ignoreParamName : ignoreParamNames) { paramNames.remove(ignoreParamName); } } Collections.sort(paramNames); sb.append(secret); for (String paramName : paramNames) { sb.append(paramName).append(paramValues.get(paramName)); } sb.append(secret); MessageDigest md = MessageDigest.getInstance( "SHA-1" ); return byte2hex(md.digest(sb.toString().getBytes( "UTF-8" ))); } private static String byte2hex( byte [] bytes) { StringBuilder sign = new StringBuilder(); for ( int i = 0 ; i < bytes.length; i++) { String hex = Integer.toHexString(bytes[i] & 0xFF ); if (hex.length() == 1 ) { sign.append( "0" ); } sign.append(hex.toUpperCase()); } return sign.toString(); } private static String getResult(String urlStr, String content) { URL url = null ; HttpURLConnection connection = null ; try { url = new URL(urlStr); connection = (HttpURLConnection) url.openConnection(); connection.setDoOutput( true ); connection.setDoInput( true ); connection.setRequestMethod( "POST" ); connection.setRequestProperty( "Content-Type" , "application/x-www-form-urlencoded;charset=UTF-8" ); connection.setUseCaches( false ); connection.connect(); DataOutputStream out = new DataOutputStream(connection.getOutputStream()); out.write(content.getBytes( "UTF-8" )); out.flush(); out.close(); BufferedReader reader = new BufferedReader( new InputStreamReader(connection.getInputStream(), "UTF-8" )); StringBuffer buffer = new StringBuffer(); String line = "" ; while ((line = reader.readLine()) != null ) { buffer.append(line); } reader.close(); return buffer.toString(); } catch (IOException e) { e.printStackTrace(); } finally { if (connection != null ) { connection.disconnect(); } } return null ; } } |
服务器端代码如下(仅供参考):
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
@RequestMapping ( "/repairTakeOrder" ) @ResponseBody public ResponseVO repairTakeOrder( @RequestBody String jsonStr) { logger.info( "repairTakeOrder入参:" + jsonStr); ResponseVO responseVO = null ; try { RepairOrder repairOrder = JackJsonUtil.toBean(jsonStr, RepairOrder. class ); TreeMap<String, String> paramsMap = new TreeMap<String, String>(); paramsMap.put( "gsxx01" , repairOrder.getGsxx01()); paramsMap.put( "orderType" , repairOrder.getOrderType().toString()); paramsMap.put( "serviceNo" , repairOrder.getServiceNo()); paramsMap.put( "vipCard" , repairOrder.getVipCard()); paramsMap.put( "customerName" , repairOrder.getCustomerName()); paramsMap.put( "customerPhone" , repairOrder.getCustomerPhone()); paramsMap.put( "customerTel" , repairOrder.getCustomerTel()); paramsMap.put( "province" , repairOrder.getProvince()); paramsMap.put( "city" , repairOrder.getCity()); paramsMap.put( "county" , repairOrder.getCounty()); paramsMap.put( "address" , repairOrder.getAddress()); paramsMap.put( "salerCode" , repairOrder.getSalerCode()); paramsMap.put( "salerName" , repairOrder.getSalerName()); paramsMap.put( "storeCode" , repairOrder.getStoreCode()); paramsMap.put( "storeName" , repairOrder.getStoreName()); paramsMap.put( "site" , repairOrder.getSite()); paramsMap.put( "siteDesp" , repairOrder.getSiteDesp()); paramsMap.put( "engineerCode" , repairOrder.getEngineerCode()); paramsMap.put( "engineerName" , repairOrder.getEngineerName()); if (repairOrder.getServiceDate() != null ) { paramsMap.put( "serviceDate" , DateUtils.formatDate(repairOrder.getServiceDate())); } if (repairOrder.getSalePrice() != null ) { paramsMap.put( "salePrice" , repairOrder.getSalePrice() .toString()); } paramsMap.put( "profitCenter" , repairOrder.getProfitCenter()); paramsMap.put( "costCenter" , repairOrder.getCostCenter()); paramsMap.put( "gsxx02" , repairOrder.getGsxx02()); paramsMap.put( "returnReason" , repairOrder.getReturnReason()); if (repairOrder.getOriOrder() != null ) { paramsMap.put( "oriOrder" , repairOrder.getOriOrder().toString()); } if (repairOrder.getOriServiceNo() != null ) { paramsMap.put( "oriServiceNo" , repairOrder.getOriServiceNo()); } // 拼接签名原串(a=1&b=2) String paramSrc = RequestUtils.getParamSrc(paramsMap); logger.info( "签名原串:" + paramSrc); //进行验签操作 if (SignUtils.verifymd5(paramSrc, repairOrder.getSign())) { //处理业务逻辑 responseVO=erpServiceImpl.repairTakeOrder(repairOrder); } else { responseVO = new ResponseVO(); responseVO.setSuccess( false ); responseVO.setErrorMsg( "验签失败" ); } } catch (Exception e) { logger.error( "" , e); responseVO = new ResponseVO(); responseVO.setSuccess( false ); responseVO.setErrorMsg(StringUtils.isNotBlank(e.getMessage()) ? e.getMessage() : "后台异常" ); } return responseVO; } |
以上这篇Java Http接口加签、验签操作方法就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持服务器之家。