How to make Web project exposed services indestructible?

Read Catalogue

• 1. Specific Business processes
• 2. Access to service security assurance first practice
• 3. Access to service instant guarantee first practice

WEB projects are generally used for specific people, some are internal systems with less than 1K of local area network users, and some WAN users tens of thousands of medium-sized projects, of course, users hundreds of billions of large projects.

These large and small Web projects will have the presence of a user login, login with specific permissions, access to specific resources.

Users who are not logged on have no access to system resources, and this feature is usually limited by a Filter.

A free-service configuration in Filter allows users to access specific resources without logging in.

User authentication and authorization can be based on open source third-party frameworks, such as shiro,spring Security ....

The simple implementation of inheriting javax.servlet.Filter interfaces in small projects is also a viable option.

Some of the services encountered in recent projects require users to operate on other mobile devices without logging on.

How do you ensure that exposed services are indestructible?

This article borrowed a similar demand for the realization, to share in the practice encountered problems and solutions, only as a point of use, if there is anything wrong in the text, but also hope that the spectators master Pat bricks.

Back to top of 1. Specific business processes

Because the service is operated on top of other mobile devices without a user logged on outside the system.

The author here "Indestructible" is mainly refers to access to the backend Service before the two times guarantee.

1. Guarantee the security of the service, only to the right person, and the transmission parameters can not be easily accessible to others.

2. Guarantee the immediacy of the service, each generated access link, only for a limited period of time to provide services, to prevent others from intercepting the connection, at any time on the user's resources to operate.

Back to top of 2. Access to service security assurance first practice

Access to the security of the link, the first when it will think of the link after the parameter encryption.

There are many ways to encrypt, first of all to rule out irreversible encryption (MD5, SHA, HMAC ...). After all, after decryption, it is necessary to use parameters as a basis for operation.

OK, then consider bidirectional encryption, because it is the same system plus decryption, personally think it is not necessary to use asymmetric encryption algorithm.

Finally, the eyes locked in the symmetric encryption, using the public key for encryption and decryption (BASE64 is really a little low, directly erased).

Commonly used symmetric encryption (DES, Idea, RC2, RC4, skipjack, RC5, AES. ), select the appropriate algorithm according to the project requirements or your preference.

As for the implementation of cryptographic algorithms, I do not find third-party open source projects, using the JDK JCE framework package.

If you are interested in the algorithm implementation in JCE, you can read the source code.

Specific business symmetry plus decryption tool class implementation:

View CodeBack to top of 3. Initial practice of accessing service instant guarantee

As described above, only a simple guarantee of the security of the link, not yet meet the current project requirements.

You also need to have each generated access link, which can only be served for a limited period of time, to prevent others from intercepting the connection, and to manipulate the user's resources at any time.

Specific sequence diagram:

Append system current Timestamp parameter:

public static string Encrypt (string Parm1, String pam2) {        string resstr = null;        try {            encryptiondecryption des = new encryptiondecryption ("defined public key");            if (Stringutil.isnotempty (PARM1) && stringutil.isnotempty (pam2)) {                resstr = Des.encrypt (Parm1 + "," + Pam2 + " , "+ Dateformatutils.format (new Date ()," yyyymmddhhmm "));            }        } catch (Exception e) {            e.printstacktrace ();        }        return resstr;    }

The smallest granularity in the project can be judged by the minute, and of course you can adjust the timestamp granularity to the second or millisecond level depending on your specific needs.

Contract public key decryption for expired validation:

 private Boolean hasinvalidrequest (String param) {encryptiondecryption encryptiondecryption = new Encrypti        Ondecryption ("defined public key");                String requestdate = Encryptiondecryption.decrypt (param). Split (",") [5];        if (Requestdate.length ()! =) {return boolean.true;        } Date Nowdate = new Date ();        int NOWTIME_YYYYMMDD = Integer.parseint (Dateformatutils.format (nowdate, "yyyyMMdd"));        int REQUESTTIME_YYYYMMDD = integer.parseint (requestdate.substring (0, 8));        if (Nowtime_yyyymmdd > Requesttime_yyyymmdd) {return boolean.true;        } int nowtime_hhmm = Integer.parseint (Dateformatutils.format (nowdate, "HHmm"));        int requesttime_hhmm = Integer.parseint (requestdate.substring (8));        if (Nowtime_hhmm-requesttime_hhmm > Configutil.getconfig ("Valid_request_time")) {return boolean.true;    } return boolean.false; }

Judge the length, judge the day, judge seconds, here to Int did not use float contrast reason, one is not good control, the other is the code is not concise.

Effective time interval, placed in the configuration file, because here is the sensitive point of demand changes, unified configuration, code is not moving, easy to manage.

How to make Web project exposed services indestructible?