Webapi token, how the parameter signature is generated (reproduced)

Source: Internet
Author: User

API interface security principles: 1. the identity of the caller; 2. the uniqueness of the request; 3. the request parameters cannot be tampered with; 4. the validity period of the request. In new interface development there may be no explicit security principle for interface calls, but experience tells us that every request should satisfy these principles.

For example, the interface http://127.0.0.1/api/user/list?type=value returns user list information. It must not be possible to obtain that information simply by typing the URL into the address bar (a slightly exaggerated example, since not all data is that easy to get). The basic requirement when writing Web API interfaces is to guarantee the security of the data and the validity of the request.

Here I use three system parameters, token + parameter signature + timestamp, to certify the validity of a request (even if a request is 100% valid, one cannot say it is also 100% safe).

Parameter   Required   Type     Role
token       yes        string   Caller ID: ensures the identity has been certified by the system and identifies the requesting user
sign        yes        string   Signature over the key/value pairs of the interface parameters: prevents parameter tampering and spoofed requests
timestamp   yes        int      Time stamp: prevents replay attacks

So the questions are:

1. How is the token generated? What is its role?

2. How is the parameter signature generated? What is its role?

3. What is the role of the timestamp?

Read this article and you will know how these three system parameters ensure the validity of a request and, to some extent, improve the security of the data.

1. How is the token generated? What is its role?

Token generation: APIs are generally divided into two kinds, APIs accessed directly by the client and APIs that require the user to log in. Here I discuss the latter (the simple, common practice). The user enters a user name and password, the client calls the login API, and the server verifies them against the database. On success a token is generated; on failure the call returns directly. Here the questions come again:

1. How is the token generated?

2. Where is the token stored?

3. How is the token verified?

1. After the credentials are verified successfully we can obtain a unique user ID (the user name also works). Taking the user name zhanglin as an example, encrypt this identity (DES, MD5 or another algorithm; critical data must be encrypted), and the resulting encrypted string can be used as the token.

2. The token must be delivered with every request; a cookie is recommended, or it can be persisted on the client. Now there is an API interface http://127.0.0.1/api/user/list?token=encryptusernamestr, where encryptusernamestr is the encrypted user name returned to the client after a successful login. How the client stores it is not covered here; it is enough to know that the server returns an access token to the client. When the server-side method validates the request it decrypts the token, obtains the string zhanglin, and compares it with the system users (a cache database can be used, caching the token value). If a match exists the request has permission to access the API; otherwise the request is illegal. In code it looks like the following; the code is easy to understand, the point is to get the principle straight.
    [Route("login")]
    public bool Login(string account, string pwd)
    {
        // Look the user up by account name and password
        var obj = db.dbUsers.FirstOrDefault(f => f.account == account && f.pwd == pwd);
        if (obj != null)
        {
            string token = account.DesEncrypt(DesKey); // encrypt the account name to generate the token
            HttpCookie cookie = new HttpCookie(CookieToken, token);
            HttpContext.Current.Response.Cookies.Add(cookie); // save the token in a cookie
            return true;
        }
        else
        {
            return false;
        }
    }
The token is generated after login, based on the user's identity, and placed in a cookie, so that every request the client sends carries the token, as follows:
    [Route("list"), HttpGet]
    public List<string> List(string type, string token)
    {
        // Verify the token: decrypt it and check that the account exists
        var obj = db.dbUsers.FirstOrDefault(p => p.account == token.DesDecrypt(DesKey));
        if (obj != null)
        {
            // Return the data set
        }
        else
        {
            // Illegal request
        }
    }
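The token flow described above (login issues a token derived from the user identity, every request carries it, the server verifies it and then looks the user up), as an added Python example that is not part of the original post. Instead of the post's DES encryption of the user name it uses an HMAC-SHA256 tag with an expiry, because a token that is only a reversible encryption of a known user name can be minted by anyone who obtains the key and never expires; the tag cannot be forged without the server key and the token still carries the identity the server compares against its user table. The key, the user table (standing in for db.dbUsers) and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed for this example: the server-side key and a user table standing in
# for db.dbUsers in the post. A real service loads the key from a secret store and
# stores password hashes, not plaintext passwords.
SERVER_KEY = b"constructed-demo-key-not-for-production"
USERS = {"zhanglin": "correct-horse", "alice": "battery-staple"}
TOKEN_TTL_SECONDS = 3600


def _tag(payload: bytes) -> bytes:
    """Keyed tag over the token payload; only the server holds SERVER_KEY."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def login(account: str, pwd: str, now: Optional[int] = None) -> Optional[str]:
    """Mirror of Login() in the post: return a token on success, None on failure."""
    stored = USERS.get(account)
    if stored is None or not hmac.compare_digest(stored.encode(), pwd.encode()):
        return None
    now = int(time.time()) if now is None else now
    # Payload is the identity plus an expiry; '|' cannot occur in either field.
    payload = f"{account}|{now + TOKEN_TTL_SECONDS}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _tag(payload).hex()


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Mirror of the check at the top of List(): return the account the token
    belongs to, or None for a malformed, tampered, expired or unknown token."""
    now = int(time.time()) if now is None else now
    try:
        b64, tag_hex = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        account, expiry = payload.decode().split("|", 1)
        tag = bytes.fromhex(tag_hex)
        expiry_at = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    # Check the tag before trusting any field, and compare in constant time.
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    if now >= expiry_at:
        return None
    # Same final step as the post: the decoded identity must still be a system user.
    return account if account in USERS else None


def list_users(type_: str, token: str, now: Optional[int] = None) -> Optional[list]:
    """Mirror of List(): data only for a valid token, None for an illegal request."""
    if verify_token(token, now) is None:
        return None
    return sorted(USERS)  # constructed "data set"
```

The token stays self-describing, as in the post, so the server does not need a session store, but because the tag is keyed and the expiry is inside the signed payload, neither the identity nor the lifetime can be changed by the client.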
3. Verification checks that the token is correct; the token is generally cached. The role of the token is to determine whether the request was issued by a system user, and thereby to identify the requesting user.

2. How is the parameter signature generated? What is its role?

Parameter signature (sign): to protect the communication and prevent parameters from being maliciously modified, a sign carried with the request can effectively prevent parameter tampering. So how does sign work? Let's see how it is generated.

Take the interface http://127.0.0.1/api/product?type=zl&p1=value1&p2=value2&p3=&sign=signvalue.

Step 1: collect the parameters, excluding the sign parameter itself and p3 (whose value is empty); the remaining string is type=zl&p1=value1&p2=value2. Then sort by parameter name in ascending order, which gives p1=value1&p2=value2&type=zl.

Step 2: concatenate each parameter name directly with its value, which gives p1value1p2value2typezl. Pay attention to encoding: characters such as " must not appear in the string, so values are transcoded (URL-encoded) before concatenation.

Step 3: DES-encrypt the string. Assuming the DES encryption of p1value1p2value2typezl is abc123, the string abc123 is the value of the sign parameter, signvalue.

Step 4: in the interface we receive the parameter value abc123 and decrypt it to get the string p1value1p2value2typezl, then compare it with the string the interface builds by concatenating the parameters it received. If they differ, either the parameter order is different or a parameter value has been modified.

Summary: 1. The caller and the provider of the interface agree on a single parameter encryption algorithm. 2. The parameter signature is a record of the parameter keys and values; if a parameter is modified it no longer matches the signature, and the request is rejected.

3. What is the role of the timestamp?

In an API request the timestamp is the time at which the client's request was made. This parameter is sent to the server and compared with the server's time; if the interval exceeds the allowed limit, the request is invalid.

In ASP.NET Web API development an MVC filter can be used to intercept the three key parameters above. The following code is implemented in .NET Core; the approach is the same, intercepting before the method is entered, and here the method is a login API. The API result is the class ApiResult.cs, serialized as a JSON object, with two generic methods: Ok for a successful request and Error for a failed one.
    using System;
    using System.Linq;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.Filters;

    public class MyFilterAttribute : Microsoft.AspNetCore.Mvc.Filters.ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext context)
        {
            var requestParam = context.ActionArguments.Values;
            var queryCollection = context.HttpContext.Request.Query;
            string account = string.Empty;
            string password = string.Empty;
            long timespan = 0;
            string signature = string.Empty;
            try
            {
                // Read the expected parameters from the query string
                account = queryCollection.Where(p => p.Key == "Account").Select(f => f.Value).FirstOrDefault().ToString();
                password = queryCollection.Where(p => p.Key == "password").Select(f => f.Value).FirstOrDefault().ToString();
                timespan = long.Parse(queryCollection.Where(p => p.Key == "TimeSpan").Select(f => f.Value).FirstOrDefault().ToString());
                signature = queryCollection.Where(p => p.Key == "signature").Select(f => f.Value).FirstOrDefault().ToString();
            }
            catch (Exception ex)
            {
                var apiResult = ApiResult<bool>.Error("parameter exception " + ex.ToString());
                context.Result = new JsonResult(apiResult);
                return; // setting Result short-circuits the action; do not run the later checks
            }
            //var accountName = context.RouteData.Values["AccountName"].ToString();
            // Difference between the client timestamp and the server clock, in minutes
            // (DateTime ticks are 100 ns, so one minute is 600,000,000 ticks)
            var expiresMinute = (timespan - DateTime.Now.Ticks) / 600000000;
            if (expiresMinute > 10 || expiresMinute < -10)
            {
                var apiModel = ApiResult<bool>.Error("Request timed out " + expiresMinute);
                //var json = JsonConvert.SerializeObject(apiModel);
                JsonResult ret = new JsonResult(apiModel);
                context.Result = ret;
                return;
            }
            var ok = ("account" + account + "password" + password).Contains(signature); // todo: encryption and decryption
            if (ok == false)
            {
                var apiModel = ApiResult<bool>.Error("illegal request");
                JsonResult ret = new JsonResult(apiModel);
                context.Result = ret;
                return;
            }
            base.OnActionExecuting(context);
        }
    }
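The signing procedure (steps 1 to 4), the timestamp window and the checks the filter above performs, as one added Python example that is not part of the original post. It goes slightly beyond the text: HMAC-SHA256 replaces the DES step, so the provider recomputes the signature and compares it in constant time instead of decrypting; the timestamp is included in the signed string so it cannot be refreshed by a third party; and a nonce is added so that a captured request cannot be replayed inside the ten-minute window the filter allows. The shared key, the Verifier class, the nonce parameter and the sample parameter values are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qsl, quote

# Constructed for this example: the key agreed between caller and provider and the
# +/-10 minute window the post's filter uses.
SHARED_KEY = b"constructed-shared-key-not-for-production"
MAX_SKEW_SECONDS = 600


def canonical_string(params: Dict[str, str]) -> str:
    """Steps 1 and 2 of the post: drop 'sign' and empty values, sort by parameter
    name ascending, URL-encode each name and value, and join with no separator."""
    kept = {k: v for k, v in params.items() if k != "sign" and v != ""}
    return "".join(quote(k, safe="") + quote(v, safe="") for k, v in sorted(kept.items()))


def make_sign(params: Dict[str, str], key: bytes = SHARED_KEY) -> str:
    """Step 3, with HMAC-SHA256 in place of the post's DES encryption."""
    return hmac.new(key, canonical_string(params).encode(), hashlib.sha256).hexdigest()


def sign_request(params: Dict[str, str], timestamp: Optional[int] = None,
                 nonce: Optional[str] = None, key: bytes = SHARED_KEY) -> Dict[str, str]:
    """Caller side: add timestamp and nonce, then sign everything. The signature
    therefore covers timestamp and nonce too, so neither can be changed later."""
    signed = dict(params)
    signed["timestamp"] = str(int(time.time()) if timestamp is None else timestamp)
    signed["nonce"] = secrets.token_hex(8) if nonce is None else nonce
    signed["sign"] = make_sign(signed, key)
    return signed


def params_from_query(query: str) -> Dict[str, str]:
    """Parse the query part of a URL such as the post's /api/product?... example."""
    return dict(parse_qsl(query, keep_blank_values=True))


class Verifier:
    """Provider side: the checks the post's filter performs, plus nonce tracking."""

    def __init__(self, key: bytes = SHARED_KEY, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen: Dict[str, int] = {}  # nonce -> time after which it can be forgotten

    def verify(self, params: Dict[str, str], now: Optional[int] = None) -> str:
        """Return 'ok' or the reason the request is rejected."""
        now = int(time.time()) if now is None else now
        try:
            ts = int(params.get("timestamp", ""))
        except ValueError:
            return "parameter exception"
        if abs(now - ts) > self.max_skew:      # the post's "Request timed out"
            return "request timed out"
        nonce = params.get("nonce", "")
        if not nonce:
            return "missing nonce"
        # Forget nonces that are older than the window; they can no longer be replayed
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return "replay"
        expected = make_sign(params, self.key)  # step 4: recompute rather than decrypt
        if not hmac.compare_digest(expected, params.get("sign", "")):
            return "illegal request"
        self.seen[nonce] = now + self.max_skew
        return "ok"
```

Because canonical_string sorts and encodes before signing, a request whose parameters arrive in a different order still verifies, while any changed value, any changed timestamp and any repeated nonce is rejected; the nonce store only needs to hold entries for the length of the window.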

Zhang Lin
Original title: Webapi token, how the parameter signature is generated
Original link: http://blog.csdn.net/kebi007/article/details/72861532
