sql通配符过滤和具有审计管理和系统管理角色的用户应不允许被修改和删除
This commit is contained in:
parent
d76808d79c
commit
9145bb86ba
|
|
@ -31,7 +31,7 @@ public class JwtUtils
|
|||
if (!StringUtils.isEmpty(username)){
|
||||
String encyrptUserName = Sm4Utils.encrypt(username);
|
||||
claims.put(SecurityConstants.DETAILS_USERNAME, encyrptUserName);
|
||||
System.out.print("****createToken里加密用户名是:" + encyrptUserName);
|
||||
// System.out.print("****createToken里加密用户名是:" + encyrptUserName);
|
||||
}
|
||||
return Jwts.builder().setClaims(claims).signWith(SignatureAlgorithm.HS512, secret).compact();
|
||||
}
|
||||
|
|
@ -48,7 +48,7 @@ public class JwtUtils
|
|||
String username = getValue(claims, SecurityConstants.DETAILS_USERNAME);
|
||||
if (!StringUtils.isEmpty(username)){
|
||||
String decryUsername = Sm4Utils.decrypt(username);
|
||||
System.out.print("****parseToken里解密用户名是:" + decryUsername);
|
||||
// System.out.print("****parseToken里解密用户名是:" + decryUsername);
|
||||
claims.put(SecurityConstants.DETAILS_USERNAME, decryUsername);
|
||||
}
|
||||
return claims;
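Review bot: The debugging `System.out.print` of the decrypted username in parseToken, and of the encrypted one in createToken in the first hunk, are carried forward as commented-out code instead of being deleted; remove both lines, since they remain in history anyway and a stray uncomment would put token-bound usernames back on stdout. If a diagnostic is genuinely needed, route it through a logger at debug level and omit the username value itself. The page does not mark which of the two print lines is the new side, so this assumes the commented-out form is the addition. Both enclosing methods start outside their hunks; while touching them, the misspelled local `encyrptUserName` could become `encryptedUserName`.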
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ import static org.springframework.http.MediaType.MULTIPART_FORM_DATA_VALUE;
|
|||
public class ParamSecureHandler implements AsyncHandlerInterceptor {
|
||||
|
||||
private static final String [] WHITE_URL = {
|
||||
"/login", "/isAdmin", "/isLogin" ,"/register","/user/register","/operlog/addLogs","/job/edit","/user/resetPwd","/user/profile/updatePwd","/user/confirmPassword"};
|
||||
"/login", "/isAdmin", "/isLogin" ,"/register","/user/register","/operlog/addLogs","/job/edit","/user","/user/resetPwd","/user/profile/updatePwd","/user/confirmPassword"};
|
||||
private String rnd = null;
|
||||
|
||||
public static String ur = "/";
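Review bot: Adding `"/user"` to `WHITE_URL` exempts the user-management endpoint from whatever checks this interceptor performs, and nothing in the hunk records why; a comment on the array such as `// "/user": <reason for exemption>; its input is validated by <where> instead` would make the exemption reviewable. If the white-list comparison is a prefix match (the comparison is not in the hunk), the entry also covers every `/user/...` path, so the intended scope should be confirmed against the matcher. Adjacent but unchanged: `public static String ur = "/"` is a mutable public static and `private String rnd` is per-instance state on what is presumably a singleton interceptor bean. The page does not mark which array literal is the new side; this assumes the one containing `"/user"` is the addition.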
|
||||
|
|
|
|||
|
|
@ -119,9 +119,10 @@ public class SecurityUtils
|
|||
//$2a$10$7JB720yubVSZvUI0rEqK/.VqGOZTH.ulu33dHOiBE8ByOhJIrdAu2
|
||||
//$2a$10$zvlw3Mu8M.j.MhAChrYwluj88ziX6lVD3AoRrBQpwKMcdIZvKMoR2
|
||||
// String msg= encryptPassword("Admin@1234");
|
||||
String msg= encryptPassword("15888888888");
|
||||
// String msg= encryptPassword("15888888888");
|
||||
// boolean rest = matchesPassword("Bonus$2024","$2a$10$8JaKSUAU.K.mceU1.YQbd.wP4EJzbrsIscjAwPlfDR7wAWV6s/BGa");
|
||||
// String msg = Sm4Utils.encrypt("Bonus$2026");
|
||||
String msg = Sm4Utils.encrypt("Bonus$2026");
|
||||
// String msg = Sm4Utils.decrypt("4eb762402e0ce5ef9d0028e2d622c53bc8ea1d7680ea4416975e4cc23b4ef7f0");
|
||||
System.err.println(msg);
|
||||
// System.err.println(rest);
|
||||
}
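Review bot: The hunk keeps a scratch block in `SecurityUtils` that encrypts hard-coded credential-like string literals and prints the result with `System.err.println(msg)`, next to bcrypt hashes left in comments (lines 105–129); this belongs in a test or a throwaway local script, and the literals are now part of repository history. Delete the whole block, commented variants included, rather than toggling which `String msg = ...` line is live, and treat any account whose password matches one of these values as needing rotation. Which of lines 114/117 and 123/126 is live after this commit cannot be read from the page, which is one more reason to remove all of them. The enclosing method starts outside the hunk.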
|
||||
|
|
|
|||
|
|
@ -24,10 +24,13 @@ public class SysTask
|
|||
/**
|
||||
* 30天
|
||||
*/
|
||||
final static int LAST_LOGIN_TIME_INTERVAL = 30*24*60;
|
||||
final static int LAST_LOGIN_TIME_INTERVAL = 90*24*60;
|
||||
@Resource
|
||||
private SysJobMapper mapper;
|
||||
|
||||
/**
|
||||
*如果用户超过3个月未登录,则修改为停用状态
|
||||
*/
|
||||
public void checkUserLastLoginTime(){
|
||||
try{
|
||||
SysUser user = new SysUser();
|
||||
|
|
@ -54,6 +57,9 @@ public class SysTask
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
*临时用户有时间限制,自创建起三个月则修改为停用状态
|
||||
*/
|
||||
public void checkUserPermanent(){
|
||||
try{
|
||||
SysUser user = new SysUser();
|
||||
|
|
@ -61,7 +67,7 @@ public class SysTask
|
|||
List<SysUser> sysUsers = mapper.selectUserList(user);
|
||||
sysUsers.forEach(item -> {
|
||||
long minutes = DateUtils.minutesBetween(item.getCreateTime(), DateUtils.getNowDate());
|
||||
if (minutes >= LAST_LOGIN_TIME_INTERVAL*3){
|
||||
if (minutes >= LAST_LOGIN_TIME_INTERVAL){
|
||||
int i = mapper.updateUser(item.getUserId());
|
||||
if (i>0){
|
||||
logger.error("修改用户状态,用户id为:{},用户名为:{}",item.getUserId(),item.getUserName());
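Review bot: The Javadoc `* 30天` on `LAST_LOGIN_TIME_INTERVAL` (first hunk) is stale once the constant becomes `90*24*60` and the new method comment speaks of three months; change it to `* 90 days (three months), in minutes` or rename the constant to something like `INACTIVITY_DISABLE_MINUTES` with the unit in the name. `checkUserPermanent` now reuses that same constant for account age via `minutes >= LAST_LOGIN_TIME_INTERVAL`, so the inactivity policy and the temporary-account lifetime can no longer be tuned independently; if the coupling is intended, state it in the comment above the constant. `logger.error("修改用户状态...")` reports an expected scheduled status change at error severity; `info` keeps the audit trail (user id and name are already included) without alarming on normal operation. The sides of the two `if` lines are not marked on the page; this assumes the form without `*3` is the new one.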
|
||||
|
|
|
|||
|
|
@ -87,6 +87,14 @@ public class SysConfigServiceImpl implements ISysConfigService
|
|||
@Override
|
||||
public List<SysConfig> selectConfigList(SysConfig config)
|
||||
{
|
||||
if (config.getConfigName() != null) {
|
||||
String str = config.getConfigName().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
config.setConfigName(str);
|
||||
}
|
||||
if (config.getConfigKey() != null) {
|
||||
String str = config.getConfigKey().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
config.setConfigKey(str);
|
||||
}
|
||||
return configMapper.selectConfigList(config);
|
||||
}
|
||||
|
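Review bot: The LIKE-escaping added to `selectConfigList` is repeated verbatim in `SysDeptServiceImpl`, `SysDictTypeServiceImpl`, `SysMenuServiceImpl`, `SysPostServiceImpl`, `SysRoleServiceImpl` and `SysUserServiceImpl` in this commit, and each copy mutates the caller's request object in place; one shared helper keeps the escape rules in a single spot. The replacement set (`\`, `%`, `_`) is only correct for MySQL LIKE with the default backslash escape character, it silently stops working if the connection runs with `NO_BACKSLASH_ESCAPES`, and it must not be applied to a field the mapper compares with `=`, since an escaped `\_` will then never match — the mapper's filter clauses are not in this hunk, so please confirm every escaped field is used only in a LIKE. This is wildcard hygiene rather than injection protection, because `#{}` parameters already prevent injection; the comment should say so, e.g. `// escape LIKE wildcards so user input matches literally`. A possible shape:
```java
    /** Escapes MySQL LIKE wildcards (\, %, _) so the value matches literally; assumes the default '\' escape character. */
    private static String escapeLike(String value) {
        return value == null ? null
                : value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    @Override
    public List<SysConfig> selectConfigList(SysConfig config)
    {
        // escape LIKE wildcards so user input matches literally
        config.setConfigName(escapeLike(config.getConfigName()));
        config.setConfigKey(escapeLike(config.getConfigKey()));
        return configMapper.selectConfigList(config);
    }
```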
||||
|
|
|
|||
|
|
@ -60,6 +60,10 @@ public class SysDeptServiceImpl implements ISysDeptService
|
|||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
if (dept.getDeptName() != null) {
|
||||
String str = dept.getDeptName().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
dept.setDeptName(str);
|
||||
}
|
||||
return deptMapper.selectDeptList(dept);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -50,6 +50,15 @@ public class SysDictTypeServiceImpl implements ISysDictTypeService
|
|||
@Override
|
||||
public List<SysDictType> selectDictTypeList(SysDictType dictType)
|
||||
{
|
||||
if (dictType.getDictName() != null) {
|
||||
String str = dictType.getDictName().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
dictType.setDictName(str);
|
||||
}
|
||||
if (dictType.getDictType() != null) {
|
||||
String str = dictType.getDictType().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
dictType.setDictType(str);
|
||||
}
|
||||
|
||||
return dictTypeMapper.selectDictTypeList(dictType);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,5 @@
|
|||
package com.bonus.system.service.impl;
|
||||
|
||||
import com.bonus.config.SystemConfig;
|
||||
import com.bonus.system.warning.SysWarning;
|
||||
import com.bonus.system.warning.WaringLogEvent;
|
||||
import com.google.common.collect.Maps;
|
||||
|
|
@ -17,9 +16,7 @@ import com.bonus.common.core.utils.global.SystemGlobal;
|
|||
import com.bonus.system.api.domain.SysLogsVo;
|
||||
import com.bonus.system.api.model.LoginUser;
|
||||
import com.bonus.system.mapper.SysLogMapper;
|
||||
import com.mysql.cj.xdevapi.Warning;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.apache.ibatis.scripting.xmltags.ForEachSqlNode;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.ApplicationEventPublisher;
|
||||
import org.springframework.scheduling.annotation.Async;
|
||||
|
|
@ -54,6 +51,7 @@ public class SysLogServiceImpl implements ISysLogService {
|
|||
@Transactional(rollbackFor = Exception.class)
|
||||
public AjaxResult saveLogs(SysLogsVo sysLog) {
|
||||
try {
|
||||
|
||||
//如果是异常日志
|
||||
if(SystemGlobal.LOG_ERR.equals(sysLog.getErrType()) && StringUtils.isEmpty(sysLog.getModel())) {
|
||||
SysLogsVo sysLog1=mapper.getModule(sysLog.getOperUri());
|
||||
|
|
@ -69,6 +67,14 @@ public class SysLogServiceImpl implements ISysLogService {
|
|||
if (sysLog.getLogType() == 2) {
|
||||
sysLog.setWarningStatus("0");
|
||||
}
|
||||
if (sysLog.getOperaUserName() != null) {
|
||||
String str = sysLog.getOperaUserName().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
sysLog.setOperaUserName(str);
|
||||
}
|
||||
if (sysLog.getIp() != null) {
|
||||
String str = sysLog.getIp().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
sysLog.setIp(str);
|
||||
}
|
||||
mapper.saveLogs(sysLog);
|
||||
if (sysLog.getLogType() == 2) {
|
||||
eventPublisher.publishEvent(new WaringLogEvent(new SysWarning(sysLog.getLogId(),sysLog.getErrType() ,sysLog.getIp(),sysLog.getOperaUserName(),sysLog.getOperTime(),"0")));
|
||||
|
|
@ -110,6 +116,14 @@ public class SysLogServiceImpl implements ISysLogService {
|
|||
if (sysLog.getLogType() == 2) {
|
||||
sysLog.setWarningStatus("0");
|
||||
}
|
||||
if (sysLog.getOperaUserName() != null) {
|
||||
String str = sysLog.getOperaUserName().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
sysLog.setOperaUserName(str);
|
||||
}
|
||||
if (sysLog.getIp() != null) {
|
||||
String str = sysLog.getIp().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
sysLog.setIp(str);
|
||||
}
|
||||
mapper.saveLogs(sysLog);
|
||||
if (sysLog.getLogType() == 2) {
|
||||
eventPublisher.publishEvent(new WaringLogEvent(new SysWarning(loginUuid, "越权访问", ip, user.getUsername(), DateUtils.getTime(),"0")));
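Review bot: The escaping added before `mapper.saveLogs(sysLog)` in both hunks of this file, and before `operLogMapper.addLogs(sysLogsVo)` in `SysOperLogServiceImpl`, runs on what is by name a write path, so an operator name such as `audit_user` (constructed example) would be persisted as `audit\_user`, and the escaped values are also passed to `new SysWarning(...)` on the following line. LIKE-wildcard escaping belongs only on search queries; if `saveLogs` and `addLogs` are inserts as their names suggest, drop these two `if` blocks from all three places. For a well-formed IP string the `getIp()` escaping is a no-op in any case, which is a further sign it was copied rather than designed for this path. Both enclosing methods start outside their hunks.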
|
||||
|
|
|
|||
|
|
@ -66,6 +66,10 @@ public class SysMenuServiceImpl implements ISysMenuService
|
|||
@Override
|
||||
public List<SysMenu> selectMenuList(SysMenu menu, Long userId)
|
||||
{
|
||||
if (menu.getMenuName() != null) {
|
||||
String str = menu.getMenuName().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
menu.setMenuName(str);
|
||||
}
|
||||
List<SysMenu> menuList = menuMapper.selectMenuList(menu);
|
||||
return menuList;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -106,6 +106,14 @@ public class SysOperLogServiceImpl implements ISysOperLogService
|
|||
sysLogsVo.setWarningStatus("0");
|
||||
eventPublisher.publishEvent(new WaringLogEvent(new SysWarning(sysLogsVo.getLogId(), sysLogsVo.getErrType(), sysLogsVo.getIp(), sysLogsVo.getOperaUserName(), sysLogsVo.getOperTime(), "0")));
|
||||
}
|
||||
if (sysLogsVo.getOperaUserName() != null) {
|
||||
String str = sysLogsVo.getOperaUserName().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
sysLogsVo.setOperaUserName(str);
|
||||
}
|
||||
if (sysLogsVo.getIp() != null) {
|
||||
String str = sysLogsVo.getIp().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
sysLogsVo.setIp(str);
|
||||
}
|
||||
return operLogMapper.addLogs(sysLogsVo);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -35,6 +35,15 @@ public class SysPostServiceImpl implements ISysPostService
|
|||
@Override
|
||||
public List<SysPost> selectPostList(SysPost post)
|
||||
{
|
||||
if (post.getPostCode() != null) {
|
||||
String str = post.getPostCode().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
post.setPostCode(str);
|
||||
}
|
||||
if (post.getPostName() != null) {
|
||||
String str = post.getPostName().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
post.setPostName(str);
|
||||
}
|
||||
|
||||
return postMapper.selectPostList(post);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -65,6 +65,14 @@ public class SysRoleServiceImpl implements ISysRoleService
|
|||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
if (role.getRoleName() != null) {
|
||||
String str = role.getRoleName().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
role.setRoleName(str);
|
||||
}
|
||||
if (role.getRoleKey() != null) {
|
||||
String str = role.getRoleKey().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
role.setRoleKey(str);
|
||||
}
|
||||
return roleMapper.selectRoleList(role);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
package com.bonus.system.service.impl;
|
||||
|
||||
import com.bonus.common.core.constant.Constants;
|
||||
import com.bonus.common.core.constant.UserConstants;
|
||||
import com.bonus.common.core.domain.R;
|
||||
import com.bonus.common.core.exception.ServiceException;
|
||||
|
|
@ -93,6 +94,14 @@ public class SysUserServiceImpl implements ISysUserService {
|
|||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
if (user.getUserName() != null) {
|
||||
String userName =user.getUserName().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
user.setUserName(userName);
|
||||
}
|
||||
if (user.getPhonenumber() != null) {
|
||||
String phone =user.getPhonenumber().replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
|
||||
user.setPhonenumber(phone);
|
||||
}
|
||||
List<SysUser> sysUsers = userMapper.selectUserList(user);
|
||||
return sysUsers;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -94,9 +94,16 @@
|
|||
<select id="selectUserList" parameterType="SysUser" resultMap="SysUserResult">
|
||||
select u.user_id, u.dept_id, u.nick_name, u.user_name, u.email, u.avatar, u.phonenumber,u.sex, u.status,
|
||||
u.del_flag, u.login_ip, u.login_date, u.create_by, u.create_time, u.remark,u.approval_status,u.is_permanent,u.is_built_in, d.dept_name,
|
||||
d.leader from sys_user
|
||||
u
|
||||
d.leader,r.role_id,
|
||||
r.role_name,
|
||||
r.role_key,
|
||||
r.role_sort,
|
||||
r.data_scope,
|
||||
r.status as role_status
|
||||
from sys_user u
|
||||
left join sys_dept d on u.dept_id = d.dept_id
|
||||
left join sys_user_role ur on u.user_id = ur.user_id
|
||||
left join sys_role r on r.role_id = ur.role_id
|
||||
where u.del_flag = '0'
|
||||
<if test="userId != null and userId != 0">
|
||||
AND u.user_id = #{userId}
|
||||
|
|
@ -124,6 +131,34 @@
|
|||
|
||||
</select>
|
||||
|
||||
<!-- <select id="selectUserList" parameterType="SysUser" resultMap="SysUserResult">-->
|
||||
<!-- <include refid="selectUserVo"/>-->
|
||||
<!-- where u.del_flag = '0' AND-->
|
||||
<!-- <if test="userId != null and userId != 0">-->
|
||||
<!-- AND u.user_id = #{userId}-->
|
||||
<!-- </if>-->
|
||||
<!-- <if test="userName != null and userName != ''">-->
|
||||
<!-- AND u.user_name like concat('%', #{userName}, '%')-->
|
||||
<!-- </if>-->
|
||||
<!-- <if test="status != null and status != ''">-->
|
||||
<!-- AND u.status = #{status}-->
|
||||
<!-- </if>-->
|
||||
<!-- <if test="phonenumber != null and phonenumber != ''">-->
|
||||
<!-- AND u.phonenumber like concat('%', #{phonenumber}, '%')-->
|
||||
<!-- </if>-->
|
||||
<!-- <if test="params.beginTime != null and params.beginTime != ''"><!– 开始时间检索 –>-->
|
||||
<!-- AND date_format(u.create_time,'%y%m%d') >= date_format(#{params.beginTime},'%y%m%d')-->
|
||||
<!-- </if>-->
|
||||
<!-- <if test="params.endTime != null and params.endTime != ''"><!– 结束时间检索 –>-->
|
||||
<!-- AND date_format(u.create_time,'%y%m%d') <= date_format(#{params.endTime},'%y%m%d')-->
|
||||
<!-- </if>-->
|
||||
<!-- <if test="deptId != null and deptId != 0">-->
|
||||
<!-- AND (u.dept_id = #{deptId} OR u.dept_id IN ( SELECT t.dept_id FROM sys_dept t WHERE find_in_set(#{deptId},-->
|
||||
<!-- ancestors) ))-->
|
||||
<!-- </if>-->
|
||||
<!-- <include refid="com.bonus.system.mapper.DataScopeMapper.dataScopeFilter"/>-->
|
||||
<!-- </select>-->
|
||||
|
||||
<select id="selectAllocatedList" parameterType="SysUser" resultMap="SysUserResult">
|
||||
select distinct u.user_id, u.dept_id, u.user_name, u.nick_name, u.email, u.phonenumber, u.status, u.create_time,u.is_built_in
|
||||
from sys_user u
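Review bot: The rewritten `selectUserList` left-joins `sys_user_role` and `sys_role` without `distinct` or grouping, so a user holding several roles is returned once per role; unless `SysUserResult` folds rows on an `<id>` column (not visible here), both the list and any pagination count will contain duplicates. The second hunk adds a 28-line commented-out copy of the previous select; delete it, since the old version is in history and a stale copy beside the live query will drift. The filter clauses targeted by the new Java-side escaping (`like concat('%', #{userName}, '%')` in the commented copy) lie outside the first hunk and rely on `\` being the LIKE escape character; an explicit `ESCAPE '\\'` on those clauses, or a documented sql_mode assumption, would make that contract visible. The `<select>` element of the first hunk continues past the hunk's last line.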
|
||||
|
|
|
|||