From 73de1acaef2e6f050da8d2377255471ee884b646 Mon Sep 17 00:00:00 2001
From: haozq <1611483981@qq.com>
Date: Mon, 25 Aug 2025 15:02:34 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E6=9C=8D=E5=8A=A1bug?=
=?UTF-8?q?=E6=BC=8F=E6=B4=9E=E5=8F=8A=E6=9C=AA=E4=BF=AE=E6=94=B9=E7=9A=84?=
=?UTF-8?q?=E6=9C=8D=E5=8A=A1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
common/common-security/pom.xml | 5 ++++-
.../interceptor/HeaderInterceptor.java | 3 +--
.../security/interceptor/SecurityConfig.java | 19 +++++++++++++++++++
.../common/security/utils/SecurityUtils.java | 11 ++++++++++-
.../bonus/common/security/xss/XssFilter.java | 13 +++++++++----
.../security/xss/XssFilterRegister.java | 2 +-
6 files changed, 44 insertions(+), 9 deletions(-)
create mode 100644 common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java
diff --git a/common/common-security/pom.xml b/common/common-security/pom.xml
index 26b7e57..74be71f 100644
--- a/common/common-security/pom.xml
+++ b/common/common-security/pom.xml
@@ -27,7 +27,10 @@
com.bonus
api-system
-
+
+ org.springframework.boot
+ spring-boot-starter-security
+
com.bonus
diff --git a/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java b/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java
index 2d977ca..0a8e2f6 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/interceptor/HeaderInterceptor.java
@@ -31,8 +31,7 @@ public class HeaderInterceptor implements AsyncHandlerInterceptor
SecurityContextHolder.setUserId(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USER_ID));
SecurityContextHolder.setUserName(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USERNAME));
SecurityContextHolder.setUserKey(ServletUtils.getHeader(request, SecurityConstants.USER_KEY));
-
- String token = SecurityUtils.getToken();
+ String token = SecurityUtils.getTokenFromParams();
if (StringUtils.isNotEmpty(token))
{
LoginUser loginUser = AuthUtil.getLoginUser(token);
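Review bot: Switching the `String token =` line to `SecurityUtils.getTokenFromParams()` makes this interceptor accept the credential from a `token` query parameter as well as the Authorization header, so the token now lands wherever request URLs are recorded (access and proxy logs, browser history, Referer headers) for every request this interceptor covers. If a URL-borne token is genuinely required for one case (a download or similar), it would be safer to confine the fallback to that path or to a dedicated interceptor rather than enabling it globally; at minimum a comment here should record the reason, e.g. `// token may also arrive as ?token= (fallback added for <case>) — see getTokenFromParams()`. The same concern applies to the new method in the SecurityUtils hunk. The enclosing method starts and ends outside this hunk.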
diff --git a/common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java b/common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java
new file mode 100644
index 0000000..4163cfc
--- /dev/null
+++ b/common/common-security/src/main/java/com/bonus/common/security/interceptor/SecurityConfig.java
@@ -0,0 +1,19 @@
+package com.bonus.common.security.interceptor;
+
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+
+/**
+ * @author 黑子
+ */
+@Configuration
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http.headers()
+ .contentSecurityPolicy("default-src 'self'; script-src 'self' https://trusted.cdn.com;");
+ }
+}
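Review bot: Overriding `configure(HttpSecurity)` with only a `headers()` call discards the authorization rules the default `configure` would have applied, while the defaults that `WebSecurityConfigurerAdapter` applies before calling it (CSRF protection, session management, the default header writers) remain; once the pom hunk pulls in spring-boot-starter-security, every service using this module will, unless something outside this patch configures it, reject state-changing requests that carry no CSRF token even though callers authenticate via headers (see the HeaderInterceptor hunk). That decision should be explicit in this class — for a header-token API the usual form is `http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)` ahead of `.headers()`, with a comment stating why. `https://trusted.cdn.com` in the CSP reads like a documentation placeholder; confirm it is the real script host before merging, since it becomes an allow-listed script origin for every page the policy covers. `WebSecurityConfigurerAdapter` is deprecated in Spring Security 5.7+ in favour of a `SecurityFilterChain` bean, which is worth noting in the class Javadoc alongside a description of what the class configures.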
diff --git a/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java b/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java
index ddba729..95f9b9d 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/utils/SecurityUtils.java
@@ -65,7 +65,16 @@ public class SecurityUtils
String token = request.getHeader(TokenConstants.AUTHENTICATION);
return replaceTokenPrefix(token);
}
-
+ public static String getTokenFromParams() {
+ HttpServletRequest request = ServletUtils.getRequest();
+ assert request != null;
+ // 从header获取token标识
+ String token = request.getHeader(TokenConstants.AUTHENTICATION);
+ if(StringUtils.isEmpty(token)){
+ token= request.getParameter("token");
+ }
+ return replaceTokenPrefix(token);
+ }
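Review bot: `assert request != null;` in the new `getTokenFromParams` is a no-op unless the JVM runs with `-ea`, so in production a missing request reaches `request.getHeader` and fails with a NullPointerException; an explicit guard such as `if (request == null) { return null; }` (or whatever `getToken` does for that case, which lies outside this hunk) keeps the behaviour defined. The parameter name `"token"` is a magic string the HeaderInterceptor hunk now depends on; hoist it to a constant beside `TokenConstants.AUTHENTICATION`. The method also has no Javadoc while the sibling below carries a comment block; add one stating that the Authorization header is tried first and the `token` query parameter is the fallback, and why that fallback exists.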
/**
* 裁剪token前缀
*/
diff --git a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java
index 39b5679..432150d 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilter.java
@@ -2,6 +2,7 @@ package com.bonus.common.security.xss;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
@@ -9,19 +10,23 @@ import java.io.IOException;
* @author zys
*/
public class XssFilter implements Filter {
-
+ private String mode = "DENY";
@Override
public void init(FilterConfig filterConfig) throws ServletException {
-
+ System.out.println("限制mode init============"+mode);
+ String configMode = filterConfig.getInitParameter("mode");
+ if ( configMode != null ) {
+ mode = configMode;
+ }
}
-
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+ HttpServletResponse res = (HttpServletResponse)servletResponse;
HttpServletRequest request = (HttpServletRequest)servletRequest;
XssHttpRequestWrapper requestWrapper = new XssHttpRequestWrapper(request);
filterChain.doFilter(requestWrapper,servletResponse);
+ res.addHeader("X-FRAME-OPTIONS",mode );
}
-
@Override
public void destroy() {
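Review bot: `res.addHeader("X-FRAME-OPTIONS", mode)` runs after `filterChain.doFilter(...)`, by which point the response has typically been committed, so the header is silently dropped for most responses; move it ahead of the chain call and use `setHeader` so a value written elsewhere is replaced rather than duplicated: `res.setHeader("X-Frame-Options", mode); filterChain.doFilter(requestWrapper, servletResponse);`. The new `System.out.println` in `init` prints `mode` before the init-param is read, so it always shows the default; remove it or use the project's logger after the assignment. `mode` is accepted unvalidated, but X-Frame-Options only defines `DENY` and `SAMEORIGIN` and browsers ignore other values, so reject anything else in `init` or fall back to the default. If the SecurityConfig hunk is active, Spring Security's default header writer also emits X-Frame-Options, which deserves a comment here so the two settings do not drift apart.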
diff --git a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java
index 77f5d7a..ebb85cd 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/xss/XssFilterRegister.java
@@ -12,7 +12,7 @@ import org.springframework.context.annotation.Configuration;
public class XssFilterRegister {
@Bean
- public FilterRegistrationBean RegistTest1(){
+ public FilterRegistrationBean registTest1(){
//通过FilterRegistrationBean实例设置优先级可以生效
FilterRegistrationBean bean = new FilterRegistrationBean();
//注册自定义过滤器