1. Preface
In the previous article, we successfully configured and enabled the server settings, and WeChat confirmed that our server is valid.
However, another problem remains: how can we confirm that the messages we receive are legitimate, that is, that they were sent by WeChat rather than forged?
This requires us to verify that each message really comes from the WeChat server.
2. Build the project
We need a project to hold the code related to WeChat development.
2.1 Building a Spring Boot project
Build a Spring Boot project using Maven, and configure pom.xml as follows.
Note that we have introduced Weixin Java MP, an open-source WeChat Java SDK with a high star count on GitHub. Using this SDK greatly improves our development efficiency, because we do not have to build a wheel from scratch.
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.5.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>cn.pandabrother</groupId>
    <artifactId>wx-server</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>war</packaging>
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
        <maven-jar-plugin.version>3.0.0</maven-jar-plugin.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
        </dependency>
        <!-- WeChat official account -->
        <dependency>
            <groupId>com.github.binarywang</groupId>
            <artifactId>weixin-java-mp</artifactId>
            <version>4.1.0</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
2.2 Preparing the configuration file
Write the application.yml configuration file as follows, so that our project starts on port 80 and the root path for accessing the project is /wx-server.
server:
  port: 80 # port
  servlet:
    context-path: /wx-server
2.3 Writing the startup class
The startup class is written as follows to quickly start our project:
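import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/**
 * Spring Boot startup class
 */
@SpringBootApplication
public class WxServerApplication {
    public static void main(String[] args) {
        SpringApplication.run(WxServerApplication.class, args);
    }
}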
3. Verifying that messages come from WeChat
3.1 Get the official account parameters
Enter the [Basic configuration] menu and note down the following parameters, which need to be configured in our code.
3.2 Developing the public platform configuration
The configuration class for the WeChat public platform is developed as follows. Note that the parameters in the above figure need to be filled in the following code.
This class has two purposes. The first is to register the wxMpDefaultConfigImpl component, which stores the parameters of the WeChat public platform.
The second is to register the wxMpService component, which is used to call the SDK's encapsulated methods, such as the message verification method required in this article.
import me.chanjar.weixin.mp.api.WxMpService;
import me.chanjar.weixin.mp.api.impl.WxMpServiceImpl;
import me.chanjar.weixin.mp.config.impl.WxMpDefaultConfigImpl;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * WeChat public platform configuration
 */
@Configuration
public class WxMpConfig {
    @Bean
    public WxMpDefaultConfigImpl wxMpDefaultConfigImpl() {
        WxMpDefaultConfigImpl config = new WxMpDefaultConfigImpl();
        config.setAppId("");  // Set the appid of the WeChat official account
        config.setSecret(""); // Set the app secret of the WeChat official account
        config.setToken("");  // Set the token of the WeChat official account
        config.setAesKey(""); // Set the EncodingAESKey of the WeChat official account
        return config;
    }

    @Bean
    public WxMpService wxMpService() {
        // In a real project, keep this a singleton and do not construct a new
        // instance on every request. For details, refer to the demo project.
        WxMpService wxMpService = new WxMpServiceImpl();
        wxMpService.setWxMpConfigStorage(wxMpDefaultConfigImpl());
        return wxMpService;
    }
}
3.3 Calling the message verification method
Inject wxMpService automatically and call its method to verify whether the message comes from WeChat.
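import me.chanjar.weixin.mp.api.WxMpService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

/**
 * Verification controller
 */
@Controller
public class CheckController {
    @Autowired
    private WxMpService wxMpService;

    // Access verification
    @RequestMapping("/checkToken")
    @ResponseBody
    public String checkToken(@RequestParam("signature") String signature,
                             @RequestParam("timestamp") String timestamp,
                             @RequestParam("nonce") String nonce,
                             @RequestParam("echostr") String echostr) {
        if (!wxMpService.checkSignature(timestamp, nonce, signature)) {
            // The message is illegal
            return "The message is illegal";
        }
        // The message is legal
        return echostr;
    }
}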
By calling the checkSignature method, we can determine that the message comes from WeChat rather than from a malicious impersonator. To ensure security, every message from WeChat should be verified, not just the access verification request.
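What the signature check amounts to, as an added example that is not part of the original article or of the WxJava code base: WeChat's documented scheme sorts the token, timestamp and nonce, concatenates them, and compares the SHA-1 hex digest with the signature parameter. The class name, method names and sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/** Added example: recomputes the WeChat callback signature by hand. */
public class SignatureCheckDemo {

    /** SHA-1 over the lexicographically sorted token, timestamp and nonce, as lowercase hex. */
    static String sign(String token, String timestamp, String nonce) throws NoSuchAlgorithmException {
        String[] parts = {token, timestamp, nonce};
        Arrays.sort(parts);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        byte[] digest = sha1.digest(String.join("", parts).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Rejects missing parameters and compares the digests in constant time. */
    static boolean verify(String token, String timestamp, String nonce, String signature)
            throws NoSuchAlgorithmException {
        if (timestamp == null || nonce == null || signature == null) {
            return false;
        }
        byte[] expected = sign(token, timestamp, nonce).getBytes(StandardCharsets.UTF_8);
        byte[] received = signature.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values, not real credentials.
        String token = "example-token";
        String timestamp = "1700000000";
        String nonce = "123456789";

        String good = sign(token, timestamp, nonce);
        System.out.println("valid signature accepted: " + verify(token, timestamp, nonce, good));
        // Changing any signed field must invalidate the signature.
        System.out.println("altered nonce rejected:   " + !verify(token, timestamp, "987654321", good));
        // A sender that does not know the token cannot produce a matching value.
        System.out.println("wrong token rejected:     " + !verify("guess", timestamp, nonce, good));
    }
}
```

The signature covers only the token, timestamp and nonce, so it vouches for the origin of the request and not for the content of the request body.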
4. Summary
This article introduced how to use WxJava, an open-source SDK, to quickly implement verification that messages come from the WeChat servers.