1.前言
由于这久做了一个乐企数电开票的项目,已经上线了,真的是一言难尽,再回首已经是轻舟已过万重山,接口通过外网暴露给业务方使用,由于业务方的服务是在阿里云上,我的这个服务是在华为云上,所以k8s上的服务只能通过service对外暴露出去给阿里云上的业务侧使用,所以我就有了下面的这个思路,使用ip白名单和sm2对请求body的做解密,响应做加密,只需要把秘钥和加密工具类对给业务侧就可以安全的调用接口,其实在华为云上可以在负载均衡器上配置白名单,只允许阿里云上那几台服务器的ip访问,所以在项目中就不用加这个ip白名单,那如果在没有云的情况下,这个方案也是可以的,安全性更高且可以灵活配置,本文介绍三种方式,至于其它的方式还有很多,毕竟密码学是一门高深的学科,常用的加密算法有MD5,AES(加密在前端使用会被找到秘钥),RSA(文本太长就会有点慢的,这个我之前也试过的,网上也有好多的工具类,去搜几个来调试一下就可以用了,之前搞的那个懒得去找了,后面有时间找一下看看分享一波),SM国密系列的,可以说非常的多,但是常用的就这几种。
2.姿势
2.1 AES
https://www.jianshu.com/p/f9284c3f732c2.2 body参数签名及验签
这种方式只适用于接口数据不重要的情况下使用一个sign的参数,将body中的其它map参数进行排序之后签名,被调用端收掉body中的sign之后,对body中的参数进行验签,这种方式可能判断参数是否被篡改,数据明文传输就类似于裸奔,所以这种方式不推荐使用,安全性太差。
SignUtils工具类代码如下:
package xxx.xxx.xxx.util;import org.apache.commons.lang3.StringUtils;import javax.crypto.Mac;import javax.crypto.spec.SecretKeySpec;import java.nio.charset.StandardCharsets;import java.security.MessageDigest;import java.security.NoSuchAlgorithmException;import java.util.Arrays;import java.util.Map;/*** Description:签名工具类*/public class SignUtils {public static String getSign(Map<String, Object> requestMap, String appKey) {return hmacSHA256Encrypt(requestMap2Str(requestMap), appKey);}private static String hmacSHA256Encrypt(String encryptText, String encryptKey) {byte[] result = null;try {//根据给定的字节数组构造一个密钥,第二参数指定一个密钥算法的名称SecretKeySpec signinKey = new SecretKeySpec(encryptKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256");//生成一个指定 Mac 算法 的 Mac 对象Mac mac = Mac.getInstance("HmacSHA256");//用给定密钥初始化 Mac 对象mac.init(signinKey);//完成 Mac 操作byte[] rawHmac = mac.doFinal(encryptText.getBytes(StandardCharsets.UTF_8));return bytesToHexString(rawHmac);} catch (Exception e) {e.printStackTrace();}return null;}private static String requestMap2Str(Map<String, Object> requestMap) {String[] keys = requestMap.keySet().toArray(new String[0]);Arrays.sort(keys);StringBuilder stringBuilder = new StringBuilder();for (String str : keys) {if (!str.equals("sign")) {stringBuilder.append(str).append(requestMap.get(str).toString());}}return stringBuilder.toString();}public static String bytesToHexString(byte[] bArray) {StringBuffer sb = new StringBuffer(bArray.length);for (byte aBArray : bArray) {String sTemp = Integer.toHexString(255 & aBArray);if (sTemp.length() < 2) {sb.append(0);}sb.append(sTemp.toUpperCase());}return sb.toString();}/*** MD5生成签名字符串** @param str 需签名参数* @return*/public static String md5(String str) {if (StringUtils.isEmpty(str)) {return "";}MessageDigest md5 = null;try {md5 = MessageDigest.getInstance("MD5");byte[] bytes = md5.digest(str.getBytes());String result = "";for (byte b : bytes) {String temp = Integer.toHexString(b & 0xff);if (temp.length() == 1) {temp = "0" + temp;}result += temp;}return result;} catch (NoSuchAlgorithmException e) {e.printStackTrace();}return "";}}
2.3使用sm2 加ip白名单
这个思路是来源于hutool官网:
https://doc.hutool.cn/pages/SmUtil/#%E5%AF%B9%E7%A7%B0%E5%8A%A0%E5%AF%86sm4Bouncy Castle依赖<dependency><groupId>org.bouncycastlegroupId><artifactId>bcpkix-jdk18onartifactId><version>1.78.1version>dependency>
说明
bcprov-jdk18on的版本请前往Maven中央库搜索,查找对应JDK的最新版本。
body中栗子如下:
{"appId":"xxxx",//哪个业务的标识"method":"xxxx",//调用那个方法,被调用端可以将其它接口全部聚合到一个接口上对外暴露出去"encryptStr":"04A51E4C0CA2766B9F382C7D308AB7E8C3DD1E104CAF83D95C72C46154F6D1ACBCD199A4BAC57C9FF9EF9864728BFE20F8568ADDD1C1BD51ECFF24D6F37095091F55AE3A3C1518B308092E8338D4A8BDD87DEC5C68DB6373A0D50709AD82B0FA484CEE169FD7DA7156133E396FAE77E315DE49D7F3F99BE4701B1686763F026412DEA8334123D8A3E186B16B4E806D4E866229029973F34D9A298F715304AEDEE069A6E1CBBF86D3757DC4A02F66EBE7652E64465081313C6242F67687F48D67A29C61F2ED6C115F627DD032331A7F04D1475B3D8A86D640BA8C64E310B4689EFA835943F7C3057B057E5B888A0E87D167EAE2F4028564406C2A08ACF3516453B099A89CE66AF4634079F79E710182E967530ACF1E4D39A349F3083CDD5E05ACB5A866BE49164BD3C26A163ADD8D2BA7ADF499EEAF220B9545B67CE654D80C84E51E02D3975633812B7FFF97E65179FBB13B74D337615E8D04C9C1A534F554DA1F9D626BDC4EE985D9326986A07618EDA24623AE254EA5FC3A32E79443E8ED5F15C8D586D91752AC488CD0600F6509F422A11B7766CD1FA2332BC28B3E676A50985292E6CE6FB7891B358AACAB94C974EA34437DD8154F4CB79B35BA0AE5588562E5F93255FA5BF60742E82EB530E379B7117B12EBFD42B6D2643884FD360350B4AB92D5C11F04D326C1EB8C0674A972755C25B06B73209653A922C2BF0F64EB1750453E4308D6E791BAC903786ECABF493E0B19118AA7A76D8422C1FBDD1191B401FB113551460AE301383A10C23D18994E00FFBB99059B05D31F86F3DDED25C5B45CAB08EDA46FBA357DF5CEBEE9846D81D6A06B308466BE44EB0DD2800A457C8AF698CCBE3D2C0B0D013F830E6F5153BA95EFC10C98597909D9BDE39B14C30B6AEEE274D80A576326D04774C43B84778B2724E2344F54E793487023823FA0F5F6506CBC9E49DD25852D7DD2918AB440EE27975456DF80F65CECC51167929E0B96A4F98D770959166B348F0F202173A5EE7B3D8CED79E8BB4757A877F97D725BED91E07634B45B0E890D860277C15D9ADFA87C2EEDD359D47048BEA1AEF7A568E5F6EFFE9C530C5B67A7C94D67BC2FE3D065C50C2384C786DF637A39E827D2BCE31BD493D8874498C7F75C3F75DA5E8ED300DB9842059D923E9DD136500863121324A909BA3A8"}
IpUtil工具类:
package xxxxx.xxxx.util;import lombok.extern.slf4j.Slf4j;import javax.servlet.http.HttpServletRequest;/*** 常用获取客户端信息的工具*/public final class IpUtil {/*** 获取请求主机IP地址,如果通过代理进来,则透过防火墙获取真实IP地址;** @param request* @return*/public static String getIpAddress(HttpServletRequest request) {// 获取请求主机IP地址,如果通过代理进来,则透过防火墙获取真实IP地址String ip = request.getHeader("X-Forwarded-For");log.info("getIpAddress(HttpServletRequest) - X-Forwarded-For - String ip=" + ip);if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {ip = request.getHeader("Proxy-Client-IP");log.info("getIpAddress(HttpServletRequest) - Proxy-Client-IP - String ip=" + ip);}if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {ip = request.getHeader("WL-Proxy-Client-IP");log.info("getIpAddress(HttpServletRequest) - WL-Proxy-Client-IP - String ip=" + ip);}if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {ip = request.getHeader("HTTP_CLIENT_IP");log.info("getIpAddress(HttpServletRequest) - HTTP_CLIENT_IP - String ip=" + ip);}if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {ip = request.getHeader("HTTP_X_FORWARDED_FOR");log.info("getIpAddress(HttpServletRequest) - HTTP_X_FORWARDED_FOR - String ip=" + ip);}if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {ip = request.getRemoteAddr();log.info("getIpAddress(HttpServletRequest) - getRemoteAddr - String ip=" + ip);}} else if (ip.length() > 15) {String[] ips = ip.split(",");for (int index = 0; index < ips.length; index++) {String strIp = (String) ips[index];if (!("unknown".equalsIgnoreCase(strIp))) {ip = strIp;break;}}}return ip;}}
WhiteIpConfig白名单配置类:
package xxx.xxxx.config;import xxxx.xxxx.IpUtil;import lombok.Data;import org.apache.commons.lang3.StringUtils;import org.springframework.beans.factory.annotation.Value;import org.springframework.cloud.context.config.annotation.RefreshScope;import org.springframework.context.annotation.Configuration;import org.springframework.web.context.request.RequestContextHolder;import org.springframework.web.context.request.ServletRequestAttributes;import javax.servlet.http.HttpServletRequest;import java.util.ArrayList;import java.util.Arrays;import java.util.List;public class WhiteIpConfig {("${whiteIp:192.168.40.60}")private String whiteIp;public List<String> getWhiteIps() {List<String> appIds = new ArrayList<>();if (StringUtils.isNotEmpty(whiteIp)) {String[] split = whiteIp.split(",");appIds = Arrays.asList(split);}return appIds;}public void checkWhiteIp() {HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();List<String> whiteIps = this.getWhiteIps();String ipAddress = IpUtil.getIpAddress(request);if (StringUtils.isEmpty(ipAddress)) {throw new RuntimeException("未获取到请求的ip地址!");}if (!whiteIps.contains(ipAddress)) {throw new RuntimeException("请求ip地址不在ip白名单内,不允许访问!");}}}
还需要对响应的数据进行sm2加密,接收响应端使用密钥对进行解密就可以拿到响应的明文数据了,这种接口就非常的安全。
这里在分享一个采集服务器的ip地址和mac地址的工具类,亲测好用:
NetUtil工具类:
package xxxx.xxxx.util;import lombok.extern.slf4j.Slf4j;import java.net.InetAddress;import java.net.NetworkInterface;import java.net.SocketException;import java.util.ArrayList;import java.util.Enumeration;import java.util.List;public class NetUtil {/*** 此方法描述的是:获得服务器的IP地址** @return*/public static String getLocalIP() {String sIP = "";InetAddress ip = null;try {boolean bFindIP = false;EnumerationnetInterfaces = (Enumeration ) NetworkInterface .getNetworkInterfaces();while (netInterfaces.hasMoreElements()) {if (bFindIP) {break;}NetworkInterface ni = (NetworkInterface) netInterfaces.nextElement();Enumerationips = ni.getInetAddresses(); while (ips.hasMoreElements()) {ip = (InetAddress) ips.nextElement();if (!ip.isLoopbackAddress()&& ip.getHostAddress().matches("(\\d{1,3}\\.){3}\\d{1,3}")) {bFindIP = true;break;}}}} catch (Exception e) {log.error("getLocalIP.ex:{}", e.getMessage());}if (null != ip) {sIP = ip.getHostAddress();}return sIP;}/*** 此方法描述的是:获得服务器的IP地址(多网卡)** @return*/public static ListgetLocalIPS() { InetAddress ip = null;ListipList = new ArrayList (); try {EnumerationnetInterfaces = (Enumeration ) NetworkInterface .getNetworkInterfaces();while (netInterfaces.hasMoreElements()) {NetworkInterface ni = (NetworkInterface) netInterfaces.nextElement();Enumerationips = ni.getInetAddresses(); while (ips.hasMoreElements()) {ip = (InetAddress) ips.nextElement();if (!ip.isLoopbackAddress()&& ip.getHostAddress().matches("(\\d{1,3}\\.){3}\\d{1,3}")) {ipList.add(ip.getHostAddress());}}}} catch (Exception e) {log.error("getLocalIPS.ex:{}", e.getMessage());}return ipList;}/*** 此方法描述的是:获得服务器的MAC地址** @return*/public static String getMacId() {String macId = "";InetAddress ip = null;NetworkInterface ni = null;try {boolean bFindIP = false;EnumerationnetInterfaces = (Enumeration ) NetworkInterface .getNetworkInterfaces();while (netInterfaces.hasMoreElements()) {if (bFindIP) {break;}ni = (NetworkInterface) netInterfaces.nextElement();// ----------特定情况,可以考虑用ni.getName判断// 遍历所有ipEnumerationips = ni.getInetAddresses(); while (ips.hasMoreElements()) {ip = (InetAddress) ips.nextElement();if (!ip.isLoopbackAddress() // 非127.0.0.1&& ip.getHostAddress().matches("(\\d{1,3}\\.){3}\\d{1,3}")) {bFindIP = true;break;}}}} catch (Exception e) {log.error("getMacId.ex1:{}", e.getMessage());}if (null != ip) {try {macId = getMacFromBytes(ni.getHardwareAddress());} catch (SocketException e) {log.error("getMacId.ex2:{}", e.getMessage());}}return macId;}/*** 此方法描述的是:获得服务器的MAC地址(多网卡)** @return*/public static ListgetMacIds() { InetAddress ip = null;NetworkInterface ni = null;ListmacList = new ArrayList (); try {EnumerationnetInterfaces = (Enumeration ) NetworkInterface .getNetworkInterfaces();while (netInterfaces.hasMoreElements()) {ni = (NetworkInterface) netInterfaces.nextElement();// ----------特定情况,可以考虑用ni.getName判断// 遍历所有ipEnumerationips = ni.getInetAddresses(); while (ips.hasMoreElements()) {ip = (InetAddress) ips.nextElement();if (!ip.isLoopbackAddress() // 非127.0.0.1&& ip.getHostAddress().matches("(\\d{1,3}\\.){3}\\d{1,3}")) {macList.add(getMacFromBytes(ni.getHardwareAddress()));}}}} catch (Exception e) {log.error("getMacIds.ex2:{}", e.getMessage());}return macList;}private static String getMacFromBytes(byte[] bytes) {StringBuffer mac = new StringBuffer();byte currentByte;boolean first = false;for (byte b : bytes) {if (first) {mac.append("-");}currentByte = (byte) ((b & 240) >> 4);mac.append(Integer.toHexString(currentByte));currentByte = (byte) (b & 15);mac.append(Integer.toHexString(currentByte));first = true;}return mac.toString().toUpperCase();}public static void main(String[] args) {String localIP = NetUtil.getLocalIP();String macId = NetUtil.getMacId();log.info("localIP:{},macId:{}", localIP, macId);}}
3.总结
本次分享到此结束,希望我的分享对你有所启发和帮助,思路基本上都是大同小异,套路基本上是一个套路,主要是的是姿势,姿势真的很重要,姿势不对努力白费,好久没有写文章了,请尊重作者原创,转载请注明出处,否则发现抄袭直接举报,创作不易,请一键三连,么么么哒!