diff --git a/common/common-security/pom.xml b/common/common-security/pom.xml
index 26b7e57..74be71f 100644
--- a/common/common-security/pom.xml
+++ b/common/common-security/pom.xml
@@ -27,7 +27,10 @@
com.bonus
api-system
-
+
+ org.springframework.boot
+ spring-boot-starter-security
+
com.bonus
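Review bot: The new `spring-boot-starter-security` dependency carries no version in this hunk, so it must be resolved by a parent BOM or a `dependencyManagement` block that is not shown; confirm that is the case rather than relying on whatever the resolver picks up. Because this module is `common-security` and is presumably shared by several services, the starter will register Spring Security's auto-configured filter chain in every consumer, not only where `SecurityConfig` is intended to apply. A one-line comment above the dependency saying why it is pulled in, e.g. `<!-- provides HeaderWriterFilter / HttpSecurity for SecurityConfig (CSP headers) -->`, would make that intent visible to the next maintainer.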
diff --git a/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java b/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java
index 2d977ca..0a8e2f6 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java
@@ -31,8 +31,7 @@ public class HeaderInterceptor implements AsyncHandlerInterceptor
SecurityContextHolder.setUserId(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USER_ID));
SecurityContextHolder.setUserName(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USERNAME));
SecurityContextHolder.setUserKey(ServletUtils.getHeader(request, SecurityConstants.USER_KEY));
-
- String token = SecurityUtils.getToken();
+ String token = SecurityUtils.getTokenFromParams();
if (StringUtils.isNotEmpty(token))
{
LoginUser loginUser = AuthUtil.getLoginUser(token);
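Review bot: Switching this interceptor to `SecurityUtils.getTokenFromParams()` makes every intercepted request accept the session token from a `token` query parameter, and tokens carried in URLs are recorded in access logs, proxy logs, browser history and outgoing `Referer` headers. If the fallback exists for a few endpoints that cannot send headers (file downloads, websocket handshakes), limit it to those handlers and keep `SecurityUtils.getToken()` here, so the header remains the only source for ordinary API calls. At minimum add a comment stating why the parameter fallback is needed, e.g. `// token may arrive as ?token= for download/websocket endpoints; header is preferred`. `preHandle` continues outside this hunk, so the remaining handling of `loginUser` was not reviewed.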
diff --git a/common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java b/common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java
new file mode 100644
index 0000000..4163cfc
--- /dev/null
+++ b/common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java
@@ -0,0 +1,19 @@
+package com.bonus.common.security.interceptor;
+
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+
+/**
+ * @author 黑子
+ */
+@Configuration
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http.headers()
+ .contentSecurityPolicy("default-src 'self'; script-src 'self' https://trusted.cdn.com;");
+ }
+}
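Review bot: Overriding `configure(HttpSecurity)` with only the `headers()` call keeps `HttpSecurity`'s default CSRF protection enabled while registering no authorization or session rules, so in a service that authenticates via the `HeaderInterceptor` token rather than a server session, POST/PUT/DELETE requests without a CSRF token will be rejected with 403. For a stateless, token-authenticated backend the intent should be spelled out, e.g. `http.csrf().disable()`, `.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)`, and then the existing `.headers().contentSecurityPolicy(...)` chain. `https://trusted.cdn.com` reads like a placeholder; allow-listing a script origin the project does not control is itself an XSS vector, so confirm the real CDN host or drop the entry. The CSP also does not set `frame-ancestors`, which would be the CSP-native way to express the clickjacking policy that `XssFilter` emits through `X-FRAME-OPTIONS`. `WebSecurityConfigurerAdapter` is deprecated in Spring Security 5.7+, so check which version the parent BOM resolves before building on it.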
diff --git a/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java b/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java
index ddba729..95f9b9d 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java
@@ -65,7 +65,16 @@ public class SecurityUtils
String token = request.getHeader(TokenConstants.AUTHENTICATION);
return replaceTokenPrefix(token);
}
-
+ public static String getTokenFromParams() {
+ HttpServletRequest request = ServletUtils.getRequest();
+ assert request != null;
+ // 从header获取token标识
+ String token = request.getHeader(TokenConstants.AUTHENTICATION);
+ if(StringUtils.isEmpty(token)){
+ token= request.getParameter("token");
+ }
+ return replaceTokenPrefix(token);
+ }
/**
* 裁剪token前缀
*/
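Review bot: `assert request != null` in `getTokenFromParams` is a no-op unless the JVM runs with `-ea`, so when no request is bound to the current thread (async or scheduled work) the method falls through to a NullPointerException on `request.getHeader`. Replace it with an explicit guard, `if (request == null) { return null; }`, which the caller's `StringUtils.isNotEmpty(token)` check already tolerates, or mirror whatever `getToken()` above does for the null case. The literal `"token"` parameter name should live next to `TokenConstants.AUTHENTICATION` as a constant, and the method needs a Javadoc that states the header-first/parameter-fallback order and warns that a query-string token is exposed in logs, history and `Referer` headers.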
diff --git a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java
index 39b5679..432150d 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java
@@ -2,6 +2,7 @@ package com.bonus.common.security.xss;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
@@ -9,19 +10,23 @@ import java.io.IOException;
* @author zys
*/
public class XssFilter implements Filter {
-
+ private String mode = "DENY";
@Override
public void init(FilterConfig filterConfig) throws ServletException {
-
+ System.out.println("限制mode init============"+mode);
+ String configMode = filterConfig.getInitParameter("mode");
+ if ( configMode != null ) {
+ mode = configMode;
+ }
}
-
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+ HttpServletResponse res = (HttpServletResponse)servletResponse;
HttpServletRequest request = (HttpServletRequest)servletRequest;
XssHttpRequestWrapper requestWrapper = new XssHttpRequestWrapper(request);
filterChain.doFilter(requestWrapper,servletResponse);
+ res.addHeader("X-FRAME-OPTIONS",mode );
}
-
@Override
public void destroy() {
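Review bot: `res.addHeader("X-FRAME-OPTIONS", mode)` runs after `filterChain.doFilter`, by which point the response is normally committed and servlet containers silently drop headers added after commit, so the clickjacking protection is missing on exactly the responses that carry a body. Set it before the chain call: `res.setHeader("X-FRAME-OPTIONS", mode);` followed by `filterChain.doFilter(requestWrapper, servletResponse);`, using `setHeader` rather than `addHeader` so a value already written upstream is not duplicated. `init` accepts any `mode` string from the init-param; validate it against `DENY` and `SAMEORIGIN` (or document that `ALLOW-FROM` is unsupported by current browsers) and throw `ServletException` otherwise, and replace the `System.out.println` with the module's logger. With `spring-boot-starter-security` now on the classpath, Spring Security's own `HeaderWriterFilter` may also emit `X-Frame-Options: DENY`, so confirm the two do not conflict when `mode` is `SAMEORIGIN`.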
diff --git a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java
index 77f5d7a..ebb85cd 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java
@@ -12,7 +12,7 @@ import org.springframework.context.annotation.Configuration;
public class XssFilterRegister {
@Bean
- public FilterRegistrationBean RegistTest1(){
+ public FilterRegistrationBean registTest1(){
//通过FilterRegistrationBean实例设置优先级可以生效
FilterRegistrationBean bean = new FilterRegistrationBean();
//注册自定义过滤器