Created
September 9, 2015 13:49
-
-
Save pwojt/3e2c18895e21f831239f to your computer and use it in GitHub Desktop.
Check Auth Changes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public boolean checkAuth(HttpServletRequest request) throws Exception { | |
| // Use the first part to look up the key, don't hard code it and can change it for prod. | |
| String auth = request.getHeader("authorization") | |
| .substring(request.getHeader("authorization").indexOf(":") + 1) | |
| .trim(); | |
| // This is wrong, it should be caluclated from the body itself and not taken from the header. | |
| // The header is only used to compare if it matches and be able to throw errors. | |
| // If we just check the header MD5, an attacker could send the same message with a modified body and | |
| // still get it to authenticate. | |
| String content_MD5 = request.getHeader("Content-MD5") == null ? "" | |
| : request.getHeader("Content-MD5"); | |
| // Date should expire after 5-15 minutes so that we prevent replay attacks. | |
| String date = request.getHeader("date"); | |
| // This should check for null and use and empty string if it is | |
| String content_Type = ObjectUtils.firstNonNull(request.getHeader("Content-Type"), ""); | |
| String uri = request.getRequestURI(); | |
| String data = content_Type + "," + content_MD5 + "," + uri + "," + date; | |
| String checkcode = HMACSHA1.HmacSHA1Encrypt( | |
| data, | |
| ResourceBundle.getBundle("system").getString( | |
| "unionpay_key")).trim(); | |
| logger.info("server checkcode:" + checkcode); | |
| return checkcode.equals(auth); | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public boolean checkAuth(HttpServletRequest request) throws Exception { | |
| String auth = request.getHeader("authorization") | |
| .substring(request.getHeader("authorization").indexOf(":") + 1) | |
| .trim(); | |
| String content_MD5 = request.getHeader("Content-MD5") == null ? "" | |
| : request.getHeader("Content-MD5"); | |
| String date = request.getHeader("date"); | |
| String content_Type = request.getHeader("Content-Type"); | |
| String uri = request.getRequestURI(); | |
| String data = content_Type + "," + content_MD5 + "," + uri + "," + date; | |
| String checkcode = HMACSHA1.HmacSHA1Encrypt( | |
| data, | |
| ResourceBundle.getBundle("system").getString( | |
| "unionpay_key")).trim(); | |
| logger.info("server checkcode:" + checkcode); | |
| return checkcode.equals(auth); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment