diff --git a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java index 50d96d0..2652ae8 100644 --- a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java +++ b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java @@ -66,7 +66,7 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor { public static String[] SC_URL= new String[]{"/app/index/","/largeScreen/accessMge/", "/largeScreen/alarmMge/","/largeScreen/constructionQuality/","/largeScreen/operatingEnvironment/", "/largeScreen/personnelControl/","/largeScreen/scIndex/","/largeScreen/towerAssInspect/", - "/largeScreen/video/","/largeScreen/xcIndex/","/largeScreen/dataAnalysis/","/largeScreen/workReport/","/largeScreen/constrDisplay/"}; + "/largeScreen/video/","/largeScreen/xcIndex/","/largeScreen/dataAnalysis/","/largeScreen/constrDisplay/","/largeScreen/workReport/"}; private final String whiteURL = "http://127.0.0.1:18080/"; 
@@ -103,20 +103,23 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor { @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { try{ + + if (!checkIsYq(request)) { returnJson(response, "越权访问,接口未授权", 401); return false; } }catch (Exception e){ returnJson(response, "令牌不能为空", 401); + return false; } // 过滤文件上传功能 if(isFileUpload(request)){ return true; } XssRequestWrapper requestWrapper = new XssRequestWrapper(request); - System.out.println("进入了拦截器"); - System.err.println(request.getRequestURI()); + // System.out.println("进入了拦截器"); + // System.err.println(request.getRequestURI()); String requestUrl = requestWrapper.getRequestURI(); /** @@ -141,7 +144,7 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor { return false; } - System.err.println(JSON.toJSONString(request.getParameterMap())); + // System.err.println(JSON.toJSONString(request.getParameterMap())); /** * 获取所有跳转路径参数,保留传入下个界面 */ @@ -162,8 +165,8 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor { */ String readerParam = requestWrapper.getReaderParam(); // 判断是否是文件上传,是不对流参数进行验证 - String uplFile = "uploadFile", upImage = "uploadImage"; - if (!requestUrl.contains(uplFile) && !requestUrl.contains(upImage)) { + String uplFile = "uploadFile", upImage = "uploadImage", path="pushImageData"; + if (!requestUrl.contains(uplFile) && !requestUrl.contains(upImage) && !requestUrl.contains(path)) { boolean checkReader = checkReader(readerParam, requestUrl); if (!checkReader) { returnJson(response, "请求重复", 500); @@ -202,8 +205,12 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor { if(SecurityConstants.INNER.equals(head)){ return true; } - String requestUri = request.getRequestURI(); + if(requestUri.contains("files") || requestUri.contains("file")){ + return true; + } + + if(Arrays.asList(WHITE_URLS).contains(requestUri)){ return true; } 
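Review bot: The added `return false;` in the `catch (Exception e)` block makes the authorization check fail closed, but the exception itself is still swallowed, so a bug in `checkIsYq` or an outage of whatever it depends on reaches clients only as "令牌不能为空" and leaves operators with no trace at all. The class appears to have an SLF4J-style `log` field (it is used further down in `checkReader`), so record the cause before responding: `log.warn("checkIsYq failed for {}", request.getRequestURI(), e);`. The two `System.out`/`System.err` debugging lines should be deleted rather than left commented out, and the two blank lines added at the top of the `try` block serve no purpose. `preHandle` continues past the end of this hunk.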
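Review bot: The new `!requestUrl.contains(path)` condition (with `path = "pushImageData"`) is a substring test on the full request URI, so `checkReader`'s script check on the request body is skipped for any URI that merely contains that token anywhere, not just the intended endpoint; the same applies to the existing `uploadFile`/`uploadImage` tests. Because `HttpServletRequest.getRequestURI()` retains path parameters, a caller can also append `;pushImageData` to an unrelated endpoint and reach the exemption. Match the exempt endpoints by exact path or last path segment instead, e.g. `boolean rawBodyExempt = requestUrl.endsWith("/uploadFile") || requestUrl.endsWith("/uploadImage") || requestUrl.endsWith("/pushImageData");` and branch on `!rawBodyExempt`. While here, the "请求重复" (duplicate request) message returned when `checkReader` fails describes something other than what the check detects and will mislead anyone triaging the 500s. `preHandle` starts and ends outside this hunk.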
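Review bot: The added `if(requestUri.contains("files") || requestUri.contains("file")){ return true; }` short-circuits what appears to be the authorization check (it sits ahead of the `WHITE_URLS` lookup and the `SecurityConstants.INNER` header test) for every URI containing the substring "file" — `/user/profile`, `/admin/fileReport`, and, since `getRequestURI()` keeps path parameters, `/anyProtectedEndpoint;file` — so any caller can opt out of authorization at will. `contains("files")` is also redundant with `contains("file")`. If specific download endpoints must be exempt, add their exact paths to `WHITE_URLS`, which is compared with `equals` via `Arrays.asList(WHITE_URLS).contains(requestUri)`, or at most use a prefix on a dedicated path such as `if (requestUri.startsWith("/file/")) { return true; }`. Note the hunk removes `String requestUri = request.getRequestURI();` while the new lines still read `requestUri`, so the variable must now be declared before this hunk; confirm it holds the same value. The enclosing method starts outside the hunk.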
@@ -231,7 +238,7 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {
 }
 }
 }
- System.out.println("==================越狱记录:========================userId:" + userId + "============是否越狱:" + result);
+ // System.out.println("==================越狱记录:========================userId:" + userId + "============是否越狱:" + result);
 }
 if (!result) {
 addExceedsAccessLog(requestUri, token);
@@ -424,7 +431,7 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {
 */
 private boolean checkReader(String readerParam, String requestUrl) {
 if (SafeUtil.checkScript(readerParam)) {
- log.info("请求失败,当前请求参数不安全!请求地址:\n" + requestUrl + "\n不安全参数:数据流:" + readerParam);
+ // log.info("请求失败,当前请求参数不安全!请求地址:\n" + requestUrl + "\n不安全参数:数据流:" + readerParam);
 return false;
 }
 return true;
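Review bot: Commenting out the `log.info` in `checkReader` removes the only record that a request body was rejected by `SafeUtil.checkScript`, so blocked injection attempts now leave no trace for detection or incident response, while the client still receives a misleading 500. Rather than dropping the line, log at warn level with a bounded, newline-stripped excerpt of the payload so the entry cannot be used for log injection or blow up log volume: `String excerpt = readerParam == null ? "" : readerParam.substring(0, Math.min(200, readerParam.length())).replaceAll("[\\r\\n]", " ");` followed by `log.warn("Blocked unsafe request body for {}: {}", requestUrl, excerpt);`. If the original line was silenced because it was too noisy, that is a reason to rate-limit or change level, not to remove the signal. The closing brace of `checkReader` lies outside this hunk.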