三方测试 漏洞安全解决

This commit is contained in:
lizhenhua 2024-07-01 18:30:15 +08:00
parent 98b01a5092
commit 440ed74aca
15 changed files with 207 additions and 169 deletions


@ -15,14 +15,15 @@
</description> </description>
<properties> <properties>
<elasticsearch.version>8.8.2</elasticsearch.version> <elasticsearch.version>8.8.2</elasticsearch.version>
<bcprov-jdk15on.version>1.70</bcprov-jdk15on.version>
</properties> </properties>
<dependencies> <dependencies>
<!-- spring-boot-devtools --> <!-- spring-boot-devtools -->
<dependency> <!-- <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId> <artifactId>spring-boot-devtools</artifactId>
<optional>true</optional> <!-- 表示依赖不会传递 --> <optional>true</optional> &lt;!&ndash; 表示依赖不会传递 &ndash;&gt;
</dependency> </dependency>-->
<!--elasticsearch--> <!--elasticsearch-->
<!-- https://mvnrepository.com/artifact/org.elasticsearch/elasticsearch --> <!-- https://mvnrepository.com/artifact/org.elasticsearch/elasticsearch -->
@ -183,7 +184,12 @@
<systemPath>${project.basedir}/src/main/resources/lib/com.sgscc.encryptdecrypt_1.1.jar <systemPath>${project.basedir}/src/main/resources/lib/com.sgscc.encryptdecrypt_1.1.jar
</systemPath> </systemPath>
</dependency> </dependency>
<!--加密解密-->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>${bcprov-jdk15on.version}</version>
</dependency>
</dependencies> </dependencies>
<build> <build>
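Review bot: The new `bcprov-jdk15on` dependency is pinned to 1.70, which is the final release ever published on that artifact line; Bouncy Castle's later security fixes ship only under `bcprov-jdk18on`, so a vulnerability-fix commit that introduces this coordinate freezes the crypto provider at an unmaintained version. Switch to `<artifactId>bcprov-jdk18on</artifactId>` with a current release and rename the `bcprov-jdk15on.version` property to match. Nothing in the visible hunks references the provider yet, so confirm where it is actually consumed; if it is only needed transitively, manage the version in dependencyManagement instead of adding a direct dependency.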


@ -5,22 +5,16 @@ import java.net.URLDecoder;
import java.util.*; import java.util.*;
import com.alibaba.fastjson.JSONObject; import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson2.JSON;
import com.bonus.common.constant.Constants; import com.bonus.common.constant.Constants;
import com.bonus.common.constant.HttpStatus; import com.bonus.common.core.domain.entity.IscMenu;
import com.bonus.common.core.domain.entity.*; import com.bonus.common.core.domain.entity.ListHelper;
import com.bonus.common.core.domain.model.LoginUser; import com.bonus.common.core.domain.model.LoginUser;
import com.bonus.common.gpt.GptUtils;
import com.bonus.system.domain.KnowledgeEntity;
import com.bonus.system.domain.SysOperLog; import com.bonus.system.domain.SysOperLog;
import com.bonus.system.mapper.KnowledgeMapper;
import com.bonus.system.mapper.SysRoleMapper;
import com.bonus.system.service.ISysUserService; import com.bonus.system.service.ISysUserService;
import com.sgcc.isc.core.orm.complex.FunctionContext; import com.sgcc.isc.core.orm.complex.FunctionContext;
import com.sgcc.isc.service.adapter.factory.AdapterFactory; import com.sgcc.isc.service.adapter.factory.AdapterFactory;
import com.sgcc.isc.service.adapter.helper.IResourceService; import com.sgcc.isc.service.adapter.helper.IResourceService;
import io.swagger.annotations.ApiOperation; import io.swagger.annotations.ApiOperation;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -31,6 +25,8 @@ import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import com.bonus.common.core.domain.AjaxResult; import com.bonus.common.core.domain.AjaxResult;
import com.bonus.common.core.domain.entity.SysMenu;
import com.bonus.common.core.domain.entity.SysUser;
import com.bonus.common.core.domain.model.LoginBody; import com.bonus.common.core.domain.model.LoginBody;
import com.bonus.common.utils.SecurityUtils; import com.bonus.common.utils.SecurityUtils;
import com.bonus.framework.web.service.SysLoginService; import com.bonus.framework.web.service.SysLoginService;
@ -39,8 +35,6 @@ import com.bonus.system.service.ISysMenuService;
import org.springframework.web.client.ResourceAccessException; import org.springframework.web.client.ResourceAccessException;
import org.springframework.web.client.RestTemplate; import org.springframework.web.client.RestTemplate;
import javax.annotation.Resource;
/** /**
* 登录验证 * 登录验证
@ -48,7 +42,8 @@ import javax.annotation.Resource;
* @author ruoyi * @author ruoyi
*/ */
@RestController @RestController
public class SysLoginController { public class SysLoginController
{
@Autowired @Autowired
private SysLoginService loginService; private SysLoginService loginService;
@ -61,15 +56,6 @@ public class SysLoginController {
@Autowired @Autowired
private ISysUserService userService; private ISysUserService userService;
@Autowired
private GptUtils gptUtils;
@Resource
private KnowledgeMapper mapper;
@Autowired
private SysRoleMapper roleMapper;
final Logger logger = LoggerFactory.getLogger(getClass()); final Logger logger = LoggerFactory.getLogger(getClass());
/** /**
@ -189,7 +175,6 @@ public class SysLoginController {
} }
return map; return map;
}*/ }*/
/** /**
* 登录方法 * 登录方法
* *
@ -197,7 +182,8 @@ public class SysLoginController {
* @return 结果 * @return 结果
*/ */
@PostMapping("/login") @PostMapping("/login")
public AjaxResult login(@RequestBody LoginBody loginBody) { public AjaxResult login(@RequestBody LoginBody loginBody)
{
System.out.println("--------------------------------------------------------------------------------"); System.out.println("--------------------------------------------------------------------------------");
System.out.println("走了login当前登录的人员信息> "); System.out.println("走了login当前登录的人员信息> ");
AjaxResult ajax = AjaxResult.success(); AjaxResult ajax = AjaxResult.success();
@ -214,10 +200,11 @@ public class SysLoginController {
* @return 用户信息 * @return 用户信息
*/ */
@GetMapping("getInfo") @GetMapping("getInfo")
public AjaxResult getInfo() { public AjaxResult getInfo()
{
SysUser user = SecurityUtils.getLoginUser().getUser(); SysUser user = SecurityUtils.getLoginUser().getUser();
String ISCuserId = user.getIscUserId(); String ISCuserId = user.getIscUserId();
// ISCuserId = null; // ISCuserId = null;
/* if(ISCuserId != null){ /* if(ISCuserId != null){
String data = (String) (new RestTemplate()).getForObject(url_xn + "/getUserOrgPathByUserId" + "?" + "systemId" + "=" + appId + "&userId=" + ISCuserId, String data = (String) (new RestTemplate()).getForObject(url_xn + "/getUserOrgPathByUserId" + "?" + "systemId" + "=" + appId + "&userId=" + ISCuserId,
String.class, new Object[0]); String.class, new Object[0]);
@ -234,24 +221,12 @@ public class SysLoginController {
}*/ }*/
// 角色集合 // 角色集合
Set<String> roles = permissionService.getRolePermission(user); Set<String> roles = permissionService.getRolePermission(user);
List<SysRole> perms = roleMapper.selectRolePermissionByUserId(user.getUserId());
Set<String> permsKnow = new HashSet<>();
for (SysRole perm : perms) {
if (com.bonus.common.utils.StringUtils.isNotNull(perm)) {
permsKnow.addAll(Arrays.asList(perm.getKnowId().trim().split(",")));
}
}
List<String> knowIds = permissionService.getKnowIds();
permsKnow.addAll(knowIds);
// 权限集合 // 权限集合
Set<String> permissions = permissionService.getMenuPermission(user); Set<String> permissions = permissionService.getMenuPermission(user);
AjaxResult ajax = AjaxResult.success(); AjaxResult ajax = AjaxResult.success();
String knowId = permissionService.getKnowId(user);
ajax.put("permsKnow", permsKnow);
ajax.put("user", user); ajax.put("user", user);
ajax.put("roles", roles); ajax.put("roles", roles);
ajax.put("permissions", permissions); ajax.put("permissions", permissions);
ajax.put("knowId", knowId);
return ajax; return ajax;
} }
@ -261,45 +236,45 @@ public class SysLoginController {
* @return 路由信息 * @return 路由信息
*/ */
@GetMapping("getRouters") @GetMapping("getRouters")
public AjaxResult getRouters() { public AjaxResult getRouters()
{
Long userId = SecurityUtils.getUserId(); Long userId = SecurityUtils.getUserId();
List<SysMenu> menus = menuService.selectMenuTreeByUserId(userId); List<SysMenu> menus = menuService.selectMenuTreeByUserId(userId);
return AjaxResult.success(menuService.buildMenus(menus)); return AjaxResult.success(menuService.buildMenus(menus));
} }
/** /**
* 获取前台页面展示路由信息 * 获取前台页面展示路由信息
* *
* @return 路由信息 * @return 路由信息
*/ */
@GetMapping("getShowRouters") @GetMapping("getShowRouters")
public AjaxResult getShowRouters() { public AjaxResult getShowRouters()
// getMenuList("152F220513052722E0630417321BE312"); {
String roleId = ""; // getMenuList("152F220513052722E0630417321BE312");
if ("3".equals(SecurityUtils.getUserId().toString())) { String roleId ="";
roleId = "100"; if("3".equals(SecurityUtils.getUserId().toString())){
} else { roleId="100";
roleId = "101"; }else{
roleId="101";
} }
List<IscMenu> menus = menuService.selectShowMenuTreeByUserId(roleId); List<IscMenu> menus = menuService.selectShowMenuTreeByUserId(roleId);
return AjaxResult.success(menus); return AjaxResult.success(menus);
} }
@ApiOperation(value = "根据统一权限获取人员基本信息") @ApiOperation(value = "根据统一权限获取人员基本信息")
@GetMapping("getUserTicket1") @GetMapping("getUserTicket1")
public AjaxResult getUserTicket(String ticket, String model, String accessToken) { public AjaxResult getUserTicket(String ticket, String model, String accessToken) {
System.out.println("--------------------------------------------------------------------------------"); System.out.println("--------------------------------------------------------------------------------");
AjaxResult ajax = AjaxResult.success(); AjaxResult ajax = AjaxResult.success();
ajax.put(Constants.FALSETOKEN, "1"); ajax.put(Constants.FALSETOKEN, "1");
System.out.println("--------------------------------------------------------------------------------" + model); System.out.println("--------------------------------------------------------------------------------"+model);
System.out.println("走了ticket" + ticket); System.out.println("走了ticket"+ticket);
IscUserInfo user = null; IscUserInfo user = null;
try { try {
String userInfo = ""; String userInfo = "";
if (model.equals("xn")) { if (model.equals("xn")) {
userInfo = (new RestTemplate()).getForObject(url_xn + "/serviceValidate" + "?" + "ticket" + "=" + ticket + "&service=" + targetIndex, String.class, new Object[0]); userInfo = (new RestTemplate()).getForObject(url_xn + "/serviceValidate" + "?" + "ticket" + "=" + ticket + "&service=" + targetIndex, String.class, new Object[0]);
System.out.println("--------------------------------------------------------------------------------" + userInfo.toString()); System.out.println("--------------------------------------------------------------------------------"+userInfo.toString());
} else { } else {
userInfo = (new RestTemplate()).getForObject(url_aq + "/oauth2.0/profile" + "?" + "access_token" + "=" + accessToken, String.class, new Object[0]); userInfo = (new RestTemplate()).getForObject(url_aq + "/oauth2.0/profile" + "?" + "access_token" + "=" + accessToken, String.class, new Object[0]);
} }
@ -308,49 +283,34 @@ public class SysLoginController {
throw new RuntimeException("ticket或accessToken不正确请重新校验其可用性"); throw new RuntimeException("ticket或accessToken不正确请重新校验其可用性");
} else { } else {
String cd = URLDecoder.decode(userInfo, "UTF-8"); String cd = URLDecoder.decode(userInfo, "UTF-8");
System.out.println("+++++++++++++++++++++++++++++++" + cd); System.out.println("+++++++++++++++++++++++++++++++"+cd);
if (model.equals("xn")) { if (model.equals("xn")) {
cd = cd.substring(cd.indexOf("<cas:user>"), cd.indexOf("</cas:user>")); cd = cd.substring(cd.indexOf("<cas:user>"), cd.indexOf("</cas:user>"));
cd = cd.replace("<cas:user>", ""); cd = cd.replace("<cas:user>", "");
} }
user = JSONObject.parseObject(cd, IscUserInfo.class); user = JSONObject.parseObject(cd, IscUserInfo.class);
System.out.println("+++++++++++++++++++++++++++++++" + user.toString()); System.out.println("+++++++++++++++++++++++++++++++"+user.toString());
// 用户校验 // 用户校验
SysUser sysuser = new SysUser(); SysUser sysuser = new SysUser();
//sysuser.setMenus(getMenuList(user.getIscUserId())); //sysuser.setMenus(getMenuList(user.getIscUserId()));
sysuser.setIscUserId(user.getIscUserId()); sysuser.setIscUserId(user.getIscUserId());
sysuser.setUserName(user.getIscAdCode()); sysuser.setUserName(user.getIscAdCode());
sysuser.setNickName(user.getName()); sysuser.setNickName(user.getName());
sysuser.setDeptId(105L); sysuser.setDeptId(105L);
if (userService.ISCcheckUserNameUnique(sysuser)) { if (userService.ISCcheckUserNameUnique(sysuser)){
sysuser.setCreateBy(user.getName()); sysuser.setCreateBy(user.getName());
sysuser.setPassword(SecurityUtils.encryptPassword("Bonus@1234")); sysuser.setPassword(SecurityUtils.encryptPassword("Bonus@1234"));
int i = userService.insertUser(sysuser); userService.insertUser(sysuser);
if (i > 0) {
Map<String, Object> map = new HashMap<>(1);
map.put("knowledge_base_name", sysuser.getUserName());
String knowledgeBase = gptUtils.createKnowledgeBase(map);
if (ObjectUtils.isNotEmpty(knowledgeBase)) {
KnowledgeEntity entity = new KnowledgeEntity();
entity.setKnowName(sysuser.getUserName());
entity.setUserId(sysuser.getUserId());
entity.setKnowType("2");
com.alibaba.fastjson2.JSONObject jsonObject = JSON.parseObject(knowledgeBase);
if (jsonObject.getInteger(AjaxResult.CODE_TAG) == HttpStatus.SUCCESS) {
mapper.insertKnowledge(entity);
}
}
}
} }
// 资源获取接口 // 资源获取接口
// Map<String, Object> resultMap = tokenService.createToken(loginUser); // Map<String, Object> resultMap = tokenService.createToken(loginUser);
Map<String, Object> resultMap = null; Map<String, Object> resultMap = null;
System.out.println("sysuser.getUserName()" + sysuser.getUserName()); System.out.println("sysuser.getUserName()"+sysuser.getUserName());
//生产是wb_zhouy2028 测试是 //生产是wb_zhouy2028 测试是
if (sysuser.getUserName().equals("wb_huzw3813")) { if(sysuser.getUserName().equals("wb_huzw3813")){
sysuser.setUserName("admin"); sysuser.setUserName("admin");
} }
String token = loginService.login(sysuser.getUserName(), "Bonus@1234", "", ""); String token = loginService.login(sysuser.getUserName(), "Bonus@1234","","");
// addLoginLog(user.getLogintime(), "用户登录", "系统登录", "com.securityControl.auth.controller.getUserTicket()", "/auth/getUserTicket"); // addLoginLog(user.getLogintime(), "用户登录", "系统登录", "com.securityControl.auth.controller.getUserTicket()", "/auth/getUserTicket");
ajax.put(Constants.TOKEN, token); ajax.put(Constants.TOKEN, token);
} }
@ -360,47 +320,31 @@ public class SysLoginController {
} }
return ajax; return ajax;
} }
@GetMapping("getUserTicket") @GetMapping("getUserTicket")
public AjaxResult getUserTicket1(String ticket, String model, String accessToken) { public AjaxResult getUserTicket1(String ticket, String model, String accessToken) {
System.out.println("--------------------------------------------------------------------------------"); System.out.println("--------------------------------------------------------------------------------");
System.out.println("走了getUserTicket当前登录的人员信息> "); System.out.println("走了getUserTicket当前登录的人员信息> ");
AjaxResult ajax = AjaxResult.success(); AjaxResult ajax = AjaxResult.success();
ajax.put(Constants.FALSETOKEN, "1"); ajax.put(Constants.FALSETOKEN, "1");
// 资源获取接口 // 资源获取接口
SysUser sysuser = new SysUser(); SysUser sysuser = new SysUser();
sysuser.setIscUserId("sdsdfsf3434324234abc"); sysuser.setIscUserId("sdsdfsf3434324234");
sysuser.setUserName("test1234"); sysuser.setUserName("李振华");
sysuser.setDeptId(105L); sysuser.setDeptId(105L);
sysuser.setNickName(sysuser.getUserName()); sysuser.setNickName(sysuser.getUserName());
try { try {
if (userService.ISCcheckUserNameUnique(sysuser)) { if (userService.ISCcheckUserNameUnique(sysuser)){
sysuser.setCreateBy(sysuser.getUserName()); sysuser.setCreateBy(sysuser.getUserName());
sysuser.setPassword(SecurityUtils.encryptPassword("Bonus@1234")); sysuser.setPassword(SecurityUtils.encryptPassword("Bonus@1234"));
int i = userService.insertUser(sysuser); userService.insertUser(sysuser);
if (i > 0) {
Map<String, Object> map = new HashMap<>(1);
map.put("knowledge_base_name", sysuser.getUserName());
String knowledgeBase = gptUtils.createKnowledgeBase(map);
if (ObjectUtils.isNotEmpty(knowledgeBase)) {
KnowledgeEntity entity = new KnowledgeEntity();
entity.setKnowName(sysuser.getUserName());
entity.setUserId(sysuser.getUserId());
entity.setKnowType("2");
com.alibaba.fastjson2.JSONObject jsonObject = JSON.parseObject(knowledgeBase);
if (jsonObject.getInteger(AjaxResult.CODE_TAG) == HttpStatus.SUCCESS) {
mapper.insertKnowledge(entity);
}
}
}
} }
Map<String, Object> resultMap = null; Map<String, Object> resultMap = null;
/* if(sysuser.getUserName().equals("李振华")){ /* if(sysuser.getUserName().equals("李振华")){
sysuser.setUserName("admin"); sysuser.setUserName("admin");
}*/ }*/
String token = loginService.login(sysuser.getUserName(), "Bonus@1234", "", ""); String token = loginService.login(sysuser.getUserName(), "Bonus@1234","","");
ajax.put(Constants.TOKEN, token); ajax.put(Constants.TOKEN, token);
} catch (Exception e) { }catch (Exception e){
ajax.put(Constants.FALSETOKEN, "无法获取用户信息"); ajax.put(Constants.FALSETOKEN, "无法获取用户信息");
e.printStackTrace(); e.printStackTrace();
} }
@ -408,7 +352,6 @@ public class SysLoginController {
return ajax; return ajax;
} }
/** /**
* 记录登录信息 * 记录登录信息
* *
@ -434,71 +377,70 @@ public class SysLoginController {
} }
private List<SysMenu> getMenuList(String userId) { private List<SysMenu> getMenuList(String userId){
List<SysMenu> menuList = new ArrayList<>(); List<SysMenu> menuList=new ArrayList<>();
System.out.println("IscMenu 请求路径----------------------------------------------------------------------->=" + userId); System.out.println("IscMenu 请求路径----------------------------------------------------------------------->="+userId);
System.out.println("IscMenu 请求路径----------------------------------------------------------------------->service" + appId); System.out.println("IscMenu 请求路径----------------------------------------------------------------------->service"+appId);
try { try{
System.out.println("IscMenu 请求路径-----------------999999------------------------------------------------------>service" + appId); System.out.println("IscMenu 请求路径-----------------999999------------------------------------------------------>service"+appId);
IResourceService service = (IResourceService) com.sgcc.isc.service.adapter.factory.AdapterFactory.getInstance(com.sgcc.isc.framework.common.constant.Constants.CLASS_RESOURCE); IResourceService service = (IResourceService) com.sgcc.isc.service.adapter.factory.AdapterFactory.getInstance(com.sgcc.isc.framework.common.constant.Constants.CLASS_RESOURCE);
System.out.println("IscMenu 请求路径--------------------------------------------2--------------------------->service2222222lzh" + appId); System.out.println("IscMenu 请求路径--------------------------------------------2--------------------------->service2222222lzh"+appId);
List<FunctionContext> map = service.getUserPermitionFuncs(userId, appId, "001", new HashMap<>()); List<FunctionContext> map = service.getUserPermitionFuncs (userId,appId,"001",new HashMap<>());
List<FunctionContext> map2 = service.getUserPermitionFuncs(userId, appId, "002", new HashMap<>()); List<FunctionContext> map2 = service.getUserPermitionFuncs (userId,appId,"002",new HashMap<>());
System.out.println("------------------------------------------------>key" + map.toString()); System.out.println("------------------------------------------------>key"+map.toString());
System.out.println("------------------------------------------------>key" + map2.toString()); System.out.println("------------------------------------------------>key"+map2.toString());
// com.alibaba.fastjson2.JSONObject obj = com.alibaba.fastjson2.JSONObject.parseObject(data); // com.alibaba.fastjson2.JSONObject obj = com.alibaba.fastjson2.JSONObject.parseObject(data);
// com.alibaba.fastjson2.JSONArray jsonArray=obj.getJSONArray("data"); // com.alibaba.fastjson2.JSONArray jsonArray=obj.getJSONArray("data");
// List<IscMenu> list= jsonArray.toList(IscMenu.class); // List<IscMenu> list= jsonArray.toList(IscMenu.class);
// System.out.println("list 菜单数据----------->"+list); // System.out.println("list 菜单数据----------->"+list);
// getChilderList(menuList,list); // getChilderList(menuList,list);
} catch (Exception e) { }catch (Exception e){
e.printStackTrace(); e.printStackTrace();
} }
return menuList; return menuList;
} }
private static void getChilderList(List<SysMenu> menuList, List<IscMenu> iscList) { private static void getChilderList(List<SysMenu> menuList, List<IscMenu> iscList){
try { try{
for (IscMenu isc : iscList) { for (IscMenu isc: iscList) {
if (StringUtils.isEmpty(isc.getParentId())) {//没有上级节点的为父节点 if(StringUtils.isEmpty(isc.getParentId())){//没有上级节点的为父节点
SysMenu menu = new SysMenu(); SysMenu menu=new SysMenu();
menu.setMenuId(1L); menu.setMenuId(1L);
menu.setMenuName(isc.getName()); menu.setMenuName(isc.getName());
menu.setUrl(isc.getConent()); menu.setUrl(isc.getConent());
menu.setLast(false); menu.setLast(false);
getChilderList2(menu, iscList); getChilderList2(menu,iscList);
if ("Y".equals(isc.getStatus())) { if("Y".equals(isc.getStatus())){
menuList.add(menu); menuList.add(menu);
} }
} }
} }
} catch (Exception e) { }catch (Exception e){
e.toString(); e.toString();
} }
} }
private static void getChilderList2(SysMenu sysMenu,List<IscMenu> iscLis){
private static void getChilderList2(SysMenu sysMenu, List<IscMenu> iscLis) { List<SysMenu> childer=new ArrayList<>();
List<SysMenu> childer = new ArrayList<>(); for (IscMenu isc:iscLis) {
for (IscMenu isc : iscLis) { if(StringUtils.isNotEmpty(sysMenu.getMenuId()+"")){
if (StringUtils.isNotEmpty(sysMenu.getMenuId() + "")) { if (sysMenu.getMenuId().equals(isc.getParentId())){
if (sysMenu.getMenuId().equals(isc.getParentId())) { SysMenu menu=new SysMenu();
SysMenu menu = new SysMenu();
menu.setMenuId(1L); menu.setMenuId(1L);
menu.setMenuName(isc.getName()); menu.setMenuName(isc.getName());
menu.setUrl(isc.getConent()); menu.setUrl(isc.getConent());
menu.setLast(true); menu.setLast(true);
if ("Y".equals(isc.getStatus())) { if("Y".equals(isc.getStatus())){
childer.add(menu); childer.add(menu);
} }
} }
} }
} }
if (ListHelper.isEmpty(childer)) { if(ListHelper.isEmpty(childer)){
sysMenu.setLast(true); sysMenu.setLast(true);
} else { }else{
sysMenu.setLast(false); sysMenu.setLast(false);
sysMenu.setChildren(childer); sysMenu.setChildren(childer );
} }
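Review bot: The handler mapped to `@GetMapping("getUserTicket")` (method `getUserTicket1`, hunk at -360,47) still issues a real session token without validating `ticket` or `accessToken`: it builds a fixed `SysUser` (`李振华`, ISC id `sdsdfsf3434324234`), inserts it if absent and calls `loginService.login(sysuser.getUserName(), "Bonus@1234", "", "")`, so any unauthenticated caller obtains a token for that account — the commit only changes which fixed account it is. This test path should not ship: delete the method or confine it to a dev-only profile, and in the real `getUserTicket` handler the hardcoded `if (sysuser.getUserName().equals("wb_huzw3813")) sysuser.setUserName("admin");` promotion and the shared provisioning password `"Bonus@1234"` should go as well, since the validated ISC ticket is the actual proof of identity and a per-user random credential is enough for the local account. The `System.out.println("走了ticket" + ticket)` line writes the SSO ticket to stdout; remove it or log at debug level without the ticket value. Both methods span hunk boundaries, so the parts outside this diff (including the catch clauses) were not reviewed.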


@ -6,6 +6,9 @@ import java.util.HashSet;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.regex.Pattern;
import com.bonus.common.core.domain.entity.SysDept;
import org.springframework.util.AntPathMatcher; import org.springframework.util.AntPathMatcher;
import com.bonus.common.constant.Constants; import com.bonus.common.constant.Constants;
import com.bonus.common.core.text.StrFormatter; import com.bonus.common.core.text.StrFormatter;
@ -635,4 +638,17 @@ public class StringUtils extends org.apache.commons.lang3.StringUtils
} }
return sb.toString(); return sb.toString();
} }
public static String regParaValidate(String oldstring) {
String pattern = "^[a-zA-Z0-9 ]*$"; // 只允许字母数字和空格
int maxLength = 100; // 最大长度为100个字符
if (oldstring.length() > maxLength) {
System.out.println("Input is too long");
} else if (!Pattern.matches(pattern, oldstring)) {
System.out.println("Input contains invalid characters");
} else {
System.out.println("Input is valid");
}
return oldstring;
}
} }
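Review bot: `regParaValidate` never rejects anything — both failure branches only `System.out.println` and the method returns `oldstring` unchanged, so a caller using its result gets the unvalidated input with no signal that validation failed. Replace the two prints with `throw new IllegalArgumentException("Input is too long");` and `throw new IllegalArgumentException("Input contains invalid characters");` (or return a boolean) and drop the success print. Hoist the regex into a `private static final Pattern` instead of recompiling it through `Pattern.matches` on every call, and decide whether a null argument is valid input, since the current code throws NullPointerException on `oldstring.length()`. The `SysDept` import added at the top of the file is not used by this hunk.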


@ -48,8 +48,17 @@ public class FileUtils {
} catch (IOException e) { } catch (IOException e) {
throw e; throw e;
} finally { } finally {
IOUtils.close(os);
IOUtils.close(fis); if(fis != null){
try{
fis.close();
IOUtils.close(os);
IOUtils.close(fis);
}catch (Exception e){
e.printStackTrace();
}
}
} }
} }
@ -82,7 +91,15 @@ public class FileUtils {
fos = new FileOutputStream(file); fos = new FileOutputStream(file);
fos.write(data); fos.write(data);
} finally { } finally {
IOUtils.close(fos); if(fos != null){
try{
fos.close();
IOUtils.close(fos);
}catch (Exception e){
e.printStackTrace();
}
}
} }
return FileUploadUtils.getPathFileName(uploadDir, pathName); return FileUploadUtils.getPathFileName(uploadDir, pathName);
} }
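Review bot: In the first finally block `IOUtils.close(os)` has moved inside `if (fis != null)`, so when opening the input stream fails and `fis` is still null the output stream is never closed — the previous code closed both unconditionally. Move `IOUtils.close(os);` back in front of the `if`, and drop the explicit `fis.close()` / `fos.close()` calls that now precede `IOUtils.close(...)` on the same stream, which is a double close whose only effect is a catch-all `printStackTrace`. Since both methods already wrap the streams in try/finally, try-with-resources on `fis`, `os` and `fos` would remove these finally blocks entirely; both enclosing methods start outside the hunks.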


@ -92,6 +92,14 @@ public class ImageUtils
} }
finally finally
{ {
if(in != null){
try{
in.close();
}catch (Exception e){
e.printStackTrace();
}
}
IOUtils.closeQuietly(in); IOUtils.closeQuietly(in);
} }
} }
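Review bot: The added `in.close()` block is immediately followed by the pre-existing `IOUtils.closeQuietly(in)` on the same stream, so the stream is closed twice and a close failure is reported through `printStackTrace` rather than swallowed as `closeQuietly` intends. Keep just `IOUtils.closeQuietly(in);`, which already handles null and exceptions, and delete the new block. The enclosing method starts outside the hunk.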


@ -189,6 +189,7 @@ public class HttpUtils
return result.toString(); return result.toString();
} }
public static String sendSSLPost(String url, String param) public static String sendSSLPost(String url, String param)
{ {
StringBuilder result = new StringBuilder(); StringBuilder result = new StringBuilder();
@ -196,8 +197,8 @@ public class HttpUtils
try try
{ {
log.info("sendSSLPost - {}", urlNameString); log.info("sendSSLPost - {}", urlNameString);
SSLContext sc = SSLContext.getInstance("SSL"); // SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, new TrustManager[] { new TrustAnyTrustManager() }, new java.security.SecureRandom()); // sc.init(null, new TrustManager[] { new TrustAnyTrustManager() }, new java.security.SecureRandom());
URL console = new URL(urlNameString); URL console = new URL(urlNameString);
HttpsURLConnection conn = (HttpsURLConnection) console.openConnection(); HttpsURLConnection conn = (HttpsURLConnection) console.openConnection();
conn.setRequestProperty("accept", "*/*"); conn.setRequestProperty("accept", "*/*");
@ -208,7 +209,7 @@ public class HttpUtils
conn.setDoOutput(true); conn.setDoOutput(true);
conn.setDoInput(true); conn.setDoInput(true);
conn.setSSLSocketFactory(sc.getSocketFactory()); // conn.setSSLSocketFactory(sc.getSocketFactory());
conn.setHostnameVerifier(new TrustAnyHostnameVerifier()); conn.setHostnameVerifier(new TrustAnyHostnameVerifier());
conn.connect(); conn.connect();
InputStream is = conn.getInputStream(); InputStream is = conn.getInputStream();
@ -223,7 +224,14 @@ public class HttpUtils
} }
log.info("recv - {}", result); log.info("recv - {}", result);
conn.disconnect(); conn.disconnect();
br.close(); if(br != null){
try{
br.close();
}catch (Exception e){
e.printStackTrace();
}
}
} }
catch (ConnectException e) catch (ConnectException e)
{ {
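Review bot: Commenting out the trust-all `SSLContext` leaves `conn.setHostnameVerifier(new TrustAnyHostnameVerifier())` in place, so `sendSSLPost` still accepts a certificate issued for any other host and the hardening is incomplete. Remove that line too so the JDK default verifier applies, and delete the commented-out `sc` / `TrustManager` lines rather than leaving dead code that invites re-enabling. The new `br.close()` guard sits inside the try block instead of a finally, so the reader still leaks when `conn.getInputStream()` or the read loop throws; the method continues past the hunk into its catch clauses.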


@ -85,6 +85,7 @@ import com.bonus.common.core.domain.AjaxResult;
import com.bonus.common.core.text.Convert; import com.bonus.common.core.text.Convert;
import com.bonus.common.exception.UtilException; import com.bonus.common.exception.UtilException;
import com.bonus.common.utils.reflect.ReflectUtils; import com.bonus.common.utils.reflect.ReflectUtils;
import org.springframework.util.ReflectionUtils;
/** /**
* Excel相关处理 * Excel相关处理
@ -650,8 +651,17 @@ public class ExcelUtil<T>
} }
finally finally
{ {
IOUtils.closeQuietly(wb); if(out != null){
IOUtils.closeQuietly(out); try{
out.close();
IOUtils.closeQuietly(wb);
IOUtils.closeQuietly(out);
}catch (Exception e){
e.printStackTrace();
}
}
} }
} }
@ -748,7 +758,8 @@ public class ExcelUtil<T>
{ {
if (subField.isAnnotationPresent(Excel.class)) if (subField.isAnnotationPresent(Excel.class))
{ {
subField.setAccessible(true); // subField.setAccessible(true);
ReflectionUtils.makeAccessible(subField);
Excel attr = subField.getAnnotation(Excel.class); Excel attr = subField.getAnnotation(Excel.class);
this.addCell(attr, row, (T) obj, subField, column + subIndex); this.addCell(attr, row, (T) obj, subField, column + subIndex);
} }
@ -1410,7 +1421,8 @@ public class ExcelUtil<T>
{ {
Class<?> clazz = o.getClass(); Class<?> clazz = o.getClass();
Field field = clazz.getDeclaredField(name); Field field = clazz.getDeclaredField(name);
field.setAccessible(true); // field.setAccessible(true);
ReflectionUtils.makeAccessible(field);
o = field.get(o); o = field.get(o);
} }
return o; return o;
@ -1445,7 +1457,8 @@ public class ExcelUtil<T>
Excel attr = field.getAnnotation(Excel.class); Excel attr = field.getAnnotation(Excel.class);
if (attr != null && (attr.type() == Type.ALL || attr.type() == type)) if (attr != null && (attr.type() == Type.ALL || attr.type() == type))
{ {
field.setAccessible(true); //field.setAccessible(true);
ReflectionUtils.makeAccessible(field);
fields.add(new Object[] { field, attr }); fields.add(new Object[] { field, attr });
} }
if (Collection.class.isAssignableFrom(field.getType())) if (Collection.class.isAssignableFrom(field.getType()))
@ -1467,7 +1480,8 @@ public class ExcelUtil<T>
if (!ArrayUtils.contains(this.excludeFields, field.getName() + "." + attr.targetAttr()) if (!ArrayUtils.contains(this.excludeFields, field.getName() + "." + attr.targetAttr())
&& (attr != null && (attr.type() == Type.ALL || attr.type() == type))) && (attr != null && (attr.type() == Type.ALL || attr.type() == type)))
{ {
field.setAccessible(true); // field.setAccessible(true);
ReflectionUtils.makeAccessible(field);
fields.add(new Object[] { field, attr }); fields.add(new Object[] { field, attr });
} }
} }
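Review bot: In the finally block `IOUtils.closeQuietly(wb)` now runs only when `out != null`, so if obtaining the output stream fails the workbook is never closed, whereas the old code closed both unconditionally; move `IOUtils.closeQuietly(wb);` ahead of the `if` and drop the explicit `out.close()` that precedes `closeQuietly(out)` on the same stream. The `ReflectionUtils.makeAccessible(...)` substitutions in the remaining hunks, and the two in ReflectUtils, are behaviour-neutral — Spring's helper calls `setAccessible(true)` itself under the same conditions — so they change nothing about the reflective access; if satisfying a scanner finding is the goal, record it once with `// ReflectionUtils.makeAccessible wraps setAccessible(true); no behavioural change` rather than leaving the commented-out `setAccessible` lines beside each replacement.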


@ -15,6 +15,7 @@ import org.apache.commons.lang3.Validate;
import org.apache.poi.ss.usermodel.DateUtil; import org.apache.poi.ss.usermodel.DateUtil;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.springframework.util.ReflectionUtils;
/** /**
* 反射工具类. 提供调用getter/setter方法, 访问私有变量, 调用私有方法, 获取泛型类型Class, 被AOP过的真实类等工具函数. * 反射工具类. 提供调用getter/setter方法, 访问私有变量, 调用私有方法, 获取泛型类型Class, 被AOP过的真实类等工具函数.
@ -316,7 +317,8 @@ public class ReflectUtils
if ((!Modifier.isPublic(method.getModifiers()) || !Modifier.isPublic(method.getDeclaringClass().getModifiers())) if ((!Modifier.isPublic(method.getModifiers()) || !Modifier.isPublic(method.getDeclaringClass().getModifiers()))
&& !method.isAccessible()) && !method.isAccessible())
{ {
method.setAccessible(true); //method.setAccessible(true);
ReflectionUtils.makeAccessible(method);
} }
} }
@ -328,7 +330,8 @@ public class ReflectUtils
if ((!Modifier.isPublic(field.getModifiers()) || !Modifier.isPublic(field.getDeclaringClass().getModifiers()) if ((!Modifier.isPublic(field.getModifiers()) || !Modifier.isPublic(field.getDeclaringClass().getModifiers())
|| Modifier.isFinal(field.getModifiers())) && !field.isAccessible()) || Modifier.isFinal(field.getModifiers())) && !field.isAccessible())
{ {
field.setAccessible(true); //field.setAccessible(true);
ReflectionUtils.makeAccessible(field);
} }
} }


@ -94,8 +94,8 @@ public final class UUID implements java.io.Serializable, Comparable<UUID>
*/ */
public static UUID randomUUID(boolean isSecure) public static UUID randomUUID(boolean isSecure)
{ {
final Random ng = isSecure ? Holder.numberGenerator : getRandom(); // final Random ng = isSecure ? Holder.numberGenerator : getRandom();
final SecureRandom ng = isSecure ? Holder.numberGenerator : getSecureRandom();
byte[] randomBytes = new byte[16]; byte[] randomBytes = new byte[16];
ng.nextBytes(randomBytes); ng.nextBytes(randomBytes);
randomBytes[6] &= 0x0f; /* clear version */ randomBytes[6] &= 0x0f; /* clear version */
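Review bot: With both branches of the ternary now yielding a `SecureRandom`, the `isSecure` parameter no longer selects anything meaningful — callers passing `false` silently get the strong generator too, and the Javadoc above the hunk (outside view) presumably still describes a fast-versus-secure choice. Either simplify to `final SecureRandom ng = Holder.numberGenerator;` and mark the flag deprecated, or keep the two sources and document that both are cryptographically strong. `getSecureRandom()` is not in the hunk; confirm it returns a shared instance rather than constructing a new `SecureRandom` on every call.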


@ -1,5 +1,6 @@
package com.bonus.framework.config; package com.bonus.framework.config;
import java.security.SecureRandom;
import java.util.Random; import java.util.Random;
import com.google.code.kaptcha.text.impl.DefaultTextCreator; import com.google.code.kaptcha.text.impl.DefaultTextCreator;
@ -16,7 +17,8 @@ public class KaptchaTextCreator extends DefaultTextCreator
public String getText() public String getText()
{ {
Integer result = 0; Integer result = 0;
Random random = new Random(); // Random random = new Random();
SecureRandom random = new SecureRandom();
int x = random.nextInt(10); int x = random.nextInt(10);
int y = random.nextInt(10); int y = random.nextInt(10);
StringBuilder suChinese = new StringBuilder(); StringBuilder suChinese = new StringBuilder();
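Review bot: `new SecureRandom()` is constructed inside `getText()`, i.e. on every captcha generation; seeding a fresh instance per call is needlessly expensive and on some platforms can block waiting for entropy. Hold one instance on the class as `private static final SecureRandom RANDOM = new SecureRandom();` and use it here, since `SecureRandom` is safe to share across threads. The `java.util.Random` import remains; remove it if nothing else in the class uses it (the rest of the file is outside the hunk), and delete the commented-out `new Random()` line.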


@ -4,6 +4,8 @@ import java.io.ByteArrayOutputStream;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.io.StringWriter; import java.io.StringWriter;
import java.text.Normalizer;
import java.util.ArrayList;
import java.util.LinkedHashMap; import java.util.LinkedHashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -11,6 +13,8 @@ import java.util.function.Function;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import java.util.zip.ZipEntry; import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream; import java.util.zip.ZipOutputStream;
import com.bonus.generator.util.CleanPathUtil;
import org.apache.commons.io.FileUtils; import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils; import org.apache.commons.io.IOUtils;
import org.apache.velocity.Template; import org.apache.velocity.Template;
@ -241,9 +245,9 @@ public class GenTableServiceImpl implements IGenTableService
*/ */
@Override @Override
public void generatorCode(String tableName) public void generatorCode(String tableName)
{ {
// 查询表信息 // 查询表信息
GenTable table = genTableMapper.selectGenTableByName(tableName); GenTable table = genTableMapper.selectGenTableByName(CleanPathUtil.cleanString(tableName));
// 设置主子表信息 // 设置主子表信息
setSubTable(table); setSubTable(table);
// 设置主键列信息 // 设置主键列信息
@ -266,6 +270,7 @@ public class GenTableServiceImpl implements IGenTableService
try try
{ {
String path = getGenPath(table, template); String path = getGenPath(table, template);
path = CleanPathUtil.cleanString(path);
FileUtils.writeStringToFile(new File(path), sw.toString(), CharsetKit.UTF_8); FileUtils.writeStringToFile(new File(path), sw.toString(), CharsetKit.UTF_8);
} }
catch (IOException e) catch (IOException e)
@ -275,7 +280,6 @@ public class GenTableServiceImpl implements IGenTableService
} }
} }
} }
/** /**
* 同步数据库 * 同步数据库
* *
@ -349,6 +353,25 @@ public class GenTableServiceImpl implements IGenTableService
IOUtils.closeQuietly(zip); IOUtils.closeQuietly(zip);
return outputStream.toByteArray(); return outputStream.toByteArray();
} }
/**
* Log Forging漏洞校验
* @param logs
* @return
*/
public static String vaildLog(String logs) {
List<String> list=new ArrayList<String>();
list.add("%0d");
list.add("%0a");
list.add("%0A");
list.add("%0D");
list.add("\r");
list.add("\n");
String normalize = Normalizer.normalize(logs, Normalizer.Form.NFKC);
for (String str : list) {
normalize=normalize.replace(str, "");
}
return normalize;
}
/** /**
* 查询表信息并生成代码 * 查询表信息并生成代码
@ -356,6 +379,7 @@ public class GenTableServiceImpl implements IGenTableService
private void generatorCode(String tableName, ZipOutputStream zip) private void generatorCode(String tableName, ZipOutputStream zip)
{ {
// 查询表信息 // 查询表信息
tableName = vaildLog(tableName);
GenTable table = genTableMapper.selectGenTableByName(tableName); GenTable table = genTableMapper.selectGenTableByName(tableName);
// 设置主子表信息 // 设置主子表信息
setSubTable(table); setSubTable(table);
@ -385,7 +409,7 @@ public class GenTableServiceImpl implements IGenTableService
} }
catch (IOException e) catch (IOException e)
{ {
log.error("渲染模板失败,表名:" + table.getTableName(), e); log.error("渲染模板失败,表名:" + vaildLog(table.getTableName()), e);
} }
} }
} }
@ -514,6 +538,7 @@ public class GenTableServiceImpl implements IGenTableService
String genPath = table.getGenPath(); String genPath = table.getGenPath();
if (StringUtils.equals(genPath, "/")) if (StringUtils.equals(genPath, "/"))
{ {
template = CleanPathUtil.cleanString(template);
return System.getProperty("user.dir") + File.separator + "src" + File.separator + VelocityUtils.getFileName(template, table); return System.getProperty("user.dir") + File.separator + "src" + File.separator + VelocityUtils.getFileName(template, table);
} }
return genPath + File.separator + VelocityUtils.getFileName(template, table); return genPath + File.separator + VelocityUtils.getFileName(template, table);
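Review bot: `vaildLog` is applied to `tableName` before `genTableMapper.selectGenTableByName(tableName)` in the zip-generating overload, while the other `generatorCode(String)` overload cleans the same parameter with `CleanPathUtil.cleanString(tableName)` — two different filters for one lookup key, and a log-forging filter is not what protects a `#{}`-parameterized query. Inside `vaildLog`, `Normalizer.normalize` throws `NullPointerException` on a null argument, so add `if (logs == null) { return null; }` before it (whether `table.getTableName()` can be null at the `log.error` call is not visible here), rename the method to `validLog`, and make the fixed token list a `private static final List<String>` rather than rebuilding it per call. A single-pass `replace` can also leave a forbidden sequence behind when removing one token joins two fragments, so rejecting or escaping the value is safer than deleting from it. In the `getGenPath` hunk, `template = CleanPathUtil.cleanString(template);` sits inside the `"/"` branch only, so the `return genPath + File.separator + VelocityUtils.getFileName(template, table);` branch still receives the uncleaned `template`; move the assignment above the `if`.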


@ -232,7 +232,8 @@ public class SysDeptServiceImpl implements ISysDeptService
public int updateDept(SysDept dept) public int updateDept(SysDept dept)
{ {
SysDept newParentDept = deptMapper.selectDeptById(dept.getParentId()); SysDept newParentDept = deptMapper.selectDeptById(dept.getParentId());
SysDept oldDept = deptMapper.selectDeptById(dept.getDeptId()); String team = StringUtils.regParaValidate(dept.getDeptId()+"");
SysDept oldDept = deptMapper.selectDeptById(Long.parseLong(team));
if (StringUtils.isNotNull(newParentDept) && StringUtils.isNotNull(oldDept)) if (StringUtils.isNotNull(newParentDept) && StringUtils.isNotNull(oldDept))
{ {
String newAncestors = newParentDept.getAncestors() + "," + newParentDept.getDeptId(); String newAncestors = newParentDept.getAncestors() + "," + newParentDept.getDeptId();
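Review bot: `String team = StringUtils.regParaValidate(dept.getDeptId()+"");` turns an already-numeric `Long` into text and `Long.parseLong(team)` turns it back, adding a `NumberFormatException` path that `selectDeptById(dept.getDeptId())` did not have: a null `deptId` becomes the literal `"null"`, and any character `regParaValidate` strips (its behaviour is not visible here) yields an unparseable or different id. Assuming the mapper binds the id with `#{}`, a `Long` is not an injection vector, so validate it as a number instead, e.g. `Long deptId = Objects.requireNonNull(dept.getDeptId(), "deptId");` followed by `SysDept oldDept = deptMapper.selectDeptById(deptId);`. `updateDept` continues past the hunk.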


@ -42,8 +42,7 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
<if test="status != null and status != ''"> <if test="status != null and status != ''">
AND status = #{status} AND status = #{status}
</if> </if>
<!-- 数据范围过滤 --> <!-- 数据范围过滤 ${params.dataScope} -->
${params.dataScope}
order by d.parent_id, d.order_num order by d.parent_id, d.order_num
</select> </select>
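Review bot: Moving `${params.dataScope}` into the XML comment `<!-- 数据范围过滤 ${params.dataScope} -->` does not neutralise it, it removes it: the XML parser drops comment nodes before MyBatis assembles the statement, so this select — and the same edit at `order by r.role_sort` and in the user-mapper selects (`selectAllocatedList`, `selectUnallocatedList` and the list query above them) — now runs without the data-scope clause and returns rows outside the caller's permitted departments. In this framework the value is presumably built server-side by the data-scope aspect rather than taken from the request, which is why it is spliced with `${}`; if that is confirmed, the scanner finding is a false positive and the line should be restored as `${params.dataScope}` with a comment recording that the clause is aspect-generated, not user input. If it cannot be confirmed, the fix belongs in the code that produces `params.dataScope`, not in silently dropping row-level filtering.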


@ -53,8 +53,8 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
<if test="params.endTime != null and params.endTime != ''"><!-- 结束时间检索 --> <if test="params.endTime != null and params.endTime != ''"><!-- 结束时间检索 -->
and date_format(r.create_time,'%y%m%d') &lt;= date_format(#{params.endTime},'%y%m%d') and date_format(r.create_time,'%y%m%d') &lt;= date_format(#{params.endTime},'%y%m%d')
</if> </if>
<!-- 数据范围过滤 --> <!-- 数据范围过滤 ${params.dataScope} -->
${params.dataScope}
order by r.role_sort order by r.role_sort
</select> </select>


@ -86,8 +86,7 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
<if test="deptId != null and deptId != 0"> <if test="deptId != null and deptId != 0">
AND (u.dept_id = #{deptId} OR u.dept_id IN ( SELECT t.dept_id FROM sys_dept t WHERE find_in_set(#{deptId}, ancestors) )) AND (u.dept_id = #{deptId} OR u.dept_id IN ( SELECT t.dept_id FROM sys_dept t WHERE find_in_set(#{deptId}, ancestors) ))
</if> </if>
<!-- 数据范围过滤 --> <!-- 数据范围过滤 ${params.dataScope} -->
${params.dataScope}
</select> </select>
<select id="selectAllocatedList" parameterType="SysUser" resultMap="SysUserResult"> <select id="selectAllocatedList" parameterType="SysUser" resultMap="SysUserResult">
@ -103,8 +102,7 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
<if test="phonenumber != null and phonenumber != ''"> <if test="phonenumber != null and phonenumber != ''">
AND u.phonenumber like concat('%', #{phonenumber}, '%') AND u.phonenumber like concat('%', #{phonenumber}, '%')
</if> </if>
<!-- 数据范围过滤 --> <!-- 数据范围过滤 ${params.dataScope} -->
${params.dataScope}
</select> </select>
<select id="selectUnallocatedList" parameterType="SysUser" resultMap="SysUserResult"> <select id="selectUnallocatedList" parameterType="SysUser" resultMap="SysUserResult">
@ -121,8 +119,7 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
<if test="phonenumber != null and phonenumber != ''"> <if test="phonenumber != null and phonenumber != ''">
AND u.phonenumber like concat('%', #{phonenumber}, '%') AND u.phonenumber like concat('%', #{phonenumber}, '%')
</if> </if>
<!-- 数据范围过滤 --> <!-- 数据范围过滤 ${params.dataScope} -->
${params.dataScope}
</select> </select>
<select id="selectUserByUserName" parameterType="String" resultMap="SysUserResult"> <select id="selectUserByUserName" parameterType="String" resultMap="SysUserResult">