漏洞修改
This commit is contained in:
parent
c82cae618c
commit
dee44396b0
|
|
@ -0,0 +1,36 @@
|
|||
package com.bonus.gzgqj.manager.common.config;
|
||||
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
|
||||
import javax.servlet.*;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.io.IOException;
|
||||
|
||||
// 注册过滤器
|
||||
@Configuration
|
||||
public class CspFilter implements Filter {
|
||||
|
||||
@Override
|
||||
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
|
||||
throws IOException, ServletException {
|
||||
HttpServletResponse httpResponse = (HttpServletResponse) response;
|
||||
|
||||
// 配置 CSP 规则,添加 form-action 指令(根据需求调整允许的地址)
|
||||
String cspPolicy = "default-src 'self'; " +
|
||||
"script-src 'self' 'unsafe-inline'; " + // 保留原有配置(注意:'unsafe-inline' 有风险,建议后续优化)
|
||||
"style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; " +
|
||||
"img-src 'self' data:; " +
|
||||
"font-src 'self' https://cdnjs.cloudflare.com; " +
|
||||
"form-action 'self';"; // 新增:限制表单仅提交到当前域名
|
||||
|
||||
httpResponse.setHeader("Content-Security-Policy", cspPolicy);
|
||||
chain.doFilter(request, response);
|
||||
}
|
||||
|
||||
// 初始化和销毁方法可留空
|
||||
@Override
|
||||
public void init(FilterConfig filterConfig) throws ServletException {}
|
||||
|
||||
@Override
|
||||
public void destroy() {}
|
||||
}
|
||||
|
|
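Review bot: The `cspPolicy` written with `httpResponse.setHeader("Content-Security-Policy", ...)` is replaced, not combined, by the two interceptors this same commit adds (`CspInterceptor` and the anonymous interceptor in `WebSecurityConfig`), because `setHeader` overwrites an existing header of the same name and interceptors run after this filter; the browser therefore sees either this policy without any `frame-ancestors` directive or `frame-ancestors 'none'` alone, depending on interceptor order. Keep one policy in one place and fold the clickjacking directive into it, e.g. `"form-action 'self'; frame-ancestors 'none'; base-uri 'self'; object-src 'none';"` — the last two close the `<base>` and plugin gaps that `default-src` does not cover. `@Configuration` also makes this class a Spring bean, and Spring Boot registers every `Filter` bean it finds, so together with the `FilterRegistrationBean` wrapping `new CspFilter()` in `WebMvcConfig` the filter most likely runs twice per request; drop the annotation or the registration bean. The unchecked cast `(HttpServletResponse) response` throws for a non-HTTP `ServletResponse`; `if (!(response instanceof HttpServletResponse)) { chain.doFilter(request, response); return; }` is the usual guard.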
@ -0,0 +1,22 @@
|
|||
package com.bonus.gzgqj.manager.common.config;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import org.springframework.web.servlet.HandlerInterceptor;
|
||||
import org.springframework.stereotype.Component;
|
||||
|
||||
@Component
|
||||
public class CspInterceptor implements HandlerInterceptor {
|
||||
@Override
|
||||
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
|
||||
// 设置 CSP 头
|
||||
String csp = "default-src 'self'; " +
|
||||
"script-src 'self' 'unsafe-inline'; " +
|
||||
"style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; " +
|
||||
"img-src 'self' data:; " +
|
||||
"font-src 'self' https://cdnjs.cloudflare.com; " +
|
||||
"form-action 'self';";
|
||||
response.setHeader("Content-Security-Policy", csp);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
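Review bot: The `csp` literal in `preHandle` is a verbatim copy of the `cspPolicy` string in `CspFilter`, so the two will drift the first time one directive is adjusted; move it to a single shared constant, e.g. `public static final String CSP_POLICY = ...;` on one class, and reference it from both. Since the filter already sets the header on every request, this interceptor adds no coverage and only re-sets the same value; either the filter or the interceptor should own the header, not both. If the interceptor is kept, the missing class comment should say why it exists alongside the filter: `/** Sets the Content-Security-Policy header for handler-mapped requests; see CspFilter for the filter-level equivalent. */`.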
@ -2,46 +2,72 @@ package com.bonus.gzgqj.manager.common.config;
|
|||
|
||||
|
||||
import com.bonus.gzgqj.business.utils.SystemUtils;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.Ordered;
|
||||
import org.springframework.web.servlet.config.annotation.CorsRegistry;
|
||||
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
|
||||
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
|
||||
@Configuration
|
||||
public class WebMvcConfig implements WebMvcConfigurer {
|
||||
/**
|
||||
* 跨域支持
|
||||
* @return
|
||||
* @return
|
||||
*/
|
||||
@Bean
|
||||
public WebMvcConfigurer corsConfigurer() {
|
||||
return new WebMvcConfigurer() {
|
||||
@Override
|
||||
public void addCorsMappings(CorsRegistry registry) {
|
||||
registry.addMapping("/**").allowedMethods("*");
|
||||
|
||||
|
||||
@Autowired
|
||||
private CspInterceptor cspInterceptor;
|
||||
/**
|
||||
* 跨域支持
|
||||
*
|
||||
* @return
|
||||
* @return
|
||||
*/
|
||||
@Bean
|
||||
public WebMvcConfigurer corsConfigurer() {
|
||||
return new WebMvcConfigurer() {
|
||||
@Override
|
||||
public void addCorsMappings(CorsRegistry registry) {
|
||||
registry.addMapping("/**").allowedMethods("*");
|
||||
// registry.addMapping("/**")
|
||||
// .allowedOrigins("http://example.com")
|
||||
// .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
|
||||
// .allowedHeaders("*")
|
||||
// .allowCredentials(true);
|
||||
}
|
||||
};
|
||||
}
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
@Bean
|
||||
public FilterRegistrationBean<CspFilter> cspFilterRegistration() {
|
||||
FilterRegistrationBean<CspFilter> registration = new FilterRegistrationBean<>();
|
||||
registration.setFilter(new CspFilter());
|
||||
registration.addUrlPatterns("/*"); // 对所有请求生效
|
||||
registration.setName("cspFilter");
|
||||
registration.setOrder(Ordered.HIGHEST_PRECEDENCE); // 确保优先级最高,避免被其他过滤器覆盖
|
||||
return registration;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* 外部文件访问
|
||||
*/
|
||||
@Override
|
||||
public void addResourceHandlers(ResourceHandlerRegistry registry) {
|
||||
String filePath = SystemUtils.getUploadPath();//获取文件上传路径
|
||||
/** 本地文件上传路径 */
|
||||
registry.addResourceHandler("/statics/**")
|
||||
.addResourceLocations("file:" + filePath + "/");
|
||||
registry.addResourceHandler("/files/**")
|
||||
.addResourceLocations("file:" + filePath);
|
||||
|
||||
/**
|
||||
* 外部文件访问
|
||||
*/
|
||||
@Override
|
||||
public void addResourceHandlers(ResourceHandlerRegistry registry) {
|
||||
String filePath= SystemUtils.getUploadPath();//获取文件上传路径
|
||||
/** 本地文件上传路径 */
|
||||
registry.addResourceHandler("/statics/**")
|
||||
.addResourceLocations("file:" + filePath+"/");
|
||||
registry.addResourceHandler("/files/**")
|
||||
.addResourceLocations("file:"+filePath);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void addInterceptors(InterceptorRegistry registry) {
|
||||
// 对所有请求应用拦截器
|
||||
registry.addInterceptor(cspInterceptor).addPathPatterns("/**");
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
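Review bot: The comment on `registration.setOrder(Ordered.HIGHEST_PRECEDENCE)` claims the order prevents other filters from overriding the header, but it does the opposite: the filter runs first, sets the header, and any later filter or interceptor calling `setHeader("Content-Security-Policy", ...)` replaces it — which the `CspInterceptor` registered in `addInterceptors` below and the interceptor in `WebSecurityConfig` both do. The comment should state the real intent, e.g. `// Runs first; later components must not re-set Content-Security-Policy`, and the duplicate header writers should be removed rather than ordered around. The `@Autowired private CspInterceptor cspInterceptor;` field injection would be more testable as constructor injection (`private final CspInterceptor cspInterceptor;` plus a constructor parameter), and the commented-out CORS alternative inside `addCorsMappings` should be deleted or turned into a real configuration. Reformatting `addResourceHandlers` in the same commit as the security change also makes the diff harder to review; the class header sits at line 1, just outside this hunk.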
@ -0,0 +1,30 @@
|
|||
package com.bonus.gzgqj.manager.common.config;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.springframework.web.servlet.HandlerInterceptor;
|
||||
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
|
||||
@Configuration
|
||||
public class WebSecurityConfig implements WebMvcConfigurer {
|
||||
@Override
|
||||
public void addInterceptors(InterceptorRegistry registry) {
|
||||
registry.addInterceptor(new HandlerInterceptor() {
|
||||
@Override
|
||||
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
|
||||
// 禁止被任何页面嵌入(推荐)
|
||||
response.setHeader("X-Frame-Options", "DENY");
|
||||
// 或仅允许同源页面嵌入(若业务需要被自身域名下的页面嵌入)
|
||||
// response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||
|
||||
// 补充 CSP 头(增强安全性,与 X-Frame-Options 配合)
|
||||
response.setHeader("Content-Security-Policy", "frame-ancestors 'none'"); // 禁止所有嵌入
|
||||
// 若允许同源:frame-ancestors 'self';
|
||||
return true;
|
||||
}
|
||||
}).addPathPatterns("/**"); // 对所有路径生效
|
||||
}
|
||||
}
|
||||
|
|
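Review bot: `response.setHeader("Content-Security-Policy", "frame-ancestors 'none'")` in this anonymous `preHandle` discards the full policy set earlier in the request by `CspFilter`/`CspInterceptor`, so on the path where this interceptor runs last the page loses `default-src`, `script-src` and `form-action` entirely. If two separate headers are intended, `addHeader` would make the browser enforce both (each CSP header is applied independently), but a single merged policy that includes `frame-ancestors 'none'` next to `X-Frame-Options: DENY` is clearer and removes the ordering dependency. This is also the third `WebMvcConfigurer` registering interceptors in the same package; consolidating into `WebMvcConfig.addInterceptors` keeps header ownership in one place. The name `WebSecurityConfig` is the conventional name for a Spring Security configuration class, which may confuse readers if that dependency is present — `ClickjackingHeaderConfig` or similar would be less ambiguous.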
@ -44,8 +44,8 @@ public class UserAuthenticationProvider implements AuthenticationProvider {
|
|||
throw new UsernameNotFoundException("用户名不存在");
|
||||
}
|
||||
//密码加密
|
||||
String daya= Md5Utils.createPwdEncrypt(userName,password.toUpperCase(),userInfo.getSalt());
|
||||
if(!Md5Utils.validatePasswordBast64(daya, userInfo.getPassword())){
|
||||
String daya = Md5Utils.createPwdEncrypt(userName, password.toUpperCase(), userInfo.getSalt());
|
||||
if (!Md5Utils.validatePasswordBast64(daya, userInfo.getPassword())) {
|
||||
throw new BadCredentialsException("密码不正确");
|
||||
}
|
||||
|
||||
|