工作日记之权限校验-token的实战案例
背景说明
我们组负责维护的一个系统,前端界面挂载在其他两个系统上,因为历史遗留原因,同时也挂在公网上,没有登陆功能和用户体系,只要输入网址就能访问,虽然这个系统是给公司内部人员使用,但是存在被恶意登陆并修改用户数据的风险;
解决思想
这个问题显然是权限校验的问题;系统配置拦截器或者过滤器,对其他系统发送的请求进行拦截、设计的方案是先校验参数完不完整、再校验token在不在有效期内,最后校验token是否正确;这三个环节哪个环节没有校验成功,不允许访问;
因为我们的系统是用于公司其他系统使用,这里以系统A为例代表其他系统;我们系统和系统A都要在程序中保存一个密钥,系统A每次访问我们系统前,会先根据userId和当前时间戳timestamp根据SHA-256算法生成token,最后将userId、timestamp和token参数传输到我们系统,我们系统进行权限校验;
程序流程
public class ApiSignatureInterceptor implements HandlerInterceptor {private static final long MAX_TIME_DIFF = TimeUnit.MINUTES.toMillis(5);@Value("${custom.interceptor.enabled:false}")private boolean enableInterceptor;@Overridepublic boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {if (this.enableInterceptor){String userId = request.getHeader("userId");String userName = request.getHeader("userName");String timestamp = request.getHeader("timestamp");String signature = request.getHeader("signature");//1.先验证数据都存不存在if (userId == null || timestamp == null || signature == null) {sendErr(response,"参数不全");log.error("参数不全");return false;}//boolean isAccess = SignatureUtils.verifySignature()//2.验证签名是否过期long currentTime = System.currentTimeMillis();long timeDiff = currentTime - Long.parseLong(timestamp);if (timeDiff > MAX_TIME_DIFF) {sendErr(response,"签名过期,请重新发送");return false;}//3.验证token的有效性boolean isAccess = SignatureUtils.verifySignature(buildSignData(userId,timestamp), signature);if (!isAccess) {sendErr(response,"签名校验不通过");return false;}return true;}else {return true;}}/**** 生成签名的原始数据* @param userId* @param timestamp* @return*/private static String buildSignData(String userId,String timestamp){return String.format("userId=%s×tamp=%s",userId,timestamp);}public static void sendErr(HttpServletResponse response,String msg) throws Exception {ResultResponse<Object> error = ResultResponseUtil.error(StatusEnum.FORBIDDEN, msg);response.setContentType("application/json;charset=utf-8");String errJson = JSON.toJSONString(error);response.getWriter().write(errJson);}
}
public static String generateSignatureUtils(String data){try{//签名实例Mac sha256HMAC = Mac.getInstance(HMAC_SHA256);SecretKeySpec spec = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), HMAC_SHA256);sha256HMAC.init(spec);byte[] hashBytes = sha256HMAC.doFinal(data.getBytes(StandardCharsets.UTF_8));return Base64.getEncoder().encodeToString(hashBytes);}catch (Exception e){log.error("签名生成失败" + e.getMessage());throw new BusinessException("签名生成失败");}