binarywang/weixin-java-miniapp-demo

Why doesn't the sample program's WxPortalController#post verify the signature?

Opened this issue · 1 comments

Why doesn't WxPortalController#post call wxMaService.checkSignature(timestamp, nonce, signature) to verify the signature?

```java
@PostMapping(produces = "application/xml; charset=UTF-8")
public String post(@PathVariable String appid,
                   @RequestBody String requestBody,
                   @RequestParam(name = "msg_signature", required = false) String msgSignature,
                   @RequestParam(name = "encrypt_type", required = false) String encryptType,
                   @RequestParam(name = "signature", required = false) String signature,
                   @RequestParam("timestamp") String timestamp,
                   @RequestParam("nonce") String nonce) {
  log.info("\nReceived WeChat request: [msg_signature=[{}], encrypt_type=[{}], signature=[{}]," +
      " timestamp=[{}], nonce=[{}], requestBody=[\n{}\n] ",
    msgSignature, encryptType, signature, timestamp, nonce, requestBody);
  if (!wxMaService.switchover(appid)) {
    throw new IllegalArgumentException(String.format("No configuration found for appid=[%s], please check!", appid));
  }
  final boolean isJson = Objects.equals(wxMaService.getWxMaConfig().getMsgDataFormat(),
    WxMaConstants.MsgDataFormat.JSON);
  if (StringUtils.isBlank(encryptType)) {
    // message sent in plaintext
    WxMaMessage inMessage;
    if (isJson) {
      inMessage = WxMaMessage.fromJson(requestBody);
    } else {// xml
      inMessage = WxMaMessage.fromXml(requestBody);
    }
    this.route(inMessage);
    WxMaConfigHolder.remove();// clean up the ThreadLocal
    return "success";
  }
  if ("aes".equals(encryptType)) {
    // AES-encrypted message
    WxMaMessage inMessage;
    if (isJson) {
      inMessage = WxMaMessage.fromEncryptedJson(requestBody, wxMaService.getWxMaConfig());
    } else {// xml
      inMessage = WxMaMessage.fromEncryptedXml(requestBody, wxMaService.getWxMaConfig(),
        timestamp, nonce, msgSignature);
    }
    this.route(inMessage);
    WxMaConfigHolder.remove();// clean up the ThreadLocal
    return "success";
  }
  WxMaConfigHolder.remove();// clean up the ThreadLocal
  throw new RuntimeException("Unrecognized encryption type: " + encryptType);
}
```

WxPortalController#authGet does verify the signature, but that method is only called when you configure the url, token and aesKey in the Mini Program admin console and manually verify the token, right?

The signature should still be verified, shouldn't it? In the sample program I see the message content parsed directly with WxMaMessage.fromEncryptedXml(), which decrypts with AES directly, without verifying the signature or the message signature.
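The check the issue is asking for, written out stand-alone as an added example (this is not code from the demo or from the WxJava library). It implements the WeChat callback signature scheme: `signature` is SHA-1 over the lexicographically sorted token, timestamp and nonce; in encrypted mode `msg_signature` is SHA-1 over those three plus the body's `Encrypt` value, so it is checked before anything is decrypted. The class name `WxCallbackSignature`, the token `demo-token` and the timestamp, nonce and ciphertext values in `main` are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/** Verifies the signature WeChat attaches to callback requests (example class, not part of the demo). */
public final class WxCallbackSignature {
    private final String token; // the Token configured in the Mini Program admin console

    public WxCallbackSignature(String token) {
        this.token = token;
    }

    /** Plaintext mode: signature = sha1(sort(token, timestamp, nonce)). */
    public boolean checkSignature(String timestamp, String nonce, String signature) {
        return constantTimeEquals(sha1Hex(sortedConcat(token, timestamp, nonce)), signature);
    }

    /** Encrypted mode: msg_signature = sha1(sort(token, timestamp, nonce, encrypt)),
     *  where encrypt is the raw value of the body's Encrypt element/field (still ciphertext). */
    public boolean checkMsgSignature(String timestamp, String nonce, String encrypt, String msgSignature) {
        return constantTimeEquals(sha1Hex(sortedConcat(token, timestamp, nonce, encrypt)), msgSignature);
    }

    /** Sort the parts as strings (dictionary order, as WeChat specifies) and join them. */
    static String sortedConcat(String... parts) {
        for (String p : parts) {
            if (p == null) {
                throw new IllegalArgumentException("missing signature input");
            }
        }
        String[] copy = parts.clone();
        Arrays.sort(copy);
        return String.join("", copy);
    }

    static String sha1Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** A missing signature is a failed check, never a skipped one; comparison is constant-time. */
    static boolean constantTimeEquals(String expected, String presented) {
        if (presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values; they do not come from a real WeChat request.
        WxCallbackSignature verifier = new WxCallbackSignature("demo-token");
        String timestamp = "1700000000";
        String nonce = "abc123";
        String encrypt = "Q2lwaGVydGV4dEZyb21XZUNoYXQ="; // placeholder Encrypt value

        // What a genuine WeChat request would carry for these inputs.
        String goodSignature = sha1Hex(sortedConcat("demo-token", timestamp, nonce));
        String goodMsgSignature = sha1Hex(sortedConcat("demo-token", timestamp, nonce, encrypt));

        check(verifier.checkSignature(timestamp, nonce, goodSignature), "valid signature accepted");
        check(!verifier.checkSignature(timestamp, "zzz999", goodSignature), "tampered nonce rejected");
        check(!verifier.checkSignature(timestamp, nonce, null), "absent signature rejected");
        check(verifier.checkMsgSignature(timestamp, nonce, encrypt, goodMsgSignature), "valid msg_signature accepted");
        check(!verifier.checkMsgSignature(timestamp, nonce, encrypt + "A", goodMsgSignature), "tampered ciphertext rejected");
        System.out.println("all checks passed");
    }

    private static void check(boolean ok, String what) {
        if (!ok) {
            throw new AssertionError(what);
        }
    }
}
```

In the demo's `post`, the natural place for this is right after `switchover(appid)` succeeds and before any `fromXml`/`fromJson`/`fromEncrypted*` call: when `encrypt_type` is blank, reject the request unless `checkSignature(timestamp, nonce, signature)` passes (the demo declares `signature` as `required = false`, so a missing value must also fail); when it is `aes`, extract the `Encrypt` value from the body and reject unless `checkMsgSignature` passes, so no ciphertext is ever handed to the AES decryption for an unauthenticated request. The issue's own suggestion, `wxMaService.checkSignature(timestamp, nonce, signature)`, is the library's form of the plaintext check above.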