Wechat public platform development - verify that the message does come from the wechat server

Keywords: Java Spring Boot wechat

1. Preface

In the previous article, we have successfully configured and enabled the server information. Wechat officials have confirmed that our server is legal.

However, there is another problem, that is, how can we confirm that the messages we receive are legitimate, that is, how can we confirm that the messages we receive are sent by wechat rather than forged?

This requires us to verify whether the message really comes from the wechat server.

2. Build the project

We need a project to put the code related to wechat development into it.

2.1 building a SpringBoot project

Build a Spring Boot project using Maven, and then pom.xml is configured as follows.

It should be noted that we have introduced Weixin Java MP, an open-source encapsulated wechat Java SDK and GitHub high star project. Our introduction of this SDK can greatly improve our development efficiency without building a wheel from scratch.

<project xmlns="http://maven.apache.org/POM/4.0.0"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
		<relativePath /> <!-- lookup parent from repository -->
		<!-- WeChat official account -->

2.2 preparation of configuration files

Write the applicaiton.yml configuration file as follows, so our project starts from port 80, and the root path to access the project is / Wx server

   port: 80 #port
      context-path: /wx-server

2.3 writing startup classes

The startup class is written as follows to quickly start our project:

 * SpringBoot Startup class
public class WxServerApplication {
	public static void main(String[] args) {
		SpringApplication.run(WxServerApplication.class, args);

3. The verification message comes from wechat

3.1 get official account number.

Enter the [basic configuration] menu and memorize the following parameters, which need to be configured into our code.

3.2 development of public platform configuration

The configuration class of wechat public platform is developed as follows. Note that the parameters in the above figure need to be filled in the following code.

This class has two purposes. The first is to register the wxMpDefaultConfigImpl component, which saves the parameters of wechat public platform.

The second is to register the wxMpService component, which is used to call encapsulated methods, such as the method of verifying messages required in this article.

 * Wechat public platform configuration
public class WxMpConfig {

	public WxMpDefaultConfigImpl wxMpDefaultConfigImpl() {
		WxMpDefaultConfigImpl config = new WxMpDefaultConfigImpl();
		config.setAppId(""); // Set up appid for WeChat official account.
		config.setSecret(""); // Setting up app corpSecret of WeChat official account
		config.setToken(""); // Set up token for WeChat official account.
		config.setAesKey(""); // Set up EncodingAESKey for WeChat official account.
		return config;

	public WxMpService wxMpService() {
		WxMpService wxMpService = new WxMpServiceImpl();// In the actual project, please note that you should keep the singleton and do not construct the instance every time you request. For details, please refer to the demo project
		return wxMpService;

3.3 call of verification message method

Automatically injecting wxMpService and calling its method to verify whether the message comes from WeChat.

 * Verify controller
public class CheckController {
	private WxMpService wxMpService;

	// Access verification
	public String checkToken(@RequestParam("signature") String signature, @RequestParam("timestamp") String timestamp, @RequestParam("nonce") String nonce, @RequestParam("echostr") String echostr) {
		if (!wxMpService.checkSignature(timestamp, nonce, signature)) {
			// The message is illegal
			return "The message is illegal";
		// Message legal
		return echostr;

By calling the checkSignature method, we can determine that the message is from wechat rather than maliciously disguised. If you want to ensure security, all messages from wechat should be verified, not just for access verification.

4. Summary

This paper introduces how to quickly use WxJava, an open source SDK, to quickly realize the function of verifying that messages come from wechat servers.

Posted by Dat on Sat, 25 Sep 2021 04:01:06 -0700