Twilio - Validating Incoming Callback Request - Java
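When Twilio invokes the callback method to fetch the TwiML for voice, I see that Twilio sets "x-twilio-signature" in the HTTP header.
I need to validate that the actual request came from Twilio.
I have a simple war file running on Tomcat, and the app is built using Spring.
I did something like the following: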
// Get the TwilioUtils object initialized
TwilioUtils twilioUtils = new TwilioUtils("******myAuthToken");
// Get the URL from HttpRequest
String url = httpRequest.getRequestURL().toString();
Map<String, String> allRequestParams = getAllRequestParams(httpRequest);
Map<String, String> headers = getAllRequestHeaders(httpRequest);
// Get the signature generated for the URL and request parameters
// allRequestParams is a map of all request values posted to my service by Twilio
String validSig = twilioUtils.getValidationSignature(url, allRequestParams);
// Get the x-twilio-signature value from the HTTP header map
String xTwilioSignature = headers.get("x-twilio-signature");
// This is different from what I get below
logger.info("validSig = " + validSig);
logger.info("xTwilioSignature = " + xTwilioSignature);
// This is always false
logger.info("Signature matched : " + twilioUtils.validateRequest(xTwilioSignature, url, allRequestParams));
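I would like to know what I am doing wrong. Is my approach to validating "x-twilio-signature" incorrect?
If it is incorrect, what is the right way to do it?
I am using the helper library class TwilioUtils provided by Twilio to validate it.
The signature from Twilio is always different from the one I get from the TwilioUtils object.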
Megan from Twilio here.
Did you follow the steps suggested in the security documentation?
validateRequest expects three arguments. I believe you are missing the url there.
Consider this example:
import java.util.HashMap;
import java.util.Map;

import com.twilio.sdk.TwilioUtils;

public class TwilioUtilsExample {
    public static void main(String[] args) {
        // Account details
        String accountSid = "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
        String authToken = "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY";
        // This is the signature we expect
        String expected_sig = "SSSSSSSSSSSSSSSSSSSSSSSSSSSS";
        // This is the url that twilio requested
        String url = "http://UUUUUUUUUUUUUUU";
        // These are the post params twilio sent in its request
        Map<String, String> params = new HashMap<String, String>();
        // Be sure to see the signing notes at twilio.com/docs/security
        TwilioUtils util = new TwilioUtils(authToken, accountSid);
        boolean result = util.validateRequest(expected_sig, url, params);
        if (result) {
            System.out.print("The signature is valid!\n");
        } else {
            System.out.print("The signature was NOT VALID. It might have been spoofed!\n");
        }
    }
}
Hope this helps!
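An added example, not part of the original question or answer and not Twilio's library code: it recomputes the signature by hand following Twilio's documented scheme (full request URL, POST parameters appended in name-sorted order, HMAC-SHA1 keyed with the auth token, Base64) and shows that a URL differing from the one Twilio requested yields a different signature. The token, parameters, URLs and the proxy deployment are constructed assumptions; `HttpServletRequest.getRequestURL()` omits the query string, which is one way such a difference arises.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;

public class TwilioSignatureCheck {

    // URL first, then every POST parameter name and value appended in
    // name-sorted order; HMAC-SHA1 with the auth token; Base64 of the digest.
    static String sign(String authToken, String url, Map<String, String> params) throws Exception {
        StringBuilder data = new StringBuilder(url);
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            data.append(e.getKey()).append(e.getValue());
        }
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(authToken.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        byte[] digest = mac.doFinal(data.toString().getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Constant-time comparison; a request without the header is rejected.
    static boolean matches(String headerValue, String expected) {
        if (headerValue == null) return false;
        return MessageDigest.isEqual(headerValue.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String authToken = "constructed-test-token"; // constructed, not a real token
        Map<String, String> params = Map.of(         // constructed sample parameters
                "CallSid", "CAconstructed", "From", "+15550100", "To", "+15550101");

        // The URL Twilio was told to call versus what the servlet container may
        // report behind a TLS-terminating proxy (assumed deployment).
        String publicUrl = "https://example.com/voice?tenant=1";
        String servletUrl = "http://example.com:8080/voice";

        // Stands in for the X-Twilio-Signature header Twilio would send.
        String header = sign(authToken, publicUrl, params);

        System.out.println("public URL matches:  " + matches(header, sign(authToken, publicUrl, params)));
        System.out.println("servlet URL matches: " + matches(header, sign(authToken, servletUrl, params)));
    }
}
```

Logging the exact URL and the sorted parameter string fed into the HMAC on the receiving side is a quick way to see which input differs when validation fails.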