Message Authentication Mechanism and Application Analysis
Requirement:
To stay compatible with the authentication used by both the Java team's and the PHP team's systems, and to reduce the risk that comes with exposing the Java gateway's domain name, a request-authentication step has to be inserted at the point where external requests enter the Java system, so that every request is checked for legitimacy before it is served.
Implementation:
Borrow the design of the acl (service-usage authorization) module of RocketMQ (the message middleware).
Process overview
The basic process is laid out as follows:
1 The PHP side and the Java side agree on a key base string and a salt. (The original reasoning is that the salt prevents rainbow-table attacks on the signature string. Strictly, rainbow tables only threaten unkeyed hashes: with a secret HMAC key a signature cannot be precomputed, so what actually protects the scheme is that the key is long, random and never leaves the two systems.)
2 Every request entering the Java side is forwarded by the gateway to Authentication-SERVICE for request authentication.
3 The PHP side computes the signature with the same algorithm (an HMAC, not encryption: the key itself is never transmitted) and calls Authentication-SERVICE, passing the resulting signature along with the request.
4 Authentication-SERVICE recomputes the signature with the same salt, the same key base string and the same algorithm and compares the two values: equal means the check passes, otherwise it fails. The comparison must run in constant time, and the signed data has to cover the request content plus a timestamp or nonce, otherwise a captured signature can be replayed verbatim.
5 On success the Zuul interceptor lets the request through as normal; on failure Zuul returns 403 to the client, signalling that the request was not authenticated.
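The five steps above, worked through end to end as an added example. This is not code from the page, from RocketMQ or from the PHP/Java project described here; both sides run in one JVM so the exchange can be followed in isolation. The class name, the canonical-string layout, the way the key base string and salt are combined, the five-minute clock-skew window and the in-memory nonce set are all assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not code from the page or from RocketMQ. Names and parameters are assumptions.
public class RequestAuthDemo {

    private static final String ALGORITHM = "HmacSHA256";
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L;   // tolerated clock drift (assumption)

    // Step 1: key base string and salt agreed between the PHP and Java teams (constructed values).
    // The page does not say how the two are combined; here the HMAC key is base + ":" + salt.
    static byte[] sharedKey(String keyBase, String salt) {
        return (keyBase + ":" + salt).getBytes(StandardCharsets.UTF_8);
    }

    // The string both sides sign. Binding method, path, body, timestamp and nonce means a captured
    // signature can neither be moved to another request nor replayed later.
    static String canonical(String method, String path, String body, long timestampMs, String nonce) {
        return String.join("\n", method, path, body, Long.toString(timestampMs), nonce);
    }

    // Same construction as AclSigner.sign(): HMAC over the canonical string, Base64 encoded.
    static String sign(String canonical, byte[] key) throws Exception {
        Mac mac = Mac.getInstance(ALGORITHM);
        mac.init(new SecretKeySpec(key, ALGORITHM));
        return Base64.getEncoder().encodeToString(mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8)));
    }

    // Steps 4-5: what Authentication-SERVICE does for each request Zuul forwards. Returns the HTTP
    // status the gateway should answer with. The nonce set is in-memory here; a real deployment would
    // keep it in a shared store with a TTL of MAX_SKEW_MS (assumption).
    static final class Verifier {
        private final byte[] key;
        private final Set<String> seenNonces = new HashSet<>();

        Verifier(byte[] key) { this.key = key; }

        int check(String method, String path, String body, long timestampMs, String nonce,
                  String signature, long nowMs) throws Exception {
            if (Math.abs(nowMs - timestampMs) > MAX_SKEW_MS) return 403;   // stale or future-dated
            byte[] expected = Base64.getDecoder()
                .decode(sign(canonical(method, path, body, timestampMs, nonce), key));
            byte[] given;
            try {
                given = Base64.getDecoder().decode(signature);
            } catch (IllegalArgumentException e) {
                return 403;                                               // not valid Base64
            }
            // Constant-time comparison: String.equals() would leak how many leading bytes matched.
            if (!MessageDigest.isEqual(expected, given)) return 403;
            // Record the nonce only after the signature passed, so a forged request cannot burn a
            // nonce that the legitimate caller is about to use.
            if (!seenNonces.add(nonce)) return 403;                       // replay of an accepted request
            return 200;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = sharedKey("php-java-shared-secret", "2f9c1b");      // constructed
        Verifier auth = new Verifier(key);
        long now = 1_700_000_000_000L;

        // Step 3: the PHP side signs its request. In PHP the equivalent is
        // base64_encode(hash_hmac('sha256', $canonical, $key, true)).
        String body = "{\"orderId\":42}";
        String nonce = "8d1f0c2e";
        String sig = sign(canonical("POST", "/api/order", body, now, nonce), key);

        System.out.println("valid request  -> "
            + auth.check("POST", "/api/order", body, now, nonce, sig, now + 1000));
        System.out.println("tampered body  -> "
            + auth.check("POST", "/api/order", "{\"orderId\":43}", now, nonce, sig, now + 1000));
        System.out.println("replayed nonce -> "
            + auth.check("POST", "/api/order", body, now, nonce, sig, now + 2000));
        System.out.println("expired        -> "
            + auth.check("POST", "/api/order", body, now, "new-nonce", sig, now + MAX_SKEW_MS + 1));
    }
}
```

Only the first call is accepted; the tampered body fails the HMAC comparison, the verbatim resend is caught by the nonce set, and the late request is rejected by the skew check before any HMAC is computed. Because `hash_hmac` with `raw_output = true` returns the same bytes as `Mac.doFinal`, a PHP caller that builds the identical canonical string produces a signature this verifier accepts.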
Out of respect for the people who designed it, here is the idea this borrows from.
PS: the communication authentication between client and broker in RocketMQ itself is implemented with the HMAC algorithm; the relevant source is pasted below:
```java
package org.apache.rocketmq.acl.common;

import java.nio.charset.Charset;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;

public class AclSigner {
    public static final Charset DEFAULT_CHARSET = Charset.forName("UTF-8");
    // Author's note: HmacSHA256 is recommended; Google has published a practical SHA-1 collision
    // (SHAttered). That result does not break HMAC-SHA1, which does not depend on collision
    // resistance, but HmacSHA256 is still the right default for a new design.
    public static final SigningAlgorithm DEFAULT_ALGORITHM = SigningAlgorithm.HmacSHA1;
    private static final int CAL_SIGNATURE_FAILED = 10015;
    private static final String CAL_SIGNATURE_FAILED_MSG =
        "[%s:signature-failed] unable to calculate a request signature. error=%s";

    // Sign a string with the default algorithm and charset.
    public static String calSignature(String data, String key) throws AclException {
        return calSignature(data, key, DEFAULT_ALGORITHM, DEFAULT_CHARSET);
    }

    public static String calSignature(String data, String key, SigningAlgorithm algorithm,
                                      Charset charset) throws AclException {
        return signAndBase64Encode(data, key, algorithm, charset);
    }

    private static String signAndBase64Encode(String data, String key, SigningAlgorithm algorithm,
                                              Charset charset) throws AclException {
        try {
            byte[] signature = sign(data.getBytes(charset), key.getBytes(charset), algorithm);
            return new String(Base64.encodeBase64(signature), DEFAULT_CHARSET);
        } catch (Exception e) {
            String message = String.format(CAL_SIGNATURE_FAILED_MSG, CAL_SIGNATURE_FAILED, e.getMessage());
            throw new AclException("CAL_SIGNATURE_FAILED", CAL_SIGNATURE_FAILED, message, e);
        }
    }

    // The HMAC itself: javax.crypto.Mac keyed with the raw key bytes.
    private static byte[] sign(byte[] data, byte[] key, SigningAlgorithm algorithm) throws AclException {
        try {
            Mac mac = Mac.getInstance(algorithm.toString());
            mac.init(new SecretKeySpec(key, algorithm.toString()));
            return mac.doFinal(data);
        } catch (Exception e) {
            String message = String.format(CAL_SIGNATURE_FAILED_MSG, CAL_SIGNATURE_FAILED, e.getMessage());
            throw new AclException("CAL_SIGNATURE_FAILED", CAL_SIGNATURE_FAILED, message, e);
        }
    }

    // byte[] overloads: same flow, but the data is already a byte array.
    public static String calSignature(byte[] data, String key) throws AclException {
        return calSignature(data, key, DEFAULT_ALGORITHM, DEFAULT_CHARSET);
    }

    public static String calSignature(byte[] data, String key, SigningAlgorithm algorithm,
                                      Charset charset) throws AclException {
        return signAndBase64Encode(data, key, algorithm, charset);
    }

    private static String signAndBase64Encode(byte[] data, String key, SigningAlgorithm algorithm,
                                              Charset charset) throws AclException {
        try {
            byte[] signature = sign(data, key.getBytes(charset), algorithm);
            return new String(Base64.encodeBase64(signature), DEFAULT_CHARSET);
        } catch (Exception e) {
            String message = String.format(CAL_SIGNATURE_FAILED_MSG, CAL_SIGNATURE_FAILED, e.getMessage());
            throw new AclException("CAL_SIGNATURE_FAILED", CAL_SIGNATURE_FAILED, message, e);
        }
    }
}
```
The methods above do the signing and the Base64 encoding of the signature; the code is unchanged and was copied from the official repository.
This is recorded here as a reference; the rest is left for readers to explore on their own.