今天这篇文章聊一聊接口安全问题,涉及到接口的加密、解密。
和产品、前端同学对外需求后,梳理了相关技术方案, 主要的需求点如下:
- 尽量少改动,不影响之前的业务逻辑;
- 考虑到时间紧迫性,可采用对称性加密方式,服务需要对接安卓、IOS、H5三端,另外考虑到H5端存储密钥安全性相对来说会低一些,故分针对H5和安卓、IOS分配两套密钥;
- 要兼容低版本的接口,后面新开发的接口可不用兼容;
- 接口有GET和POST两种接口,需要都要进行加解密;
需求解析:
- 服务端、客户端和H5统一拦截加解密,网上有成熟方案,也可以按其他服务中实现的加解密流程来搞;
- 使用AES放松加密,考虑到H5端存储密钥安全性相对来说会低一些,故分针对H5和安卓、IOS分配两套密钥;
- 本次涉及客户端和服务端的整体改造,经讨论,新接口统一加 /secret/ 前缀来区分
按本次需求来简单还原问题,定义两个对象,后面用得着。
用户类:
@Data
publicclassUser {
privateIntegerid;
privateStringname;
privateUserTypeuserType=UserType.COMMON;
@JsonFormat(pattern="yyyy-MM-dd HH:mm:ss")
privateLocalDateTimeregisterTime;
}
用户类型枚举类:
@Getter
@JsonFormat(shape=JsonFormat.Shape.OBJECT)
publicenumUserType {
VIP("VIP用户"),
COMMON("普通用户");
privateStringcode;
privateStringtype;
UserType(Stringtype) {
this.code=name();
this.type=type;
}
}
构造一个简单的用户列表查询示例:
@RestController
@RequestMapping(value= {"/user", "/secret/user"})
publicclassUserController {
@RequestMapping("/list")
ResponseEntity<List<User>>listUser() {
List<User>users=newArrayList<>();
Useru=newUser();
u.setId(1);
u.setName("boyka");
u.setRegisterTime(LocalDateTime.now());
u.setUserType(UserType.COMMON);
users.add(u);
ResponseEntity<List<User>>response=newResponseEntity<>();
response.setCode(200);
response.setData(users);
response.setMsg("用户列表查询成功");
returnresponse;
}
}
调用:localhost:8080/user/list
查询结果如下,没毛病:
{
"code": 200,
"data": [{
"id": 1,
"name": "boyka",
"userType": {
"code": "COMMON",
"type": "普通用户"
},
"registerTime": "2022-03-24 23:58:39"
}],
"msg": "用户列表查询成功"
}目前主要是利用ControllerAdvice来对请求和响应体进行拦截,主要定义SecretRequestAdvice对请求进行加密和SecretResponseAdvice对响应进行加密(实际情况会稍微复杂一点,项目中又GET类型请求,自定义了一个Filter进行不同的请求解密处理)。
好了,网上的ControllerAdvice使用示例非常多,我这把两个核心方法给大家展示看看,相信大佬们一看就晓得了,不需多言。上代码:
SecretRequestAdvice请求解密:
@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE)
@Slf4j
publicclassSecretRequestAdviceextendsRequestBodyAdviceAdapter {
@Override
publicbooleansupports(MethodParametermethodParameter, Typetype, Class<?extendsHttpMessageConverter<?>>aClass) {
returntrue;
}
@Override
publicHttpInputMessagebeforeBodyRead(HttpInputMessageinputMessage, MethodParameterparameter, TypetargetType, Class<?extendsHttpMessageConverter<?>>converterType) throwsIOException {
//如果支持加密消息,进行消息解密。
StringhttpBody;
if (Boolean.TRUE.equals(SecretFilter.secretThreadLocal.get())) {
httpBody=decryptBody(inputMessage);
} else {
httpBody=StreamUtils.copyToString(inputMessage.getBody(), Charset.defaultCharset());
}
//返回处理后的消息体给messageConvert
returnnewSecretHttpMessage(newByteArrayInputStream(httpBody.getBytes()), inputMessage.getHeaders());
}
/**
* 解密消息体
*
* @param inputMessage 消息体
* @return 明文
*/
privateStringdecryptBody(HttpInputMessageinputMessage) throwsIOException {
InputStreamencryptStream=inputMessage.getBody();
StringrequestBody=StreamUtils.copyToString(encryptStream, Charset.defaultCharset());
// 验签过程
HttpHeadersheaders=inputMessage.getHeaders();
if (CollectionUtils.isEmpty(headers.get("clientType"))
||CollectionUtils.isEmpty(headers.get("timestamp"))
||CollectionUtils.isEmpty(headers.get("salt"))
||CollectionUtils.isEmpty(headers.get("signature"))) {
thrownewResultException(SECRET_API_ERROR, "请求解密参数错误,clientType、timestamp、salt、signature等参数传递是否正确传递");
}
Stringtimestamp=String.valueOf(Objects.requireNonNull(headers.get("timestamp")).get(0));
Stringsalt=String.valueOf(Objects.requireNonNull(headers.get("salt")).get(0));
Stringsignature=String.valueOf(Objects.requireNonNull(headers.get("signature")).get(0));
StringprivateKey=SecretFilter.clientPrivateKeyThreadLocal.get();
ReqSecretreqSecret=JSON.parseObject(requestBody, ReqSecret.class);
Stringdata=reqSecret.getData();
StringnewSignature="";
if (!StringUtils.isEmpty(privateKey)) {
newSignature=Md5Utils.genSignature(timestamp+salt+data+privateKey);
}
if (!newSignature.equals(signature)) {
// 验签失败
thrownewResultException(SECRET_API_ERROR, "验签失败,请确认加密方式是否正确");
}
try {
Stringdecrypt=EncryptUtils.aesDecrypt(data, privateKey);
if (StringUtils.isEmpty(decrypt)) {
decrypt="{}";
}
returndecrypt;
} catch (Exceptione) {
log.error("error: ", e);
}
thrownewResultException(SECRET_API_ERROR, "解密失败");
}
}
SecretResponseAdvice响应加密:
@ControllerAdvice
publicclassSecretResponseAdviceimplementsResponseBodyAdvice {
privateLoggerlogger=LoggerFactory.getLogger(SecretResponseAdvice.class);
@Override
publicbooleansupports(MethodParametermethodParameter, ClassaClass) {
returntrue;
}
@Override
publicObjectbeforeBodyWrite(Objecto, MethodParametermethodParameter, MediaTypemediaType, ClassaClass, ServerHttpRequestserverHttpRequest, ServerHttpResponseserverHttpResponse) {
// 判断是否需要加密
BooleanrespSecret=SecretFilter.secretThreadLocal.get();
StringsecretKey=SecretFilter.clientPrivateKeyThreadLocal.get();
// 清理本地缓存
SecretFilter.secretThreadLocal.remove();
SecretFilter.clientPrivateKeyThreadLocal.remove();
if (null!=respSecret&&respSecret) {
if (oinstanceofResponseBasic) {
// 外层加密级异常
if (SECRET_API_ERROR== ((ResponseBasic) o).getCode()) {
returnSecretResponseBasic.fail(((ResponseBasic) o).getCode(), ((ResponseBasic) o).getData(), ((ResponseBasic) o).getMsg());
}
// 业务逻辑
try {
Stringdata=EncryptUtils.aesEncrypt(JSON.toJSONString(o), secretKey);
// 增加签名
longtimestamp=System.currentTimeMillis() /1000;
intsalt=EncryptUtils.genSalt();
StringdataNew=timestamp+""+salt+""+data+secretKey;
StringnewSignature=Md5Utils.genSignature(dataNew);
returnSecretResponseBasic.success(data, timestamp, salt, newSignature);
} catch (Exceptione) {
logger.error("beforeBodyWrite error:", e);
returnSecretResponseBasic.fail(SECRET_API_ERROR, "", "服务端处理结果数据异常");
}
}
}
returno;
}
}
OK, 代码Demo撸好了,试运行一波:
请求方法:
localhost:8080/secret/user/list
header:
Content-Type:application/json
signature:55efb04a83ca083dd1e6003cde127c45
timestamp:1648308048
salt:123456
clientType:ANDORID
body体:
// 原始请求体
{
"page": 1,
"size": 10
}
// 加密后的请求体
{
"data": "1ZBecdnDuMocxAiW9UtBrJzlvVbueP9K0MsIxQccmU3OPG92oRinVm0GxBwdlXXJ"
}
// 加密响应体:
{
"data": "fxHYvnIE54eAXDbErdrDryEsIYNvsOOkyEKYB1iBcre/QU1wMowHE2BNX/je6OP3NlsCtAeDqcp7J1N332el8q2FokixLvdxAPyW5Un9JiT0LQ3MB8p+nN23pTSIvh9VS92lCA8KULWg2nViSFL5X1VwKrF0K/dcVVZnpw5h227UywP6ezSHjHdA+Q0eKZFGTEv3IzNXWqq/otx5fl1gKQ==",
"code": 200,
"signature": "aa61f19da0eb5d99f13c145a40a7746b",
"msg": "",
"timestamp": 1648480034,
"salt": 632648
}
// 解密后的响应体:
{
"code": 200,
"data": [{
"id": 1,
"name": "boyka",
"registerTime": "2022-03-27T00:19:43.699",
"userType": "COMMON"
}],
"msg": "用户列表查询成功",
"salt": 0
}
OK,客户端请求加密-》发起请求-》服务端解密-》业务处理-》服务端响应加密-》客户端解密展示,看起来没啥问题,实际是头天下午花了2小时碰需求,差不多花1小时写好demo测试,然后对所有接口统一进行了处理,整体一下午赶脚应该行了吧,告诉H5和安卓端同学明儿上午联调(不小的大家到这个时候发现猫腻没有,当时确实疏忽了,翻了大车……)
次日,安卓端反馈,你这个加解密有问题,解密后的数据格式和之前不一样,仔细一看,擦,这个userType和registerTime是不对劲,开始思考:这个能是哪儿的问题呢?1s之后,初步定位,应该是响应体的JSON.toJSONString的问题:
Stringdata=EncryptUtils.aesEncrypt(JSON.toJSONString(o)),
Debug断点调试,果然,是JSON.toJSONString(o)这一步骤转换出了问题,那JSON转换时是不是有高级属性可以配置生成想要的序列化格式呢?FastJson在序列化时提供重载方法,找到其中一个”SerializerFeature”参数可以琢磨一下,这个参数是可以对序列化进行配置的,它提供了很多配置类型,其中感觉这几个比较沾边:
WriteEnumUsingToString,
WriteEnumUsingName,
UseISO8601DateFormat
对枚举类型来说,默认是使用的WriteEnumUsingName(枚举的Name), 另一种WriteEnumUsingToString是重新toString方法,理论上可以转换成想要的样子,即这个样子:
@Getter
@JsonFormat(shape=JsonFormat.Shape.OBJECT)
publicenumUserType {
VIP("VIP用户"),
COMMON("普通用户");
privateStringcode;
privateStringtype;
UserType(Stringtype) {
this.code=name();
this.type=type;
}
@Override
publicStringtoString() {
return"{"+
"\"code\":\""+name() +'\"'+
", \"type\":\""+type+'\"'+
'}';
}
}
结果转换出来的数据是字符串类型”{“code”:”COMMON”, “type”:”普通用户”}”,这个方法好像行不通,还有什么好办法呢?思前想后,看文章开始定义的User和UserType类,标记数据序列化格式@JsonFormat,再突然想起之前看到过的一些文章,SpringMVC底层默认是使用Jackson进行序列化的,那好了,就用Jacksong实施呗,将SecretResponseAdvice中的序列化方法替换一下:
Stringdata=EncryptUtils.aesEncrypt(JSON.toJSONString(o), secretKey);
换为:
Stringdata=EncryptUtils.aesEncrypt(newObjectMapper().writeValueAsString(o), secretKey);
重新运行一波,走起:
{
"code": 200,
"data": [{
"id": 1,
"name": "boyka",
"userType": {
"code": "COMMON",
"type": "普通用户"
},
"registerTime": {
"month": "MARCH",
"year": 2022,
"dayOfMonth": 29,
"dayOfWeek": "TUESDAY",
"dayOfYear": 88,
"monthValue": 3,
"hour": 22,
"minute": 30,
"nano": 453000000,
"second": 36,
"chronology": {
"id": "ISO",
"calendarType": "iso8601"
}
}
}],
"msg": "用户列表查询成功"
}解密后的userType枚举类型和非加密版本一样了,舒服了,== 好像还不对,registerTime怎么变成这个样子了?原本是”2022-03-24 23:58:39″这种格式的,网上有很多解决方案,不过用在我们目前这个需求里面,就是有损改装了啊,不太可取,遂去Jackson官网上查找一下相关文档,当然Jackson也提供了ObjectMapper的序列化配置,重新再初始化配置ObjectMpper对象:
StringDATE_TIME_FORMATTER="yyyy-MM-dd HH:mm:ss";
ObjectMapperobjectMapper=newJackson2ObjectMapperBuilder()
.findModulesViaServiceLoader(true)
.serializerByType(LocalDateTime.class, newLocalDateTimeSerializer(
DateTimeFormatter.ofPattern(DATE_TIME_FORMATTER)))
.deserializerByType(LocalDateTime.class, newLocalDateTimeDeserializer(
DateTimeFormatter.ofPattern(DATE_TIME_FORMATTER)))
.build();
转换结果:
{
"code": 200,
"data": [{
"id": 1,
"name": "boyka",
"userType": {
"code": "COMMON",
"type": "普通用户"
},
"registerTime": "2022-03-29 22:57:33"
}],
"msg": "用户列表查询成功"
}OK,和非加密版的终于一致了,完了吗?感觉还是可能存在些什么问题,首先业务代码的时间序列化需求不一样,有”yyyy-MM-dd hh:mm:ss”的,也有”yyyy-MM-dd”的,还可能其他配置思考不到位的,导致和之前非加密版返回数据不一致的问题,到时候联调测出来了也麻烦,有没有一劳永逸的办法呢?哎,这个时候如果你看过 Spring 源码的话,就应该知道spring框架自身是怎么序列化的,照着配置应该就行嘛,好像有点道理,我这里不从0开始分析源码了。
跟着执行链路,找到具体的响应序列化,重点就是RequestResponseBodyMethodProcessor,
protected<T>voidwriteWithMessageConverters(@NullableTvalue, MethodParameterreturnType, ServletServerHttpRequestinputMessage, ServletServerHttpResponseoutputMessage) throwsIOException, HttpMediaTypeNotAcceptableException, HttpMessageNotWritableException {
// 获取响应的拦截器链并执行beforeBodyWrite方法,也就是执行了我们自定义的SecretResponseAdvice中的beforeBodyWrite啦
body=this.getAdvice().beforeBodyWrite(body, returnType, selectedMediaType, converter.getClass(), inputMessage, outputMessage);
if (body!=null) {
// 执行响应体序列化工作
if (genericConverter!=null) {
genericConverter.write(body, (Type)targetType, selectedMediaType, outputMessage);
} else {
converter.write(body, selectedMediaType, outputMessage);
}
}
进而通过实例化的AbstractJackson2HttpMessageConverter对象找到执行序列化的核心方法
->AbstractGenericHttpMessageConverter:
publicfinalvoidwrite(Tt, @NullableTypetype, @NullableMediaTypecontentType, HttpOutputMessageoutputMessage) throwsIOException, HttpMessageNotWritableException {
...
this.writeInternal(t, type, outputMessage);
outputMessage.getBody().flush();
}
->找到Jackson序列化AbstractJackson2HttpMessageConverter:
// 从spring容器中获取并设置的ObjectMapper实例
protectedObjectMapperobjectMapper;
protectedvoidwriteInternal(Objectobject, @NullableTypetype, HttpOutputMessageoutputMessage) throwsIOException, HttpMessageNotWritableException {
MediaTypecontentType=outputMessage.getHeaders().getContentType();
JsonEncodingencoding=this.getJsonEncoding(contentType);
JsonGeneratorgenerator=this.objectMapper.getFactory().createGenerator(outputMessage.getBody(), encoding);
this.writePrefix(generator, object);
Objectvalue=object;
Class<?>serializationView=null;
FilterProviderfilters=null;
JavaTypejavaType=null;
if (objectinstanceofMappingJacksonValue) {
MappingJacksonValuecontainer= (MappingJacksonValue)object;
value=container.getValue();
serializationView=container.getSerializationView();
filters=container.getFilters();
}
if (type!=null&&TypeUtils.isAssignable(type, value.getClass())) {
javaType=this.getJavaType(type, (Class)null);
}
ObjectWriterobjectWriter=serializationView!=null?this.objectMapper.writerWithView(serializationView) : this.objectMapper.writer();
if (filters!=null) {
objectWriter=objectWriter.with(filters);
}
if (javaType!=null&&javaType.isContainerType()) {
objectWriter=objectWriter.forType(javaType);
}
SerializationConfigconfig=objectWriter.getConfig();
if (contentType!=null&&contentType.isCompatibleWith(MediaType.TEXT_EVENT_STREAM) &&config.isEnabled(SerializationFeature.INDENT_OUTPUT)) {
objectWriter=objectWriter.with(this.ssePrettyPrinter);
}
// 重点进行序列化
objectWriter.writeValue(generator, value);
this.writeSuffix(generator, object);
generator.flush();
}
那么,可以看出SpringMVC在进行响应序列化的时候是从容器中获取的ObjectMapper实例对象,并会根据不同的默认配置条件进行序列化,那处理方法就简单了,我也可以从Spring容器拿数据进行序列化啊。SecretResponseAdvice进行如下进一步改造:
@ControllerAdvice
publicclassSecretResponseAdviceimplementsResponseBodyAdvice {
@Autowired
privateObjectMapperobjectMapper;
@Override
publicObjectbeforeBodyWrite(....) {
.....
StringdataStr=objectMapper.writeValueAsString(o);
Stringdata=EncryptUtils.aesEncrypt(dataStr, secretKey);
.....
}
}
经测试,响应数据和非加密版万全一致啦,还有GET部分的请求加密,以及后面加解密惨遭跨域问题,后面有空再和大家聊聊。
文章来源网络,作者:运维,如若转载,请注明出处:https://shuyeidc.com/wp/147265.html<
