peihaoyu/forest
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🔒 安全问题处理

Browse Source
This commit is contained in:
ronger 2021-12-10 09:40:56 +08:00
parent fa9d9dd92c
commit 67f7615a18
5 changed files with 35 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/main/java/com/rymcu/forest/jwt/aop/RestAuthTokenInterceptor.java
View File

@ -4,6 +4,7 @@ package com.rymcu.forest.jwt.aop;
import com.rymcu.forest.jwt.def.JwtConstants; import com.rymcu.forest.jwt.def.JwtConstants;
import com.rymcu.forest.jwt.model.TokenModel; import com.rymcu.forest.jwt.model.TokenModel;
import com.rymcu.forest.jwt.service.TokenManager; import com.rymcu.forest.jwt.service.TokenManager;
import com.rymcu.forest.mapper.UserMapper;
import com.rymcu.forest.web.api.exception.BaseApiException; import com.rymcu.forest.web.api.exception.BaseApiException;
import com.rymcu.forest.web.api.exception.ErrorCode; import com.rymcu.forest.web.api.exception.ErrorCode;
import io.jsonwebtoken.Claims; import io.jsonwebtoken.Claims;
@ -14,6 +15,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.HandlerInterceptor; import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import java.util.Objects; import java.util.Objects;
@ -28,6 +30,8 @@ public class RestAuthTokenInterceptor implements HandlerInterceptor {
@Autowired @Autowired
private TokenManager manager; private TokenManager manager;
@Resource
private UserMapper userMapper;
@Override @Override
public void afterCompletion(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse, Object obj, Exception exception) throws Exception { public void afterCompletion(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse, Object obj, Exception exception) throws Exception {
@ -36,7 +40,6 @@ public class RestAuthTokenInterceptor implements HandlerInterceptor {
@Override @Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object obj) throws Exception { public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object obj) throws Exception {
//从header中得到token //从header中得到token
String authHeader = request.getHeader(JwtConstants.AUTHORIZATION); String authHeader = request.getHeader(JwtConstants.AUTHORIZATION);
if(StringUtils.isBlank(authHeader)){ if(StringUtils.isBlank(authHeader)){
@ -63,6 +66,19 @@ public class RestAuthTokenInterceptor implements HandlerInterceptor {
request.setAttribute(JwtConstants.CURRENT_TOKEN_CLAIMS, claims); request.setAttribute(JwtConstants.CURRENT_TOKEN_CLAIMS, claims);
//如果token验证成功将token对应的用户id存在request中便于之后注入 //如果token验证成功将token对应的用户id存在request中便于之后注入
request.setAttribute(JwtConstants.CURRENT_USER_NAME, model.getUsername()); request.setAttribute(JwtConstants.CURRENT_USER_NAME, model.getUsername());
// 判断是否为后台接口或财政划转接口
String adminApi = "/admin";
String transactionApi = "/transaction";
String uri = request.getRequestURI();
if (uri.contains(adminApi) || uri.contains(transactionApi)) {
// 判断管理员权限
boolean hasPermission = userMapper.hasAdminPermission(model.getUsername());
if (hasPermission) {
return true;
} else {
throw new BaseApiException(ErrorCode.ACCESS_DENIED);
}
}
return true; return true;
} else { } else {
throw new BaseApiException(ErrorCode.TOKEN_); throw new BaseApiException(ErrorCode.TOKEN_);

11
src/main/java/com/rymcu/forest/mapper/UserMapper.java
View File

@ -95,13 +95,11 @@ public interface UserMapper extends Mapper<User> {
* @param nickname * @param nickname
* @param avatarType * @param avatarType
* @param avatarUrl * @param avatarUrl
* @param email
* @param phone
* @param signature * @param signature
* @param sex * @param sex
* @return * @return
*/ */
Integer updateUserInfo(@Param("idUser") Integer idUser, @Param("nickname") String nickname, @Param("avatarType") String avatarType, @Param("avatarUrl") String avatarUrl, @Param("email") String email, @Param("phone") String phone, @Param("signature") String signature, @Param("sex") String sex); Integer updateUserInfo(@Param("idUser") Integer idUser, @Param("nickname") String nickname, @Param("avatarType") String avatarType, @Param("avatarUrl") String avatarUrl, @Param("signature") String signature, @Param("sex") String sex);
/** /**
* 验证昵称是否重复 * 验证昵称是否重复
@ -153,4 +151,11 @@ public interface UserMapper extends Mapper<User> {
* @return * @return
*/ */
Integer updateLastOnlineTimeByEmail(@Param("email") String email); Integer updateLastOnlineTimeByEmail(@Param("email") String email);
/**
* 判断用户是否拥有管理员权限
* @param email
* @return
*/
boolean hasAdminPermission(@Param("email") String email);
} }

5
src/main/java/com/rymcu/forest/service/impl/UserServiceImpl.java
View File

@ -199,8 +199,7 @@ public class UserServiceImpl extends AbstractService<User> implements UserServic
user.setAvatarUrl(avatarUrl); user.setAvatarUrl(avatarUrl);
user.setAvatarType("0"); user.setAvatarType("0");
} }
Integer result = userMapper.updateUserInfo(user.getIdUser(), user.getNickname(), user.getAvatarType(),user.getAvatarUrl(), Integer result = userMapper.updateUserInfo(user.getIdUser(), user.getNickname(), user.getAvatarType(),user.getAvatarUrl(),user.getSignature(), user.getSex());
user.getEmail(),user.getPhone(),user.getSignature(), user.getSex());
UserIndexUtil.addIndex(UserLucene.builder() UserIndexUtil.addIndex(UserLucene.builder()
.idUser(user.getIdUser()) .idUser(user.getIdUser())
.nickname(user.getNickname()) .nickname(user.getNickname())
@ -263,7 +262,7 @@ public class UserServiceImpl extends AbstractService<User> implements UserServic
String email = changeEmailDTO.getEmail(); String email = changeEmailDTO.getEmail();
String code = changeEmailDTO.getCode(); String code = changeEmailDTO.getCode();
String vCode = redisService.get(email); String vCode = redisService.get(email);
if(StringUtils.isNotBlank(vCode)){ if(StringUtils.isNotBlank(vCode) && StringUtils.isNotBlank(code)){
if(vCode.equals(code)){ if(vCode.equals(code)){
userMapper.updateEmail(idUser, email); userMapper.updateEmail(idUser, email);
map.put("message","更新成功!"); map.put("message","更新成功!");

5
src/main/java/com/rymcu/forest/web/api/exception/ErrorCode.java
View File

@ -2,10 +2,11 @@ package com.rymcu.forest.web.api.exception;
public enum ErrorCode { public enum ErrorCode {
UNAUTHORIZED(401, "请求要求用户的身份认证"),//未认证签名错误 UNAUTHORIZED(401, "请求要求用户的身份认证"),
INVALID_TOKEN(402, "TOKEN验证失败无效的TOKEN"), INVALID_TOKEN(402, "TOKEN验证失败无效的TOKEN"),
TOKEN_(402, "TOKEN验证失败无效的TOKEN"), TOKEN_(402, "TOKEN验证失败无效的TOKEN"),
NOT_FOUND(404, "此接口不存在"),//接口不存在 ACCESS_DENIED(403, "服务器拒绝请求!"),
NOT_FOUND(404, "此接口不存在"),
INTERNAL_SERVER_ERROR(500, "服务内部异常"); INTERNAL_SERVER_ERROR(500, "服务内部异常");
private int code; private int code;

9
src/main/java/mapper/UserMapper.xml
View File

@ -63,10 +63,7 @@
update forest_user set status = #{status} where id = #{idUser} update forest_user set status = #{status} where id = #{idUser}
</update> </update>
<update id="updateUserInfo"> <update id="updateUserInfo">
update forest_user set nickname = #{nickname},email = #{email},signature = #{signature},avatar_type = #{avatarType},avatar_url = #{avatarUrl},sex = #{sex} update forest_user set nickname = #{nickname},signature = #{signature},avatar_type = #{avatarType},avatar_url = #{avatarUrl},sex = #{sex}
<if test="phone != null and phone != ''">
,phone = #{phone}
</if>
where id = #{idUser} where id = #{idUser}
</update> </update>
<update id="updateLastLoginTime"> <update id="updateLastLoginTime">
@ -115,5 +112,9 @@
</where> </where>
order by last_online_time desc order by last_online_time desc
</select> </select>
<select id="hasAdminPermission" resultType="java.lang.Boolean">
select if(count(fur.id_role) = 0, false, true) from forest_user_role fur join forest_user fu on fur.id_user = fu.id
where fu.email = #{email} and exists(select id_role from forest_role fr where instr(fr.input_code, 'admin') > 0 and fr.id = fur.id_role)
</select>
</mapper> </mapper>