添加校验

WebContent/WEB-INF/web.xml

@@ -57,7 +57,7 @@
         <filter-class>com.ejweb.core.filter.BasicVerifyFilter</filter-class>
         <init-param>
             <param-name>excludedPages</param-name>
-            <param-value>*</param-value>
+            <param-value>app</param-value>
         </init-param>
     </filter>
     <filter-mapping>

resources/ejweb.properties

@@ -67,7 +67,7 @@ seat.default.photo=images/user/avatar/seat_avatar.png
 # Sign Private Key(Default FvNMhdkN5eTsgAfU2YHGJ2RfpKVi3omn)
 content.sign.private.key=FvNMhdkN5eTsgAfU2YHGJ2RfpKVi3omn
 # Verify Post Content Sign(Default true)
-is.verify.content.sign=false
+is.verify.content.sign=true
 # \u9996\u822A\u63A5\u53E3\u57FA\u672C\u5730\u5740
 jdair.api.base.url=https://dsp.jdair.net
 jdair.api.base.param=ai.cc=7&ai.cp=10.68.26.52

src/com/ejweb/core/filter/BasicVerifyFilter.java

@@ -116,7 +116,7 @@ public class BasicVerifyFilter implements Filter {
             if (baseBean.getAppCode() != null) { // 基本必要参数验证通过
                 message = "签名验证不匹配";
                 if (GConstants.IS_VERIFY_CONTENT_SIGN == false
-                        || GlobalUtil.verify(content, GConstants.SIGN_PRIVATE_KEY, sign)) {// 签名验证通过
+                        || GlobalUtil.verifySign(content, GConstants.SIGN_PRIVATE_KEY, sign)) {// 签名验证通过
                     filterChain.doFilter(request, response);
                     return;
                 }

src/com/ejweb/core/security/GlobalUtil.java

@@ -4,6 +4,8 @@ import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 
 public class GlobalUtil {
 
@@ -16,7 +18,20 @@ public class GlobalUtil {
     public static boolean verify(String data, String privateKey, String sign) {
         try {
             String mSign = getParamsSignStr(privateKey, data);
-            if(mSign == null || sign == null)
+            if (mSign == null || sign == null)
+                return true;
+            mSign = URLDecoder.decode(mSign, "UTF-8");
+            return mSign.equals(sign);
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+        return false;
+    }
+
+    public static boolean verifySign(String data, String privateKey, String sign) {
+        try {
+            String mSign = getParamsSign(privateKey, data);
+            if (mSign == null || sign == null)
                 return true;
             mSign = URLDecoder.decode(mSign, "UTF-8");
             return mSign.equals(sign);
@@ -35,7 +50,24 @@ public class GlobalUtil {
 
     /**
      * 获取加密后的字符串
-     *
+     */
+    public static String getParamsSign(String key, String paramsStr) {
+        if (key == null || paramsStr == null) {
+            return "";
+        }
+//        String signedString = JSON.toJSONString(paramsStr);
+        String signedStr = getSHA256(paramsStr + key);
+//            String signedStr1 = base64(signedStr.getBytes("UTF-8"));
+        return signedStr;
+//        try {
+//        } catch (UnsupportedEncodingException e) {
+//            e.printStackTrace();
+//        }
+//        return "";
+    }
+
+    /**
+     * 获取加密后的字符串
      */
     public static String getParamsSignStr(String key, String paramsStr) {
         if (key == null || paramsStr == null) {
@@ -54,10 +86,8 @@ public class GlobalUtil {
     /**
      * HMACSHA1加密
      *
-     * @param key
-     *            加密使用的key
-     * @param strByte
-     *            待加密的数据
+     * @param key     加密使用的key
+     * @param strByte 待加密的数据
      * @return 生成MD5编码的字符串
      */
 
@@ -80,14 +110,55 @@ public class GlobalUtil {
      * base64加密
      */
     public static String base64(byte[] val) {
-        if (val == null)
+        if (val == null) {
             return null;
-        else
+        } else {
             return Base64.encode(val);
         }
+    }
 
-    public static void main(String[] args) {
+    /**
+     *     * 利用java原生的类实现SHA256加密
+     *     * @param str 加密后的报文
+     *     * @return
+     *     
+     */
+    public static String getSHA256(String str) {
+        MessageDigest messageDigest;
+        String encodeStr = "";
+        try {
+            messageDigest = MessageDigest.getInstance("SHA-256");
+            messageDigest.update(str.getBytes("UTF-8"));
+            encodeStr = byte2Hex(messageDigest.digest());
+        } catch (NoSuchAlgorithmException e) {
+            e.printStackTrace();
+        } catch (UnsupportedEncodingException e) {
+            e.printStackTrace();
+        }
+        return encodeStr;
+    }
 
+    /**
+     *     * 将byte转为16进制
+     *     * @param bytes
+     *     * @return
+     *     
+     */
+    private static String byte2Hex(byte[] bytes) {
+        StringBuffer stringBuffer = new StringBuffer();
+        String temp = null;
+        for (int i = 0; i < bytes.length; i++) {
+            temp = Integer.toHexString(bytes[i] & 0xFF);
+            if (temp.length() == 1) {
+//1得到一位的进行补0操作
+                stringBuffer.append("0");
+            }
+            stringBuffer.append(temp);
+        }
+        return stringBuffer.toString();
+    }
+
+    public static void main(String[] args) {
         //{"shop_code":"ringpu","user_code":"","role_code":"","user_channel":"1002","sub_channel":"AGENCY","version_name":"0.9","password":"111111","telephone":"13752653287"}
         String param = "{\"appCode\":\"30007\",\"appkey\":\"\",\"versionName\":\"6.0.0\",\"platform\":\"Android\",\"deviceToken\":\"deviceToken\",\"language\":\"zh_CN\",email : '123@qwe.com',name : 'name', keywords : '天津', staffAccounts : ['794089036222300160', 'seat791537198252023808']}";
         String sign = GlobalUtil.getParamsSignStr("FvNMhdkN5eTsgAfU2YHGJ2RfpKVi3omn", param);