加密URL查询参数

时间:2014-12-05 10:20:35

标签: java javascript extjs encryption

我使用liferay 5.2 ans extjs 3.4

我在URL中传递参数时遇到问题 我有通过url中传递的参数生成的报告 但问题是我们可以对这些参数进行手动更改,因此在此期间将生成另一个被禁止的报告。 我的目标是找到加密这些参数的解决方案 在java类中,我们将解密这些参数以生成报告。 因此,在这种情况下,参数保持相同,甚至在URL中进行手动更改。 因此,我们将在调用此URL(在javascript中)和在java中解密时进行加密以读取参数。 但我认为我们应该在加密和解密参数中创建一个唯一的密钥

这是我的代码:

在javascript中:

var numDec = numDec_decsion.getValue();     

var yearDec = yearCorresp_decsion.getValue();       

    var url = "<c:url value='/printer'/>?method=genreport&numDec="+ numDec + 
                        "&yearDec=" + yearDec ;
                window.open(url);

这是java代码:

public void createReport(HttpServletRequest request,
    HttpServletResponse response) throws Exception {

    try {
        ServletContext context = request.getSession().getServletContext();
        String contextPath = context.getRealPath("/");
        contextPath += ((contextPath.endsWith("/") ||
            contextPath.endsWith("\\")) ? "" : "/");
        String root_dir = contextPath + "WEB-INF\\Template\\report\\";
        String reportFile = root_dir + request.getParameter("report") +
            ".jasper";
        ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(context);
        Connection connection = getSession(appContext).connection();
        Map parameters = new HashMap();
        Iterator iter = request.getParameterMap().keySet().iterator();
        while (iter.hasNext()) {
            String paramName = (String) iter.next();
            parameters.put(paramName, request.getParameter(paramName));
            System.out.println(paramName + ":" + request.getParameter(paramName));
        }
        parameters.put("root_dir", root_dir);
        createPDFReport(response, reportFile, parameters, connection);
    } catch (Exception e) {
        e.printStackTrace();
    }
}




 public void createPDFReport(HttpServletResponse response,
        String reportFile, Map parameters, Connection connection) {


        byte[] bytes = null;

        try {
            System.out.println("-------start run report-------");
            bytes = JasperRunManager.runReportToPdf(reportFile, parameters,
                    connection);
        } catch (JRException e) {
            e.printStackTrace();
        }



        if ((bytes != null) && (bytes.length > 0)) {
            response.setContentType("application/pdf");
            response.setContentLength(bytes.length);

            try {
                ServletOutputStream ouputStream = response.getOutputStream();
                ouputStream.write(bytes, 0, bytes.length);
                ouputStream.flush();
                ouputStream.close();
            } catch (IOException e1) {
                e1.printStackTrace();
            }
        }
    }

这是我生成的网址:

http://com.supcom:8080/SupCom/printer?method=genreport&numDec=265&yearDec=1435

已更新:

我使用 SHA1 功能,并在我的网址中进行了此更改:

var numDec = numDec_decsion.getValue(); 

var yearDec = yearCorresp_decsion.getValue();       

    var url = "<c:url value='/printer'/>?method=genreport&numDec="+ SHA1(numDec) + 
                        "&yearDec=" + yearDec ;
                window.open(url);

参数将如下生成:

http://com.supcom:8080/SupCom/printer?method=genreport&numDec=6216f8a75fd5bb3d5f22b6f9958cdede3fc086c2&yearDec=1435

但我通常在 createReport方法

中找不到在java类中解密的方法

这是 SHA1 功能

的代码 
/**
*  Secure Hash Algorithm (SHA1)
*  http://www.webtoolkit.info/
**/
function SHA1(msg) {
  function rotate_left(n,s) {
    var t4 = ( n<<s ) | (n>>>(32-s));
    return t4;
  };
  function lsb_hex(val) {
    var str="";
    var i;
    var vh;
    var vl;
    for( i=0; i<=6; i+=2 ) {
      vh = (val>>>(i*4+4))&0x0f;
      vl = (val>>>(i*4))&0x0f;
      str += vh.toString(16) + vl.toString(16);
    }
    return str;
  };
  function cvt_hex(val) {
    var str="";
    var i;
    var v;
    for( i=7; i>=0; i-- ) {
      v = (val>>>(i*4))&0x0f;
      str += v.toString(16);
    }
    return str;
  };
  function Utf8Encode(string) {
    string = string.replace(/\r\n/g,"\n");
    var utftext = "";
    for (var n = 0; n < string.length; n++) {
      var c = string.charCodeAt(n);
      if (c < 128) {
        utftext += String.fromCharCode(c);
      }
      else if((c > 127) && (c < 2048)) {
        utftext += String.fromCharCode((c >> 6) | 192);
        utftext += String.fromCharCode((c & 63) | 128);
      }
      else {
        utftext += String.fromCharCode((c >> 12) | 224);
        utftext += String.fromCharCode(((c >> 6) & 63) | 128);
        utftext += String.fromCharCode((c & 63) | 128);
      }
    }
    return utftext;
  };
  var blockstart;
  var i, j;
  var W = new Array(80);
  var H0 = 0x67452301;
  var H1 = 0xEFCDAB89;
  var H2 = 0x98BADCFE;
  var H3 = 0x10325476;
  var H4 = 0xC3D2E1F0;
  var A, B, C, D, E;
  var temp;
  msg = Utf8Encode(msg);
  var msg_len = msg.length;
  var word_array = new Array();
  for( i=0; i<msg_len-3; i+=4 ) {
    j = msg.charCodeAt(i)<<24 | msg.charCodeAt(i+1)<<16 |
    msg.charCodeAt(i+2)<<8 | msg.charCodeAt(i+3);
    word_array.push( j );
  }
  switch( msg_len % 4 ) {
    case 0:
      i = 0x080000000;
    break;
    case 1:
      i = msg.charCodeAt(msg_len-1)<<24 | 0x0800000;
    break;
    case 2:
      i = msg.charCodeAt(msg_len-2)<<24 | msg.charCodeAt(msg_len-1)<<16 | 0x08000;
    break;
    case 3:
      i = msg.charCodeAt(msg_len-3)<<24 | msg.charCodeAt(msg_len-2)<<16 | msg.charCodeAt(msg_len-1)<<8  | 0x80;
    break;
  }
  word_array.push( i );
  while( (word_array.length % 16) != 14 ) word_array.push( 0 );
  word_array.push( msg_len>>>29 );
  word_array.push( (msg_len<<3)&0x0ffffffff );
  for ( blockstart=0; blockstart<word_array.length; blockstart+=16 ) {
    for( i=0; i<16; i++ ) W[i] = word_array[blockstart+i];
    for( i=16; i<=79; i++ ) W[i] = rotate_left(W[i-3] ^ W[i-8] ^ W[i-14] ^ W[i-16], 1);
    A = H0;
    B = H1;
    C = H2;
    D = H3;
    E = H4;
    for( i= 0; i<=19; i++ ) {
      temp = (rotate_left(A,5) + ((B&C) | (~B&D)) + E + W[i] + 0x5A827999) & 0x0ffffffff;
      E = D;
      D = C;
      C = rotate_left(B,30);
      B = A;
      A = temp;
    }
    for( i=20; i<=39; i++ ) {
      temp = (rotate_left(A,5) + (B ^ C ^ D) + E + W[i] + 0x6ED9EBA1) & 0x0ffffffff;
      E = D;
      D = C;
      C = rotate_left(B,30);
      B = A;
      A = temp;
    }
    for( i=40; i<=59; i++ ) {
      temp = (rotate_left(A,5) + ((B&C) | (B&D) | (C&D)) + E + W[i] + 0x8F1BBCDC) & 0x0ffffffff;
      E = D;
      D = C;
      C = rotate_left(B,30);
      B = A;
      A = temp;
    }
    for( i=60; i<=79; i++ ) {
      temp = (rotate_left(A,5) + (B ^ C ^ D) + E + W[i] + 0xCA62C1D6) & 0x0ffffffff;
      E = D;
      D = C;
      C = rotate_left(B,30);
      B = A;
      A = temp;
    }
    H0 = (H0 + A) & 0x0ffffffff;
    H1 = (H1 + B) & 0x0ffffffff;
    H2 = (H2 + C) & 0x0ffffffff;
    H3 = (H3 + D) & 0x0ffffffff;
    H4 = (H4 + E) & 0x0ffffffff;
  }
  var temp = cvt_hex(H0) + cvt_hex(H1) + cvt_hex(H2) + cvt_hex(H3) + cvt_hex(H4);

  return temp.toLowerCase();
}

1 个答案:

答案 0 :(得分:1)

对于加密和其他技术(如MAC),您需要客户端上的密钥。由于客户端代码是自由可见的(毕竟它是JavaScript),因此无法有效地隐藏密钥。因此,用户可以查看代码并根据它创建有效的URL。

您不需要加密,因为这些参数似乎并不保密。您只需要一个消息验证码(MAC)。这意味着您使用客户端和服务器已知的某些秘密(使用可选的salt)来散列您要进行身份验证的数字(如yearDec):

hYearDec = HASH(HASH(yearDec | key) | key [| salt])

请注意,|表示字节数组或字符串的连接。现在,您使用yearDec hYearDec生成网址。两个参数都发送到服务器。服务器可以通过运行与上面相同的散列函数来检查yearDec是否未被更改,因为该密钥应该是客户端和服务器的秘密。盐值也需要发送到服务器,因为它不是秘密。

请注意,如果您要加密这些值,您仍然需要像MAC一样进行某种完整性检查。

虽然任何哈希函数(如SHA1)都可以,但是你应该使用PBKDF2来根据数据导出MAC,因为它更难打破它。

CryptoJS提供appropriate functions来执行此操作。

var secretKey = "someSecretRandomString_k345kretiu46kzjnh";
var requestParameters = "yearDec=123456"; // send this
var salt = CryptoJS.lib.WordArray.random(128/8);
var key = CryptoJS.PBKDF2(requestParameters+secretKey, salt, { keySize: 256/32, iterations: 500 });
var saltHex = salt.toString(); // send this
var macHex = key.toString() // send this

在服务器上:

String plaintext = "yearDec=123456"; // request parameter
String secretKey = "someSecretRandomString_k345kretiu46kzjnh";
plaintext += secretKey; // add key in the same way as in the client
char[] plaintextChars = new char[plaintext.length()];
plaintext.getChars(0, plaintext.length(), plaintextChars, 0);
int keySize = 256; // during the system setup
int iterations = 500; // during the system setup
String macHex = "bf92577e37627dbdc4a67510510c130aca6cf8e2e8bed0ea218f6cd909e3270d";  // further request parameters
String saltHex = "639a8d66d6a4fac8a39ce7c8b42fe0d8"; // further request parameters

// convert
byte[] mac = hexStringToByteArray(macHex);
byte[] salt = hexStringToByteArray(saltHex);

// derive
SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
KeySpec ks = new PBEKeySpec(plaintextChars, salt, iterations, keySize);
SecretKey s = f.generateSecret(ks);

// check
Arrays.equals(s.getEncoded(), mac);

我使用this将十六进制转换为字节数组:

public static byte[] hexStringToByteArray(String s) {
    int len = s.length();
    byte[] data = new byte[len / 2];
    for (int i = 0; i < len; i += 2) {
        data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
                + Character.digit(s.charAt(i+1), 16));
    }
    return data;
}
相关问题
最新问题