WebService User Control Mode and Encryption Algorithm Classification

In our system, every WebService call is permission-controlled. Recorded here for reference.

1. Example ws
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.jws.WebService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// SmsService, SecurityHelper, SessionManager and User are project classes (assumed to be in the same package)
@Service
@Transactional
@WebService(endpointInterface = "com.mycompany.sms.ws.SmsService", targetNamespace = "http://www.mycompany.cn/sms", serviceName = "ServiceInstance")
public class SmsServiceImpl implements SmsService {

	private SecretKey secretKey;

	@Autowired
	private SessionManager sessionManager;

	// Hexadecimal key string, converted to bytes in the constructor [16 hex characters = 8 bytes, i.e. one DES key]
	private String hexStr = "3243456789123459";

	public SmsServiceImpl() {
		byte[] hex = SecurityHelper.hexStrToByte(hexStr);
		secretKey = new SecretKeySpec(hex, "DES");
	}

	@Override
	public String login(String account, String password) {
		User user = sessionManager.login(secretKey, account, password);
		return user.getSessionId();
	}

	@Override
	public void logoff(String sessionId) {
		sessionManager.logoff(sessionId);
	}

	@Override
	public boolean sendMessage(String sessionId, String msgNumber,
			String msgContent) {
		// throws WsException if the session does not exist or its key does not match
		sessionManager.getUser(secretKey, sessionId);
		// do something...
		return true;
	}
}

Remarks:
1. Provide the client with an account and a password. The password is tied to the account through the key held in the ws: as login() below shows, it is the hex-encoded encryption of the account name under that key.
2. The client logs in first; the account and password are verified and a sessionId is returned.
3. Every other operation must pass the sessionId. The server checks that a session with that ID exists and that the secretKey stored in it equals the ws key. This second check seems redundant.

2. Session management
import java.io.UnsupportedEncodingException;
import javax.crypto.SecretKey;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

// CacheProvider, SecurityHelper, User, LoginException and WsException are project classes (assumed to be in the same package)
@Component
public class SessionManager {

	@Autowired
	private CacheProvider cacheProvider;

	public User login(SecretKey secretKey, String account, String password) {
		SecurityHelper securityHelper = new SecurityHelper(secretKey);
		// The expected password is the hex-encoded encryption of the account name under the ws key
		String password2;
		try {
			password2 = SecurityHelper.byteToHexStr(securityHelper
					.encode(account.getBytes("UTF-8")));
		} catch (UnsupportedEncodingException e) {
			throw new LoginException(e);
		}
		if (password2.equals(password)) {
			User user = new User(account);
			user.setSecretKey(secretKey.getEncoded());
			addSession(user);
			return user;
		} else {
			throw new LoginException("Login failed");
		}
	}

	public void logoff(String sessionId) {
		removeSession(sessionId);
	}

	private void addSession(User user) {
		cacheProvider.put("webservice-session-" + user.getSessionId(), user);
	}

	private void removeSession(String sessionId) {
		cacheProvider.remove("webservice-session-" + sessionId);
	}

	public User getUser(SecretKey secretKey, String sessionId) {
		User user = (User) cacheProvider.get("webservice-session-" + sessionId);
		if (user == null) {
			throw new WsException("User not logged in or login timed out");
		} else if (!bytesEquals(secretKey.getEncoded(), user.getSecretKey())) {
			throw new WsException("No permission to call this interface");
		} else {
			return user;
		}
	}

	private boolean bytesEquals(byte[] bytes1, byte[] bytes2) {
		// Length check added: without it a shorter bytes2 throws ArrayIndexOutOfBoundsException.
		// Note that this early-exit loop is not constant-time; java.security.MessageDigest.isEqual is.
		if (bytes1.length != bytes2.length) {
			return false;
		}
		for (int i = 0; i < bytes1.length; i++) {
			if (bytes1[i] != bytes2[i]) {
				return false;
			}
		}
		return true;
	}

}

Remarks:
cacheProvider is a generic cache tool interface.
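How the login check above binds account, password and key, as an added stand-alone example (this is not the page's SecurityHelper; it assumes SecurityHelper.encode() is DES/ECB/PKCS5Padding and that byteToHexStr() emits lowercase hex, neither of which the page shows). It also shows the length-safe, constant-time comparison that bytesEquals() should use:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the page's SecurityHelper. Assumption: encode() is
// DES/ECB/PKCS5Padding and byteToHexStr() emits lowercase hex.
public class WsPasswordDemo {

    // Same 16-hex-character string as the page: 8 bytes, i.e. one DES key.
    static final String HEX_KEY = "3243456789123459";

    static byte[] hexStrToByte(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static String byteToHexStr(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // The password issued for an account is hex(DES(account)) under the shared
    // key; login() recomputes it and compares it with what the client sent.
    static String derivePassword(SecretKey key, String account) throws Exception {
        Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return byteToHexStr(cipher.doFinal(account.getBytes(StandardCharsets.UTF_8)));
    }

    // Length-safe, constant-time replacement for the page's bytesEquals():
    // a shorter second array no longer throws, and timing reveals nothing.
    static boolean bytesEquals(byte[] a, byte[] b) {
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = new SecretKeySpec(hexStrToByte(HEX_KEY), "DES");
        String issued = derivePassword(key, "alice"); // value handed to the client
        System.out.println("alice -> " + issued);
        System.out.println("login ok: " + derivePassword(key, "alice").equals(issued));
        System.out.println("key mismatch rejected: " + !bytesEquals(key.getEncoded(), new byte[7]));
    }
}
```

Because the password is a deterministic function of the account under a key that sits in the ws source, anyone who obtains that key can compute the password for every account; the check protects only as well as the key is kept secret.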


3. Encryption algorithms

Having just seen DES used above, here is a brief summary of the encryption algorithm categories:
1. Hash
MD5, SHA1, SHA256 and the like are all one-way hash algorithms: the original content cannot be derived from the result, and any change in the original content changes the hash value. Their defining characteristic is irreversibility.

2. Symmetric encryption
DES, 3DES and AES are characterized by using the same key for encryption and decryption. DES is old and insecure; AES is the newest.

3. Asymmetric encryption
RSA and ECC (elliptic curve) are characterized by two different keys, one public and one private. Content encrypted with one key can only be decrypted with the other. Encrypting with the public key guarantees that only the holder of the private key can read it, and encrypting with the private key guarantees that the content was sent by that holder.

4. For the commonly used HTTPS, asymmetric encryption is used first to transmit the symmetric encryption key, and the actual content is then transmitted with symmetric encryption.
