From 6a6d1d4c5e5e251d35a355bd91ea9f773327e08c Mon Sep 17 00:00:00 2001 From: weiweiw <14335254+weiweiw22@user.noreply.gitee.com> Date: Wed, 13 Nov 2024 13:17:35 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DX-Forwarded-For=20ip=E5=9C=B0?= =?UTF-8?q?=E5=9D=80=E4=BC=AA=E9=80=A0=20=E5=AE=89=E5=85=A8=E9=97=AE?= =?UTF-8?q?=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../bonus/system/api/domain/SysLogsVo.java | 2 +- .../service/PasswordValidatorService.java | 7 +++--- .../auth/service/SysRecordLogService.java | 17 ++++++++----- .../java/com/bonus/config/SystemConfig.java | 6 +++++ .../bonus/common/core/utils/ip/IpUtils.java | 25 +++++++++++++------ .../bonus/common/log/aspect/LogAspect.java | 9 ++++++- .../bonus/common/security/auth/AuthLogic.java | 5 ++++ .../feign/FeignRequestInterceptor.java | 7 +++++- .../common/security/service/TokenService.java | 3 ++- .../system/controller/SysUserController.java | 2 +- .../service/impl/SysLogServiceImpl.java | 8 ++++-- 11 files changed, 68 insertions(+), 23 deletions(-) diff --git a/bonus-api/bonus-api-system/src/main/java/com/bonus/system/api/domain/SysLogsVo.java b/bonus-api/bonus-api-system/src/main/java/com/bonus/system/api/domain/SysLogsVo.java index b08431b..99fa4eb 100644 --- a/bonus-api/bonus-api-system/src/main/java/com/bonus/system/api/domain/SysLogsVo.java +++ b/bonus-api/bonus-api-system/src/main/java/com/bonus/system/api/domain/SysLogsVo.java @@ -164,7 +164,7 @@ public class SysLogsVo { try{ String uuid= UUID.randomUUID().toString().replace("-","").toUpperCase(); vo.setLogId(uuid); - String ip = IpUtils.getIpAddr(); + String ip = loginUser.getIpaddr(); vo.setIp(ip); // 设置方法名称 String className = joinPoint.getTarget().getClass().getName(); diff --git a/bonus-auth/src/main/java/com/bonus/auth/service/PasswordValidatorService.java b/bonus-auth/src/main/java/com/bonus/auth/service/PasswordValidatorService.java index 2dcf1b1..81e9734 100644 
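Review bot: `loginUser.getIpaddr()` only reflects the address last stored on the LoginUser, so this helper now records the current request's address only when its caller has refreshed it first (AuthLogic.addErrorLogs in this patch does; any other caller presumably still carries the address captured when the token was created). Because the assignment sits inside a `try{` whose catch is outside the hunk, a null loginUser would surface only as whatever that catch does. Add to the method's Javadoc: `/** IP is read from loginUser.getIpaddr(); callers must set it from the current request before calling. */`. The enclosing method begins before this hunk.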
--- a/bonus-auth/src/main/java/com/bonus/auth/service/PasswordValidatorService.java +++ b/bonus-auth/src/main/java/com/bonus/auth/service/PasswordValidatorService.java @@ -238,7 +238,8 @@ public class PasswordValidatorService { long startTime = System.currentTimeMillis(); try { String blackStr = Convert.toStr(redisService.getCacheObject(CacheConstants.SYS_LOGIN_BLACKIPLIST)); - if (IpUtils.isMatchedIp(blackStr, IpUtils.getIpAddr())) { + String ip = IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()); + if (IpUtils.isMatchedIp(blackStr,ip )) { logAndThrowError(username, "访问IP已被列入系统黑名单", "访问IP已被列入系统黑名单"); } } catch (Exception e) { @@ -269,7 +270,7 @@ public class PasswordValidatorService { */ public void handleIpValidation(String username, SysUser user) { try { - String nowIp = IpUtils.getIpAddr(); + String nowIp = IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()); String hisIp = redisService.getCacheObject("IP:" + user.getUserId()); if (!nowIp.equals(hisIp)) { recordLogService.saveErrorLogs(username, System.currentTimeMillis(), user.getUserId().toString(),"用户连续两次在不同IP登录"); @@ -285,7 +286,7 @@ public class PasswordValidatorService { List> cacheList = redisService.getCacheObject(CacheConstants.SYS_LOGIN_BLACKIPLIST); // 获取客户端的 IP 地址 - String ip = IpUtils.getIpAddr(); + String ip = IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()); // 遍历黑名单 for (Map map : cacheList) { diff --git a/bonus-auth/src/main/java/com/bonus/auth/service/SysRecordLogService.java b/bonus-auth/src/main/java/com/bonus/auth/service/SysRecordLogService.java index 57ec8f8..3945356 100644 --- a/bonus-auth/src/main/java/com/bonus/auth/service/SysRecordLogService.java +++ b/bonus-auth/src/main/java/com/bonus/auth/service/SysRecordLogService.java 
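Review bot: All three hunks switch the blacklist and IP-change checks to the trusted-proxy-aware lookup, but no `systemConfig` field is declared in this file's changes, so the class must already hold one or an injection still needs to be added. The behavioural consequence deserves a comment at the first hunk: when the edge proxy is not listed in `trustedProxyIps`, every client behind it resolves to the proxy's own address, so a blacklist entry then matches all of them and the `nowIp.equals(hisIp)` comparison in handleIpValidation never detects a change — e.g. `// resolves to the proxy address unless the proxy is in trustedProxyIps; see IpUtils.getIpAddr`. Also `IpUtils.isMatchedIp(blackStr,ip )` has a stray space before the paren; write `IpUtils.isMatchedIp(blackStr, ip)`. The enclosing methods begin outside these hunks.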
@@ -5,6 +5,7 @@ import com.bonus.common.core.utils.DateUtils; import com.bonus.common.core.utils.global.SystemGlobal; import com.bonus.common.log.enums.OperaResult; import com.bonus.common.log.enums.OperaType; +import com.bonus.config.SystemConfig; import com.bonus.system.api.domain.SysLogsVo; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; @@ -15,6 +16,7 @@ import com.bonus.common.core.utils.StringUtils; import com.bonus.common.core.utils.ip.IpUtils; import com.bonus.system.api.RemoteLogService; import com.bonus.system.api.domain.SysLogininfor; +import org.springframework.util.ObjectUtils; import java.util.UUID; @@ -29,6 +31,8 @@ public class SysRecordLogService { @Autowired private RemoteLogService remoteLogService; + @Autowired + private SystemConfig systemConfig; /** * 记录登录信息 @@ -42,7 +46,7 @@ public class SysRecordLogService { SysLogininfor logininfor = new SysLogininfor(); logininfor.setUserName(username); - logininfor.setIpaddr(IpUtils.getIpAddr()); + logininfor.setIpaddr(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps())); logininfor.setMsg(message); // 日志状态 if (StringUtils.equalsAny(status, Constants.LOGIN_SUCCESS, Constants.LOGOUT, Constants.REGISTER)) @@ -70,7 +74,7 @@ public class SysRecordLogService String uuid= UUID.randomUUID().toString().replace("-","").toUpperCase(); sysLogsVo.setLogId(uuid); sysLogsVo.setOperaUserName(username); - sysLogsVo.setIp(IpUtils.getIpAddr()); + sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps())); sysLogsVo.setModel("系统认证模块"); sysLogsVo.setOperTime(DateUtils.getTime()); sysLogsVo.setMethodType(SystemGlobal.POST); @@ -119,6 +123,7 @@ public class SysRecordLogService if (StringUtils.isNotEmpty(userId)){ sysLogsVo.setUserId(userId); } + sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps())); sysLogsVo.setResultData("用户登录成功"); sysLogsVo.setTitle("系统登录"); sysLogsVo.setModel("系统认证模块"); 
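Review bot: The hunk at old line 119 adds `sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps()));` just before `setResultData("用户登录成功")`, while the hunk at old line 127 keeps a second `setIp` of the same value a few lines later; if both belong to the same method (the gap between them is outside the hunks), one call is redundant and the earlier one should be removed. The new `import org.springframework.util.ObjectUtils;` is not referenced by any changed line here, nor in the TokenService and SysLogServiceImpl hunks that add the same import — drop it from all three unless code outside the hunks uses it. The enclosing methods begin before each hunk.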
@@ -127,7 +132,7 @@ public class SysRecordLogService sysLogsVo.setMethod("login()"); sysLogsVo.setLogId(uuid); sysLogsVo.setOperaUserName(username); - sysLogsVo.setIp(IpUtils.getIpAddr()); + sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps())); sysLogsVo.setParams("{\"username\":\""+username+"\"}"); sysLogsVo.setOperateDetail("用户登录系统"); sysLogsVo.setErrType(errMessage); @@ -154,7 +159,7 @@ public class SysRecordLogService String uuid= UUID.randomUUID().toString().replace("-","").toUpperCase(); sysLogsVo.setLogId(uuid); sysLogsVo.setOperaUserName(username); - sysLogsVo.setIp(IpUtils.getIpAddr()); + sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps())); sysLogsVo.setModel("系统认证模块"); sysLogsVo.setLogType(0); if (StringUtils.isNotEmpty(userId)){ @@ -195,7 +200,7 @@ public class SysRecordLogService String uuid= UUID.randomUUID().toString().replace("-","").toUpperCase(); sysLogsVo.setLogId(uuid); sysLogsVo.setOperaUserName(username); - sysLogsVo.setIp(IpUtils.getIpAddr()); + sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps())); sysLogsVo.setModel("系统认证模块"); sysLogsVo.setLogType(0); if (StringUtils.isNotEmpty(userId)){ @@ -228,7 +233,7 @@ public class SysRecordLogService String uuid= UUID.randomUUID().toString().replace("-","").toUpperCase(); sysLogsVo.setLogId(uuid); sysLogsVo.setOperaUserName(username); - sysLogsVo.setIp(IpUtils.getIpAddr()); + sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps())); sysLogsVo.setModel("系统认证模块"); sysLogsVo.setLogType(0); if (StringUtils.isNotEmpty(userId)){ diff --git a/bonus-common/bonus-common-config/src/main/java/com/bonus/config/SystemConfig.java b/bonus-common/bonus-common-config/src/main/java/com/bonus/config/SystemConfig.java index 7a5bdc4..47253f5 100644 --- a/bonus-common/bonus-common-config/src/main/java/com/bonus/config/SystemConfig.java +++ b/bonus-common/bonus-common-config/src/main/java/com/bonus/config/SystemConfig.java 
@@ -49,6 +49,12 @@ public class SystemConfig { * websocketUrl */ private String websocketurl; + + /** + * 信任的代理ip list + */ + private List trustedProxyIps; + @Data @RefreshScope diff --git a/bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/utils/ip/IpUtils.java b/bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/utils/ip/IpUtils.java index 341a4bc..e068065 100644 --- a/bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/utils/ip/IpUtils.java +++ b/bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/utils/ip/IpUtils.java @@ -2,9 +2,11 @@ package com.bonus.common.core.utils.ip; import java.net.InetAddress; import java.net.UnknownHostException; +import java.util.List; import javax.servlet.http.HttpServletRequest; import com.bonus.common.core.utils.ServletUtils; import com.bonus.common.core.utils.StringUtils; +import org.springframework.util.ObjectUtils; /** * 获取IP方法 @@ -35,9 +37,9 @@ public class IpUtils * * @return IP地址 */ - public static String getIpAddr() + public static String getIpAddr(List trustedProxy) { - return getIpAddr(ServletUtils.getRequest()); + return getIpAddr(ServletUtils.getRequest(), trustedProxy); } /** @@ -46,7 +48,7 @@ public class IpUtils * @param request 请求对象 * @return IP地址 */ - public static String getIpAddr(HttpServletRequest request) + public static String getIpAddr(HttpServletRequest request,List trustedProxy) { if (request == null) { 
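Review bot: `private List trustedProxyIps;` is a raw type; IpUtils compares its elements with `trustedProxy.contains(remoteAddr)` as strings, so declare it `private List<String> trustedProxyIps;`. The Javadoc `信任的代理ip list` should also say what a correct entry is, because the lookup is an exact string match against `request.getRemoteAddr()` and an empty list makes IpUtils ignore forwarded headers entirely: e.g. `/** Exact remote addresses (no CIDR) of reverse proxies whose X-Forwarded-For / X-Real-IP may be trusted; empty means forwarded headers are never honoured. */`. Whether `java.util.List` is already imported in SystemConfig is not visible in this hunk.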
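Review bot: Both `getIpAddr` overloads gain a `trustedProxy` parameter but the Javadoc above each still lists only `@return IP地址`; add `@param trustedProxy remote addresses of reverse proxies whose forwarded headers are honoured; null or empty means the peer's socket address is returned` to both. The parameter is a raw `List`; `List<String>` matches the `contains(remoteAddr)` use in the body. `HttpServletRequest request,List trustedProxy` also wants a space after the comma.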
@@ -70,12 +72,21 @@ public class IpUtils ip = request.getHeader("X-Real-IP"); } - if (ip == null || ip.length() == 0 || IP_UNKNOWN.equalsIgnoreCase(ip)) - { + + if (ip == null || ip.length() == 0 || IP_UNKNOWN.equalsIgnoreCase(ip)){ ip = request.getRemoteAddr(); } - - return "0:0:0:0:0:0:0:1".equals(ip) ? "127.0.0.1" : getMultistageReverseProxyIp(ip); + String remoteAddr = request.getRemoteAddr(); + if (!StringUtils.isEmpty(ip) && !StringUtils.isEmpty(remoteAddr) && !ObjectUtils.isEmpty(trustedProxy)) { + //使用代理的情况下确定代理是可信的 + if (trustedProxy.contains(remoteAddr)) { + return "0:0:0:0:0:0:0:1".equals(ip) ? "127.0.0.1" : getMultistageReverseProxyIp(ip); + } + } + if (!StringUtils.isEmpty(remoteAddr)) { + return "0:0:0:0:0:0:0:1".equals(remoteAddr) ? "127.0.0.1" : getMultistageReverseProxyIp(remoteAddr); + } + return IP_UNKNOWN; } /** diff --git a/bonus-common/bonus-common-log/src/main/java/com/bonus/common/log/aspect/LogAspect.java b/bonus-common/bonus-common-log/src/main/java/com/bonus/common/log/aspect/LogAspect.java index 5f293c6..e77aa8b 100644 --- a/bonus-common/bonus-common-log/src/main/java/com/bonus/common/log/aspect/LogAspect.java +++ b/bonus-common/bonus-common-log/src/main/java/com/bonus/common/log/aspect/LogAspect.java @@ -3,13 +3,16 @@ package com.bonus.common.log.aspect; import java.util.Collection; import java.util.Map; import java.util.UUID; +import javax.annotation.Resource; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import com.alibaba.fastjson2.JSONObject; import com.bonus.common.core.utils.DateUtils; +import com.bonus.common.core.utils.SpringUtils; import com.bonus.common.core.utils.global.SystemGlobal; import com.bonus.common.log.annotation.SysLog; +import com.bonus.config.SystemConfig; import com.bonus.system.api.domain.SysLogsVo; import org.apache.commons.lang3.ArrayUtils; import org.aspectj.lang.JoinPoint; 
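Review bot: The trusted-proxy branch still hands the whole forwarded value to `getMultistageReverseProxyIp(ip)`; that helper is outside the diff, but if it keeps the usual behaviour of returning the leftmost non-unknown entry, a value the client itself put in `X-Forwarded-For` is still what gets logged and blacklist-checked, because a proxy appends the real peer address to the right of whatever it received — the robust rule is to walk the chain from the right and stop at the first hop that is not in `trustedProxy`. Separately, `trustedProxy.contains(remoteAddr)` compares the raw socket address, so a proxy connecting over IPv6 loopback appears as `0:0:0:0:0:0:0:1` and will not match a `127.0.0.1` entry; normalise before the lookup. The only explanation left in the code is `//使用代理的情况下确定代理是可信的`; a Javadoc line saying forwarded headers are honoured only when the peer is a listed proxy would help callers. Suggested replacement for the lines following `ip = request.getRemoteAddr(); }`:
```java
        String remoteAddr = request.getRemoteAddr();
        if ("0:0:0:0:0:0:0:1".equals(remoteAddr)) {
            remoteAddr = "127.0.0.1";
        }
        if (!StringUtils.isEmpty(ip) && !ObjectUtils.isEmpty(trustedProxy) && trustedProxy.contains(remoteAddr)) {
            // Peer is a listed proxy: walk the forwarded chain right-to-left and stop at the
            // first hop that is not itself a trusted proxy; that hop is the real client.
            String[] hops = ip.split(",");
            for (int i = hops.length - 1; i >= 0; i--) {
                String hop = hops[i].trim();
                if (StringUtils.isEmpty(hop) || IP_UNKNOWN.equalsIgnoreCase(hop) || trustedProxy.contains(hop)) {
                    continue;
                }
                return "0:0:0:0:0:0:0:1".equals(hop) ? "127.0.0.1" : hop;
            }
        }
        // Untrusted peer, or every hop in the chain was a listed proxy: report the socket address.
        return StringUtils.isEmpty(remoteAddr) ? IP_UNKNOWN : remoteAddr;
```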
@@ -23,6 +26,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.core.NamedThreadLocal; import org.springframework.http.HttpMethod; import org.springframework.stereotype.Component; +import org.springframework.util.ObjectUtils; import org.springframework.validation.BindingResult; import org.springframework.web.multipart.MultipartFile; import com.alibaba.fastjson2.JSON; @@ -53,6 +57,9 @@ public class LogAspect @Autowired private AsyncLogService asyncLogService; + @Resource + private SystemConfig systemConfig; + /** * 处理请求前执行 */ @@ -118,7 +125,7 @@ public class LogAspect sysLogsVo.setOperateDetail(controllerLog.details()); } - sysLogsVo.setIp(IpUtils.getIpAddr()); + sysLogsVo.setIp(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps())); // 设置方法名称 String className = joinPoint.getTarget().getClass().getName(); String methodName = joinPoint.getSignature().getName(); diff --git a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/auth/AuthLogic.java b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/auth/AuthLogic.java index bbc22ab..39138db 100644 --- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/auth/AuthLogic.java +++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/auth/AuthLogic.java @@ -6,7 +6,9 @@ import cn.hutool.json.JSONObject; import com.bonus.common.core.constant.SecurityConstants; import com.bonus.common.core.domain.R; import com.bonus.common.core.utils.DateUtils; +import com.bonus.common.core.utils.ip.IpUtils; import com.bonus.common.security.utils.LogsUtils; +import com.bonus.config.SystemConfig; import com.bonus.system.api.RemoteLogService; import com.bonus.system.api.domain.SysLogsVo; import org.aspectj.lang.ProceedingJoinPoint; 
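Review bot: LogAspect injects `SystemConfig` with `@Resource` while the sibling services in this patch use `@Autowired`, and two of the imports added in this file's earlier hunk (`SpringUtils`, `ObjectUtils`) are not used by any changed line; pick one injection style across the patch and drop the unused imports. The `setIp` replacement at old line 121 is otherwise the same pattern as the other files; its enclosing method starts before the hunk.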
@@ -42,6 +44,8 @@ public class AuthLogic public RemoteLogService logService = SpringUtils.getBean(RemoteLogService.class); + + public SystemConfig systemConfig = SpringUtils.getBean(SystemConfig.class); /** * 会话注销 */ @@ -180,6 +184,7 @@ public class AuthLogic public void addErrorLogs(ProceedingJoinPoint joinPoint,RequiresPermissions requiresPermissions){ try{ LoginUser loginUser = getLoginUser(); + loginUser.setIpaddr(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps())); SysLogsVo vo=SysLogsVo.getExceedAuthorithSysLogsVo(loginUser,joinPoint); LogsUtils.setRequestValue(joinPoint,vo,null); SysLogsVo sysLogsVo=new SysLogsVo(); diff --git a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/feign/FeignRequestInterceptor.java b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/feign/FeignRequestInterceptor.java index 44fa59a..16ae0e4 100644 --- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/feign/FeignRequestInterceptor.java +++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/feign/FeignRequestInterceptor.java @@ -2,6 +2,9 @@ package com.bonus.common.security.feign; import java.util.Map; import javax.servlet.http.HttpServletRequest; + +import com.bonus.common.core.utils.SpringUtils; +import com.bonus.config.SystemConfig; import org.springframework.stereotype.Component; import com.bonus.common.core.constant.SecurityConstants; import com.bonus.common.core.utils.ServletUtils; @@ -18,6 +21,8 @@ import feign.RequestTemplate; @Component public class FeignRequestInterceptor implements RequestInterceptor { + public SystemConfig systemConfig = SpringUtils.getBean(SystemConfig.class); + @Override public void apply(RequestTemplate requestTemplate) { 
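Review bot: `public SystemConfig systemConfig = SpringUtils.getBean(SystemConfig.class);` in AuthLogic, and the identical field in FeignRequestInterceptor further down this line, is a public non-final field resolved at instance construction, so any code can reassign it and the lookup may run before the container has finished wiring if the class is instantiated early. FeignRequestInterceptor is already a `@Component`, so it can take `@Autowired private SystemConfig systemConfig;` instead; AuthLogic can at least declare the field `private final`. It mirrors the existing `logService` field, so the pattern is pre-existing, but a new field should not widen it.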
@@ -48,7 +53,7 @@ public class FeignRequestInterceptor implements RequestInterceptor } // 配置客户端IP - requestTemplate.header("X-Forwarded-For", IpUtils.getIpAddr()); + requestTemplate.header("X-Forwarded-For", IpUtils.getIpAddr(systemConfig.getTrustedProxyIps())); } } } \ No newline at end of file diff --git a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/service/TokenService.java b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/service/TokenService.java index be88e7b..b719143 100644 --- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/service/TokenService.java +++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/service/TokenService.java @@ -20,6 +20,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import org.springframework.util.ObjectUtils; import javax.annotation.Resource; import javax.servlet.http.HttpServletRequest; @@ -71,7 +72,7 @@ public class TokenService { loginUser.setToken(token); loginUser.setUserid(userId); loginUser.setUsername(userName); - loginUser.setIpaddr(IpUtils.getIpAddr()); + loginUser.setIpaddr(IpUtils.getIpAddr(systemConfig.getTrustedProxyIps())); refreshToken(loginUser); // Jwt存储信息 Map claimsMap = new HashMap(16); diff --git a/bonus-modules/bonus-system/src/main/java/com/bonus/system/controller/SysUserController.java b/bonus-modules/bonus-system/src/main/java/com/bonus/system/controller/SysUserController.java index 5fd913a..b727e3e 100644 --- a/bonus-modules/bonus-system/src/main/java/com/bonus/system/controller/SysUserController.java +++ b/bonus-modules/bonus-system/src/main/java/com/bonus/system/controller/SysUserController.java 
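Review bot: The outbound `X-Forwarded-For` set here is honoured by the receiving service only if this service's own address is in that service's `trustedProxyIps`, because `IpUtils.getIpAddr` now falls back to `getRemoteAddr()` for any unlisted peer; otherwise every downstream log row will carry the calling service's address rather than the client's. Worth stating at the call site: `// downstream honours this header only if our address is in its trustedProxyIps`. The TokenService hunk on this line is fine apart from the unused `ObjectUtils` import it adds.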
@@ -76,7 +76,7 @@ public class SysUserController extends BaseController { @RequiresPermissionsOrInnerAuth(innerAuth = @InnerAuth, requiresPermissions = @RequiresPermissions("system:user:list")) @GetMapping("/list") @PreventRepeatSubmit - // @SysLog(title = "用户管理", businessType = OperaType.QUERY, logType = 0, module = "系统管理->用户管理", details = "查询用户列表") + @SysLog(title = "用户管理", businessType = OperaType.QUERY, logType = 0, module = "系统管理->用户管理", details = "查询用户列表") public TableDataInfo list(SysUser user) { try { startPage(); diff --git a/bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysLogServiceImpl.java b/bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysLogServiceImpl.java index 23f77df..c2514e7 100644 --- a/bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysLogServiceImpl.java +++ b/bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysLogServiceImpl.java @@ -1,5 +1,6 @@ package com.bonus.system.service.impl; +import com.bonus.config.SystemConfig; import com.bonus.system.warning.SysWarning; import com.bonus.system.warning.WaringLogEvent; import com.google.common.collect.Maps; @@ -25,6 +26,7 @@ import org.springframework.scheduling.annotation.Async; import org.springframework.stereotype.Service; import org.springframework.transaction.annotation.Transactional; import org.springframework.transaction.interceptor.TransactionAspectSupport; +import org.springframework.util.ObjectUtils; import javax.annotation.Resource; import javax.servlet.http.HttpServletRequest; @@ -47,6 +49,8 @@ public class SysLogServiceImpl implements ISysLogService { @Autowired private ApplicationEventPublisher eventPublisher; + @Autowired + private SystemConfig systemConfig; @Override @Transactional(rollbackFor = Exception.class) 
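Review bot: Re-enabling `@SysLog` on the user-list endpoint is unrelated to the X-Forwarded-For fix named in the subject and should be a separate commit so the audit-logging change can be reviewed and reverted on its own. It also makes every `/list` query write an operation log, which on a busy endpoint may be noisy; confirm that is intended. The SysLogServiceImpl hunks on this line add `ObjectUtils` without using it.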
@@ -82,9 +86,9 @@ public class SysLogServiceImpl implements ISysLogService { public void saveLogs(SysLogsVo sysLog, HttpServletRequest request) { try{ String loginUuid = IdUtils.fastUUID(); - String ip = IpUtils.getIpAddr(request); - sysLog.setLogId(loginUuid); + String ip = IpUtils.getIpAddr(request, systemConfig.getTrustedProxyIps()); sysLog.setIp(ip); + sysLog.setLogId(loginUuid); sysLog.setGrade("高"); sysLog.setErrType("越权访问"); sysLog.setFailureReason("页面未授权");