一、接口的安全性
- 1、防偽裝攻擊
- 處理方式:接口防刷
- 出現(xiàn)的的情況:公共網(wǎng)絡(luò)環(huán)境中,第三方有意或者惡意調(diào)用我們的接口
- 2、防篡改攻擊
- 處理方式:簽名機(jī)制
- 出現(xiàn)情況:請(qǐng)求頭/查詢字符串/內(nèi)容 在傳輸中來修改其內(nèi)容
- 3、防重放攻擊
- 處理方式:接口時(shí)效性
- 出現(xiàn)情況:請(qǐng)求被截獲,稍后被重放或多次重放
- 4、防止止數(shù)據(jù)信息泄露
- 處理方式:接口加密(對(duì)稱加解密)
- 出現(xiàn)情況:截獲用戶登錄請(qǐng)求,主要是截獲賬號(hào)密碼
二、實(shí)現(xiàn)自定義的注解
import JAVA.lang.Annotation.Documented;import java.lang.annotation.Retention;import java.lang.annotation.RetentionPolicy;import java.lang.annotation.Target;import static java.lang.annotation.ElementType.METHOD;@Retention(RetentionPolicy.RUNTIME)@Target(METHOD)@Documentedpublic @interface RateLimit {String cycle() default "5"; //請(qǐng)求等待的時(shí)間String number() default "1"; //短時(shí)間內(nèi)多少次的請(qǐng)求String msg() default "請(qǐng)求繁忙,請(qǐng)稍后點(diǎn)擊";
三、切面代碼的實(shí)現(xiàn)
import com.south.wires.config.annotation.RateLimit;import com.south.wires.result.JsonResult;import lombok.extern.slf4j.Slf4j;import org.aspectj.lang.ProceedingJoinPoint;import org.aspectj.lang.Signature;import org.aspectj.lang.annotation.Around;import org.aspectj.lang.annotation.Aspect;import org.aspectj.lang.reflect.MethodSignature;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.data.redis.core.RedisTemplate;import org.springframework.data.redis.core.script.DefaultRedisScript;import org.springframework.data.redis.serializer.StringRedisSerializer;import org.springframework.stereotype.Component;import org.springframework.web.context.Request.RequestContextHolder;import org.springframework.web.context.request.ServletRequestAttributes;import javax.servlet.http.HttpServletRequest;import java.lang.reflect.Method;import java.util.Collections;@Slf4j@Aspect@Componentpublic class RateLimitAspect {@Autowiredprivate RedisTemplate redisTemplate;@Around("@annotation(com.xxx.xxx.config.annotation.RateLimit)")public JsonResult around(ProceedingJoinPoint joinPoint) throws Throwable {// 業(yè)務(wù)方法執(zhí)行之前設(shè)置數(shù)據(jù)源...Boolean pass=doingSomthingBefore(joinPoint);Object result;if(pass){// 執(zhí)行業(yè)務(wù)方法result =joinPoint.proceed();}else{// 業(yè)務(wù)方法執(zhí)行之后清除數(shù)據(jù)源設(shè)置...result=doingSomthingAfter(joinPoint);//自定義的返回值的類型return JsonResult.success(result);private boolean doingSomthingBefore(ProceedingJoinPoint joinPoint) throws NoSuchMethodException {// 接收到請(qǐng)求,記錄請(qǐng)求內(nèi)容ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();HttpServletRequest request = attributes.getRequest();String ip = request.getRemoteAddr();String uri = request.getRequestURI();// 記錄下請(qǐng)求內(nèi)容log.info("請(qǐng)求類型 :" + request.getMethod() + " " + "請(qǐng)求URL : " + request.getRequestURL());log.info("請(qǐng)求IP : " + request.getRemoteAddr());log.info("請(qǐng)求方法 : " + joinPoint.getSignature().getDeclaringTypeName() + "." + joinPoint.getSignature().getName());Method targetMethod=getTargetMethod(joinPoint);return selectLimit(ip, uri,targetMethod);private Method getTargetMethod(ProceedingJoinPoint joinPoint) throws NoSuchMethodException {//獲取目標(biāo)對(duì)象對(duì)應(yīng)的字節(jié)碼對(duì)象Class targetCls=joinPoint.getTarget().getClass();//獲取方法簽名信息從而獲取方法名和參數(shù)類型Signature signature=joinPoint.getSignature();//將方法簽名強(qiáng)轉(zhuǎn)成MethodSignature類型,方便調(diào)用MethodSignature ms= (MethodSignature)signature;return targetCls.getDeclaredMethod(ms.getName(),ms.getParameterTypes());private String doingSomthingAfter(ProceedingJoinPoint joinPoint) throws NoSuchMethodException {System.out.println("開始后");//獲取方法上的自定義RateLimit注解RateLimit rateLimit=getTargetMethod(joinPoint).getAnnotation(RateLimit.class);return rateLimit.msg();private static final String SCRIPT = "local limit = tonumber(ARGV[1]);"// 限制次數(shù)+ "local expire_time = ARGV[2];"// 過期時(shí)間+ "local result = redis.call('setNX',KEYS[1],1);"// key不存在時(shí)設(shè)置value為1,返回1、否則返回0+ "if result == 1 then"// 返回值為1,key不存在此時(shí)需要設(shè)置過期時(shí)間+ " redis.call('expire',KEYS[1],expire_time);"// 設(shè)置過期時(shí)間+ " return 1; "// 返回1+ "else"// key存在+ " if tonumber(redis.call('GET', KEYS[1])) >= limit then"// 判斷數(shù)目比對(duì)+ " return 0;"// 如果超出限制返回0+ " else" //+ " redis.call('incr', KEYS[1]);"// key自增+ " return 1 ;"// 返回1+ " end "// 結(jié)束+ "end";// 結(jié)束public Boolean selectLimit(String ip, String url,Method targetMethod) {String key = "custom:rate" + ip + ":" + url;StringRedisSerializer stringRedisSerializer = new StringRedisSerializer();redisTemplate.setValueSerializer(stringRedisSerializer);redisTemplate.setKeySerializer(stringRedisSerializer);DefaultRedisScript defaultRedisScript = new DefaultRedisScript<>(SCRIPT);defaultRedisScript.setResultType(Boolean.class);Boolean execute = null;try {RateLimit rateLimit=targetMethod.getAnnotation(RateLimit.class);execute = (Boolean) redisTemplate.execute(defaultRedisScript, Collections.singletonList(key), rateLimit.number(),rateLimit.cycle());} catch (Exception ex) {ex.printStackTrace();if (!execute) {return false;return true;
四、控制層添加相應(yīng)的注解
@RateLimit@ResponseBody@RequestMApping("testRateLimit")public Object test2(){System.out.println("執(zhí)行檢索");return "請(qǐng)求成功";
控制層代碼執(zhí)行
接口請(qǐng)求執(zhí)行成功
接口請(qǐng)求失敗
