2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Most people are not familiar with the points covered in this article, "How to implement API encryption in Spring Boot", so the editor has summarized them below in detail and with clear steps, as a reference. I hope you get something out of reading it. Let's take a look.
API encryption and integration in Spring Boot
In a project, to keep data secure, we often encrypt the data that is transmitted. Commonly used encryption algorithms include symmetric encryption (AES) and asymmetric encryption (RSA). The blogger has picked the simplest API encryption project on Code Cloud for the explanation below.
Here is the project we will use:
rsa-encrypt-body-spring-boot
Project introduction
The project uses RSA to encrypt the data returned by API endpoints, making API data more secure so that others cannot crack the data provided. Once the Spring Boot API is set up this way, return values and parameter values are encrypted and decrypted automatically through annotations.
What is RSA encryption
First, of course, we need to understand RSA encryption.
RSA is a form of asymmetric encryption: decryption can be completed without ever transmitting the decryption key. This protects the information and avoids the risk of compromise that comes with sending a key directly. Encryption and decryption are carried out with a pair of keys, called the public key and the private key, which are mathematically related. The algorithm's security rests on the difficulty of factoring a very large integer. Usually an individual keeps the private key, while the public key is public (it may be held by many people at the same time).
An example.
Encryption and signing both exist for security reasons, but they differ slightly. People often ask whether encryption and signing use the private key or the public key; the question comes from confusing the roles of the two. Put simply, encryption prevents information from being disclosed, while signing prevents information from being tampered with. Here are two examples.
The first scene: on the battlefield, B sends a message to A with a certain instruction.
The encryption process of RSA is as follows:
(1) A generates a pair of keys (public key and private key), the private key is not public, and A keeps it. The public key is public and can be obtained by anyone.
(2) A passes its own public key to B, and B encrypts the message with A's public key.
(3) A receives the message encrypted by B and uses A's own private key to decrypt the message.
This process involves only two transmissions: first A passes the public key to B, then B sends the encrypted message to A. Even if both are intercepted by the enemy there is no danger, because only A's private key can decrypt the message, which prevents disclosure of the message content.
The second scene: A needs to reply "received" after receiving the message sent by B.
The process of RSA signature is as follows:
(1) A generates a pair of keys (public key and private key), the private key is not public, and A keeps it. The public key is public and can be obtained by anyone.
(2) A signs the message with its own private key, forms a signature, and transmits the signed message to B together with the message itself.
(3) After B receives the message, it obtains A's public key and verifies the signature. If the verified content is consistent with the message itself, this proves that the reply came from A.
This process also involves only two transmissions: first A sends the signature and the message itself to B, then B obtains A's public key. Even if both are intercepted by the enemy there is no danger, because only A's private key can sign the message. Even someone who knows the message content cannot forge a signed reply to B, which prevents tampering with the message content.
However, putting the two scenes together shows that in the first, although the intercepted message is not leaked, the intercepted public key can be used to encrypt a false instruction and pass it to A. In the second, although the intercepted message cannot be tampered with, its content can be obtained by verifying with the public key, so disclosure is not prevented. Therefore, in practical applications, encryption and signing are used together as the situation requires. For example, both A and B have their own public and private keys. When A wants to send a message to B, it first encrypts the message with B's public key and then signs the encrypted message with A's private key, so that the message can neither be disclosed nor tampered with, which better ensures its security.
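The combined scheme from the paragraph above (encrypt with the receiver's public key, then sign the ciphertext with the sender's private key), as an added example using Node.js's built-in crypto module; it is not code from the original article or from rsa-encrypt-body-spring-boot. The function names seal, unseal and demo, the sample messages, and the choice of OAEP padding with SHA-256 are assumptions made for the illustration.

```javascript
// Added example: seal/unseal/demo and the messages are illustrative names,
// not part of rsa-encrypt-body-spring-boot.
const { generateKeyPairSync, publicEncrypt, privateDecrypt, sign, verify, constants } =
  require("crypto");

// Assumption: OAEP with SHA-256 as the encryption padding.
const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
const newKeyPair = () => generateKeyPairSync("rsa", { modulusLength: 2048 });

// Sender side: encrypt with the receiver's public key, then sign the
// ciphertext with the sender's private key.
function seal(message, receiverPublicKey, senderPrivateKey) {
  const ciphertext = publicEncrypt({ key: receiverPublicKey, ...OAEP },
                                   Buffer.from(message, "utf8"));
  const signature = sign("sha256", ciphertext, senderPrivateKey);
  return { ciphertext, signature };
}

// Receiver side: verify the signature first, decrypt only if it checks out.
function unseal(envelope, receiverPrivateKey, senderPublicKey) {
  const ok = verify("sha256", envelope.ciphertext, senderPublicKey, envelope.signature);
  if (!ok) return null; // not signed by the expected sender, or altered in transit
  return privateDecrypt({ key: receiverPrivateKey, ...OAEP },
                        envelope.ciphertext).toString("utf8");
}

function demo() {
  const a = newKeyPair(), b = newKeyPair(), enemy = newKeyPair();

  // A sends an instruction to B.
  const genuine = seal("hold position", b.publicKey, a.privateKey);

  // First-scene weakness: B's public key is public, so anyone can encrypt a
  // false instruction for B. Without A's private key it cannot be signed as A.
  const forged = seal("retreat", b.publicKey, enemy.privateKey);

  // A genuine envelope with one bit of the ciphertext changed in transit.
  const tampered = { ciphertext: Buffer.from(genuine.ciphertext), signature: genuine.signature };
  tampered.ciphertext[0] ^= 1;

  return {
    genuine: unseal(genuine, b.privateKey, a.publicKey),
    forged: unseal(forged, b.privateKey, a.publicKey),
    tampered: unseal(tampered, b.privateKey, a.publicKey),
  };
}
```

demo() returns the decrypted text for the genuine message and null for both the forged and the altered one, because B refuses to decrypt anything whose signature does not verify under A's public key.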
Encryption in practice
After so much talk from the blogger, you already know what RSA is: public key encrypts, private key decrypts; private key signs, public key verifies.
Preparation
1. Create a new springboot project
Springboot_api_encryption
2. Add the Maven dependency

    <dependency>
        <groupId>cn.shuibo</groupId>
        <artifactId>rsa-encrypt-body-spring-boot</artifactId>
        <version>1.0.1.RELEASE</version>
    </dependency>

3. Add the @EnableSecurity annotation to the startup class Application

    @SpringBootApplication
    @EnableSecurity
    public class DemoApplication {

        public static void main(String[] args) {
            SpringApplication.run(DemoApplication.class, args);
        }
    }

4. Add RSA public key and private key to application.yml or application.properties
The key generation tool will be published later, in an article on generating the public and private keys.

    rsa:
      encrypt:
        open: false # whether to enable encryption: true or false
        showLog: true # whether to print the encryption and decryption log: true or false
        publicKey: # RSA public key, generated by software
        privateKey: # RSA private key, generated by software

5. Encrypt the API method in Controller

    @Encrypt
    @GetMapping("/encryption")
    public TestBean encryption() {
        TestBean testBean = new TestBean();
        testBean.setName("shuibo.cn");
        testBean.setAge(18);
        return testBean;
    }

6. Decrypt the encrypted parameters that are sent in
Other Java-side programs can use the annotation. If the client is Vue, use the RSA key on the client side.

    @Decrypt
    @PostMapping("/decryption")
    public String Decryption(@RequestBody TestBean testBean) {
        return testBean.toString();
    }

Hands-on
1. Introduce maven
2. Add the annotation to the startup class
3. Add the keys to the YML configuration
4. Create an entity class
5. Write an external API interface
6. Start the project
Request address: http://localhost:8080/encryption
We see that the returned data is not encrypted
7. Modification
Set open to true to turn on encryption

    rsa:
      encrypt:
        open: true # whether to enable encryption: true or false
        showLog: true # whether to print the encryption and decryption log: true or false
        publicKey: # RSA public key, generated by software
        privateKey: # RSA private key, generated by software

8. Restart the project again
Request address: http://localhost:8080/encryption
We see that the returned data is encrypted
9. Encryption log
Decryption in practice
If the client is another Spring Boot project, the procedure is the same as before. Here we treat the client as a Spring Boot project; any other kind of client should use RSA itself.
The server has a private key and a public key
The front end only needs a public key.
Preparation
Write a decryption method on top of the original Spring Boot project
1. Decryption method of front-end JS
2. Add the decryption method in the back end

    /**
     * Decrypt
     * @param user
     * @return
     */
    @PostMapping("/decryption")
    @Decrypt
    @ResponseBody
    public String Decryption(@RequestBody User user) {
        System.out.println(user.toString());
        return user.toString();
    }

3. JS method

    // Public key
    var PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAobhGH4WMwMvJRUlTxWrCVIOQtsHijAxPJNvAWAgq80ADpFEWrpbcGB9cKqp6XHRH4k/CVtCUZ7jm9UKwhaeAm18sKtcwe+M8JFNX6FSHpgde0o8C9S/QpcmLxf4iN7nGZ7P3ZTvMdmKUcdRMsVQnsydG2Bj6gRxP2+kexEebTeODbdM7dHlkxAL0RxGWmX/ZOBzsoWZw2gKcC0vxwyIZBGHUdImG2T3nEA+VMfK2Yqv3uSYukmlKP+0mjfhrTtLFDuTV1VER9BfryBMvpQCxLO4pqgZnXPd+SOQcZHZ2OL0wqo5OX1+GPYx7TNxz5Qi76pK//T2mH7s6X/BuyT21HQIDAQAB";

    /**
     * Encryption method
     * @returns {PromiseLike}
     * @constructor
     */
    function RSA_encryption(jsonData) {
        var encrypt = new JSEncrypt();
        encrypt.setPublicKey("-----BEGIN PUBLIC KEY-----" + PUBLIC_KEY + "-----END PUBLIC KEY-----");
        var encrypted = encrypt.encrypt(JSON.stringify(jsonData));
        // Log the input object (the original logged an undefined variable here)
        console.log("data before encryption: %o", jsonData);
        console.log("data after encryption: %o", encrypted);
        return encrypted;
    }

    /**
     * Submission method
     */
    function tijiao() {
        var str = {"name": "1223334", "password": "asd", age: 1};
        $.ajax({
            url: "/decryption",
            type: "POST",
            contentType: "application/json;charset=utf-8",
            data: RSA_encryption(str),
            success: function (data) {
                alert(data);
            }
        });
    }

Hands-on
1. Controller add decryption method API
2. Introduce js into the front-end page and the method
Title encryption back-end, back-end decryption