diff --git a/bonus-auth/src/main/java/com/bonus/auth/controller/TokenController.java b/bonus-auth/src/main/java/com/bonus/auth/controller/TokenController.java
index 4232f61..b85bb13 100644
--- a/bonus-auth/src/main/java/com/bonus/auth/controller/TokenController.java
+++ b/bonus-auth/src/main/java/com/bonus/auth/controller/TokenController.java
@@ -4,6 +4,7 @@ import com.alibaba.fastjson.JSONObject;
 import com.bonus.auth.config.LoginType;
 import com.bonus.auth.factory.LoginStrategyFactory;
 import com.bonus.auth.form.LoginBody;
+import com.bonus.auth.form.LoginIsAdminBody;
 import com.bonus.auth.form.RegisterBody;
 import com.bonus.auth.service.*;
 import com.bonus.common.core.constant.CacheConstants;
@@ -92,7 +93,7 @@ public class TokenController {
 private String iwsH5Url;
 @PostMapping("isAdmin")
- public R isAdmin(@RequestBody LoginBody form) {
+ public R isAdmin(@RequestBody LoginIsAdminBody form) {
 if (!config.isAdmin()) {
 return R.ok(false);
 }
diff --git a/bonus-auth/src/main/java/com/bonus/auth/form/LoginIsAdminBody.java b/bonus-auth/src/main/java/com/bonus/auth/form/LoginIsAdminBody.java
new file mode 100644
index 0000000..cdcb219
--- /dev/null
+++ b/bonus-auth/src/main/java/com/bonus/auth/form/LoginIsAdminBody.java
@@ -0,0 +1,23 @@
+package com.bonus.auth.form;
+
+import com.bonus.auth.config.LoginType;
+import com.bonus.auth.config.VerificationCodeType;
+import lombok.Data;
+
+/**
+ * 用户登录对象
+ *
+ * @author bonus
+ */
+@Data
+public class LoginIsAdminBody {
+ /**
+ * 用户名
+ */
+ private String username;
+
+ /**
+ * 用户密码
+ */
+ private String password;
+}
diff --git a/bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/web/page/TableSupport.java b/bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/web/page/TableSupport.java
index 895f95c..3da3380 100644
--- a/bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/web/page/TableSupport.java
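Review bot: `LoginIsAdminBody` carries `password` under `@Data`, so the Lombok-generated `toString()` (and `equals`/`hashCode`) includes the plaintext credential, and any logging of the request object on the `isAdmin` path would write it to the log. Mark it `@ToString.Exclude private String password;` or replace `@Data` with `@Getter @Setter`. The imports `LoginType` and `VerificationCodeType` are not used anywhere in this file, and the class Javadoc `用户登录对象` is the one from `LoginBody`; `/** Request body for the isAdmin check: username and password only. */` would describe the new type. The `isAdmin` method in `TokenController` continues outside its hunk, so how `form` is consumed there is not visible here.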
+++ b/bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/web/page/TableSupport.java
@@ -1,7 +1,9 @@
 package com.bonus.common.core.web.page;
+import com.bonus.common.core.exception.ServiceException;
 import com.bonus.common.core.text.Convert;
 import com.bonus.common.core.utils.ServletUtils;
+import com.bonus.common.core.utils.StringUtils;
 /**
 * 表格数据处理
@@ -41,6 +43,7 @@ public class TableSupport
 */
 public static PageDomain getPageDomain()
 {
+ isValidPageParams(PAGE_SIZE, PAGE_NUM);
 PageDomain pageDomain = new PageDomain();
 pageDomain.setPageNum(Convert.toInt(ServletUtils.getParameter(PAGE_NUM), 1));
 pageDomain.setPageSize(Convert.toInt(ServletUtils.getParameter(PAGE_SIZE), 10));
@@ -54,4 +57,18 @@ public class TableSupport
 {
 return getPageDomain();
 }
+
+ public static void isValidPageParams(String... paramNames) {
+ for(String paramName : paramNames) {
+ String valueStr = ServletUtils.getParameter(paramName);
+ if (StringUtils.isNotBlank(valueStr)) {
+ try {
+ Integer.parseInt(valueStr.trim());
+ } catch (NumberFormatException e) {
+ throw new ServiceException("无效的分页参数");
+ }
+ }
+ }
+ }
+
 }
diff --git a/bonus-gateway/src/main/java/com/bonus/gateway/config/GlobalCorsConfig.java b/bonus-gateway/src/main/java/com/bonus/gateway/config/GlobalCorsConfig.java
index 223ee47..a79daaa 100644
--- a/bonus-gateway/src/main/java/com/bonus/gateway/config/GlobalCorsConfig.java
+++ b/bonus-gateway/src/main/java/com/bonus/gateway/config/GlobalCorsConfig.java
@@ -1,5 +1,10 @@
 package com.bonus.gateway.config;
+import cn.hutool.core.collection.CollUtil;
+import com.alibaba.nacos.common.utils.JacksonUtils;
+import com.bonus.gateway.config.properties.CorsProperties;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.cors.CorsConfiguration;
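Review bot: `isValidPageParams` only rejects values that fail `Integer.parseInt`, so `pageNum=0`, `pageSize=-1` or `pageSize=2147483647` still pass and reach `Convert.toInt` in `getPageDomain`; an unbounded page size lets one request pull a whole table, which is the case this validation presumably exists for. Keep the parsed value and check its range, and cap `PAGE_SIZE` at a project maximum (the constants and `getPageDomain`'s remaining body are outside this hunk, so the cap is left as a TODO below). The name reads as a boolean predicate but the method returns `void` and throws; `validatePageParams` would say what it does, and a Javadoc with `@throws ServiceException if a present parameter is not a positive integer` would document the contract for callers.
```java
public static void isValidPageParams(String... paramNames) {
    for (String paramName : paramNames) {
        String valueStr = ServletUtils.getParameter(paramName);
        if (StringUtils.isBlank(valueStr)) {
            continue; // absent: Convert.toInt's default applies in getPageDomain
        }
        int value;
        try {
            value = Integer.parseInt(valueStr.trim());
        } catch (NumberFormatException e) {
            throw new ServiceException("无效的分页参数");
        }
        // page number and page size start at 1; TODO also cap PAGE_SIZE at a project maximum
        if (value < 1) {
            throw new ServiceException("无效的分页参数");
        }
    }
}
```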
@@ -11,7 +16,10 @@ import org.springframework.web.util.pattern.PathPatternParser;
 * Description: 全局跨域配置
 */
 @Configuration
+@Slf4j
 public class GlobalCorsConfig {
+ @Autowired
+ private CorsProperties corsProperties;
 @Bean
 public CorsWebFilter corsFilter() {
 // 创建一个新的CorsConfiguration对象,用于配置跨域请求
@@ -19,9 +27,16 @@ public class GlobalCorsConfig {
 // 允许所有的HTTP请求方法(GET, POST, PUT, DELETE等)
 config.addAllowedMethod("*");
 // 允许所有的域名发起的请求 比如http://localhost:8080、
- config.addAllowedOrigin("*");
- // 允许所有的域名发起的请求(支持正则表达式) 比如http://localhost:8080
- config.addAllowedOriginPattern("*");
+ log.info("允许的域名:{}", corsProperties.getAllowedOrigins());
+ if(CollUtil.isNotEmpty(corsProperties.getAllowedOrigins())) {
+ for(String cors : corsProperties.getAllowedOrigins()) {
+ config.addAllowedOrigin(cors);
+ }
+ }else {
+ config.addAllowedOrigin("*");
+ // 允许所有的域名发起的请求(支持正则表达式) 比如http://localhost:8080
+ config.addAllowedOriginPattern("*");
+ }
 // 允许所有的请求头部信息 比如token、Content-Type
 config.addAllowedHeader("*");
 // 创建一个UrlBasedCorsConfigurationSource对象,并使用PathPatternParser进行路径匹配
diff --git a/bonus-gateway/src/main/java/com/bonus/gateway/config/properties/CorsProperties.java b/bonus-gateway/src/main/java/com/bonus/gateway/config/properties/CorsProperties.java
new file mode 100644
index 0000000..b0003a1
--- /dev/null
+++ b/bonus-gateway/src/main/java/com/bonus/gateway/config/properties/CorsProperties.java
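Review bot: `corsProperties` is injected through a field `@Autowired` on the `@Configuration` class, so a missing `CorsProperties` bean is only discovered when `corsFilter()` runs and the class cannot be constructed in a test without a container. Constructor injection makes the dependency explicit and final: `private final CorsProperties corsProperties;` plus a one-argument constructor. `JacksonUtils` from nacos-common, added in the import hunk above, does not appear to be used in either hunk of this file.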
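Review bot: The `else` branch keeps the old `addAllowedOrigin("*")` / `addAllowedOriginPattern("*")` pair, so an absent, empty or mistyped `security.cors.allowed-origins` silently reopens the gateway's CORS policy to every origin — the misconfiguration failure mode is fail-open, and the only trace is an `info` line. Prefer failing closed: when the list is empty, register no origin (or throw `IllegalStateException` at startup) and log it at warn, e.g. `log.warn("security.cors.allowed-origins is empty; no cross-origin requests will be allowed");`. `addAllowedOrigin` matches exact origins, so an entry such as `https://*.example.com` in the list would have to go through `addAllowedOriginPattern` instead; a comment on the property saying that only literal origins are accepted would prevent that surprise. The rest of `corsFilter` — including whether credentials are allowed, which changes how safe a wildcard is — lies outside this hunk.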
@@ -0,0 +1,32 @@
+package com.bonus.gateway.config.properties;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.cloud.context.config.annotation.RefreshScope;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * XSS跨站脚本配置
+ *
+ * @author bonus
+ */
+@Configuration
+@RefreshScope
+@ConfigurationProperties(prefix = "security.cors")
+public class CorsProperties
+{
+ /**
+ * 合法源
+ */
+ private List allowedOrigins = new ArrayList<>();
+
+ public List getAllowedOrigins() {
+ return allowedOrigins;
+ }
+
+ public void setAllowedOrigins(List allowedOrigins) {
+ this.allowedOrigins = allowedOrigins;
+ }
+}
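Review bot: `private List allowedOrigins` is a raw type, and the `for (String cors : corsProperties.getAllowedOrigins())` loop in `GlobalCorsConfig` iterates a raw `List` as `Object`, which javac rejects as incompatible with `String`; the property binder also has no element type to convert `security.cors.allowed-origins` entries to. Declare `private List<String> allowedOrigins = new ArrayList<>();` and change the getter and setter to `List<String>` to match. The class Javadoc `XSS跨站脚本配置` looks copied from another properties class; `CORS 允许的源配置 (security.cors.allowed-origins)` describes this one. Returning the internal mutable list from `getAllowedOrigins()` lets any caller alter the allowed set at runtime; `return List.copyOf(allowedOrigins);` keeps the configured policy read-only.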