Java servlet mobile app access interface (I): data encryption and transmission verification

The previous essays on servlets covered the basic usage of servlets. The next articles will focus on the mobile app access interface: MD5 encrypted transmission --> SMS verification --> mobile push --> sharing --> Baidu cloud --> payment and other third-party services. As I am a novice, I am writing while learning. I hope you will understand my shortcomings.

Today's article mainly covers encrypting the data transmitted to a Java servlet and how the client's request parameters are combined, along with the problems I ran into along the way and their solutions.

Once a mobile access interface is published, whatever language it is written in, we should take corresponding security measures. Otherwise, once people know your URL, they will intercept the client's request and modify the submitted parameters, which will cause great losses. The most common approach when writing interfaces with servlets is to encrypt the transmitted data; for a .NET web service, certificate matching is also involved.

1. Encryption and implementation of request data parameters.

For encryption here I use 32-bit MD5, which is an irreversible encryption. That way, even if a request is intercepted by hackers, they cannot decrypt our MD5 value back into the string we combined before encrypting. Of course, this is not absolute. It seems that some computer experts deciphered the MD5 encryption method a few years ago, but I think the technique may not be published at will, and even if it is published, ordinary people will not understand it. Otherwise, if you asked programmers whether they were still using MD5 encryption, the answer would be no.

1. First, let me talk about how my request parameters are combined. Because MD5 encryption is involved, we must return two tokens to the user after the user logs in to their account in the app. The first token is the unique value representing the user's identity. This token must be added to the request parameters (whether it takes part in the encryption is up to you; in my case it does), because the servlet uses it to look up the user's encryption token. The second token is used to compute the MD5 value. This token must not be added to the request parameters. Both tokens must be saved in the database, because after the user calls the interface, the servlet reads the user token from the parameters, looks up the token required for MD5 encryption in the database, adds the retrieved encryption token to the string passed by the user, and performs MD5 encryption again. It then compares its own MD5 value with the MD5 value passed by the user. If they differ, there are two possible reasons: the string was combined incorrectly on the servlet side, or the user's data was intercepted and modified in transit. Both tokens are generated with the Java UUID, which should produce a unique value. The generation method is very simple. Here is the code

The following is the Java MD5 32-bit encryption method

The following compares the encryption result the servlet computes after obtaining the parameters with the encryption result sent by the user. If they are the same, the request is OK; otherwise the request parameter values may have been modified

Above are the encapsulated methods called by the servlet; below is all the calling code on the servlet page

1. Requested URL

What I pass here is a dictionary converted to JSON, that is, key-value pairs. Only one request parameter is used. The idtoken in the parameter is the user token; its value, which I added arbitrarily in the database, is 123456

I didn't use a UUID. Of course, a formal deployment would not do it this way.

http://localhost:8080/JAVAServletTest/2.jsp?parameter={"parameter":"{\"idtoken\":\"123456\",\"PWD\":\"Chinese character\",\"account\":\"hang\"}","md5str":"672f4a8c6fb92103c01d4275e46df790"}

The following is the code for servlet page processing. The whole process verifies whether the user's request was modified in transit.
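An added example, not the article's own code, of the check described above: the servlet looks up the secret token by idtoken, recomputes the digest over the parameter string, and compares it with the md5str the client sent using a constant-time comparison. The class name, the in-memory map standing in for the database, the sample values and the order in which the secret is appended are assumptions; the HMAC-SHA256 signer shown beside the MD5 one goes beyond what the article uses and is the keyed construction a reviewer would normally ask for.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class RequestVerifier {
    interface Signer { String sign(String parameter, String secret) throws Exception; }

    // Constructed stand-in for the database lookup: idtoken -> secret signing token.
    static final Map<String, String> SECRET_BY_IDTOKEN = Map.of("123456", "constructed-secret");

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // The article's scheme: MD5 over the parameter string combined with the secret token.
    // Appending the secret after the parameters is an assumption about the order.
    static String md5Sign(String parameter, String secret) throws Exception {
        byte[] input = (parameter + secret).getBytes(StandardCharsets.UTF_8);
        return hex(MessageDigest.getInstance("MD5").digest(input));
    }

    // Same check with a keyed MAC (HMAC-SHA256) in place of the plain hash.
    static String hmacSign(String parameter, String secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return hex(mac.doFinal(parameter.getBytes(StandardCharsets.UTF_8)));
    }

    // Recompute the digest server-side and compare it with the one the client sent.
    static boolean verify(Signer signer, String idtoken, String parameter, String sent)
            throws Exception {
        String secret = SECRET_BY_IDTOKEN.get(idtoken);
        if (secret == null || sent == null) return false; // unknown user or no digest
        byte[] expected = signer.sign(parameter, secret).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, sent.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed request body; explicit UTF-8 keeps non-ASCII values hashing alike on both sides.
        String parameter = "{\"idtoken\":\"123456\",\"PWD\":\"\u6c49\u5b57\",\"account\":\"hang\"}";
        String tampered = parameter.replace("hang", "admin");
        for (Signer s : new Signer[] { RequestVerifier::md5Sign, RequestVerifier::hmacSign }) {
            String sent = s.sign(parameter, "constructed-secret"); // what the app would send
            System.out.println("untouched accepted: " + verify(s, "123456", parameter, sent));
            System.out.println("tampered accepted:  " + verify(s, "123456", tampered, sent));
            System.out.println("unknown idtoken:    " + verify(s, "unknown", parameter, sent));
        }
    }
}
```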
