一.需求
请求加上Authorization头部,按指定格式添加校验内容。Authorization包含以下几个方面信息:- 校验方式:固定为HMAC-SHA256
- timestamp:当前时间的13位毫秒时间戳
- signature:请求签名,按指定方式生成
二.实现
private boolean authorizationValidation(HttpServletRequest request) {
CachedBodyHttpServletRequest cachedRequest = (CachedBodyHttpServletRequest) request;
String authorizationHeader = request.getHeader("Authorization");try {
// 解析 Authorization 值
String[] authValues = authorizationHeader.split(",");
String timestamp = authValues[1];
String body = cachedRequest.getBody();
if (body == null) {
body = "";
}
String receivedSignature = authValues[2];
String path = request.getRequestURI();
String query = request.getQueryString();
if (StringUtils.isNotBlank(query)) {
path += "?" + query;
}
// 构建参与签名的字符串
StringBuilder stringToSign = new StringBuilder();
stringToSign.append(path).append("\n");
stringToSign.append(timestamp).append("\n");
stringToSign.append(body).append("\n");// 使用 HMAC-SHA256 算法进行签名
SecretKeySpec signingKey = new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8),
algorithm);
Mac mac = Mac.getInstance(algorithm);
mac.init(signingKey);
byte[] signatureBytes = mac.doFinal(stringToSign.toString().getBytes(StandardCharsets.UTF_8));
// 对签名进行 Base64 编码
String calculatedSignature = Base64.getEncoder().encodeToString(signatureBytes);// 对比签名值
if (calculatedSignature.equals(receivedSignature)) {return true;
}
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
e.printStackTrace();
log.info(e.getMessage());
}
return false;
}
public class CachedBodyHttpServletRequest extends HttpServletRequestWrapper {
private final byte[] cachedBody;
public CachedBodyHttpServletRequest(HttpServletRequest request) throws IOException {
super(request);
InputStream requestInputStream = request.getInputStream();
this.cachedBody = StreamUtils.copyToByteArray(requestInputStream);
}
@Override
public ServletInputStream getInputStream() {
return new CachedBodyServletInputStream(this.cachedBody);
}
@Override
public BufferedReader getReader() throws IOException {
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(this.cachedBody);
return new BufferedReader(new InputStreamReader(byteArrayInputStream));
}
public String getBody() {
return new String(cachedBody);
}
}
public abstract class StreamUtils {
public static final int BUFFER_SIZE = 4096;
public StreamUtils() {
}
public static byte[] copyToByteArray(InputStream in) throws IOException {
ByteArrayOutputStream out = new ByteArrayOutputStream(4096);
copy(in, out);
return out.toByteArray();
}
public static int copy(InputStream in, OutputStream out) throws IOException {
int byteCount = 0;
byte[] buffer = new byte[4096];
int bytesRead;
for(boolean var4 = true; (bytesRead = in.read(buffer)) != -1; byteCount += bytesRead) {
out.write(buffer, 0, bytesRead);
}
out.flush();
return byteCount;
}
}
标签:return,String,request,HMAC,签名,new,SHA256,public,append From: https://www.cnblogs.com/Anti-General/p/17760196.html