In our system, every web service is protected by a permission check. Recorded here for future reference!

1. Example web service
```java
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.jws.WebService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
@Transactional
@WebService(endpointInterface = "com.mycompany.sms.ws.SmsService",
        targetNamespace = "http://www.mycompany.cn/sms",
        serviceName = "ServiceInstance")
public class SmsServiceImpl implements SmsService {

    private SecretKey secretKey;

    @Autowired
    private SessionManager sessionManager;

    // Hex string converted into the raw key bytes: 16 hex characters,
    // i.e. the 8-byte (64-bit) DES key
    private String hexStr = "3243456789123459";

    public SmsServiceImpl() {
        byte[] hex = SecurityHelper.hexStrToByte(hexStr);
        secretKey = new SecretKeySpec(hex, "DES");
    }

    @Override
    public String login(String account, String password) {
        User user = sessionManager.login(secretKey, account, password);
        return user.getSessionId();
    }

    @Override
    public void logoff(String sessionId) {
        sessionManager.logoff(sessionId);
    }

    @Override
    public boolean sendMessage(String sessionId, String msgNumber, String msgContent) {
        // Permission check: throws if the session is missing or was created with another key
        sessionManager.getUser(secretKey, sessionId);
        // do something... (business logic omitted in the original)
        return true;
    }
}
```
Remarks:
1. The client is given an account and a password. The password is tied to the key held in the web service: it is the DES encryption of the account name, hex-encoded.
2. The client logs in first; the account and password are verified and a sessionId is returned.
3. Every other operation must be passed the sessionId. It is looked up in the session store, and the secretKey stored with the session is compared with the service's own key. Since every session this service creates carries the same key, the comparison always succeeds, and it would only matter if several services with different keys shared one session cache. It seems that this step is useless.
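The login and per-call check described in these remarks, as an added example in Go; this is not the page's Java code and does not use the project's SecurityHelper. It assumes that SecurityHelper.encode is Java's default "DES" transformation (DES/ECB/PKCS5Padding), reuses the page's hex key string, and replaces cacheProvider with an in-memory map and the unseen session-id generation with random bytes. The account "alice" is a constructed input.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyFromHex mirrors SecurityHelper.hexStrToByte: the page's 16 hex
// characters decode to the 8-byte DES key (des.NewCipher rejects other sizes).
func KeyFromHex(h string) ([]byte, error) {
	return hex.DecodeString(h)
}

// desEcbPkcs5 is an assumption about SecurityHelper.encode: Java's default
// "DES" transformation is DES/ECB/PKCS5Padding, reproduced here by hand.
func desEcbPkcs5(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	pad := bs - len(plaintext)%bs
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// DerivePassword is what the login check expects the client to present:
// hex(DES(account)). Anyone holding the key can compute it, so the "password"
// is really proof of possession of the shared key.
func DerivePassword(key []byte, account string) (string, error) {
	ct, err := desEcbPkcs5(key, []byte(account))
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(ct), nil
}

type User struct {
	Account, SessionID string
	SecretKey          []byte
}

// SessionManager keeps sessions in a map, a constructed stand-in for cacheProvider.
type SessionManager struct{ sessions map[string]*User }

func NewSessionManager() *SessionManager {
	return &SessionManager{sessions: map[string]*User{}}
}

func (m *SessionManager) Login(key []byte, account, password string) (*User, error) {
	expected, err := DerivePassword(key, account)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(password)) != 1 {
		return nil, errors.New("Login failed")
	}
	id := make([]byte, 16) // random session id; the page does not show how User makes one
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	u := &User{Account: account, SessionID: hex.EncodeToString(id), SecretKey: append([]byte{}, key...)}
	m.sessions["webservice-session-"+u.SessionID] = u
	return u, nil
}

func (m *SessionManager) Logoff(sessionID string) {
	delete(m.sessions, "webservice-session-"+sessionID)
}

// GetUser is the per-call check: the session must exist and must have been
// created with this service's key.
func (m *SessionManager) GetUser(key []byte, sessionID string) (*User, error) {
	u, ok := m.sessions["webservice-session-"+sessionID]
	if !ok {
		return nil, errors.New("User is not logged in or the login has timed out")
	}
	if subtle.ConstantTimeCompare(key, u.SecretKey) != 1 {
		return nil, errors.New("No permission to call this interface")
	}
	return u, nil
}

func main() {
	key, _ := KeyFromHex("3243456789123459") // the key string from the page
	pw, _ := DerivePassword(key, "alice")
	u, _ := NewSessionManager().Login(key, "alice", pw)
	fmt.Println("session for", u.Account, "is", u.SessionID)
}
```

The sessionId returned by login is a bearer token: whoever presents it passes GetUser, so it should travel only over TLS and be expired by the cache. Because one key is shared by every client, the password proves possession of that key rather than identifying a particular client.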
2. Session management
```java
import java.io.UnsupportedEncodingException;
import javax.crypto.SecretKey;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
public class SessionManager {

    @Autowired
    private CacheProvider cacheProvider;

    public User login(SecretKey secretKey, String account, String password) {
        SecurityHelper securityHelper = new SecurityHelper(secretKey);
        String password2;
        try {
            // The expected password is the DES encryption of the account name, hex-encoded
            password2 = SecurityHelper.byteToHexStr(securityHelper.encode(account.getBytes("UTF-8")));
        } catch (UnsupportedEncodingException e) {
            throw new LoginException(e);
        }
        if (password2.equals(password)) {
            User user = new User(account);
            user.setSecretKey(secretKey.getEncoded());
            addSession(user);
            return user;
        } else {
            throw new LoginException("Login failed");
        }
    }

    public void logoff(String sessionId) {
        removeSession(sessionId);
    }

    private void addSession(User user) {
        cacheProvider.put("webservice-session-" + user.getSessionId(), user);
    }

    private void removeSession(String sessionId) {
        cacheProvider.remove("webservice-session-" + sessionId);
    }

    public User getUser(SecretKey secretKey, String sessionId) {
        User user = (User) cacheProvider.get("webservice-session-" + sessionId);
        if (user == null) {
            throw new WsException("User is not logged in or the login has timed out");
        } else if (!bytesEquals(secretKey.getEncoded(), user.getSecretKey())) {
            throw new WsException("No permission to call this interface");
        } else {
            return user;
        }
    }

    // Element-wise comparison of the two key byte arrays
    // (java.security.MessageDigest.isEqual does the same in constant time)
    private boolean bytesEquals(byte[] bytes1, byte[] bytes2) {
        if (bytes1 == null || bytes2 == null || bytes1.length != bytes2.length) {
            return false;
        }
        for (int i = 0; i < bytes1.length; i++) {
            if (bytes1[i] != bytes2[i]) {
                return false;
            }
        }
        return true;
    }
}
```

Note: cacheProvider is a generic cache interface.

3. Encryption algorithms

Having just seen DES above, here is a brief summary of encryption algorithms:
1. Hashes. MD5, SHA1 and SHA256 are one-way hash algorithms: the original content cannot be recovered from the result, and any change to the content changes the hash value. Their defining property is irreversibility.
2. Symmetric encryption. DES, 3DES and AES use the same key for encryption and decryption. DES is old and insecure; AES is the newest.
3. Asymmetric encryption. RSA and ECC (elliptic curve) use two different keys, one public and one private; what one key encrypts, only the other can decrypt. Encrypting with the public key guarantees that only the holder of the private key can read the content, and encrypting (signing) with the private key guarantees that the content was sent by that holder.
4. The commonly used HTTPS combines the two: asymmetric encryption is used first to transfer a symmetric key, and symmetric encryption then carries the normal content.
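The four points above, carried through in Go as an added example that is not part of the original note: a SHA-256 digest for the hash case, AES-GCM (chosen here in place of the obsolete DES) for symmetric encryption, RSA-OAEP and RSA-PSS for the asymmetric case, and a hybrid envelope for the HTTPS pattern. All names (Digest, AESSeal, AESOpen, Sign, Verify, Envelope, HybridSeal, HybridOpen) are this example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// 1. HASH: one-way; any change to the input yields an unrelated digest.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// 2. Symmetric: the same key encrypts and decrypts. AES-GCM stands in for
// the page's DES (obsolete) and also authenticates the ciphertext.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func AESSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func AESOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil) // fails on any tampering
}

// 3. Asymmetric: encrypt to the public key so only the private-key holder can
// read; sign with the private key so anyone can verify who sent it.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// 4. Hybrid, the HTTPS pattern the note describes: a fresh symmetric key is
// carried under RSA, and the bulk content under that symmetric key.
type Envelope struct{ WrappedKey, Sealed []byte }

func HybridSeal(pub *rsa.PublicKey, content []byte) (Envelope, error) {
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	sealed, err := AESSeal(sessionKey, content)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Sealed: sealed}, nil
}

func HybridOpen(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return AESOpen(sessionKey, env.Sealed)
}

func main() {
	priv, _ := GenerateKeyPair()
	env, _ := HybridSeal(&priv.PublicKey, []byte("normal content"))
	pt, _ := HybridOpen(priv, env)
	fmt.Println(string(pt), Digest(pt)[:16])
}
```

The envelope shows only the principle stated in point 4. In real HTTPS the symmetric key is negotiated by the TLS handshake, and current TLS (1.3) uses ephemeral Diffie-Hellman rather than RSA key transport, so that a later compromise of the server's private key does not expose recorded sessions.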