1.問(wèn)題

賬密登錄方式中用戶(hù)輸入密碼后，把賬號(hào)、密碼通過(guò)http傳輸?shù)胶蠖诉M(jìn)行校驗(yàn)，然而密碼屬于敏感信息，不能以明文傳輸，否則容易被攔截竊取，因此需要考慮如何安全傳輸密碼

2.解決方案

使用rsa加密方式，rsa屬于非對(duì)稱(chēng)加密，特點(diǎn)就是公鑰加密私鑰解密

2.1后端生成公鑰私鑰

生成公私鑰，把公鑰返回給前端，私鑰用redis緩存

ManagerController.java

    @GetMapping("/key")public ResponseEntity<ApiResponse> key(@RequestParam("loginNo") String loginNo) {String key = managerService.generateKey(loginNo);return ApiResponse.success(key);}

ManagerServiceImpl.java

    @Overridepublic String generateKey(String loginNo) {QueryWrapper<Manager> wrapper = new QueryWrapper<>();wrapper.eq("loginNo", loginNo);Manager entity = this.getOne(wrapper);if (Objects.isNull(entity)) {throw new CodeException("用戶(hù)不存在：loginNo=" + loginNo);}try {KeyPair keyPair = RSAUtil.generateKeyPair();String publicKey = RSAUtil.getPublicKey(keyPair);String privateKey = RSAUtil.getPrivateKey(keyPair);log.info("publicKey={}", publicKey);log.info("privateKey={}", privateKey);String redisKey = RedisKey.MANAGE_LOGIN_RSA_PRIVATEKEY + "$" + loginNo;// 清除緩存redisService.del(redisKey);// 私鑰添加到緩存redisService.set(redisKey, privateKey, 5, TimeUnit.MINUTES);return publicKey;} catch (Exception e) {log.error("生成rsa密鑰失敗", e);}return null;}

RSAUtil.java

public class RSAUtil {private static final Charset CHARSET = StandardCharsets.UTF_8;private static final String ALGORITHM = "RSA";/*** 生成密鑰對(duì)* @return* @throws NoSuchAlgorithmException*/public static KeyPair generateKeyPair() throws NoSuchAlgorithmException {KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(ALGORITHM);keyPairGenerator.initialize(1024);return keyPairGenerator.generateKeyPair();}/*** 生成公鑰* @param keyPair* @return*/public static String getPublicKey(KeyPair keyPair) {PublicKey publicKey = keyPair.getPublic();byte[] bytes = base64Encode(publicKey.getEncoded());return new String(bytes, CHARSET);}/*** 生成私鑰* @param keyPair* @return*/public static String getPrivateKey(KeyPair keyPair) {PrivateKey privateKey = keyPair.getPrivate();byte[] bytes = base64Encode(privateKey.getEncoded());return new String(bytes, CHARSET);}/*** base64加密* @param bytes* @return*/public static byte[] base64Encode(byte[] bytes) {return Base64.getEncoder().encode(bytes);}/*** base64解密* @param bytes* @return*/public static byte[] base64Decode(byte[] bytes) {return Base64.getDecoder().decode(bytes);}/*** base64解密* @param src* @return*/public static byte[] base64Decode(String src) {return Base64.getDecoder().decode(src);}/*** 解密* @param key* @param data* @return* @throws NoSuchAlgorithmException* @throws InvalidKeySpecException* @throws NoSuchPaddingException* @throws InvalidKeyException* @throws IllegalBlockSizeException* @throws BadPaddingException*/public static String decrypt(String key, String data) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {byte[] bytes = base64Decode(key);PKCS8EncodedKeySpec pkcs8EncodedKeySpec = new PKCS8EncodedKeySpec(bytes);KeyFactory keyFactory = KeyFactory.getInstance(ALGORITHM);PrivateKey privateKey = keyFactory.generatePrivate(pkcs8EncodedKeySpec);Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");cipher.init(Cipher.DECRYPT_MODE, privateKey);return new String(cipher.doFinal(base64Decode(data.getBytes(CHARSET))), CHARSET);}

2.2前端使用公鑰加密

安裝這個(gè)依賴(lài)

npm install jsencrypt@3.2.0

import JSEncrypt from 'jsencrypt';// key為后端返回的公鑰，this.form.password為明文密碼
const jsEncrypt = new JSEncrypt();
jsEncrypt.setPublicKey(key);
// pwd為加密后的密碼
var pwd = jsEncrypt.encrypt(this.form.password);

2.3后端使用私鑰解密

從redis獲取私鑰，用私鑰解密，得到明文后和數(shù)據(jù)庫(kù)保存的密碼比對(duì)，數(shù)據(jù)庫(kù)的密碼是以用戶(hù)id為鹽值對(duì)明文密碼作md5加密，相同則放行，否則報(bào)錯(cuò)，注意登錄成功的話(huà)需要把redis的密鑰移除

ManagerController.java

    @PostMapping("/login")public ResponseEntity<ApiResponse> login(@RequestParam("loginNo") String loginNo, @RequestParam("password") String password)throws Exception {UserDTOWithToken dto = managerService.login(loginNo, password);return ApiResponse.success(dto);}

ManagerServiceImpl.java

    @Overridepublic UserDTOWithToken login(String loginNo, String password) throws Exception {QueryWrapper<Manager> wrapper = new QueryWrapper<>();wrapper.eq("loginNo", loginNo);Manager entity = this.getOne(wrapper);if (Objects.isNull(entity)) {throw new CodeException("用戶(hù)不存在：loginNo=" + loginNo);}String redisKey = RedisKey.MANAGE_LOGIN_RSA_PRIVATEKEY + "$" + loginNo;// 從緩存獲取私鑰String privateKey = (String) redisService.get(redisKey);if (StrUtil.isEmpty(privateKey)) {throw new CodeException("私鑰不存在");}// 用私鑰解密String realPassword = RSAUtil.decrypt(privateKey, password);log.info("realPassword={}", realPassword);// 校驗(yàn)密碼Digester digester = new Digester(DigestAlgorithm.MD5);digester.setSalt(entity.getId().getBytes(StandardCharsets.UTF_8));String encodePassword = digester.digestHex(realPassword);log.info("encodePassword={}", encodePassword);if (!encodePassword.equals(entity.getPassword())) {throw new CodeException("密碼錯(cuò)誤");}//從認(rèn)證服務(wù)獲取tokenResponseEntity<ApiResponse> responseEntity = authClient.token(AuthConst.PASSWORD_GRANT_TYPE, AuthConst.ADMIN_CLIENT_ID,AuthConst.ADMIN_CLIENT_SECRET, null, loginNo, password);ApiResponse response = responseEntity.getBody();TokenDTO tokenDTO = response.toObject(TokenDTO.class);if (Objects.isNull(tokenDTO)) {throw new CodeException("獲取token失敗：" + response.getMessage());}UserDTOWithToken dto = new UserDTOWithToken();dto.setUserId(entity.getId());dto.setToken(tokenDTO);entity.setLoginTime(LocalDateTime.now());Integer loginCount = entity.getLoginCount();entity.setLoginCount(Objects.isNull(loginCount) ? 1 : loginCount + 1);entity.setUpdateTime(LocalDateTime.now());this.updateById(entity);// 成功則清除緩存的私鑰redisService.del(redisKey);return dto;}

3.總結(jié)

非對(duì)稱(chēng)加密還有其它算法，rsa是其中一種

后端存儲(chǔ)私鑰除了redis也可以用其它緩存工具如J2Cache