asp.net mvc webapi 实用的接口加密方法示例
在很多项目中,因为webapi是对外开放的,这个时候,我们就要得考虑接口交换数据的安全性。 安全机制也比较多,如andriod与webapi 交换数据的时候,可以走双向证书方法,但是开发成本比较大, 今天我们不打算介绍这方面的知识,我们说说一个较简单也较常见的安全交换机制 在这里要提醒读者,目前所有的加密机制都不是绝对的安全! 我们的目标是,任何用户或者软件获取到我们的webapi接口url后用来再次访问该地址都是无效的! 达到这种目标的话,我们必须要在url中增加一个时间戳,但是仅仅如此还是不够,用户可以修改我们的时间戳! 因此我们可以对时间戳 进行MD5加密,但是这样依然不够,用户可以直接对我们的时间戳md5的哦,因些需要引入一个绝对安全 的双方约定的key,并同时加入其它参数进行混淆! 注意:这个key要在app里和我们的webapi里各保存相同的一份! 于是我们约定公式: 加密结果=md5(时间戳+随机数+key+post或者get的参数) 下面我们开始通过上述公式写代码: 于由我的环境是asp.net mvc 的,所以重写一个加密类ApiSecurityFilter 1、获取参数 if (request.Headers.Contains("timestamp")) timestamp = HttpUtility.UrlDecode(request.Headers.GetValues("timestamp").FirstOrDefault()); if (request.Headers.Contains("nonce")) nonce = HttpUtility.UrlDecode(request.Headers.GetValues("nonce").FirstOrDefault()); if (request.Headers.Contains("signature")) signature = HttpUtility.UrlDecode(request.Headers.GetValues("signature").FirstOrDefault()); if (string.IsNullOrEmpty(timestamp) || string.IsNullOrEmpty(nonce) || string.IsNullOrEmpty(signature)) throw new SecurityException(); 2、判断时间戳是否超过指定时间 double ts = 0; bool timespanvalidate = double.TryParse(timestamp,out ts); bool falg = (DateTime.UtcNow - new DateTime(1970,1,0)).TotalMilliseconds - ts > 60 * 1000; if (falg || (!timespanvalidate)) throw new SecurityException(); 3、POST/DELETE/UPDATE 三种方式提取参数 case "POST": case "PUT": case "DELETE": Stream stream = HttpContext.Current.Request.InputStream; StreamReader streamReader = new StreamReader(stream); sortedParams = new SortedDictionary<string,string>(new JsonSerializer().Deserialize<Dictionary<string,string>>(new JsonTextReader(streamReader))); break; 4、GET 方式提取参数 case "GET": IDictionary<string,string> parameters = new Dictionary<string,string>(); foreach (string key in HttpContext.Current.Request.QueryString) { if (!string.IsNullOrEmpty(key)) { parameters.Add(key,HttpContext.Current.Request.QueryString[key]); } } sortedParams = new SortedDictionary<string,string>(parameters); break; 5、排序上述参数并拼接,形成我们要参与md5的约定公式中的第四个参数 StringBuilder query = new StringBuilder(); if (sortedParams != null) { foreach (var sort in sortedParams.OrderBy(k => k.Key)) { if (!string.IsNullOrEmpty(sort.Key)) { query.Append(sort.Key).Append(sort.Value); } } data = query.ToString().Replace(" ",""); } 6、开始约定公式计算结果并对比传过的结果是否一致 var md5Staff = Seedwork.Utils.CharHelper.MD5(string.Concat(timestamp + nonce + staffId + data),32); if (!md5Staff.Equals(signature)) throw new SecurityException(); 完整的代码如下: public class ApiSecurityFilter : ActionFilterAttribute { public override void OnActionExecuting(HttpActionContext actionContext) { var request = actionContext.Request; var method = request.Method.Method; var staffId = "^***********************************$"; string timestamp = string.Empty,nonce = string.Empty,signature = string.Empty; if (request.Headers.Contains("timestamp")) timestamp = request.Headers.GetValues("timestamp").FirstOrDefault(); if (request.Headers.Contains("nonce")) nonce = request.Headers.GetValues("nonce").FirstOrDefault(); if (request.Headers.Contains("signature")) signature = request.Headers.GetValues("signature").FirstOrDefault(); if (string.IsNullOrEmpty(timestamp) || string.IsNullOrEmpty(nonce) || string.IsNullOrEmpty(signature)) throw new SecurityException(); double ts = 0; bool timespanvalidate = double.TryParse(timestamp,0)).TotalMilliseconds - ts > 60 * 1000; if (falg || (!timespanvalidate)) throw new SecurityException("timeSpanValidate"); var data = string.Empty; IDictionary<string,string> sortedParams = null; switch (method.ToUpper()) { case "POST": case "PUT": case "DELETE": Stream stream = HttpContext.Current.Request.InputStream; StreamReader streamReader = new StreamReader(stream); sortedParams = new SortedDictionary<string,string>>(new JsonTextReader(streamReader))); break; case "GET": IDictionary<string,string>(parameters); break; default: throw new SecurityException("defaultOptions"); } StringBuilder query = new StringBuilder(); if (sortedParams != null) { foreach (var sort in sortedParams.OrderBy(k => k.Key)) { if (!string.IsNullOrEmpty(sort.Key)) { query.Append(sort.Key).Append(sort.Value); } } data = query.ToString().Replace(" ",""); } var md5Staff = Seedwork.Utils.CharHelper.MD5(string.Concat(timestamp + nonce + staffId + data),32); if (!md5Staff.Equals(signature)) throw new SecurityException("md5Staff"); base.OnActionExecuting(actionContext); } public override void OnActionExecuted(HttpActionExecutedContext actionExecutedContext) { base.OnActionExecuted(actionExecutedContext); } } 7、最后在asp.net mvc 里加入配置上述类 public static class WebApiConfig { public static void Register(HttpConfiguration config) { // Web API configuration and services config.Filters.Add(new ApiSecurityFilter()); config.Filters.Add(new ApiHandleErrorAttribute()); // Web API routes config.MapHttpAttributeRoutes(); config.Routes.MapHttpRoute( name: "DefaultApi",routeTemplate: "api/{controller}/{id}",defaults: new { id = RouteParameter.Optional } ); } } 8、添加写入日志类 public class ApiHandleErrorAttribute: ExceptionFilterAttribute { /// <summary> /// add by laiyunba /// </summary> /// <param name="filterContext">context oop</param> public override void OnException(HttpActionExecutedContext filterContext) { LoggerFactory.CreateLog().LogError(Messages.error_unmanagederror,filterContext.Exception); } } 9、利用微信小程序测试接口 var data = { UserName: username,Password: password,Action: 'Mobile',Sms: '' }; var timestamp = util.gettimestamp(); var nonce = util.getnonce(); if (username && password) { wx.request({ url: rootUrl + '/api/login',method: "POST",data: data,header: { 'content-type': 'application/json','timestamp': timestamp,'nonce': nonce,'signature': util.getMD5Staff(data,timestamp,nonce) },success: function (res) { if (res.data) { 1)其中getMD5Staff函数: function getMD5Staff(queryData,nonce) { var staffId = getstaffId();//保存的key与webapi同步 var data = dictionaryOrderWithData(queryData); return md5.md5(timestamp + nonce + staffId + data); } 2)dictionaryOrderWithData函数: function dictionaryOrderWithData(dic) { //eg {x:2,y:3,z:1} var result = ""; var sdic = Object.keys(dic).sort(function (a,b) { return a.localeCompare(b) }); var value = ""; for (var ki in sdic) { if (dic[sdic[ki]] == null) { value = "" } else { value = dic[sdic[ki]]; } result += sdic[ki] + value; } return result.replace(/s/g,""); } (编辑:大庆站长网) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |
- asp.net-mvc – 依赖注入和ASP.Net成员提供程序
- asp.net – ASP.NET中的“关键字不支持:”错误
- asp.net – 如何检查SQL Server代理是否正在运行
- asp.net-mvc – 有没有办法重命名RequestVerificationToken
- ASP.NET Core中调整HTTP请求大小的几种方法详解
- asp.net – 如何以编程方式从LDAP检索信息
- asp.net-mvc – RequireHttps导致Amazon Elastic Load Bala
- asp.net – Dropzone没有绑定到模型
- ASP.Net WebAPI与Ajax进行跨域数据交互时Cookies数据的传递
- 过滤ASP.NET Core API中的属性