增加点击劫持和xss等防护，修改新增人员时密码问题和角色菜单关系时不更新修改时间

modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/configuration/FilterConfig.java

@@ -0,0 +1,29 @@
+package cn.estsh.i3plus.core.apiservice.configuration;
+
+import cn.estsh.i3plus.core.apiservice.filter.CookieFrameFilter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.ArrayList;
+import java.util.List;
+
+@Configuration
+public class FilterConfig {
+
+    @Autowired
+    private CookieFrameFilter cookieFrameFilter;
+
+    @Bean
+    public FilterRegistrationBean requestFilterRegistration() {
+        FilterRegistrationBean registration = new FilterRegistrationBean();
+        registration.setFilter(cookieFrameFilter);
+        registration.setName("cookieFrameFilter");
+        registration.setOrder(1);
+        List<String> urlPatterns = new ArrayList<>();
+        urlPatterns.add("/*");
+        registration.setUrlPatterns(urlPatterns);
+        return registration;
+    }
+}

modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/controller/base/WhiteController.java

@@ -968,6 +968,8 @@ public class WhiteController extends CoreBaseController {
     @PostMapping(value = "/user/insert")
     @ApiOperation(value = "添加用户信息", notes = "返回内容添加用户信息")
     public ResultBean insertUserDetailModel(@RequestBody UserDetailModel model) {
+        //设置【密码】和【确认密码】一致
+        model.setPassword(model.getUserLoginPassword());
         return personnelController.insertUserDetailModel(model);
     }
 

modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/controller/busi/PersonnelController.java

@@ -36,6 +36,7 @@ import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.ObjectUtils;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -101,6 +102,10 @@ public class PersonnelController extends CoreBaseController {
     @ApiOperation(value = "添加用户信息", notes = "返回内容添加用户信息")
     public ResultBean insertUserDetailModel(UserDetailModel model) {
         try {
+            ResultBean validateResult = validatePassword(model);
+            if (validateResult != null && !validateResult.isSuccess()) {
+                return validateResult;
+            }
             startMultiService();
             licenseClickService.checkLicenseNumberUser();
 
@@ -193,6 +198,27 @@ public class PersonnelController extends CoreBaseController {
     }
 
     /**
+     * 校验前端输入的【密码】和【确认密码】
+     * @param model
+     * @return
+     */
+    private ResultBean validatePassword(UserDetailModel model) {
+        if(ObjectUtils.isEmpty(model)){
+            return ResultBean.fail("用户信息不能为空");
+        }
+        if(StringUtils.isBlank(model.getPassword())){
+            return ResultBean.fail("密码不能为空");
+        }
+        if(StringUtils.isBlank(model.getUserLoginPassword())){
+            return ResultBean.fail("确认密码不能为空");
+        }
+        if(!model.getPassword().equals(model.getUserLoginPassword())){
+            return ResultBean.fail("密码和确认密码不相同,请检查密码和确认密码");
+        }
+        return ResultBean.success();
+    }
+
+    /**
      * 修改用户信息
      *
      * @param model 用户信息

modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/filter/CookieFrameFilter.java

@@ -0,0 +1,45 @@
+package cn.estsh.i3plus.core.apiservice.filter;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @Description: 解决 点击劫持：X-Frame-Options未配置
+ * @Param:
+ * @return:
+ * @Date:
+ */
+@Component
+public class CookieFrameFilter implements Filter {
+    public static final Logger LOGGER = LoggerFactory.getLogger(CookieFrameFilter.class);
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        LOGGER.info("CookieFrameFilter Init...");
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        HttpServletRequest req = (HttpServletRequest) request;
+        HttpServletResponse resp = (HttpServletResponse) response;
+        // 点击劫持问题
+        resp.addHeader("X-Frame-Options", "SAMEORIGIN");
+        resp.addHeader("Content-Security-Policy", "frame-ancestors 'self'");
+        // 防止基于 MIME 类型混淆的攻击
+        resp.addHeader("X-Content-Type-Options", "nosniff");
+        // xss 保护
+        resp.addHeader("X-XSS-Protection", "1; mode=block");
+        chain.doFilter(req, resp);
+    }
+
+    @Override
+    public void destroy() {
+        LOGGER.info("CookieFrameFilter Destory.");
+    }
+}

modules/i3plus-core-apiservice/src/main/java/cn/estsh/i3plus/core/apiservice/serviceimpl/busi/SysRoleService.java

@@ -217,6 +217,9 @@ public class SysRoleService extends CrudService<SysRole> implements ISysRoleServ
 
             if (CollectionUtils.isNotEmpty(refs)) {
                 refRoleMenuRDao.saveAll(refs);
+                //更新角色
+                ConvertBean.serviceModelUpdate(role,AuthUtil.getSessionUser().getUserName());
+                roleRDao.update(role);
             }
         }
     }

pom.xml

@@ -346,6 +346,7 @@
                 <artifactId>elasticsearch</artifactId>
                 <version>7.5.1</version>
             </dependency>
+
         </dependencies>
     </dependencyManagement>