Token, Timestamp, and Sign: Implementing Secure API Authentication with Spring Boot and Redis
This article explains the concepts of token, timestamp, and sign, describes how they are used together to secure API calls, shows how to prevent duplicate submissions, and provides complete Spring Boot code examples—including Redis configuration, interceptors, utilities, and ThreadLocal handling—for building a robust backend authentication system.
1. Token Overview Token (access token) is an identifier issued by the server after a client provides an appId and key; it reduces the need to transmit username and password repeatedly. Tokens are stored in Redis (usually as UUIDs) and can be of two types: API Token for public endpoints and USER Token for authenticated user actions.
2. Timestamp Overview Timestamp is the current epoch time sent with each request to mitigate DoS attacks. The server checks the time difference against a configurable window (e.g., 5 minutes) and rejects requests that fall outside this range.
3. Sign Overview Sign is a cryptographic signature generated by concatenating sorted request parameters, token, timestamp, nonce, and a secret key, then applying MD5. It ensures request parameters cannot be tampered with without knowledge of the secret key.
4. Preventing Duplicate Submissions By storing the sign in Redis with an expiration equal to the request timeout, the system can detect and reject repeated submissions of the same request.
5. Usage Flow The client obtains an API token using appId, timestamp, and sign, then calls public APIs. For protected APIs, the client logs in to receive a USER token and includes token, timestamp, nonce, and sign in each request.
6. Example Code
Dependency
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
<groupId>redis.clients</groupId>
<artifactId>jedis</artifactId>
<version>2.9.0</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>RedisConfiguration
@Configuration
public class RedisConfiguration {
@Bean
public JedisConnectionFactory jedisConnectionFactory(){
return new JedisConnectionFactory();
}
@Bean
public RedisTemplate<String, String> redisTemplate(){
RedisTemplate<String, String> redisTemplate = new StringRedisTemplate();
redisTemplate.setConnectionFactory(jedisConnectionFactory());
Jackson2JsonRedisSerializer jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer(Object.class);
ObjectMapper objectMapper = new ObjectMapper();
objectMapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
objectMapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
jackson2JsonRedisSerializer.setObjectMapper(objectMapper);
redisTemplate.setValueSerializer(jackson2JsonRedisSerializer);
redisTemplate.afterPropertiesSet();
return redisTemplate;
}
}TokenController
@Slf4j
@RestController
@RequestMapping("/api/token")
public class TokenController {
@Autowired
private RedisTemplate redisTemplate;
@PostMapping("/api_token")
public ApiResponse<AccessToken> apiToken(String appId,
@RequestHeader("timestamp") String timestamp,
@RequestHeader("sign") String sign) {
Assert.isTrue(!StringUtils.isEmpty(appId) && !StringUtils.isEmpty(timestamp) && !StringUtils.isEmpty(sign), "参数错误");
long reqeustInterval = System.currentTimeMillis() - Long.valueOf(timestamp);
Assert.isTrue(reqeustInterval < 5 * 60 * 1000, "请求过期,请重新请求");
AppInfo appInfo = new AppInfo("1", "12345678954556");
String signString = timestamp + appId + appInfo.getKey();
String signature = MD5Util.encode(signString);
Assert.isTrue(signature.equals(sign), "签名错误");
AccessToken accessToken = this.saveToken(0, appInfo, null);
return ApiResponse.success(accessToken);
}
@NotRepeatSubmit(5000)
@PostMapping("user_token")
public ApiResponse<UserInfo> userToken(String username, String password) {
UserInfo userInfo = new UserInfo(username, "81255cb0dca1a5f304328a70ac85dcbd", "111111");
String pwd = password + userInfo.getSalt();
String passwordMD5 = MD5Util.encode(pwd);
Assert.isTrue(passwordMD5.equals(userInfo.getPassword()), "密码错误");
AppInfo appInfo = new AppInfo("1", "12345678954556");
AccessToken accessToken = this.saveToken(1, appInfo, userInfo);
userInfo.setAccessToken(accessToken);
return ApiResponse.success(userInfo);
}
private AccessToken saveToken(int tokenType, AppInfo appInfo, UserInfo userInfo) {
String token = UUID.randomUUID().toString();
Calendar calendar = Calendar.getInstance();
calendar.setTime(new Date());
calendar.add(Calendar.SECOND, 7200);
Date expireTime = calendar.getTime();
ValueOperations<String, TokenInfo> operations = redisTemplate.opsForValue();
TokenInfo tokenInfo = new TokenInfo();
tokenInfo.setTokenType(tokenType);
tokenInfo.setAppInfo(appInfo);
if (tokenType == 1) {
tokenInfo.setUserInfo(userInfo);
}
operations.set(token, tokenInfo, 7200, TimeUnit.SECONDS);
return new AccessToken(token, expireTime);
}
public static void main(String[] args) {
long timestamp = System.currentTimeMillis();
System.out.println(timestamp);
String signString = timestamp + "1" + "12345678954556";
String sign = MD5Util.encode(signString);
System.out.println(sign);
}
}WebMvcConfiguration
@Configuration
public class WebMvcConfiguration extends WebMvcConfigurationSupport {
private static final String[] excludePathPatterns = {"/api/token/api_token"};
@Autowired
private TokenInterceptor tokenInterceptor;
@Override
public void addInterceptors(InterceptorRegistry registry) {
super.addInterceptors(registry);
registry.addInterceptor(tokenInterceptor)
.addPathPatterns("/api/**")
.excludePathPatterns(excludePathPatterns);
}
}TokenInterceptor
@Component
public class TokenInterceptor extends HandlerInterceptorAdapter {
@Autowired
private RedisTemplate redisTemplate;
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
String token = request.getHeader("token");
String timestamp = request.getHeader("timestamp");
String nonce = request.getHeader("nonce");
String sign = request.getHeader("sign");
Assert.isTrue(!StringUtils.isEmpty(token) && !StringUtils.isEmpty(timestamp) && !StringUtils.isEmpty(sign), "参数错误");
NotRepeatSubmit notRepeatSubmit = ApiUtil.getNotRepeatSubmit(handler);
long expireTime = notRepeatSubmit == null ? 5 * 60 * 1000 : notRepeatSubmit.value();
long reqeustInterval = System.currentTimeMillis() - Long.valueOf(timestamp);
Assert.isTrue(reqeustInterval < expireTime, "请求超时,请重新请求");
ValueOperations<String, TokenInfo> tokenRedis = redisTemplate.opsForValue();
TokenInfo tokenInfo = tokenRedis.get(token);
Assert.notNull(tokenInfo, "token错误");
String signString = ApiUtil.concatSignString(request) + tokenInfo.getAppInfo().getKey() + token + timestamp + nonce;
String signature = MD5Util.encode(signString);
Assert.isTrue(signature.equals(sign), "签名错误");
if (notRepeatSubmit != null) {
ValueOperations<String, Integer> signRedis = redisTemplate.opsForValue();
boolean exists = redisTemplate.hasKey(sign);
Assert.isTrue(!exists, "请勿重复提交");
signRedis.set(sign, 0, expireTime, TimeUnit.MILLISECONDS);
}
return super.preHandle(request, response, handler);
}
}Utility Classes (MD5Util, NotRepeatSubmit, ApiUtil, ApiResponse, etc.) – Full source code is provided in the original article and is kept unchanged within the ... blocks.
7. ThreadLocal A ThreadLocal utility is shown to store request‑scoped data (e.g., the current user) without passing it through method parameters.
Conclusion The article presents a complete, production‑ready example of token‑based API authentication, covering token generation, timestamp validation, request signing, duplicate‑submission protection, and thread‑local context handling, suitable for secure backend services built with Spring Boot.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.