API接口签名验证实战

news2026/5/24 0:48:19

API接口签名验证实战一、接口签名概述API签名验证是保护接口安全的重要手段防止请求被篡改或伪造。1.1 签名机制原理┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │ 客户端 │ │ 网络 │ │ 服务端 │ ├─────────────────┤ ├─────────────────┤ ├─────────────────┤ │ 1. 构造请求参数 │────▶│ 传输请求 │────▶│ 1. 获取请求参数 │ │ 2. 生成签名 │ │ │ │ 2. 重新生成签名 │ │ 3. 发送请求 │ │ │ │ 3. 验证签名 │ └─────────────────┘ └─────────────────┘ │ 4. 处理请求 │ └─────────────────┘1.2 签名要素要素说明示例AppKey应用标识app001AppSecret应用密钥xxxxxxTimestamp时间戳1704067200Nonce随机数abc123Signature签名结果md5(xxx)二、签名算法实现2.1 签名生成流程public class SignatureUtil { private static final String SIGN_METHOD MD5; private static final String CHARSET UTF-8; public static String generateSignature(MapString, String params, String appSecret) { // 1. 去除sign参数 params.remove(sign); // 2. 按字典序排序 ListString keys new ArrayList(params.keySet()); Collections.sort(keys); // 3. 拼接参数 StringBuilder sb new StringBuilder(); for (String key : keys) { String value params.get(key); if (value ! null !value.isEmpty()) { sb.append(key).append().append(value).append(); } } // 4. 拼接密钥 sb.append(key).append(appSecret); // 5. 计算签名 return md5(sb.toString()); } private static String md5(String input) { try { MessageDigest md MessageDigest.getInstance(SIGN_METHOD); byte[] digest md.digest(input.getBytes(CHARSET)); StringBuilder sb new StringBuilder(); for (byte b : digest) { sb.append(String.format(%02x, b)); } return sb.toString().toUpperCase(); } catch (Exception e) { throw new RuntimeException(MD5 calculation failed, e); } } }2.2 HMAC-SHA256签名public class HmacSignatureUtil { private static final String ALGORITHM HmacSHA256; public static String generateHmacSignature(MapString, String params, String appSecret) { params.remove(sign); ListString keys new ArrayList(params.keySet()); Collections.sort(keys); StringBuilder sb new StringBuilder(); for (String key : keys) { String value params.get(key); if (value ! null !value.isEmpty()) { sb.append(key).append().append(value).append(); } } sb.append(key).append(appSecret); try { Mac mac Mac.getInstance(ALGORITHM); SecretKeySpec keySpec new SecretKeySpec(appSecret.getBytes(), ALGORITHM); mac.init(keySpec); byte[] digest mac.doFinal(sb.toString().getBytes()); return Base64.getEncoder().encodeToString(digest); } catch (Exception e) { throw new RuntimeException(HMAC calculation failed, e); } } }三、签名验证实现3.1 验证过滤器public class SignatureFilter implements Filter { private static final long TIMESTAMP_TOLERANCE 5 * 60 * 1000; // 5分钟 Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) { HttpServletRequest httpRequest (HttpServletRequest) request; HttpServletResponse httpResponse (HttpServletResponse) response; try { // 1. 获取参数 MapString, String params getRequestParams(httpRequest); // 2. 验证时间戳 String timestamp params.get(timestamp); validateTimestamp(timestamp); // 3. 验证随机数 String nonce params.get(nonce); validateNonce(nonce); // 4. 获取AppKey String appKey params.get(appKey); String appSecret getAppSecret(appKey); // 5. 验证签名 String sign params.get(sign); String expectedSign SignatureUtil.generateSignature(params, appSecret); if (!sign.equalsIgnoreCase(expectedSign)) { httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED); httpResponse.getWriter().write(Invalid signature); return; } chain.doFilter(request, response); } catch (Exception e) { httpResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST); } } private void validateTimestamp(String timestamp) { long ts Long.parseLong(timestamp); long now System.currentTimeMillis() / 1000; if (Math.abs(now - ts) TIMESTAMP_TOLERANCE / 1000) { throw new RuntimeException(Invalid timestamp); } } private void validateNonce(String nonce) { if (nonce null || nonce.length() 8) { throw new RuntimeException(Invalid nonce); } } }3.2 Nonce去重public class NonceManager { private final StringRedisTemplate redisTemplate; private static final String PREFIX nonce:; private static final long EXPIRE_SECONDS 5 * 60; // 5分钟 public void validateNonce(String nonce) { String key PREFIX nonce; Boolean exists redisTemplate.hasKey(key); if (Boolean.TRUE.equals(exists)) { throw new RuntimeException(Duplicate nonce); } redisTemplate.opsForValue().set(key, true, EXPIRE_SECONDS, TimeUnit.SECONDS); } }四、请求示例4.1 客户端请求public class ApiClient { private String appKey app001; private String appSecret secret123; public String sendRequest(String url, MapString, Object data) { MapString, String params new HashMap(); params.put(appKey, appKey); params.put(timestamp, String.valueOf(System.currentTimeMillis() / 1000)); params.put(nonce, UUID.randomUUID().toString().replace(-, ).substring(0, 16)); for (Map.EntryString, Object entry : data.entrySet()) { params.put(entry.getKey(), String.valueOf(entry.getValue())); } String sign SignatureUtil.generateSignature(params, appSecret); params.put(sign, sign); // 发送请求... return doPost(url, params); } }4.2 curl示例curl -X POST http://api.example.com/endpoint \ -H Content-Type: application/x-www-form-urlencoded \ -d appKeyapp001 \ -d timestamp1704067200 \ -d nonceabc123def456 \ -d datatest \ -d signA1B2C3D4E5F6五、安全加固5.1 使用HTTPSserver: ssl: enabled: true key-store: classpath:keystore.p12 key-store-password: password key-store-type: PKCS12 key-alias: tomcat5.2 IP白名单public class IpWhitelistFilter implements Filter { private SetString whitelist Set.of( 192.168.1.1, 10.0.0.0/8 ); Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) { String clientIp getClientIp((HttpServletRequest) request); if (!isIpWhitelisted(clientIp)) { ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_FORBIDDEN); return; } chain.doFilter(request, response); } }5.3 频率限制public class RateLimitFilter implements Filter { private final StringRedisTemplate redisTemplate; private static final int MAX_REQUESTS 100; private static final int TIME_WINDOW_SECONDS 60; Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) { String clientIp getClientIp((HttpServletRequest) request); String key rate_limit: clientIp; Long count redisTemplate.opsForValue().increment(key); if (count 1) { redisTemplate.expire(key, TIME_WINDOW_SECONDS, TimeUnit.SECONDS); } if (count MAX_REQUESTS) { ((HttpServletResponse) response).setStatus(429); return; } chain.doFilter(request, response); } }六、签名算法对比算法安全性性能适用场景MD5低高内部系统SHA-1中高一般场景SHA-256高中重要场景HMAC-SHA256高中对外API七、最佳实践7.1 签名规范参数排序按字典序升序排列空值处理忽略空参数编码格式统一使用UTF-8签名格式统一大写或小写7.2 安全建议密钥管理使用密钥管理服务存储密钥定期轮换定期更换AppSecret日志审计记录签名验证失败日志异常监控监控异常签名请求7.3 常见问题问题原因解决方案签名不一致参数顺序不同统一排序规则时间戳过期客户端时间不准增加时间容错Nonce重复请求重放实现Nonce去重八、总结API签名验证是保护接口安全的重要手段选择合适算法根据安全需求选择HMAC-SHA256实现完整验证时间戳、Nonce、签名缺一不可配合其他措施HTTPS、IP白名单、频率限制做好密钥管理使用安全的密钥存储方案通过以上措施可以有效防止接口被篡改和重放攻击。

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.coloradmin.cn/o/2639331.html

如若内容造成侵权/违法违规/事实不符，请联系多彩编程网进行投诉反馈，一经查实，立即删除！