Javascript端加密java服務端解密
通常我們會通過htts來保證傳輸安全,但如果我們不用https,如何通過javascript來保證瀏覽器端發送的參數進行加密,並且通過RSA算法來處理。
這裏我們可以利用jquery的一個加密插件jcryption來處理,可以參考
http://jcryption.org/#examples
現在版本是3.0 但是沒有java端的實現,下次有時間再研究。現在這個用的是1.1的版本
這個可以在
http://linkwithweb.googlecode.com/svn/trunk/Utilities/jCryptionTutorial獲取
不過他的服務端有個缺陷我修改了。
接來大致介紹如下:
1.首先服務端有產生publicKey的servlet:
package com.gsh.oauth.auth.servlet;
import java.io.IOException;
import java.security.KeyPair;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
importjavax.servlet.http.HttpServletRequest;
importjavax.servlet.http.HttpServletResponse;
import com.gsh.oauth.auth.util.JCryptionUtil;
/**
*Servlet implementation class EncryptionServlet
*/
public class EncryptionServlet extendsHttpServlet {
privatestatic final long serialVersionUID = 1L;
/**
* Default constructor.
*/
publicEncryptionServlet() {
//TODO Auto-generated constructor stub
}
/**
* @see HttpServlet#service(HttpServletRequestrequest, HttpServletResponse response)
*/
protectedvoid service(HttpServletRequest request,
HttpServletResponseresponse) throws ServletException, IOException {
intKEY_SIZE = 1024;
if(request.getParameter("generateKeypair") != null) {
JCryptionUtiljCryptionUtil = new JCryptionUtil();
KeyPairkeys = null;
//if(request.getSession().getAttribute("keys") == null) { //這裏註釋掉否則第二次請求會500
keys= jCryptionUtil.generateKeypair(KEY_SIZE);
request.getSession().setAttribute("keys",keys);
//}
StringBufferoutput = new StringBuffer();
Stringe = JCryptionUtil.getPublicKeyExponent(keys);
Stringn = JCryptionUtil.getPublicKeyModulus(keys);
Stringmd = String.valueOf(JCryptionUtil.getMaxDigits(KEY_SIZE));
output.append("{\"e\":\"");
output.append(e);
output.append("\",\"n\":\"");
output.append(n);
output.append("\",\"maxdigits\":\"");
output.append(md);
output.append("\"}");
output.toString();
response.getOutputStream().print(
output.toString().replaceAll("\r","").replaceAll("\n", "")
.trim());
}else {
response.getOutputStream().print(String.valueOf(false));
}
}
}
2.Client例子
<html>
<head>
<title>Login form</title>
</head>
<metahttp-equiv="Content-Type"
content="text/html; charset=utf-8">
<scriptsrc="../js/jquery-1.4.2.min.js"type="text/javascript"></script>
<scriptsrc="../js/jquery-ui-1.8.2.custom.min.js"
type="text/javascript"></script>
<scripttype="text/javascript"
src="../js/security/jquery.jcryption-1.1.min.js"></script>
<scripttype="text/javascript">
$(document).ready(function() {
var $statusText = $('<span id="status"></span>').hide();
$("#status_container").append($statusText);
$("#lf").jCryption({
getKeysURL:"/gsh/oauth/encryption?generateKeypair=true",
beforeEncryption: function(){
$statusText
.text("Test Code")
.show();
returntrue;
},
encryptionFinished: function(
encryptedString,
objectLength){
$statusText
.text(encryptedString);
returntrue;
}
});
});
</script>
<body>
<formid="lf"action="/gsh/oauth/authorization"
method="post">
<fieldset><legend>login</legend>
<div>
<div>client_id:<br>
<inputtype="text"size="45"name="client_id"value=""></div>
<div>redirect_uri:<br>
<inputtype="text"size="45"name="redirect_uri"value=""></div>
</div>
<div>loginid:<br>
<inputtype="text"size="45"name="loginid"value=""></div>
</div>
<div>password:<br>
<inputtype="password"size="45"name="password"value=""></div>
</div>
<div>
<p><inputtype="submit"/><spanid="status_container"></span></p>
</div>
</fieldset>
</form>
</body>
</html>
上面看代碼可以看出他通過/gsh/oauth/encryption?generateKeypair=true來先請求獲取public 然後通過jcryption進行加密然後post到服務端。Encryption就是上面的EncryptionServlet。
通過瀏覽器工具可以看到表單裏面的數據加密爲
jCryption=95f1589502288050e08b4bd8b1a360341cf616d9054531b85a6ef85783c1723b46686ec454ee81f1304fa2370ce24c4d9c06f84d47aa4bdf99310ae12b514db19bfcc325f3a39a584c23b1546550f4e0635c12486f2fd84dec137e1c61cfa775dfa3057a1f0154712aaba0af0cc61810282780f15bed909c24a184e66ab39f2e
3.目標servlet(authorization)的解密
publicclassAuthorization extends HttpServlet {
protectedvoiddoGet(HttpServletRequest httpServletRequest,
HttpServletResponsehttpServletResponse) throws ServletException,
IOException{
PrintWriter out = httpServletResponse.getWriter();
KeyPair keys = (KeyPair)httpServletRequest.getSession().getAttribute("keys");
String encrypted =httpServletRequest.getParameter("epCryption");
String client_id = null;
Stringredirect_uri = null;
Stringloginid = null;
Stringpassword = null;
try {
Stringdata = JCryptionUtil.decrypt(encrypted, keys);
httpServletRequest.getSession().removeAttribute("keys");
Mapparams = JCryptionUtil.parse(data, "UTF-8");
client_id= (String) params.get("client_id");
redirect_uri= (String) params.get("redirect_uri");
loginid= (String) params.get("loginid");
password = (String)params.get("password");
}catch(Throwable e) {
e.printStackTrace();
}
}
}
上面至少片段,需要相關的js和java問題,請在svn上面獲取。另外還需要bcprov-jdk15-1.46.jar
可以在http://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15/1.46
獲取。