
Ele.me Open Platform HTTP push signature verification rules

Published: 2025-05-27

 


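The application deserializes the received POST body as JSON.

Remove the signature field from the resulting JSON map object.

Iterate over the map object, format each entry as key=value, and store the resulting strings in an array.

Sort the array from the previous step in alphabetical order.

Concatenate all items of the sorted string array from the previous step.

Append the secret to the end of the string from the previous step.

Compute the MD5 hash of the string from the previous step.

Check whether the signature is correct.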

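Python example code:

```python
import hashlib
import hmac
import json


def verify_push(post_body, secret):
    # post_body: raw POST body bytes; secret: the application's secret
    message = json.loads(post_body.decode("utf-8"))
    # Take the signature out of the map before building the string to sign
    signature = message.pop("signature")
    data = []
    for k, v in message.items():
        data.append("{}={}".format(k, v))
    # Sort the key=value items, join them, then append the secret
    sorted_msg = sorted(data)
    string = "".join(sorted_msg)
    string = "{}{}".format(string, secret)
    # Uppercase hex MD5 digest of the assembled string
    hash_value = hashlib.md5(string.encode("utf-8")).hexdigest().upper()
    # Constant-time comparison of the computed and received signatures
    if hmac.compare_digest(hash_value.encode("utf-8"), str(signature).encode("utf-8")):
        print('{"message":"ok"}')
        return True
    return False
```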

Java example code:

```java
package eleme.openapi.demo;

import eleme.openapi.sdk.api.exception.ServiceException;
import eleme.openapi.sdk.utils.Md5Util;
import lombok.Data;

import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;

public class callback_signature {

    public static void main(String[] args) throws ServiceException {
        // Values containing X are masked on the page; substitute real values before compiling
        PostBody postBody = new PostBody();
        postBody.setMessage("{\"orderId\":\"806XXXX31367\",\"state\":\"valid\",\"shopId\":50XXXX80,\"updateTime\":1669789526,\"role\":3}");
        postBody.setType(12);
        postBody.setRequestId("300XXXXX0873");
        postBody.setShopId(50XXXX680L);
        postBody.setTimestamp(1669XXXXXX803L);
        postBody.setUserId(79232XXXX0321L);
        postBody.setAppId(XXXX);
        System.out.println(getSig(postBody, "XXXXXXX"));
    }

    private static String getSig(PostBody postBody, String secret) {
        // Collect the non-null fields; signature is unset here, so it is left out
        Map<String, Object> params = getValueMap(postBody);
        return generateSignature(params, secret);
    }

    public static String generateSignature(Map<String, Object> params, String secret) {
        // TreeMap keeps the entries sorted by key
        final Map<String, Object> sorted = new TreeMap<>();
        params.forEach((key, value) -> sorted.put(key, value));
        StringBuilder string = new StringBuilder();
        sorted.forEach((key, value) -> string.append(key + "=" + value));
        String splice = String.format("%s%s", string, secret);
        // Debug output; the spliced string ends with the secret, so do not log it in production
        System.out.println("splice: " + splice);
        String calculatedSignature = Md5Util.Md5(splice);
        return calculatedSignature.toUpperCase();
    }

    @Data
    public static class PostBody {
        private String requestId;
        private int type;
        private int appId;
        private String message;
        private long shopId;
        private long timestamp;
        private String signature;
        private long userId;
    }

    // Read every declared field reflectively and keep the non-null ones
    public static Map<String, Object> getValueMap(Object obj) {
        Map<String, Object> valueMap = new HashMap<>();
        Field[] fields = obj.getClass().getDeclaredFields();
        for (Field field : fields) {
            try {
                field.setAccessible(true);
                Object value = field.get(obj);
                if (value != null) {
                    valueMap.put(field.getName(), value);
                }
            } catch (IllegalAccessException e) {
                e.printStackTrace();
            }
        }
        return valueMap;
    }
}
```
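An added example, not part of the original page or of the Ele.me SDK: a push handler built on the steps above that also rejects malformed bodies, missing signatures and tampered fields. The secret, the sample field values, the function names and the 400/401 rejection responses are assumptions made for this illustration; only the `{"message":"ok"}` success body comes from the page.

```python
import hashlib
import hmac
import json

SECRET = "constructed-demo-secret"  # assumption: placeholder, not a real app secret


def compute_signature(fields, secret):
    """Sorted key=value items joined, secret appended, uppercase MD5 hex."""
    items = sorted("{}={}".format(k, v) for k, v in fields.items() if k != "signature")
    return hashlib.md5(("".join(items) + secret).encode("utf-8")).hexdigest().upper()


def handle_push(post_body, secret):
    """Return (status, response_body) for one pushed POST body (bytes)."""
    try:
        message = json.loads(post_body.decode("utf-8"))
    except ValueError:  # covers invalid UTF-8 and invalid JSON
        return 400, '{"message":"invalid body"}'
    received = message.get("signature") if isinstance(message, dict) else None
    if not isinstance(received, str):
        return 401, '{"message":"missing signature"}'
    expected = compute_signature(message, secret)
    # Constant-time comparison on bytes, so odd characters in the input cannot raise
    if not hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8", "replace")):
        return 401, '{"message":"bad signature"}'
    return 200, '{"message":"ok"}'


def build_signed_push(fields, secret):
    """Constructed sender side, used here only to produce sample input."""
    signed = dict(fields, signature=compute_signature(fields, secret))
    return json.dumps(signed).encode("utf-8")


# Constructed sample push: field names follow the page's Java PostBody, values are made up
SAMPLE = {
    "requestId": "100000000001", "type": 12, "appId": 1, "shopId": 2,
    "timestamp": 1669789526000, "userId": 3,
    "message": '{"orderId":"1","state":"valid"}',
}

if __name__ == "__main__":
    good = build_signed_push(SAMPLE, SECRET)
    tampered = good.replace(b'"shopId": 2', b'"shopId": 9')
    for body in (good, tampered, b'{"type": 12}', b"not json"):
        print(handle_push(body, SECRET))
```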
