From 30503ae08beb8aa67f39fd08afe1472c6c705dd5 Mon Sep 17 00:00:00 2001 From: haozq <1611483981@qq.com> Date: Mon, 25 Aug 2025 14:59:51 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E8=B7=AF=E5=BE=84?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- common/common-security/pom.xml | 5 +- .../common/security/config/WebMvcConfig.java | 4 ++ .../handler/GlobalExceptionHandler.java | 4 +- .../interceptor/HeaderInterceptor.java | 4 +- .../security/interceptor/SecurityConfig.java | 19 ++++++ .../common/security/utils/SecurityUtils.java | 11 +++- .../bonus/common/security/xss/XssFilter.java | 11 +++- .../security/xss/XssFilterRegister.java | 2 +- .../com/bonus/gateway/config/CorsConfig.java | 60 +++++++++---------- 9 files changed, 80 insertions(+), 40 deletions(-) create mode 100644 common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java diff --git a/common/common-security/pom.xml b/common/common-security/pom.xml index 26b7e57..74be71f 100644 --- a/common/common-security/pom.xml +++ b/common/common-security/pom.xml @@ -27,7 +27,10 @@ com.bonus api-system - + + org.springframework.boot + spring-boot-starter-security + com.bonus diff --git a/common/common-security/src/main/java/com/bonus/common/security/config/WebMvcConfig.java b/common/common-security/src/main/java/com/bonus/common/security/config/WebMvcConfig.java index 1ce4451..522b6cb 100644 --- a/common/common-security/src/main/java/com/bonus/common/security/config/WebMvcConfig.java +++ b/common/common-security/src/main/java/com/bonus/common/security/config/WebMvcConfig.java 
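Review bot: Adding `spring-boot-starter-security` to the shared common-security module pulls Spring Security's servlet auto-configuration into every service that depends on this module, not only the one that wants the CSP header from the new SecurityConfig. Unless those services already opt out, each of them will start building a default security filter chain (CSRF protection and session handling included) as soon as they pick up this version, which is a request-handling change the commit message does not mention. If only one service needs it, scope the dependency to that service, or document in this module which auto-configuration it now triggers and how consumers are expected to configure it.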
@@ -2,6 +2,7 @@ package com.bonus.common.security.config;
 import com.bonus.common.core.table.PageTableArgumentResolver;
 import com.bonus.common.security.interceptor.HeaderInterceptor;
+import com.bonus.common.security.interceptor.SecurityConfig;
 import org.springframework.boot.web.servlet.MultipartConfigFactory;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -32,6 +33,7 @@ public class WebMvcConfig implements WebMvcConfigurer
 .addPathPatterns("/**")
 .excludePathPatterns(excludeUrls)
 .order(-10);
+
 }
 /**
@@ -42,6 +44,8 @@ public class WebMvcConfig implements WebMvcConfigurer
 return new HeaderInterceptor();
 }
+
+
 /**
 * 外部文件访问
 */
diff --git a/common/common-security/src/main/java/com/bonus/common/security/handler/GlobalExceptionHandler.java b/common/common-security/src/main/java/com/bonus/common/security/handler/GlobalExceptionHandler.java
index 5669b65..1b16bcc 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/handler/GlobalExceptionHandler.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/handler/GlobalExceptionHandler.java
@@ -30,7 +30,7 @@ public class GlobalExceptionHandler
 public final static String DATA_ERROR="Data truncation: Data too long for";
- public final static String NumberFormatException="java.lang.NumberFormatException";
+ public final static String NUMBER_FORMAT_EXCEPTION ="java.lang.NumberFormatException";
 /**
 * 权限码异常r
 */
@@ -128,7 +128,7 @@ public class GlobalExceptionHandler
 String message = e.getAllErrors().get(0).getDefaultMessage();
 System.err.println(message);
 assert message != null;
- if(message.contains(NumberFormatException)){
+ if(message.contains(NUMBER_FORMAT_EXCEPTION)){
 return AjaxResult.error(HttpStatus.FORBIDDEN, "请求参数不正确");
 }
 return AjaxResult.error(message);
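Review bot: The import `com.bonus.common.security.interceptor.SecurityConfig` added in the first WebMvcConfig hunk is not referenced by any line in the WebMvcConfig hunks; the other two hunks only add blank lines, so the class appears to have no use for it. An unused import of a `@Configuration` class does not register it, so if the intent was to make sure SecurityConfig is picked up, that has to come from component scanning of its package or an explicit `@Import(SecurityConfig.class)` on this class. Drop the import, or replace it with the `@Import` if the interceptor package is not scanned.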
diff --git a/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java b/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java
index 2d977ca..3bf3515 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java
@@ -27,12 +27,10 @@ public class HeaderInterceptor implements AsyncHandlerInterceptor {
 return true;
 }
-
 SecurityContextHolder.setUserId(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USER_ID));
 SecurityContextHolder.setUserName(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USERNAME));
 SecurityContextHolder.setUserKey(ServletUtils.getHeader(request, SecurityConstants.USER_KEY));
-
-
- String token = SecurityUtils.getToken();
+ String token = SecurityUtils.getTokenFromParams();
 if (StringUtils.isNotEmpty(token)) {
 LoginUser loginUser = AuthUtil.getLoginUser(token);
diff --git a/common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java b/common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java
new file mode 100644
index 0000000..c70cc00
--- /dev/null
+++ b/common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java
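Review bot: Switching to `SecurityUtils.getTokenFromParams()` means every handler behind this interceptor now also accepts the session token from a `token` query parameter, and query strings are recorded in gateway and application access logs, proxy logs, browser history and `Referer` headers, so a token passed that way is exposed far beyond the header path it replaces. If the fallback exists for a specific case such as browser-initiated file downloads, limit it to those handlers rather than the global interceptor, prefer a short-lived token for them, and make sure the access-log format strips the parameter. The same concern applies to the new method in the SecurityUtils hunk. `preHandle` begins before and continues after this hunk.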
@@ -0,0 +1,19 @@
+package com.bonus.common.security.interceptor;
+
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author 黑子
+ */
+@Configuration
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http.headers()
+ .contentSecurityPolicy("default-src 'self'; script-src 'self' https://trusted.cdn.com;");
+ }
+}
diff --git a/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java b/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java
index ddba729..8747a39 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java
@@ -65,7 +65,16 @@ public class SecurityUtils
 String token = request.getHeader(TokenConstants.AUTHENTICATION);
 return replaceTokenPrefix(token);
 }
-
+ public static String getTokenFromParams() {
+ HttpServletRequest request = ServletUtils.getRequest();
+ assert request != null;
+ // 从header获取token标识
+ String token = request.getHeader(TokenConstants.AUTHENTICATION);
+ if(StringUtils.isEmpty(token)){
+ token= request.getParameter("token");
+ }
+ return replaceTokenPrefix(token);
+ }
 /**
 * 裁剪token前缀
 */
diff --git a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java
index 39b5679..99246e1 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java
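Review bot: The CSP on the `.contentSecurityPolicy(...)` line allows scripts from `https://trusted.cdn.com`, which reads like a placeholder host copied from an example rather than an origin this project serves scripts from; whitelisting a host the project does not control lets whoever holds it serve script to every page covered by the policy, so replace it with the real asset origin or drop to `script-src 'self'`. Overriding `configure(HttpSecurity)` with only the headers call also replaces the adapter's default authorization rules while leaving its default CSRF filter in place, so unless CSRF is disabled elsewhere, state-changing requests without a CSRF token will presumably be rejected with 403 once this module is on a service's classpath; declare the intended model explicitly, for example `http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);` for the header-token scheme HeaderInterceptor uses. The `org.springframework.stereotype.Component` import is unused, and a class Javadoc stating what this chain is meant to enforce (headers only, no authentication) would help the next reader.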
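Review bot: `assert request != null;` in the new `getTokenFromParams()` is only evaluated when the JVM runs with `-ea`, so in a normal deployment a call from a thread with no bound request (an async task or scheduled job that reaches this utility) skips the assert and throws a NullPointerException on the `request.getHeader(...)` line below it. Replace it with an explicit guard, `if (request == null) { return null; }`, so callers that already test `StringUtils.isNotEmpty(token)` handle the missing-request case. The method also duplicates the header lookup of `getToken()` visible in the context lines above it; consider having it call that path and only add the parameter fallback, and give it a Javadoc that records that the `token` query parameter is accepted and why.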
@@ -2,6 +2,7 @@ package com.bonus.common.security.xss;
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 /**
@@ -9,17 +10,23 @@ import java.io.IOException;
 * @author zys
 */
 public class XssFilter implements Filter {
-
+ private String mode = "DENY";
 @Override
 public void init(FilterConfig filterConfig) throws ServletException {
-
+ System.out.println("限制mode init============"+mode);
+ String configMode = filterConfig.getInitParameter("mode");
+ if ( configMode != null ) {
+ mode = configMode;
+ }
 }
 @Override
 public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+ HttpServletResponse res = (HttpServletResponse)servletResponse;
 HttpServletRequest request = (HttpServletRequest)servletRequest;
 XssHttpRequestWrapper requestWrapper = new XssHttpRequestWrapper(request);
 filterChain.doFilter(requestWrapper,servletResponse);
+ res.addHeader("X-FRAME-OPTIONS",mode );
 }
 @Override
diff --git a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java
index 77f5d7a..ebb85cd 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java
@@ -12,7 +12,7 @@ import org.springframework.context.annotation.Configuration;
 public class XssFilterRegister {
 @Bean
- public FilterRegistrationBean RegistTest1(){
+ public FilterRegistrationBean registTest1(){
 //通过FilterRegistrationBean实例设置优先级可以生效
 FilterRegistrationBean bean = new FilterRegistrationBean();
 //注册自定义过滤器
diff --git a/gateway/src/main/java/com/bonus/gateway/config/CorsConfig.java b/gateway/src/main/java/com/bonus/gateway/config/CorsConfig.java
index 4fe7108..dd84461 100644
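Review bot: `res.addHeader("X-FRAME-OPTIONS", mode)` runs after `filterChain.doFilter(...)`, so when the downstream handler has already committed the response (streamed downloads, large bodies, explicit flushes) the header is silently dropped and exactly those responses leave without frame protection; move the call before `filterChain.doFilter(requestWrapper,servletResponse);` and use `res.setHeader("X-FRAME-OPTIONS", mode);` so a second value is not appended next to the `X-Frame-Options` header that Spring Security's header defaults, introduced by SecurityConfig in this patch, presumably add as well. The init-param `mode` is copied unvalidated; only `DENY` and `SAMEORIGIN` are meaningful values, so reject anything else in `init` rather than emitting it. The `System.out.println` in `init` is debug output and should be removed or moved to the module's logger.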
--- a/gateway/src/main/java/com/bonus/gateway/config/CorsConfig.java
+++ b/gateway/src/main/java/com/bonus/gateway/config/CorsConfig.java
@@ -1,30 +1,30 @@
-//package com.bonus.gateway.config;
-//import org.springframework.context.annotation.Bean;
-//import org.springframework.context.annotation.Configuration;
-//import org.springframework.web.cors.CorsConfiguration;
-//import org.springframework.web.cors.reactive.CorsWebFilter;
-//import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
-//import org.springframework.web.util.pattern.PathPatternParser;
-//
-///**
-// * 跨域处理请求配置
-// * @author 黑子
-// */
-//@Configuration
-//public class CorsConfig {
-//
-// @Bean
-// public CorsWebFilter corsWebFilter() {
-// CorsConfiguration config = new CorsConfiguration();
-// config.addAllowedOrigin("*");
-// config.addAllowedMethod("*");
-// config.addAllowedHeader("*");
-// config.addAllowedOriginPattern("*");
-// config.setAllowCredentials(false);
-// config.setMaxAge(3600L);
-//
-// UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-// source.registerCorsConfiguration("/**", config);
-// return new CorsWebFilter(source);
-// }
-//}
\ No newline at end of file
+package com.bonus.gateway.config;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.reactive.CorsWebFilter;
+import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
+import org.springframework.web.util.pattern.PathPatternParser;
+
+/**
+ * 跨域处理请求配置
+ * @author 黑子
+ */
+@Configuration
+public class CorsConfig {
+
+ @Bean
+ public CorsWebFilter corsWebFilter() {
+ CorsConfiguration config = new CorsConfiguration();
+ config.addAllowedOrigin("*");
+ config.addAllowedMethod("*");
+ config.addAllowedHeader("*");
+ config.addAllowedOriginPattern("*");
+ config.setAllowCredentials(false);
+ config.setMaxAge(3600L);
+
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", config);
+ return new CorsWebFilter(source);
+ }
+}
\ No newline at end of file
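Review bot: Re-enabling this filter puts a gateway-wide CORS policy in place that answers any origin, any method and any header (`addAllowedOrigin("*")` plus `addAllowedOriginPattern("*")`); with `setAllowCredentials(false)` cookies are not exposed, so the exposure is bounded by the token scheme, but any web page can now call the API with a token it holds, and the commit gives no reason for returning from the commented-out state. If the front-end origins are known, list them with `config.setAllowedOriginPatterns(List.of(...))` instead of the wildcard, and keep only one of the two origin calls, since `addAllowedOrigin` and `addAllowedOriginPattern` overlap here. If the gateway also configures CORS through `spring.cloud.gateway.globalcors`, the two sources will emit duplicate headers, which browsers reject; confirm only one is active. The `PathPatternParser` import is unused.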