基于Volley,Gson封装支持JWT无状态安全验证和数据防篡改的GsonRequest网络请求类

androidVolleyJWT框架网络 
这段时间做新的Android项目的客户端和和REST API通讯框架架构设计,使用了很多新技术,最终的方案也相当简洁优雅,客户端只需要传Java对象,服务器端返回json字符串,自动解析成Java对象, 无状态安全验证基于JWT实现,JWT规范的细节可以参考我前面的文章。JWT的token和数据防篡改签名统一放在HTTP Header中,这样就实现了对请求内容和返回结果的无侵入性,服务器端也可以在全局过滤器中统一处理安全验证。
Android客户端使用了Volley网络请求框架和Gson解析库,基于这2个Goolge的框架封装了自己的GsonRequest网络请求基类, 网络请求类没有做特别处理,网络response返回消息,做了个带泛型的基类,统一处理错误码,消息和返回结果,Android端的代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
package com.zxt.network;

/**
 * HTTP返回基类,返回正确结果status>0,错误结果status<0,
 * message为服务器端返回消息,客户端直接显示
 * T data为返回的json对象或数组,自动解析为Java对象
 * errorCodes为服务器端返回的Dubbo接口错误码,逗号分隔,仅做调试用途
 * Created by zhangxitao on 15/8/17.
 */
public class BaseResponse<T> {
    public int status;
    public String message;
    public String errorCodes;
    public T data ;

    public int getStatus() {
        return status;
    }

    public void setStatus(int status) {
        this.status = status;
    }

    public String getMessage() {
        return message;
    }

    public void setMessage(String message) {
        this.message = message;
    }

    public String getErrorCodes() {
        return errorCodes;
    }

    public void setErrorCodes(String errorCodes) {
        this.errorCodes = errorCodes;
    }

    public T getData() {
        return data;
    }

    public void setData(T data) {
        this.data = data;
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
package com.zxt.network;

import android.text.TextUtils;
import android.util.Log;

import com.android.volley.AuthFailureError;
import com.android.volley.NetworkResponse;
import com.android.volley.ParseError;
import com.android.volley.Request;
import com.android.volley.Response;
import com.android.volley.Response.ErrorListener;
import com.android.volley.Response.Listener;
import com.android.volley.toolbox.HttpHeaderParser;
import com.google.gson.Gson;
import com.qianmi.qmpos.AppConfig;

import java.io.UnsupportedEncodingException;
import java.util.HashMap;
import java.util.Map;

/**
 * Gson请求类,传入请求对象和返回类名,返回解析好的对象,封装JWT安全验证,数据签名
 * @param <T>
 */
public class GsonRequest<T> extends Request<T> {

    private static final String TAG = "GsonRequest";

    private final Listener<T> mListener;

    private Gson mGson;

    private Class<T> mClass;
    private Object mRequest;
    private String mBody;

    public GsonRequest(int method, String url, Object request, Class<T> clazz, Listener<T> listener, ErrorListener errorListener) {
        super(method, url, errorListener);
        mGson = new Gson();
        mClass = clazz;
        mListener = listener;
        mRequest = request;
        if (null != request) {
            mBody = mGson.toJson(mRequest);
        }
    }

    public GsonRequest(String url, Object request, Class<T> clazz, Listener<T> listener, ErrorListener errorListener) {
        this(Method.POST, url, request, clazz, listener, errorListener);
        Log.d(TAG, "-----url is:" + url);
    }

    @Override
    public byte[] getBody() throws AuthFailureError {
        if (null == mRequest) {
            return null;
        }
        Log.d(TAG, "-----request json: " + mBody);
        return mBody.getBytes();
    }

    @Override
    protected Response<T> parseNetworkResponse(NetworkResponse response) {
        try {
            String jsonString = new String(response.data, HttpHeaderParser.parseCharset(response.headers));
            return Response.success(mGson.fromJson(jsonString, mClass), HttpHeaderParser.parseCacheHeaders(response));
        } catch (UnsupportedEncodingException e) {
            return Response.error(new ParseError(e));
        }
    }

    @Override
    protected void deliverResponse(T response) {
        mListener.onResponse(response);
        Log.i(TAG, "-----response:" + new Gson().toJson(response));
    }

    @Override
    public Map<String, String> getHeaders() throws AuthFailureError {
        HashMap<String, String> extraHeaders = new HashMap<>();
        extraHeaders.put("Content-Type", "application/json");
        extraHeaders.put("Accept", "application/json");

        //Data Sign
        if (!TextUtils.isEmpty(mBody)) {
            extraHeaders.put("Sign", MD5Util.stringToMD5(AppConfig.SIGN_SECRET + mBody + <span style="font-family: Arial, Helvetica, sans-serif;">AppConfig.SIGN_SECRET </span><span style="font-family: Arial, Helvetica, sans-serif;">));</span>
        }
        //JWT token
        if (!TextUtils.isEmpty(AppConfig.TOKEN)) {
            extraHeaders.put("Authorization", "Bearer " + AppConfig.TOKEN);
        }
        Log.d(TAG, "-----extra headers: " + extraHeaders.toString());

        return extraHeaders;
    }
}

一个简单的调用例子

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
  LoginRequest loginRequest = new LoginRequest();
 
        loginRequest.setNickName(username);
        loginRequest.setPassword(RSAUtils.getEncryptPwd(password));

        Request request = new GsonRequest<LoginResponse>(
               AppConfig.SERVER_URL + "/login",loginRequest, LoginResponse.class,
                new Response.Listener<LoginResponse>() {
                    @Override
                    public void onResponse(LoginResponse resp) {
                        L.d("TAG", "user is " + resp.data);
                        //TODO 

                    }
                }, new Response.ErrorListener() {
            @Override
            public void onErrorResponse(VolleyError error) {
                Log.e("TAG", error.getMessage(), error);
            }
        });
mVolleyQueve.add(request)

服务器端使用Spring Boot,Spring MVC, JPA,JWT等技术构建,同样的简洁优雅, Spring Boot微服务技术确实简化了接口的开发,可以做到零XML配置文件。由于暂时权限这边不够复杂,暂时没有引入Spring Security框架,安全验证通过一个全局的过滤器完成。API接口通过使用@RestController注解实现。具体的参考代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
import com.zxt.domain.BaseResponse;
import com.zxt.domain.pos.Device;
import com.zxt.service.DeviceService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/device")
public class DeviceController {

    @Autowired
    DeviceService deviceService;

    @RequestMapping("activate")
    @ResponseBody
    public BaseResponse activate(@RequestBody @Validated Device device) {

        try {
            this.deviceService.activateDevice(device);
        } catch (Exception e) {
            return new BaseResponse(-1,"activate failed");
        }

        return new BaseResponse(1,"device activated");
    }

}

Google Volley这个框架除了解决了频繁网络请求情景的性能问题之外,可定制性也是很强大的,通过定制我们自己的GsonRequest类,实现了对传输数据无侵入性的JWT安全验证和数据防篡改, 双向自动化的JSON解析能力,极大的简化了Android网络App的开发工作。

Title:基于Volley,Gson封装支持JWT无状态安全验证和数据防篡改的GsonRequest网络请求类

Author:offbye

Created:2015-08-18, 12:52:00

Updated:2016-05-13, 00:39:42

Full URL:http://offbye.com/2015/08/18/基于Volley,Gson封装支持JWT无状态安全验证和数据防篡改的GsonRequest网络请求类/

License: "CC BY-NC-SA 4.0" Keep Link & Author if Distribute.

CSDN原文: http://blog.csdn.net/offbye/article/details/47750175

CSDN PV:1260

Contents
,