2025-02-25 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article introduces the sign algorithm used for html5 (H5) access: how the token is issued, how sign is computed from it, and where each input comes from.
Taobao's H5 pages access mtop differently from the native client. Because saving the appSecret in the js code of an H5 page is high risk, mtop assigns tokens randomly instead: it assigns a token to each accessing client and stores it in the user's cookie. The cookie carries the server-assigned token back to the client, the client uses that token to generate a digest of the request parameters and sends it as the URL parameter sign, and MTOP uses this digest together with the token in the cookie to prevent URL tampering.
Process flow
When the token in the local cookie is empty (usually on the first visit), mtop replies with the error "FAIL_SYS_TOKEN_EXOIRED:: token expires", generates a token, and writes it to the cookie (response.cookies).
On the second request, js reads the token value from the cookie and generates sign according to the agreed algorithm. The sign is sent with the mtop request; mtop computes sign in the same way from the token in the cookie and compares it with the sign in the request. If the check fails, the api response is "FAIL_SYS_ILLEGAL_ACCESS:: illegal request".
The token in the cookie is time-limited. When the token expires, you receive the reply "FAIL_SYS_TOKEN_EXOIRED:: token expires" and a new token is written at the same time; js recalculates sign with the new token and resends the request.
Self-check of the token in the cookie: because the token is stored in the cookie in plaintext and may be forged, the cookie that mtop writes also contains the token encrypted with the public key of an asymmetric key pair. On each request, MTOP first checks that the token in the cookie was assigned by the server (it restores the token from the encrypted token with the private key and compares it with the plaintext token that was sent back).
Sign generation
The generation formula for sign:
md5Hex(token&t&appKey&data)
For example: md5Hex("30dc68e5b4cf40ebd02fb05673c7e3b7&1572522062317&12345678&{"itemNumId":"1502111132496"}")
sign=4c1e7b6853fa7a5e1b8f7066ee22932f
Implementation code:
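    import org.apache.commons.codec.digest.DigestUtils;
    import org.apache.commons.lang3.StringUtils;

    public class SignDemo {
        // sign = md5Hex(token & t & appKey & data)
        public static String calcSignature(String token, String timestamp, String appKey, String data) {
            return DigestUtils.md5Hex(StringUtils.trimToEmpty(token) + "&" + timestamp + "&" + appKey + "&" + data);
        }

        public static void main(String[] args) {
            String token = "30dc68e5b4cf40ebd02fb05673c7e3b7";
            String timestamp = "1572522062317";
            // data is the JSON string exactly as it is sent in the request
            String sign = calcSignature(token, timestamp, "12345678", "{\"itemNumId\":\"1502111132496\"}");
            System.out.println(sign);
        }
    }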
Token
_m_h5_tk: the format is plaintextToken_expireTime, obtained from response.cookies, for example 30dc68e5b4cf40ebd02fb05673c7e3b7_1572522062317
The token is 30dc68e5b4cf40ebd02fb05673c7e3b7.
The expiry time is 1572522062317.
This can be encapsulated in a class responsible for storing the token:

    import java.util.Date;
    import lombok.AllArgsConstructor;
    import lombok.Builder;
    import lombok.Data;
    import lombok.NoArgsConstructor;
    import org.apache.commons.lang3.StringUtils;

    @Data
    @NoArgsConstructor
    @AllArgsConstructor
    @Builder
    public class Credentials implements Comparable<Credentials> {
        private String _m_h5_tk;      // plaintext token + "_" + expiry time
        private String _m_h5_tk_enc;  // encrypted token issued alongside it
        private static final int OFFSET = 60000;

        // Part of the cookie value before the first "_"
        public String getToken() {
            return StringUtils.isEmpty(_m_h5_tk) ? null : _m_h5_tk.substring(0, _m_h5_tk.indexOf("_"));
        }

        // Part after the first "_"; a time already in the past if the cookies are missing or malformed
        public long getExpireTimestamp() {
            long t = new Date().getTime() - OFFSET;
            if (StringUtils.isEmpty(_m_h5_tk) || StringUtils.isEmpty(_m_h5_tk_enc)) {
                return t;
            }
            try {
                return Long.parseLong(_m_h5_tk.substring(_m_h5_tk.indexOf("_") + 1));
            } catch (NumberFormatException e) {
                return t;
            }
        }

        public boolean isExpired() {
            if (StringUtils.isEmpty(_m_h5_tk) || StringUtils.isEmpty(_m_h5_tk_enc)) {
                return true;
            }
            return new Date().getTime() > getExpireTimestamp();
        }

        // Sorts credentials with the latest expiry first
        @Override
        public int compareTo(Credentials o) {
            return Long.compare(o.getExpireTimestamp(), this.getExpireTimestamp());
        }
    }
t
Quite simply, the timestamp is obtained through new Date().getTime().
AppKey
A fixed value that can be read from the request parameters with a packet capture tool. The parameter name is appKey.
Data
The submitted parameters, which can be read from the request parameters with a packet capture tool; usually a JSON string.
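The process flow and sign formula described above, modelled end to end as an added example (not code from the article or from Taobao). `parseTokenCookie`, `verifyRequest`, the `'OK'` result and the 32-hex-character token shape are assumptions for illustration, and the encrypted-token self-check is left out.

```javascript
const { createHash, timingSafeEqual } = require('crypto');

// sign = md5Hex(token & t & appKey & data), the formula given in the article.
function calcSign(token, t, appKey, data) {
  return createHash('md5').update(`${token}&${t}&${appKey}&${data}`, 'utf8').digest('hex');
}

// Split a cookie value of the form "<token>_<expireTime>".
// Assumption: the token is 32 hex characters, as in the article's sample.
function parseTokenCookie(value) {
  const m = /^([0-9a-f]{32})_(\d+)$/.exec(value || '');
  return m ? { token: m[1], expireAt: Number(m[2]) } : null;
}

// Server-side check (hypothetical): missing or expired token first, then sign.
function verifyRequest(cookieValue, req, now) {
  const parsed = parseTokenCookie(cookieValue);
  if (!parsed || now > parsed.expireAt) return 'FAIL_SYS_TOKEN_EXOIRED';
  const expected = Buffer.from(calcSign(parsed.token, req.t, req.appKey, req.data));
  const got = Buffer.from(String(req.sign));
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  if (got.length !== expected.length || !timingSafeEqual(got, expected)) {
    return 'FAIL_SYS_ILLEGAL_ACCESS';
  }
  return 'OK'; // constructed label for a request that passes
}

function demo() {
  const cookie = '30dc68e5b4cf40ebd02fb05673c7e3b7_1572522062317'; // sample from the article
  const now = 1572522000000; // constructed: shortly before the expiry time
  const req = { t: String(now), appKey: '12345678', data: '{"itemNumId":"1502111132496"}' };
  req.sign = calcSign(parseTokenCookie(cookie).token, req.t, req.appKey, req.data);
  const tampered = { ...req, data: '{"itemNumId":"1"}' }; // data changed, sign reused
  return {
    valid: verifyRequest(cookie, req, now),
    tampered: verifyRequest(cookie, tampered, now),
    expired: verifyRequest(cookie, req, 1572522062318),
    firstVisit: verifyRequest('', req, now),
  };
}
```

Every input to the digest (token cookie, t, appKey, data) is visible to the client, so sign binds the parameters to the issued token rather than acting as a secret; the server still needs its own authorization checks on what `data` asks for.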