一、接口的安全性
- 1、防偽裝攻擊
- 處理方式:接口防刷
- 出現的的情況:公共網絡環境中,第三方有意或者惡意調用我們的接口
- 2、防篡改攻擊
- 處理方式:簽名機制
- 出現情況:請求頭/查詢字符串/內容 在傳輸中來修改其內容
- 3、防重放攻擊
- 處理方式:接口時效性
- 出現情況:請求被截獲,稍后被重放或多次重放
- 4、防止止數據信息泄露
- 處理方式:接口加密(對稱加解密)
- 出現情況:截獲用戶登錄請求,主要是截獲賬號密碼
二、實現自定義的注解
import JAVA.lang.Annotation.Documented;import java.lang.annotation.Retention;import java.lang.annotation.RetentionPolicy;import java.lang.annotation.Target;import static java.lang.annotation.ElementType.METHOD;@Retention(RetentionPolicy.RUNTIME)@Target(METHOD)@Documentedpublic @interface RateLimit {String cycle() default "5"; //請求等待的時間String number() default "1"; //短時間內多少次的請求String msg() default "請求繁忙,請稍后點擊";
三、切面代碼的實現
import com.south.wires.config.annotation.RateLimit;import com.south.wires.result.JsonResult;import lombok.extern.slf4j.Slf4j;import org.aspectj.lang.ProceedingJoinPoint;import org.aspectj.lang.Signature;import org.aspectj.lang.annotation.Around;import org.aspectj.lang.annotation.Aspect;import org.aspectj.lang.reflect.MethodSignature;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.data.redis.core.RedisTemplate;import org.springframework.data.redis.core.script.DefaultRedisScript;import org.springframework.data.redis.serializer.StringRedisSerializer;import org.springframework.stereotype.Component;import org.springframework.web.context.Request.RequestContextHolder;import org.springframework.web.context.request.ServletRequestAttributes;import javax.servlet.http.HttpServletRequest;import java.lang.reflect.Method;import java.util.Collections;@Slf4j@Aspect@Componentpublic class RateLimitAspect {@Autowiredprivate RedisTemplate redisTemplate;@Around("@annotation(com.xxx.xxx.config.annotation.RateLimit)")public JsonResult around(ProceedingJoinPoint joinPoint) throws Throwable {// 業務方法執行之前設置數據源...Boolean pass=doingSomthingBefore(joinPoint);Object result;if(pass){// 執行業務方法result =joinPoint.proceed();}else{// 業務方法執行之后清除數據源設置...result=doingSomthingAfter(joinPoint);//自定義的返回值的類型return JsonResult.success(result);private boolean doingSomthingBefore(ProceedingJoinPoint joinPoint) throws NoSuchMethodException {// 接收到請求,記錄請求內容ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();HttpServletRequest request = attributes.getRequest();String ip = request.getRemoteAddr();String uri = request.getRequestURI();// 記錄下請求內容log.info("請求類型 :" + request.getMethod() + " " + "請求URL : " + request.getRequestURL());log.info("請求IP : " + request.getRemoteAddr());log.info("請求方法 : " + joinPoint.getSignature().getDeclaringTypeName() + "." + joinPoint.getSignature().getName());Method targetMethod=getTargetMethod(joinPoint);return selectLimit(ip, uri,targetMethod);private Method getTargetMethod(ProceedingJoinPoint joinPoint) throws NoSuchMethodException {//獲取目標對象對應的字節碼對象Class targetCls=joinPoint.getTarget().getClass();//獲取方法簽名信息從而獲取方法名和參數類型Signature signature=joinPoint.getSignature();//將方法簽名強轉成MethodSignature類型,方便調用MethodSignature ms= (MethodSignature)signature;return targetCls.getDeclaredMethod(ms.getName(),ms.getParameterTypes());private String doingSomthingAfter(ProceedingJoinPoint joinPoint) throws NoSuchMethodException {System.out.println("開始后");//獲取方法上的自定義RateLimit注解RateLimit rateLimit=getTargetMethod(joinPoint).getAnnotation(RateLimit.class);return rateLimit.msg();private static final String SCRIPT = "local limit = tonumber(ARGV[1]);"// 限制次數+ "local expire_time = ARGV[2];"// 過期時間+ "local result = redis.call('setNX',KEYS[1],1);"// key不存在時設置value為1,返回1、否則返回0+ "if result == 1 then"// 返回值為1,key不存在此時需要設置過期時間+ " redis.call('expire',KEYS[1],expire_time);"// 設置過期時間+ " return 1; "// 返回1+ "else"// key存在+ " if tonumber(redis.call('GET', KEYS[1])) >= limit then"// 判斷數目比對+ " return 0;"// 如果超出限制返回0+ " else" //+ " redis.call('incr', KEYS[1]);"// key自增+ " return 1 ;"// 返回1+ " end "// 結束+ "end";// 結束public Boolean selectLimit(String ip, String url,Method targetMethod) {String key = "custom:rate" + ip + ":" + url;StringRedisSerializer stringRedisSerializer = new StringRedisSerializer();redisTemplate.setValueSerializer(stringRedisSerializer);redisTemplate.setKeySerializer(stringRedisSerializer);DefaultRedisScript defaultRedisScript = new DefaultRedisScript<>(SCRIPT);defaultRedisScript.setResultType(Boolean.class);Boolean execute = null;try {RateLimit rateLimit=targetMethod.getAnnotation(RateLimit.class);execute = (Boolean) redisTemplate.execute(defaultRedisScript, Collections.singletonList(key), rateLimit.number(),rateLimit.cycle());} catch (Exception ex) {ex.printStackTrace();if (!execute) {return false;return true;
四、控制層添加相應的注解
@RateLimit@ResponseBody@RequestMApping("testRateLimit")public Object test2(){System.out.println("執行檢索");return "請求成功";
控制層代碼執行
接口請求執行成功
接口請求失敗
