Shulou(Shulou.com)06/02 Report--

The content of this article mainly explains "springboot aop with reflection unified signature verification how to achieve", interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Next let the editor to take you to learn "springboot aop with reflection unified signature verification how to achieve" it!

Aop cooperates with reflection Unified signature Verification

Go straight to the code as a record.

CheckSignAspect.java

@ Aspect / / define a section @ Configuration@Log4j2public class CheckSignAspect {/ / define a tangent point Pointcut @ Pointcut ("execution (* com.lsj.xxl.controller.*.*CheckSign (..)") Public void excudeService () {} @ Around ("excudeService ()") public Object doAround (ProceedingJoinPoint pjp) throws Throwable {String class_name = pjp.getTarget (). GetClass (). GetName (); String method_name = pjp.getSignature (). GetName (); String [] paramNames = getFieldsName (class_name, method_name); Object [] method_args = pjp.getArgs (); SortedMap map = logParam (paramNames, method_args) If (map! = null) {String sign = map.get ("sign"). ToUpperCase (); map.remove ("sign"); String realSign = SignUtil.createSign ("utf8", map); if (! realSign.equals (sign)) {return "signature verification error";}} Object result = pjp.proceed () Return result;} / * use javassist to get the method parameter name * * @ param class_name class name * @ param method_name method name * @ return * @ throws Exception * / private String [] getFieldsName (String class_name, String method_name) throws Exception {Class clazz = Class.forName (class_name); String clazz_name = clazz.getName () ClassPool pool = ClassPool.getDefault (); ClassClassPath classPath = new ClassClassPath (clazz); pool.insertClassPath (classPath); CtClass ctClass = pool.get (clazz_name); CtMethod ctMethod = ctClass.getDeclaredMethod (method_name); MethodInfo methodInfo = ctMethod.getMethodInfo (); CodeAttribute codeAttribute = methodInfo.getCodeAttribute (); LocalVariableAttribute attr = (LocalVariableAttribute) codeAttribute.getAttribute (LocalVariableAttribute.tag) If (attr = = null) {return null;} String [] paramsArgsName = new String [ctMethod.getParameterTypes () .length]; int pos = Modifier.isStatic (ctMethod.getModifiers ())? 0: 1; for (int I = 0; I

< paramsArgsName.length; i++) { paramsArgsName[i] = attr.variableName(i + pos); } return paramsArgsName; } /** * 打印方法参数值 基本类型直接打印，非基本类型需要重写toString方法 * * @param paramsArgsName 方法参数名数组 * @param paramsArgsValue 方法参数值数组 */ private SortedMap logParam(String[] paramsArgsName, Object[] paramsArgsValue) { Map map = new HashMap(); if (ArrayUtils.isEmpty(paramsArgsName) || ArrayUtils.isEmpty(paramsArgsValue)) { log.info("该方法没有参数"); return null; }// StringBuffer buffer = new StringBuffer(); for (int i = 0; i < paramsArgsName.length; i++) { //参数名 String name = paramsArgsName[i]; //参数值 Object value = paramsArgsValue[i];// if ("sign".equals(name)){// continue;// } if (isPrimite(value.getClass())) { map.put(name, String.valueOf(value)); } else { map.put(name, value.toString()); } } return new TreeMap(map); } /** * 判断是否为基本类型：包括String * * @param clazz clazz * @return true：是; false：不是 */ private boolean isPrimite(Class clazz) { if (clazz.isPrimitive() || clazz == String.class) { return true; } else { return false; } }} SignUtil.java public class SignUtil { public static String createSign(String characterEncoding, SortedMap parameters) { StringBuffer sb = new StringBuffer(); for (Map.Entry entry : parameters.entrySet()) { if (!Strings.isNullOrEmpty(entry.getValue()) && !"sign".equals(entry.getKey()) && !"key".equals(entry.getKey())) { sb.append(entry.getKey() + "=" + entry.getValue() + "&"); } } String s = sb.toString(); if (s.length() >

0) {s = s.substring (0, sb.toString (). Length ()-1);} System.out.println ("string to be encrypted:" + s); String sign = MD5Util.MD5Encode (s, characterEncoding). ToUpperCase (); return sign;}}

test

PostMapping ("test1") public String bbCheckSign (@ RequestParam ("value") String value, @ RequestParam ("bb") String bb, @ RequestParam ("sign") String sign) {return "ok";}

Add:

The above method can also be replaced with annotation implementation. The specific modification code is as follows:

Add comment

@ Target (ElementType.METHOD) @ Retention (RetentionPolicy.RUNTIME) public @ interface CheckSign {}

Change the tangent point

@ Pointcut ("@ annotation (com.lsj.xxl.annotation.CheckSign)") API unified signature verification

Implement the API request signature verification, timestamp judgment, response data return signature and so on.

This signature verification and return signature can be implemented in a variety of ways.

The first way to implement aop

Custom annotation body

/ * * @ author xxx * / @ Retention (value = RetentionPolicy.RUNTIME) public @ interface SignatureValidation {}

Aop implementation

/ * * @ author xxx * / @ Aspect@Componentpublic class SignatureValidation {/ * timestamp request minimum limit (600s) * the smaller the setting, the higher the safety factor, but pay attention to the fault tolerance * / private static final long MAX_REQUEST = 10 * 60 * 1000L; / * * key * / private static final String SECRET= "test" / * checkpoint (complete find the set file address) * / @ Pointcut ("execution (@ com.xx.xxx.xxxxx.aop.SignatureValidation * * (..)")) Private void verifyUserKey () {} / * * get the request data and verify the signature data * / @ Before ("verifyUserKey ()") public void doBasicProfiling (JoinPoint point) {ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes (); HttpServletRequest request = Objects.requireNonNull (attributes). GetRequest (); String sign = "; String timestamp ="; String version = "" SortedMap sortedMap = new TreeMap (); for (Object obj: point.getArgs ()) {JSONObject jsonObject = JSONUtil.parseObj (obj); if (! StrUtil.isEmptyIfStr (jsonObject.get ("sign")) {sign=jsonObject.get ("sign"). ToString () } if (! StrUtil.isEmptyIfStr (jsonObject.get ("timestamp")) {timestamp=jsonObject.get ("timestamp") .toString (); sortedMap.put ("timestamp", timestamp);} if (! StrUtil.isEmptyIfStr (jsonObject.get ("version") {version=jsonObject.get ("version") .toString () SortedMap.put ("version", version);} if (! StrUtil.isEmptyIfStr (jsonObject.get ("data")) {String dataStr= jsonObject.get ("data") .toString () If (! JSONUtil.isJsonObj (dataStr)) {if (JSONUtil.isJsonArray (dataStr)) {sortedMap.put ("data", JSONUtil.parseArray (dataStr). ToString ());} sortedMap.put ("data", dataStr) } else {JSONObject dataJson= JSONUtil.parseObj (dataStr); @ SuppressWarnings ("unchecked") Set keySet = dataJson.keySet (); String key = ""; Object value = null / / traverse the json data and add it to the SortedMap object for (Iterator iterator = keySet.iterator (); iterator.hasNext ();) {key = iterator.next (); value = dataJson.get (key); String valueStr= "" If (! StrUtil.isEmptyIfStr (value)) {valueStr=value.toString ();} sortedMap.put (key, valueStr) } if (StrUtil.isEmptyIfStr (sign)) {throw new CustomException (BaseResultInfoEnum.ERROR_MISSING_SIGN_1009.getMsg (), BaseResultInfoEnum.ERROR_MISSING_SIGN_1009.getCode ());} / / New signature String newSign = createSign (sortedMap,SECRET) If (! newSign.equals (sign.toUpperCase () {throw new CustomException (BaseResultInfoEnum.ERROR_SIGN_1010.getMsg (), BaseResultInfoEnum.ERROR_SIGN_1010.getCode ()) }} / * * @ param point * @ param responseObject return parameter * / @ AfterReturning (pointcut= "verifyUserKey ()", returning= "responseObject") public void afterReturning (JoinPoint point,Object responseObject) {HttpServletResponse response= ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes ()) .getResponse (); if (responseObject instanceof ResponseModel) {ResponseModel responseModel= (ResponseModel) responseObject ResponseModel.setTimestamp (System.currentTimeMillis ()); responseModel.setVersion (0); String sign= Md5Utils.createSign (Md5Utils.createParameters (responseModel), SECRET); responseModel.setSign (sign);}

Md5 signature

/ * @ author xxx * / public class Md5Utils {/ * generate signature * @ param parameters * @ param key merchant ID * @ return * / public static String createSign (SortedMap parameters, String key) {StringBuffer sb = new StringBuffer (); Set es = parameters.entrySet (); Iterator it = es.iterator () While (it.hasNext ()) {Map.Entry entry = (Map.Entry) it.next (); String k = (String) entry.getKey (); Object v = entry.getValue () If (null! = v & &! ".equals (v) & &!" sign ".equals (k) & &!" key ".equals (k)) {sb.append (k +" = "+ v +" & ");} sb.append (" key= "+ key) String sign = SecureUtil.md5 (sb.toString ()). ToUpperCase (); return sign;} / * * signature parameter * @ param responseModel response data signature returned to the caller * @ return * / public static SortedMap createParameters (ResponseModel responseModel) {SortedMap sortedMap = new TreeMap () If {sortedMap.put ("timestamp", Convert.toStr (responseModel.getTimestamp (); sortedMap.put ("version", Convert.toStr (responseModel.getVersion (); JSONObject json = JSONUtil.parseObj (responseModel, false); if (responseModel.getData ()! = null) {sortedMap.put ("data", json.get ("data"). ToString ()) }} return sortedMap;}}

To use, you can comment above the method in control.

The second interceptor

Only the time is judged here, and the signature verification can be modified as needed.

Filter

Import javax.servlet.*;import javax.servlet.annotation.WebFilter;import javax.servlet.http.HttpServletRequest;import java.io.IOException;/** * @ author xx * / @ WebFilter (urlPatterns = "/ *", filterName = "channelFilter") public class ChannelFilter implements Filter {@ Override public void init (FilterConfig filterConfig) throws ServletException {} @ Override public void doFilter (ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {ServletRequest requestWrapper = null If (servletRequest instanceof HttpServletRequest) {requestWrapper = new RequestWrapper ((HttpServletRequest) servletRequest);} if (requestWrapper = = null) {filterChain.doFilter (servletRequest, servletResponse);} else {filterChain.doFilter (requestWrapper, servletResponse);} @ Override public void destroy () {}}

Interceptor configuration

Import org.springframework.boot.web.servlet.FilterRegistrationBean;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.web.servlet.HandlerInterceptor;import org.springframework.web.servlet.config.annotation.CorsRegistry;import org.springframework.web.servlet.config.annotation.InterceptorRegistry;import org.springframework.web.servlet.config.annotation.WebMvcConfigurer / * * @ author xxxx * / @ Configurationpublic class InterceptorConfig implements WebMvcConfigurer {@ Override public void addInterceptors (InterceptorRegistry registry) {registry.addInterceptor (getHandlerInterceptor ()) } @ Override public void addCorsMappings (CorsRegistry registry) {registry.addMapping ("/ * *") .allowedHeaders ("Content-Type", "x-requested-with", "X-Custom-Header") .allowedMethods ("PUT", "POST", "GET", "DELETE", "OPTIONS") .allowedOrigins ("*") .allowCredentials (true) @ Bean public FilterRegistrationBean repeatedlyReadFilter () {FilterRegistrationBean registration = new FilterRegistrationBean (); ChannelFilter repeatedlyReadFilter = new ChannelFilter (); registration.setFilter (repeatedlyReadFilter); registration.addUrlPatterns ("/ *"); return registration;} @ Bean public HandlerInterceptor getHandlerInterceptor () {return new TimestampInterceptor ();}}

RequestWrapper request stream rewrite processing

Import javax.servlet.ReadListener;import javax.servlet.ServletInputStream;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;import java.io.*;/** * @ author xxx * / public class RequestWrapper extends HttpServletRequestWrapper {private final String body; public RequestWrapper (HttpServletRequest request) {super (request); StringBuilder stringBuilder = new StringBuilder (); BufferedReader bufferedReader = null; InputStream inputStream = null; try {inputStream = request.getInputStream () If (inputStream! = null) {bufferedReader = new BufferedReader (new InputStreamReader (inputStream)); char [] charBuffer = new char [128]; int bytesRead =-1; while ((bytesRead = bufferedReader.read (charBuffer)) > 0) {stringBuilder.append (charBuffer, 0, bytesRead) }} else {stringBuilder.append (");}} catch (IOException ex) {} finally {if (inputStream! = null) {try {inputStream.close () } catch (IOException e) {e.printStackTrace ();}} if (bufferedReader! = null) {try {bufferedReader.close () } catch (IOException e) {e.printStackTrace ();} body = stringBuilder.toString ();} @ Override public ServletInputStream getInputStream () throws IOException {final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream (body.getBytes ()) ServletInputStream servletInputStream = new ServletInputStream () {@ Override public boolean isFinished () {return false;} @ Override public boolean isReady () {return false } @ Override public void setReadListener (ReadListener readListener) {} @ Override public int read () throws IOException {return byteArrayInputStream.read ()}; return servletInputStream;} @ Override public BufferedReader getReader () throws IOException {return new BufferedReader (new InputStreamReader (this.getInputStream () } public String getBody () {return this.body;}}

The interceptor can implement the signature processing of the request here, and only deal with the time here.

Import cn.hutool.core.util.StrUtil;import cn.hutool.json.JSONObject;import cn.hutool.json.JSONUtil;import xxx.xxx.xxx.common.result.BaseResultInfoEnum;import xxx.xxx.common.core.exception.CustomException;import org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController;import org.springframework.web.method.HandlerMethod;import org.springframework.web.servlet.HandlerInterceptor;import org.springframework.web.servlet.ModelAndView;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse / * * @ author xxx * / public class TimestampInterceptor implements HandlerInterceptor {/ * timestamp request minimum limit (600s) * the smaller the setting, the higher the safety factor, but pay attention to the fault tolerance * / private static final long MAX_REQUEST = 10 * 60 * 1000L @ Override public boolean preHandle (HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {if (handler instanceof HandlerMethod) {HandlerMethod handlerMethod = (HandlerMethod) handler; if (handlerMethod.getBean () instanceof BasicErrorController) {return true;} / / if ("GET" .equals (request.getMethod () {/ / return true / /} ValidateResponse validateResponse= new ValidateResponse (true, null); RequestWrapper myRequestWrapper = new RequestWrapper ((HttpServletRequest) request); validateResponse= checkTimestamp (myRequestWrapper.getBody ()); if (! validateResponse.isValidate ()) {throw validateResponse.getException ();}} return true } @ Override public void postHandle (HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) {} @ Override public void afterCompletion (HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {} private ValidateResponse checkTimestamp (String requestBody) {try {JSONObject jsonObject = JSONUtil.parseObj (requestBody); String timestamp = "" If (! StrUtil.isEmptyIfStr (jsonObject.get ("timestamp")) {timestamp=jsonObject.get ("timestamp"). ToString ();} if (StrUtil.isEmptyIfStr (timestamp)) {return new ValidateResponse (false, new CustomException (BaseResultInfoEnum.ERROR_MISSING_TIMESTAMP_1007.getMsg (), BaseResultInfoEnum.ERROR_MISSING_TIMESTAMP_1007.getCode () } long now = System.currentTimeMillis (); long time = Long.parseLong (timestamp); if (now-time > MAX_REQUEST) {return new ValidateResponse (false, new CustomException (BaseResultInfoEnum.ERROR_TIMESTAMP_TIMEOUT_1008.getMsg (), BaseResultInfoEnum.ERROR_TIMESTAMP_TIMEOUT_1008.getCode () } catch (Exception e) {e.printStackTrace ();} return new ValidateResponse (true, null);} / * check the returned object * / private static class ValidateResponse {private boolean validate; private CustomException exception; public ValidateResponse (boolean validate, CustomException exception) {this.validate = validate This.exception = exception;} public boolean isValidate () {return validate;} public Exception getException () {return exception;}

Return to the front-end (or other platform) processing class

Import comzzzz.xx.common.pojo.PageResponseModel;import com.zzz.xxxx.common.pojo.ResponseModel;import org.springframework.core.MethodParameter;import org.springframework.http.MediaType;import org.springframework.http.server.ServerHttpRequest;import org.springframework.http.server.ServerHttpResponse;import org.springframework.web.bind.annotation.ControllerAdvice;import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice / * * @ author sunrh * / @ ControllerAdvicepublic class ResponseBodyTimestamp implements ResponseBodyAdvice {@ Override public boolean supports (MethodParameter methodParameter, Class aClass) {return true;} @ Override public Object beforeBodyWrite (Object o, MethodParameter methodParameter, MediaType mediaType, Class aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {/ / this is where the signature data if (o instanceof ResponseModel) {ResponseModel responseModel= (ResponseModel) o; responseModel.setTimestamp (System.currentTimeMillis ()) is returned. Return responseModel;} if (o instanceof PageResponseModel) {PageResponseModel responseModel= (PageResponseModel) o; responseModel.setTimestamp (System.currentTimeMillis ()); return responseModel;} return o;}}

The effect picture of the final realization

At this point, I believe that everyone on the "springboot aop with reflection unified signature verification how to achieve" have a deeper understanding, might as well to the actual operation of it! Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.