对于每一次HTTP或者HTTPS协议请求,我们会根据访问中的签名信息验证访问请求者身份。具体由使用AccessKey ID和AccessKey Secret对称加密验证实现。其中AccessKey ID是访问者身份,AccessKey Secret是加密签名字符串和服务器端验证签名字符串的密钥,必须严格保密谨防泄露。
步骤一:指定请求参数
在代码中指定请求参数,参数中需要包含公共请求头和接口必备的参数信息。
说明 请求参数中不允许出现以Signature为key的参数。
示例代码如下:
String accessKeyId = "testId";
String accessSecret = "testSecret";
java.text.SimpleDateFormat df = new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
df.setTimeZone(new java.util.SimpleTimeZone(0, "GMT"));// 这里一定要设置GMT时区
java.util.Map<String, String> paras = new java.util.HashMap<String, String>();
// 1. 系统参数
paras.put("SignatureMethod", "HMAC-SHA1");
paras.put("SignatureNonce", java.util.UUID.randomUUID().toString());
paras.put("AccessKeyId", accessKeyId);
paras.put("SignatureVersion", "1.0");
paras.put("Timestamp", df.format(new java.util.Date()));
paras.put("Format", "XML");
// 2. 业务API参数
paras.put("Action", "SendCcoSmartCall");
paras.put("Version", "2019-10-15");
paras.put("CalledShowNumber", "05711234****");
paras.put("CalledNumber", "13900001234");
paras.put("VoiceCode", "e25c6601-5c33-55d6-9e95-a1b7cdb1c11a.wav");
paras.put("AsrModelled", "177281846660");
paras.put("AsrVocabld", "177281846660");
// 3. 去除签名关键字Key
if (paras.containsKey("Signature"))
paras.remove("Signature");
步骤二:根据参数Key排序(顺序)
参考代码如下:
java.util.TreeMap<String, String> sortParas = new java.util.TreeMap<String, String>();
sortParas.putAll(paras);
步骤三:构造待签名的请求串
首先介绍下面会用到的特殊URL编码这个是POP特殊的一种规则,即在一般的URLEncode后再增加三种字符替换:加号
(+)
替换成 %20
、星号(*)
替换成 %2A
、%7E
替换回波浪号(~)
参考代码如下: public static String specialUrlEncode(String value) throws Exception {
return java.net.URLEncoder.encode(value, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
}
构造待签名的请求串:
- 把排序后的参数顺序拼接成如下格式:
specialUrlEncode(参数Key) + "=" + specialUrlEncode(参数值)
参考代码如下:java.util.Iterator<String> it = sortParas.keySet().iterator(); StringBuilder sortQueryStringTmp = new StringBuilder(); while (it.hasNext()) { String key = it.next(); sortQueryStringTmp.append("&").append(specialUrlEncode(key)).append("=").append(specialUrlEncode(paras.get(key))); } String sortedQueryString = sortQueryStringTmp.substring(1);// 去除第一个多余的&符号
打印上面的sortQueryString
。结果如下:AccessKeyId%3DtestId&Action%3DSendCcoSmartCall&CalledNumber%3D13900001234&CalledShowNumber%3D05711234****&Format%3DXML&VoiceCode%3De25c6601-5c33-55d6-9e95-a1b7cdb1c11a.wav&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3Df7d2d4ef-6d5f-4da4-86ed-88e001a66abb&SignatureVersion%3D1.0&Timestamp%3D2017-09-28T14%253A31%253A56Z&AsrModelled%3D177281846660&AsrVocabld%3D177281846660&Version%3D2019-10-15
对应的未URL编码的值(方便用户对比):AccessKeyId=testId&Action=SendCcoSmartCall&CalledNumber=13900001234&CalledShowNumber=05711234****&Format=XML&OutId=123&VoiceCode=e25c6601-5c33-55d6-9e95-a1b7cdb1c11a.wav&SignatureMethod=HMAC-SHA1&SignatureNonce=f7d2d4ef-6d5f-4da4-86ed-88e001a66abb&SignatureVersion=1.0&Timestamp=2017-09-28T14%3A31%3A56Z&AsrModelled=177281846660&AsrVocabld=177281846660&Version=2019-10-15
- 按POP的签名规则拼接成最终的待签名串。
规则如下:
HTTPMethod + “&” + specialUrlEncode(“/”) + ”&” + specialUrlEncode(sortedQueryString)
参考代码如下:StringBuilder stringToSign = new StringBuilder(); stringToSign.append("GET").append("&"); stringToSign.append(specialUrlEncode("/")).append("&"); stringToSign.append(specialUrlEncode(sortedQueryString));
完成待签名的请求字符串。打印结果如下:GET&%2F&AccessKeyId%3DtestId&Action%3DSendCcoSmartCall&CalledNumber%3D13900001234&CalledShowNumber%3D05711234****&Format%3DXML&VoiceCode%3De25c6601-5c33-55d6-9e95-a1b7cdb1c11a.wav&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3Df7d2d4ef-6d5f-4da4-86ed-88e001a66abb&SignatureVersion%3D1.0&Timestamp%3D2017-09-28T14%253A31%253A56Z&AsrModelled%3D177281846660&AsrVocabld%3D177281846660&Version%3D2019-10-15
步骤四:签名
签名采用HmacSHA1算法 + Base64,编码采用UTF-8。参考代码如下:
String sign = sign(accessSecret + "&", stringToSign.toString());
public static String sign(String accessSecret, String stringToSign) throws Exception {
javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA1");
mac.init(new javax.crypto.spec.SecretKeySpec(accessSecret.getBytes("UTF-8"), "HmacSHA1"));
byte[] signData = mac.doFinal(stringToSign.getBytes("UTF-8"));
return new sun.misc.BASE64Encoder().encode(signData);
}
参数说明:
accessSecret
:您的AccessKey ID
对应的密钥AccessSecret
,特别说明:POP要求需要后面多加一个“&
”字符,即accessSecret + “&”
。stringToSign
:即第三步生成的待签名请求串。
签名后的结果打印如下:
aMfgrx8DLS7vLfpeR1c2rrKLr0Q=
步骤五:增加签名结果到请求参数中,发送请求
说明 签名也要做特殊URL编码。
String Signature = specialUrlEncode(sign);// aMfgrx8DLS7vLfpeR1c2rrKLr0Q%3D
最终完整的GET请求HTTP为:
http://aiccs.aliyuncs.com/?Signature=aMfgrx8DLS7vLfpeR1c2rrKLr0Q%3D&AccessKeyId=testId&Action=SendCcoSmartCall&CalledNumber=13900001234&CalledShowNumber=05711234****&Format=XML&SignatureMethod=HMAC-SHA1&SignatureNonce=f7d2d4ef-6d5f-4da4-86ed-88e001a66abb&SignatureVersion=1.0&Timestamp=2017-09-28T14%3A31%3A56Z&Version=2019-10-15
Java示例
完整的Java签名Demo代码:
public class VmsSignDemo {
public static void main(String[] args) throws Exception {
String accessKeyId = "testId";
String accessSecret = "testSecret";
java.text.SimpleDateFormat df = new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
df.setTimeZone(new java.util.SimpleTimeZone(0, "GMT"));// 这里一定要设置GMT时区
java.util.Map<String, String> paras = new java.util.HashMap<String, String>();
// 1. 系统参数
paras.put("SignatureMethod", "HMAC-SHA1");
paras.put("SignatureNonce", java.util.UUID.randomUUID().toString());
paras.put("AccessKeyId", accessKeyId);
paras.put("SignatureVersion", "1.0");
paras.put("Timestamp", df.format(new java.util.Date()));
paras.put("Format", "XML");
// 2. 业务API参数
paras.put("Action", "SendCcoSmartCall");
paras.put("Version", "2019-10-15");
paras.put("CalledShowNumber", "05711234****");
paras.put("CalledNumber", "13900001234");
paras.put("VoiceCode", "e25c6601-5c33-55d6-9e95-a1b7cdb1c11a.wav");
paras.put("AsrModelled", "177281846660");
paras.put("AsrVocabld", "177281846660");
// 3. 去除签名关键字Key
if (paras.containsKey("Signature"))
paras.remove("Signature");
// 4. 参数KEY排序
java.util.TreeMap<String, String> sortParas = new java.util.TreeMap<String, String>();
sortParas.putAll(paras);
// 5. 构造待签名的字符串
java.util.Iterator<String> it = sortParas.keySet().iterator();
StringBuilder sortQueryStringTmp = new StringBuilder();
while (it.hasNext()) {
String key = it.next();
sortQueryStringTmp.append("&").append(specialUrlEncode(key)).append("=").append(specialUrlEncode(paras.get(key)));
}
String sortedQueryString = sortQueryStringTmp.substring(1);// 去除第一个多余的&符号
StringBuilder stringToSign = new StringBuilder();
stringToSign.append("GET").append("&");
stringToSign.append(specialUrlEncode("/")).append("&");
stringToSign.append(specialUrlEncode(sortedQueryString));
String sign = sign(accessSecret + "&", stringToSign.toString());
// 6. 签名最后也要做特殊URL编码
String signature = specialUrlEncode(sign);
System.out.println(paras.get("SignatureNonce"));
System.out.println("\r\n=========\r\n");
System.out.println(paras.get("Timestamp"));
System.out.println("\r\n=========\r\n");
System.out.println(sortedQueryString);
System.out.println("\r\n=========\r\n");
System.out.println(stringToSign.toString());
System.out.println("\r\n=========\r\n");
System.out.println(sign);
System.out.println("\r\n=========\r\n");
System.out.println(signature);
System.out.println("\r\n=========\r\n");
// 最终打印出合法GET请求的URL
System.out.println("http://aiccs.aliyuncs.com/?Signature=" + signature + sortQueryStringTmp);
}
public static String specialUrlEncode(String value) throws Exception {
return java.net.URLEncoder.encode(value, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
}
public static String sign(String accessSecret, String stringToSign) throws Exception {
javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA1");
mac.init(new javax.crypto.spec.SecretKeySpec(accessSecret.getBytes("UTF-8"), "HmacSHA1"));
byte[] signData = mac.doFinal(stringToSign.getBytes("UTF-8"));
return new sun.misc.BASE64Encoder().encode(signData);
}
}