修改服务bug漏洞及未修改的服务

2025-08-25 15:02:34 +08:00 · 2025-08-25 15:02:34 +08:00 · 73de1acaef
parent f183fea015
commit 73de1acaef
6 changed files with 44 additions and 9 deletions
--- a/common/common-security/pom.xml
+++ b/common/common-security/pom.xml
@ -27,7 +27,10 @@
            <groupId>com.bonus</groupId>
            <artifactId>api-system</artifactId>
        </dependency>
-
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
        <!-- Common Redis-->
        <dependency>
            <groupId>com.bonus</groupId>
--- a/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java
@ -31,8 +31,7 @@ public class HeaderInterceptor implements AsyncHandlerInterceptor
        SecurityContextHolder.setUserId(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USER_ID));
        SecurityContextHolder.setUserName(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USERNAME));
        SecurityContextHolder.setUserKey(ServletUtils.getHeader(request, SecurityConstants.USER_KEY));
-
-        String token = SecurityUtils.getToken();
+        String token = SecurityUtils.getTokenFromParams();
        if (StringUtils.isNotEmpty(token))
        {
            LoginUser loginUser = AuthUtil.getLoginUser(token);
--- a/common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java
@ -0,0 +1,19 @@
+package com.bonus.common.security.interceptor;
+
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+
+/**
+ * @author 黑子
+ */
+@Configuration
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.headers()
+                .contentSecurityPolicy("default-src 'self'; script-src 'self' https://trusted.cdn.com;");
+    }
+}
--- a/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java
@ -65,7 +65,16 @@ public class SecurityUtils
        String token = request.getHeader(TokenConstants.AUTHENTICATION);
        return replaceTokenPrefix(token);
    }
-
+    public static String getTokenFromParams() {
+        HttpServletRequest request = ServletUtils.getRequest();
+        assert request != null;
+        // 从header获取token标识
+        String token = request.getHeader(TokenConstants.AUTHENTICATION);
+        if(StringUtils.isEmpty(token)){
+            token= request.getParameter("token");
+        }
+        return replaceTokenPrefix(token);
+    }
    /**
     * 裁剪token前缀
     */
--- a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java
@ -2,6 +2,7 @@ package com.bonus.common.security.xss;

 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;

 /**
@ -9,19 +10,23 @@ import java.io.IOException;
 * @author zys
 */
 public class XssFilter implements Filter {
-
+    private String mode = "DENY";
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
-
+        System.out.println("限制mode   init============"+mode);
+        String configMode = filterConfig.getInitParameter("mode");
+        if ( configMode != null ) {
+            mode = configMode;
+        }
    }
-
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        HttpServletResponse res = (HttpServletResponse)servletResponse;
        HttpServletRequest request = (HttpServletRequest)servletRequest;
        XssHttpRequestWrapper requestWrapper = new XssHttpRequestWrapper(request);
        filterChain.doFilter(requestWrapper,servletResponse);
+        res.addHeader("X-FRAME-OPTIONS",mode );
    }
-
    @Override
    public void destroy() {

--- a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java
@ -12,7 +12,7 @@ import org.springframework.context.annotation.Configuration;
 public class XssFilterRegister {

    @Bean
-    public FilterRegistrationBean<XssFilter> RegistTest1(){
+    public FilterRegistrationBean<XssFilter> registTest1(){
        //通过FilterRegistrationBean实例设置优先级可以生效
        FilterRegistrationBean<XssFilter> bean = new FilterRegistrationBean<XssFilter>();
        //注册自定义过滤器