网站防篡改设备 篡改常识的系统最新章节

什么是Api接口幂等?
简单来说Api接口幂等在有限的时间内限制接口访问请求,限制ip访问次数,不限制平台访问,都可以拿到数据。一个接口不可以重复表单提交,生产一次消费一次。
用户场景:同一时间重复提交多次请求。
什么是数据篡改?
api接口数据篡改,脚本文件,篡改接口参数进行服务器数据窃取,严重的数据篡改会导致数据库宕机,程序软件崩溃。
想到这里都知道后台api接口幂等多重要了吧。今天给大家讲非对称加密实现后台接口api幂等。
实现思路:jwt+ 验证标识+签名密钥+当前时间戳+存放过期时间+AES 实现加密算法token。
实现步骤:1,用户登录成功后,生成加密token存放redis。
2,下次登录检验token 是否过期,过期请重新登录 。
3,用户登录存在有效期,不需要登录 。(这里就是单点登录方式)
code核心实现类:
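import io.jsonwebtoken.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;

import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import java.util.*;
import java.util.stream.Collectors;

/**
 * Issues, resolves and validates the HS512-signed JWTs that carry the authenticated
 * user's name (JWT subject) and its authorities (the {@code "auth"} claim).
 *
 * <p>HS512 is an HMAC, i.e. a <em>symmetric</em> scheme: the same {@code secretKey} both
 * signs and verifies, so every holder of the key can mint tokens.
 *
 * <p>On the wire a token is {@code SysConst.SYS_COMPANY_HEAD + "." + <compact JWS>};
 * {@link #resolveToken(HttpServletRequest)} strips that prefix before the JWS is parsed.
 *
 * <p>Thread-safety: the only mutable state is written once in {@link #init()}; after that
 * the bean is effectively immutable and safe to share.
 */
@Component
public class JWTTokenUtils {

    /** HTTP request header the token is read from. */
    public static final String AUTHORIZATION_HEADER = "x-token";
    /** Request parameter the token is read from when the header does not carry one. */
    public static final String AUTHORIZATION_TOKEN = "x-token";

    private static final Logger logger = LoggerFactory.getLogger(JWTTokenUtils.class);

    /** Name of the JWT claim that holds the comma-joined authorities. */
    private static final String AUTHORITIES_KEY = "auth";
    private static final long MILLIS_PER_DAY = 1000L * 60 * 60 * 24;

    private String secretKey;                              // HMAC signing secret
    private long tokenValidityInMilliseconds;              // lifetime of a plain login
    private long tokenValidityInMillisecondsForRememberMe; // lifetime with "remember me"

    /**
     * Initialises the signing secret and the two token lifetimes (2 days / 7 days).
     */
    @PostConstruct
    public void init() {
        // SECURITY: the HMAC secret is hard-coded in source and is only 16 characters long.
        // Anyone who can read this class (or the repository) can forge valid tokens, and
        // HS512 is meant to use a random key of at least 512 bits. Load the secret from
        // configuration / a secret store and rotate it instead of shipping it in code.
        this.secretKey = "isoftstone.huwei";
        this.tokenValidityInMilliseconds = MILLIS_PER_DAY * 2L;
        this.tokenValidityInMillisecondsForRememberMe = MILLIS_PER_DAY * 7L;
    }

    /**
     * Builds a signed token for {@code authentication}.
     *
     * @param authentication the authenticated principal; its name becomes the JWT subject and
     *     its authorities are joined with {@code ","} into the {@code "auth"} claim
     * @param rememberMe {@code true} selects the longer "remember me" lifetime, anything else
     *     (including {@code null}) the plain-login lifetime
     * @return {@code SysConst.SYS_COMPANY_HEAD + "." + <compact JWS>}
     * @throws NullPointerException if {@code authentication} is {@code null}
     */
    public String createToken(Authentication authentication, Boolean rememberMe) {
        Objects.requireNonNull(authentication, "authentication");
        String authorities = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.joining(","));
        long now = System.currentTimeMillis();
        // Fix: the original branches were swapped — "remember me" received the 2-day
        // lifetime and a plain login the 7-day one.
        long lifetime = Boolean.TRUE.equals(rememberMe)
                ? this.tokenValidityInMillisecondsForRememberMe
                : this.tokenValidityInMilliseconds;
        Date validity = new Date(now + lifetime);
        return SysConst.SYS_COMPANY_HEAD + "." + Jwts.builder()
                .setSubject(authentication.getName())
                .claim(AUTHORITIES_KEY, authorities)
                .setExpiration(validity)
                .signWith(SignatureAlgorithm.HS512, secretKey)
                .compact();
    }

    /**
     * Rebuilds a Spring {@link Authentication} from a token.
     *
     * @param token the compact JWS (already stripped of the company prefix)
     * @return an authenticated {@link UsernamePasswordAuthenticationToken} whose principal is a
     *     {@link User} with the subject as username, an empty password and the token's authorities
     * @throws JwtException if the token cannot be parsed, is expired or its signature is invalid
     */
    public Authentication getAuthentication(String token) {
        logger.info("JWTTokenUtils Start Get User Auth");
        Claims claims = parseClaims(token);
        List<GrantedAuthority> authorities = authoritiesFrom(claims);
        User principal = new User(claims.getSubject(), "", authorities);
        return new UsernamePasswordAuthenticationToken(principal, null, authorities);
    }

    /**
     * Parses a token and returns its subject (the user identifier set by {@link #createToken}).
     *
     * @param token the compact JWS (already stripped of the company prefix)
     * @return the JWT subject
     * @throws JwtException if the token cannot be parsed, is expired or its signature is invalid
     */
    public String getAuthSubject(String token) {
        return parseClaims(token).getSubject();
    }

    /**
     * Extracts the compact JWS from the request: first from the {@value #AUTHORIZATION_HEADER}
     * header, then from the {@value #AUTHORIZATION_TOKEN} parameter. Only values starting with
     * {@code SysConst.SYS_COMPANY_HEAD} are accepted; the prefix up to and including the first
     * {@code '.'} is removed.
     *
     * @param request the current HTTP request
     * @return the compact JWS, or {@code null} when neither location holds a prefixed token
     */
    public String resolveToken(HttpServletRequest request) {
        String headerValue = request.getHeader(AUTHORIZATION_HEADER);
        if (hasCompanyPrefix(headerValue)) {
            return stripCompanyPrefix(headerValue);
        }
        // Fallback: token supplied as a query/form parameter. Tokens in URLs are copied into
        // access logs, browser history and Referer headers, so the header form is preferable.
        String paramValue = request.getParameter(AUTHORIZATION_TOKEN);
        if (hasCompanyPrefix(paramValue)) {
            // Fix: the original computed the offset from the *header* value here, which threw a
            // NullPointerException whenever the header was absent and mis-cut the token otherwise.
            return stripCompanyPrefix(paramValue);
        }
        return null;
    }

    /**
     * Checks that a token parses and carries a valid signature; failures are logged and
     * reported as {@code false} rather than thrown.
     *
     * @param token the compact JWS (already stripped of the company prefix)
     * @return {@code true} if the token is well-formed, unexpired and correctly signed
     */
    public boolean validateToken(String token) {
        try {
            Jwts.parser().setSigningKey(secretKey).parseClaimsJws(token);
            return true;
        } catch (MalformedJwtException e) {
            logger.info("Invalid JWT token.");
            logger.trace("Invalid JWT token trace: {}", e);
        } catch (ExpiredJwtException e) {
            logger.info("Expired JWT token.");
            logger.trace("Expired JWT token trace: {}", e);
        } catch (UnsupportedJwtException e) {
            logger.info("Unsupported JWT token.");
            logger.trace("Unsupported JWT token trace: {}", e);
        } catch (IllegalArgumentException e) {
            logger.info("JWT token compact of handler are invalid.");
            logger.trace("JWT token compact of handler are invalid trace: {}", e);
        } catch (SignatureException e) {
            logger.info("Invalid JWT signature.");
            logger.trace("Invalid JWT signature trace: {}", e);
        }
        return false;
    }

    /** Parses and signature-checks {@code token}, propagating the jjwt exception on failure. */
    private Claims parseClaims(String token) {
        return Jwts.parser().setSigningKey(secretKey).parseClaimsJws(token).getBody();
    }

    /**
     * Converts the {@code "auth"} claim back into authorities. A missing claim yields an empty
     * list instead of a NullPointerException, and empty segments (e.g. a user that had no
     * authorities when the token was minted) are skipped because
     * {@link SimpleGrantedAuthority} rejects blank roles.
     */
    private static List<GrantedAuthority> authoritiesFrom(Claims claims) {
        Object raw = claims.get(AUTHORITIES_KEY);
        if (raw == null) {
            return Collections.emptyList();
        }
        return Arrays.stream(raw.toString().split(","))
                .filter(segment -> !segment.isEmpty())
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.<GrantedAuthority>toList());
    }

    /** True when {@code raw} is non-blank and starts with {@code SysConst.SYS_COMPANY_HEAD}. */
    private static boolean hasCompanyPrefix(String raw) {
        return StringUtils.hasText(raw) && raw.startsWith(SysConst.SYS_COMPANY_HEAD);
    }

    /**
     * Returns everything after the first {@code '.'}, or the whole string when there is none
     * (same cut as the original code). Assumes {@code SysConst.SYS_COMPANY_HEAD} itself contains
     * no {@code '.'} — TODO confirm against SysConst.
     */
    private static String stripCompanyPrefix(String raw) {
        return raw.substring(raw.indexOf('.') + 1);
    }
}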
