Interface authentication: protecting an interface exposed to third-party callers with a sign signature

// Scenario: a third-party company integrates with our company, and we expose an interface for them to call. The interface must require authorization; otherwise anyone could call our company's interface, which is a security risk.

Idea: every interface request carries an apiKey and a sign signature among its parameters.
 Before integration, we give the other party an apiKey and a password (secret). These two values can be anything you define yourself, as hard to guess as possible, as long as both sides agree on them.

What the other party has to do: serialize the request object requestDTO, with every field except the sign signature field, into a JSON string,
then put the secret before and after that string and take the MD5 of the result as the signature sign.
Pseudocode:
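     // Serialize the request while its sign field is still unset
     String reqStr = JSON.toJSONString(requestDTO);
     StringBuilder sb = new StringBuilder();
     // Signed string is secret + JSON + secret
     sb.append(BeeBoxConstant.SECRET);
     sb.append(reqStr);
     sb.append(BeeBoxConstant.SECRET);
     String sign = Md5Util.getMd5(sb.toString());
     // Attach the signature to the outgoing request
     requestDTO.setSign(sign);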
Note: the password (secret) is never sent along in requestDTO.

What we need to do:

Take the other party's request parameters, requestDTO, and read the sign value and the apiKey:
  String sign = requestDTO.getSign();
  String apiKey = requestDTO.getApiKey();
  Look up the password (secret) by apiKey. We issued both the apiKey and the secret, so we know where to find it.

  Then set sign on the request object to null:
  requestDTO.setSign(null);
  Serialize it to JSON and generate the signature in the same way the caller did:

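     // Serialize the request after its sign field has been cleared
     String reqStr = JSON.toJSONString(requestDTO);
     StringBuilder sb = new StringBuilder();
     // The secret here is the one that belongs to the caller's apiKey
     sb.append(BeeBoxConstant.SECRET);
     sb.append(reqStr);
     sb.append(BeeBoxConstant.SECRET);
     String sign2 = Md5Util.getMd5(sb.toString());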
  Compare the sign the other party sent with the sign2 we calculated. If they are identical, signature verification passes; if they differ, signature verification fails.
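
The verification steps above as a self-contained added example (not the original author's code), using only the JDK and comparing the two signatures with MessageDigest.isEqual so the check runs in constant time. The class, method and key names and the sample request are constructed, lowercase-hex MD5 output is an assumption about Md5Util, and the JSON is passed in already serialized without its sign field.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

// Added example: hypothetical names, constructed sample data.
public class SignVerifyDemo {

    // Constructed sample store: apiKey -> secret issued to that partner.
    static final Map<String, String> SECRETS =
            Map.of("partner-a-key", "constructed-secret-value");

    // MD5(secret + json + secret) as lowercase hex, the scheme described in the text.
    static String sign(String secret, String json) throws NoSuchAlgorithmException {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        byte[] digest = md5.digest((secret + json + secret).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // jsonWithoutSign: the request serialized after its sign field was set to null.
    static boolean verify(String apiKey, String jsonWithoutSign, String receivedSign)
            throws NoSuchAlgorithmException {
        String secret = SECRETS.get(apiKey);
        if (secret == null || receivedSign == null) {
            return false; // unknown caller or missing signature
        }
        byte[] expected = sign(secret, jsonWithoutSign).getBytes(StandardCharsets.UTF_8);
        byte[] received = receivedSign.getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison: response timing does not reveal how many characters matched.
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) throws Exception {
        String json = "{\"apiKey\":\"partner-a-key\",\"orderId\":\"1001\"}"; // constructed request
        String sent = sign(SECRETS.get("partner-a-key"), json);              // caller side
        System.out.println("valid request:  " + verify("partner-a-key", json, sent));
        String tampered = json.replace("1001", "9999");                      // body changed in transit
        System.out.println("tampered body:  " + verify("partner-a-key", tampered, sent));
        System.out.println("unknown apiKey: " + verify("nobody", json, sent));
    }
}
```

Both sides must serialize the request to exactly the same JSON text (same field order, same handling of null fields), because any byte difference changes the MD5.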

 

Origin www.cnblogs.com/yangxiaohui227/p/11165757.html