From 6e082b66d20b78da44d8998b27783d824d432e42 Mon Sep 17 00:00:00 2001
From: nies
Date: Thu, 16 Jun 2022 13:18:35 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E7=82=B9=E5=87=BB=E5=8A=AB?= =?UTF-8?q?=E6=8C=81=E5=92=8Cxss=E7=AD=89=E9=98=B2=E6=8A=A4=EF=BC=8C?= =?UTF-8?q?=E4=BF=AE=E6=94=B9=E6=96=B0=E5=A2=9E=E4=BA=BA=E5=91=98=E6=97=B6?= =?UTF-8?q?=E5=AF=86=E7=A0=81=E9=97=AE=E9=A2=98=E5=92=8C=E8=A7=92=E8=89=B2?= =?UTF-8?q?=E8=8F=9C=E5=8D=95=E5=85=B3=E7=B3=BB=E6=97=B6=E4=B8=8D=E6=9B=B4?= =?UTF-8?q?=E6=96=B0=E4=BF=AE=E6=94=B9=E6=97=B6=E9=97=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../apiservice/configuration/FilterConfig.java | 29 ++++++++++++++
 .../controller/base/WhiteController.java | 2 +
 .../controller/busi/PersonnelController.java | 26 +++++++++++++
 .../core/apiservice/filter/CookieFrameFilter.java | 45 ++++++++++++++++++++++
 .../serviceimpl/busi/SysRoleService.java | 3 ++
 pom.xml | 1 +
 6 files changed, 106 insertions(+)
 create mode 100644 modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/configuration/FilterConfig.java
 create mode 100644 modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/filter/CookieFrameFilter.java
diff --git a/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/configuration/FilterConfig.java b/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/configuration/FilterConfig.java
new file mode 100644
index 0000000..2a0b458
--- /dev/null
+++ b/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/configuration/FilterConfig.java
@@ -0,0 +1,29 @@
+package cn.estsh.i3plus.core.apiservice.configuration;
+
+import cn.estsh.i3plus.core.apiservice.filter.CookieFrameFilter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.ArrayList;
+import java.util.List;
+
+@Configuration
+public class FilterConfig {
+
+ @Autowired
+ private CookieFrameFilter cookieFrameFilter;
+
+ @Bean
+ public FilterRegistrationBean requestFilterRegistration() {
+ FilterRegistrationBean registration = new FilterRegistrationBean();
+ registration.setFilter(cookieFrameFilter);
+ registration.setName("cookieFrameFilter");
+ registration.setOrder(1);
+ List urlPatterns = new ArrayList<>();
+ urlPatterns.add("/*");
+ registration.setUrlPatterns(urlPatterns);
+ return registration;
+ }
+}
diff --git a/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/controller/base/WhiteController.java b/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/controller/base/WhiteController.java
index 3abe2f3..d521801 100644
--- a/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/controller/base/WhiteController.java
+++ b/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/controller/base/WhiteController.java
@@ -968,6 +968,8 @@ public class WhiteController extends CoreBaseController {
 @PostMapping(value = "/user/insert")
 @ApiOperation(value = "添加用户信息", notes = "返回内容添加用户信息")
 public ResultBean insertUserDetailModel(@RequestBody UserDetailModel model) {
+ //设置【密码】和【确认密码】一致
+ model.setPassword(model.getUserLoginPassword());
 return personnelController.insertUserDetailModel(model);
 }
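Review bot: `requestFilterRegistration()` uses raw types — `FilterRegistrationBean registration` and `List urlPatterns` (assigned from a diamond `new ArrayList<>()`, which infers `ArrayList<Object>`) — which is what the unchecked warnings will point at; declare `FilterRegistrationBean<CookieFrameFilter> registration = new FilterRegistrationBean<>();` and replace the list with `registration.addUrlPatterns("/*");`. With no dispatcher types set, Spring Boot's registration bean applies the filter to REQUEST dispatches only as far as I recall, so a response produced through an ERROR dispatch (the default error page, for instance) would not receive the security headers; if that matters here, add `registration.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.ERROR);` using `javax.servlet.DispatcherType`. A one-line Javadoc on the bean stating that it registers CookieFrameFilter on every URL at order 1 would also help the next reader.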
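Review bot: Copying `userLoginPassword` into `password` before delegating makes the `validatePassword` comparison that this commit adds in PersonnelController trivially true for the `/user/insert` path — the two fields are equal by construction — so only the blank check remains effective, and the "confirm password" protection does not apply to callers of this endpoint. If this endpoint genuinely receives a single password field, say so in the comment, e.g. `// /user/insert carries only userLoginPassword; mirror it into password so PersonnelController's confirmation check is satisfied`; otherwise drop the copy and let the client supply both fields so the check is meaningful. The mirrored value is also sent on when `userLoginPassword` is blank, which PersonnelController then rejects with the generic "密码不能为空" message rather than the confirmation-specific one; a small point, but worth knowing when reading error reports.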
diff --git a/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/controller/busi/PersonnelController.java b/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/controller/busi/PersonnelController.java
index 08e000b..9fb3d0f 100644
--- a/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/controller/busi/PersonnelController.java
+++ b/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/controller/busi/PersonnelController.java
@@ -36,6 +36,7 @@ import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.ObjectUtils;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -101,6 +102,10 @@ public class PersonnelController extends CoreBaseController {
 @ApiOperation(value = "添加用户信息", notes = "返回内容添加用户信息")
 public ResultBean insertUserDetailModel(UserDetailModel model) {
 try {
+ ResultBean validateResult = validatePassword(model);
+ if (validateResult != null && !validateResult.isSuccess()) {
+ return validateResult;
+ }
 startMultiService();
 licenseClickService.checkLicenseNumberUser();
@@ -193,6 +198,27 @@ public class PersonnelController extends CoreBaseController {
 }
 /**
+ * 校验前端输入的【密码】和【确认密码】
+ * @param model
+ * @return
+ */
+ private ResultBean validatePassword(UserDetailModel model) {
+ if(ObjectUtils.isEmpty(model)){
+ return ResultBean.fail("用户信息不能为空");
+ }
+ if(StringUtils.isBlank(model.getPassword())){
+ return ResultBean.fail("密码不能为空");
+ }
+ if(StringUtils.isBlank(model.getUserLoginPassword())){
+ return ResultBean.fail("确认密码不能为空");
+ }
+ if(!model.getPassword().equals(model.getUserLoginPassword())){
+ return ResultBean.fail("密码和确认密码不相同,请检查密码和确认密码");
+ }
+ return ResultBean.success();
+ }
+
+ /**
 * 修改用户信息
 *
 * @param model 用户信息
diff --git a/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/filter/CookieFrameFilter.java b/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/filter/CookieFrameFilter.java
new file mode 100644
index 0000000..b006ef4
--- /dev/null
+++ b/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/filter/CookieFrameFilter.java
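Review bot: `validatePassword` only checks that both fields are non-blank and equal; it enforces no minimum length or composition, so a one-character password passes unless a policy is applied further down (not visible in this hunk) — if the project has a password policy, apply it here as well, and consider whether the update path (修改用户信息, which starts right after this hunk) needs the same check when it changes a password. The Javadoc has empty `@param model` and `@return` tags; fill them, e.g. `@param model user data carrying password and userLoginPassword (the confirmation)` and `@return ResultBean.success() when both fields are present and equal, otherwise a failure carrying the reason`. The method never returns null, so the caller's `validateResult != null` guard in the earlier hunk is redundant and can be reduced to `if (!validateResult.isSuccess())`.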
@@ -0,0 +1,45 @@
+package cn.estsh.i3plus.core.apiservice.filter;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @Description: 解决 点击劫持:X-Frame-Options未配置
+ * @Param:
+ * @return:
+ * @Date:
+ */
+@Component
+public class CookieFrameFilter implements Filter {
+ public static final Logger LOGGER = LoggerFactory.getLogger(CookieFrameFilter.class);
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ LOGGER.info("CookieFrameFilter Init...");
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ HttpServletRequest req = (HttpServletRequest) request;
+ HttpServletResponse resp = (HttpServletResponse) response;
+ // 点击劫持问题
+ resp.addHeader("X-Frame-Options", "SAMEORIGIN");
+ resp.addHeader("Content-Security-Policy", "frame-ancestors 'self'");
+ // 防止基于 MIME 类型混淆的攻击
+ resp.addHeader("X-Content-Type-Options", "nosniff");
+ // xss 保护
+ resp.addHeader("X-XSS-Protection", "1; mode=block");
+ chain.doFilter(req, resp);
+ }
+
+ @Override
+ public void destroy() {
+ LOGGER.info("CookieFrameFilter Destory.");
+ }
+}
diff --git a/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/serviceimpl/busi/SysRoleService.java b/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/serviceimpl/busi/SysRoleService.java
index bf7028e..009ed45 100644
--- a/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/serviceimpl/busi/SysRoleService.java
+++ b/modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/serviceimpl/busi/SysRoleService.java
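Review bot: `doFilter` uses `addHeader`, so if anything earlier in the chain already set `X-Frame-Options` (Spring Security's default headers would, if it is on the classpath — not visible here), the response carries two values, and browsers handle conflicting `X-Frame-Options` values inconsistently, several ignoring the header entirely; use `resp.setHeader(...)` for the three single-valued headers so the outcome is deterministic. `X-XSS-Protection: 1; mode=block` is retired in current browsers and the OWASP guidance is to send `0` or omit it and rely on CSP, since the legacy auditors it enabled caused their own problems; `frame-ancestors 'self'` already provides the clickjacking protection on modern browsers, with `X-Frame-Options` as the fallback. The unchecked casts throw ClassCastException on a non-HTTP request; extending Spring's `OncePerRequestFilter` would remove them and hand you the typed request and response. Minor: `LOGGER` should be `private static final`, the class Javadoc reuses method tags (`@Param`, `@return`) on a class — a one-sentence description of the headers it sets would be more useful — and the destroy message misspells "Destroy".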
@@ -217,6 +217,9 @@ public class SysRoleService extends CrudService implements ISysRoleServ
 if (CollectionUtils.isNotEmpty(refs)) {
 refRoleMenuRDao.saveAll(refs);
+ //更新角色
+ ConvertBean.serviceModelUpdate(role,AuthUtil.getSessionUser().getUserName());
+ roleRDao.update(role);
 }
 }
 }
diff --git a/pom.xml b/pom.xml
index 96dcaf7..ae55546 100644
--- a/pom.xml
+++ b/pom.xml
@@ -346,6 +346,7 @@ elasticsearch 7.5.1 +
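Review bot: `AuthUtil.getSessionUser().getUserName()` is dereferenced without a null check, so if this service method is reached without a session user (an internal or scheduled caller, for example — whether that happens is not visible here) the new line throws a NullPointerException after `saveAll` has already persisted the refs; resolve `AuthUtil.getSessionUser()` into a local and null-check it before calling `serviceModelUpdate`. The update also sits inside `if (CollectionUtils.isNotEmpty(refs))`, so a change that removes every menu from a role leaves the role's modify time and modifier untouched; if the part of the method above this hunk deletes the old refs, the two new lines belong after the `if`. The enclosing method starts outside this hunk, so the origin of `role` and `refs` cannot be checked here.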