使用 AWS SDK 进行 SNS 验证 Java,版本 2
[英]SNS verification using the AWS SDK for Java, version 2
问题描述
I use AWS SDK for Java 2.x, dependency software.amazon.awssdk:sns
我将 AWS SDK 用于 Java 2.x,依赖软件.amazon.awssdk:sns
I receive message from sns topic via http.我通过 http 收到来自 sns 主题的消息。 I'm wondering if there're any official or non-official but well-supported libraries that can do verification of signature.我想知道是否有任何官方或非官方但得到良好支持的库可以验证签名。
I've implemented verification using code snippets from https://docs.aws.amazon.com/sns/latest/dg/sns-example-code-endpoint-java-servlet.html , but perhaps better solution is existing我已经使用https://docs.aws.amazon.com/sns/latest/dg/sns-example-code-endpoint-java-servlet.html中的代码片段实现了验证,但可能存在更好的解决方案
public void verifySignature(SnsMessage message) {
String signatureVersion = message.getSignatureVersion();
if (signatureVersion.equals("1")) {
// Check the signature and throw an exception if the signature verification fails.
if (isMessageSignatureVersion1Valid(message)) {
log.info("Signature verification succeeded");
} else {
log.info("Signature verification failed");
throw new SecurityException("Signature verification failed.");
}
} else {
log.info("Unexpected signature version. Unable to verify signature.");
throw new SecurityException("Unexpected signature version. Unable to verify signature.");
}
}
3 个解决方案
解决方案1
1 2021-08-19 08:53:16
At the time of writing (August 2021) AWS SDK for Java 2.x doesn't yet support all the features of AWS SDK for Java 1.x. At the time of writing (August 2021) AWS SDK for Java 2.x doesn't yet support all the features of AWS SDK for Java 1.x. But fortunately, you can use them side-by-side.但幸运的是,您可以并排使用它们。 Quote from the official documentation :引用官方文档:
You can use both versions of the AWS SDK for Java in your projects.
And in 1.x you have SnsMessageManager that apparently does the job:在 1.x 中,您有SnsMessageManager显然可以完成这项工作:
public class SnsMessageManager
extends Object
Unmarshalls an SNS message and validates it using the SNS public certificate.
解决方案2
1 2021-08-19 12:23:33
Perhaps adding a snippet for isMessageSignatureVersion1Valid() would help as well?也许为isMessageSignatureVersion1Valid()添加一个片段也会有所帮助?
解决方案3
0 2022-08-26 11:18:30
For latest version of SNS SDK at the moment 1.12.286 - signature verification is done automatically during message deserialization to SnsMessage object.对于最新版本的 SNS SDK 目前1.12.286 - 在消息反序列化到SnsMessage object 期间自动完成签名验证。
You can use SnsMessageManager#parseMessage to deserialize incoming message to SnsMessage object.您可以使用SnsMessageManager#parseMessage将传入消息反序列化为 SnsMessage object。
From SNS SDK javadoc :来自 SNS SDK javadoc :
Unmarshalls a message into a subclass of SnsMessage.
It's clear from SNS SDK source code as well:从 SNS SDK 源代码中也很清楚:
SnsMessageManager#parseMessage -> SignatureVerifier#verifySignature
So something like this will work:所以这样的事情会起作用:
InputStream messageInputStream = "<message received from SNS>"
SnsMessage snsMessage = new SnsMessageManager().parseMessage(messageInputStream)
See this part of SNS documentation is useful for signature verification details.有关签名验证的详细信息,请参阅SNS 文档的这一部分。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.