Twilio - Validating incoming callback requests - Java



When Twilio calls the callback method to fetch the TwiML <Say> for Voice, I see that Twilio sets "X-Twilio-Signature" in the HTTP header.

I need to verify that the request actually came from Twilio.

I have a simple war file running on Tomcat; the application is built with Spring.

I did something like the following:

//Get the TwilioUtils object initialized
TwilioUtils twilioUtils = new TwilioUtils("******myAuthToken");
//Get the URL from HttpRequest
String url = httpRequest.getRequestURL().toString();
Map<String, String> allRequestParams = getAllRequestParams(httpRequest);
Map<String, String> headers = getAllRequestHeaders(httpRequest);
//Get the signature generated for the Url and request parameters
//allRequestParams is a map of all request values posted to my service by Twilio
String validSig = twilioUtils.getValidationSignature(url, allRequestParams);
//Get the x-twilio-signature value from the http header map
String xTwilioSignature = headers.get("x-twilio-signature");
//This is different from what I get below
logger.info("validSig = " + validSig);
logger.info("xTwilioSignature = " + xTwilioSignature);
//This is always false
logger.info("Signature matched : " + twilioUtils.validateRequest(xTwilioSignature, url,
   allRequestParams));

I would like to know what I am doing wrong. Is my way of verifying "X-Twilio-Signature" incorrect?

If it is incorrect, what is the right way?

I am using the helper library class TwilioUtils provided by Twilio to verify it.

The signature coming from Twilio is always different from the signature I get from the TwilioUtils object.

Megan from Twilio here.

Have you followed the steps recommended in the security documentation?

validateRequest takes three parameters. I believe you are missing the URL there.

Consider this example:

import java.util.HashMap;
import java.util.Map;
// TwilioUtils lives in the twilio-java helper library (3.x package name)
import com.twilio.sdk.TwilioUtils;

public class TwilioUtilsExample {
    public static void main(String[] args) {
        // Account details
        String accountSid = "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
        String authToken = "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY";
        //This is the signature we expect (the X-Twilio-Signature header value)
        String expected_sig = "SSSSSSSSSSSSSSSSSSSSSSSSSSSS";
        //This is the url that twilio requested
        String url = "http://UUUUUUUUUUUUUUU";
        //These are the post params twilio sent in its request
        Map<String,String> params = new HashMap<String,String>();
        // Be sure to see the signing notes at twilio.com/docs/security
        TwilioUtils util = new TwilioUtils(authToken, accountSid);
        boolean result = util.validateRequest(expected_sig, url, params);
        if (result) {
            System.out.print("The signature is valid!\n");
        } else {
            System.out.print("The signature was NOT VALID.  It might have been spoofed!\n");
        }
    }
}

Hope this helps!
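To see why the helper's signature can differ from the header, it helps to recompute the value independently. The block below is an added example, not code from the question or from Twilio's library: it reimplements the signing scheme the security docs describe (full URL including query string, then sorted POST parameter names and values appended with no delimiters, HMAC-SHA1 with the auth token, base64) and shows which mismatches in the URL or parameters make validation fail. The token, URL and parameter values are constructed placeholders.

```python
import base64
import hashlib
import hmac


def twilio_signature(auth_token: str, url: str, post_params: dict) -> str:
    """Signature as described at twilio.com/docs/security: URL (with query
    string) + name/value of every POST param in sorted order, HMAC-SHA1
    keyed with the auth token, base64-encoded."""
    data = url + "".join(k + v for k, v in sorted(post_params.items()))
    mac = hmac.new(auth_token.encode("utf-8"), data.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def validate_request(auth_token: str, url: str, post_params: dict, header_sig: str) -> bool:
    """True only if the X-Twilio-Signature header matches the local value.
    Compared as bytes in constant time, so a missing or odd header is just False."""
    expected = twilio_signature(auth_token, url, post_params).encode("ascii")
    return hmac.compare_digest(expected, (header_sig or "").encode("utf-8"))


# Constructed sample request; the token is a placeholder, not a real secret.
SAMPLE_TOKEN = "placeholder-auth-token"
SAMPLE_URL = "https://example.com/voice?foo=1&bar=2"
SAMPLE_PARAMS = {"CallSid": "CA00000000000000000000000000000000",
                 "From": "+15005550006", "To": "+15005550001", "Digits": "1234"}


def demo() -> dict:
    sig = twilio_signature(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS)  # what Twilio would send
    return {
        "genuine": validate_request(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS, sig),
        # URL reconstructed as http:// although Twilio signed https:// (e.g. TLS
        # terminated in front of Tomcat): the signed string differs, check fails.
        "scheme_mismatch": validate_request(
            SAMPLE_TOKEN, SAMPLE_URL.replace("https://", "http://"), SAMPLE_PARAMS, sig),
        # Query string dropped: servlet getRequestURL() does not include it.
        "query_dropped": validate_request(
            SAMPLE_TOKEN, SAMPLE_URL.split("?")[0], SAMPLE_PARAMS, sig),
        "tampered_param": validate_request(
            SAMPLE_TOKEN, SAMPLE_URL, {**SAMPLE_PARAMS, "Digits": "9999"}, sig),
        "wrong_token": validate_request("other-token", SAMPLE_URL, SAMPLE_PARAMS, sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} valid={ok}")
```

Computing the value this way next to the helper's output makes it easy to spot whether the URL string (scheme, host, port, query string) or the parameter set is what differs.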
