[英]SNS verification using the AWS SDK for Java, version 2
I use AWS SDK for Java 2.x, dependency software.amazon.awssdk:sns我将 AWS SDK 用于 Java 2.x,依赖软件.amazon.awssdk:sns
I receive message from sns topic via http.我通过 http 收到来自 sns 主题的消息。 I'm wondering if there're any official or non-official but well-supported libraries that can do verification of signature.我想知道是否有任何官方或非官方但得到良好支持的库可以验证签名。
I've implemented verification using code snippets from https://docs.aws.amazon.com/sns/latest/dg/sns-example-code-endpoint-java-servlet.html , but perhaps better solution is existing我已经使用https://docs.aws.amazon.com/sns/latest/dg/sns-example-code-endpoint-java-servlet.html中的代码片段实现了验证,但可能存在更好的解决方案
public void verifySignature(SnsMessage message) {
String signatureVersion = message.getSignatureVersion();
if (signatureVersion.equals("1")) {
// Check the signature and throw an exception if the signature verification fails.
if (isMessageSignatureVersion1Valid(message)) {
log.info("Signature verification succeeded");
} else {
log.info("Signature verification failed");
throw new SecurityException("Signature verification failed.");
}
} else {
log.info("Unexpected signature version. Unable to verify signature.");
throw new SecurityException("Unexpected signature version. Unable to verify signature.");
}
}
At the time of writing (August 2021) AWS SDK for Java 2.x doesn't yet support all the features of AWS SDK for Java 1.x. At the time of writing (August 2021) AWS SDK for Java 2.x doesn't yet support all the features of AWS SDK for Java 1.x. But fortunately, you can use them side-by-side.但幸运的是,您可以并排使用它们。 Quote from the official documentation :引用官方文档:
You can use both versions of the AWS SDK for Java in your projects.您可以在项目中为 Java 使用 AWS SDK 的两个版本。
And in 1.x you have SnsMessageManager that apparently does the job:在 1.x 中,您有SnsMessageManager显然可以完成这项工作:
public class SnsMessageManager公共 class SnsMessageManager
extends Object扩展 Object
Unmarshalls an SNS message and validates it using the SNS public certificate.解组 SNS 消息并使用 SNS 公共证书对其进行验证。
Perhaps adding a snippet for isMessageSignatureVersion1Valid()
would help as well?也许为isMessageSignatureVersion1Valid()
添加一个片段也会有所帮助?
For latest version of SNS SDK at the moment 1.12.286 - signature verification is done automatically during message deserialization to SnsMessage object.对于最新版本的 SNS SDK 目前1.12.286 - 在消息反序列化到SnsMessage object 期间自动完成签名验证。
You can use SnsMessageManager#parseMessage to deserialize incoming message to SnsMessage object.您可以使用SnsMessageManager#parseMessage将传入消息反序列化为 SnsMessage object。
From SNS SDK javadoc :来自 SNS SDK javadoc :
Unmarshalls a message into a subclass of SnsMessage.将消息解组为 SnsMessage 的子类。 This will automatically validate the authenticity of the mesage to ensure it was sent by SNS.这将自动验证消息的真实性,以确保它是由 SNS 发送的。 If the validity of the message cannot be verified an exception will be thrown.如果无法验证消息的有效性,则会抛出异常。 Params: messageBody – Input stream containing message JSON.参数:messageBody – 输入 stream 包含消息 JSON。 Returns: Unmarshalled message object.返回:未编组的消息 object。
It's clear from SNS SDK source code as well:从 SNS SDK 源代码中也很清楚:
SnsMessageManager#parseMessage -> SignatureVerifier#verifySignature
So something like this will work:所以这样的事情会起作用:
InputStream messageInputStream = "<message received from SNS>"
SnsMessage snsMessage = new SnsMessageManager().parseMessage(messageInputStream)
See this part of SNS documentation is useful for signature verification details.有关签名验证的详细信息,请参阅SNS 文档的这一部分。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.