Twilio - 验证传入回调请求 - Java

时间:2015-12-04 21:54:51

标签: java validation callback twilio

当Twilio调用回调方法来获取TwiML< Say>对于Voice,我看到Twilio在HTTP标头中设置了“x-twilio-signature”。

我需要验证实际请求来自Twilio。

我在Tomcat上运行了一个简单的war文件,该应用程序是使用Spring构建的。

我做了类似以下的事情:

//Get the TwilioUtils object initialized
TwilioUtils twilioUtils = new TwilioUtils("******myAuthToken");

//Get the URL from HttpRequest
String url = httpRequest.getRequestURL().toString();
Map<String, String> allRequestParams = getAllRequestParams(httpRequest);
Map<String, String> headers = getAllRequestHeaders(httpRequest);

//Get the signature generated for the Url and request parameters 
//allRequestParams is a map of all request values posted to my service by Twilio
String validSig = twilioUtils.getValidationSignature(url, allRequestParams);

//Get the x-twilio-signature value from the http header map
String xTwilioSignature = headers.get("x-twilio-signature”);

//This is different from what I get below
logger.info("validSig = " + validSig);
logger.info("xTwilioSignature = " + xTwilioSignature );
//This is always false
logger.info("Signature matched : " +  twilioUtils.validateRequest(xTwilioSignature, url,
   allRequestParams));

我想知道我做错了什么。我验证“x-twilio-signature”的方法不正确吗?

如果不正确,那么正确的做法是什么?

我正在使用Twilio提供的帮助程序库类TwilioUtils来验证它。

Twilio的签名与TwilioUtils对象的签名不同。

1 个答案:

答案 0 :(得分:0)

来自Twilio的梅根在这里。

您是否按照security documentation中建议的步骤进行了操作?

validateRequest期待三个论点。我相信你错过了那里的网址。

考虑这个例子:

public class TwilioUtilsExample {

    public static void main(String[] args) {

        // Account details
        String accountSid = "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
        String authToken = "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY";

        //This is the signature we expect
        String expected_sig = "SSSSSSSSSSSSSSSSSSSSSSSSSSSS";

        //This is the url that twilio requested
        String url = "http://UUUUUUUUUUUUUUU";

        //These are the post params twilio sent in its request
        Map<String,String> params = new HashMap<String,String>();

        // Be sure to see the signing notes at twilio.com/docs/security
        TwilioUtils util = new TwilioUtils(authToken, accountSid);

        boolean result = util.validateRequest(expected_sig, url, params);

        if (result) {
            System.out.print( "The signature is valid!\n" );
        } else {
            System.out.print( "The signature was NOT VALID.  It might have been spoofed!\n" );
        }

    }

}

希望这有用!

相关问题
最新问题