修改服务bug漏洞及未修改的服务
parent
f183fea015
commit
73de1acaef
@ -27,7 +27,10 @@
|
||||||
<groupId>com.bonus</groupId>
|
<groupId>com.bonus</groupId>
|
||||||
<artifactId>api-system</artifactId>
|
<artifactId>api-system</artifactId>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.springframework.boot</groupId>
|
||||||
|
<artifactId>spring-boot-starter-security</artifactId>
|
||||||
|
</dependency>
|
||||||
<!-- Common Redis-->
|
<!-- Common Redis-->
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>com.bonus</groupId>
|
<groupId>com.bonus</groupId>
|
||||||
|
|
|
||||||
|
|
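Review bot: The new `spring-boot-starter-security` dependency appears to land in a shared module (the same artifact that holds the `com.bonus.common.security.*` classes changed in the other hunks), so Spring Security auto-configuration switches on in every service that depends on it, not only the one this change was written for. A consumer that defines no filter chain of its own gets Spring Boot's default chain, which requires authentication on every endpoint, and that is a behaviour change the commit message does not mention. If the dependency exists only to emit the CSP header, consider limiting it to the services that need it or stating the expectation in the module's documentation; the file path of this hunk is not visible here, so confirm where it actually lands.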
@ -31,8 +31,7 @@ public class HeaderInterceptor implements AsyncHandlerInterceptor
|
||||||
SecurityContextHolder.setUserId(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USER_ID));
|
SecurityContextHolder.setUserId(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USER_ID));
|
||||||
SecurityContextHolder.setUserName(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USERNAME));
|
SecurityContextHolder.setUserName(ServletUtils.getHeader(request, SecurityConstants.DETAILS_USERNAME));
|
||||||
SecurityContextHolder.setUserKey(ServletUtils.getHeader(request, SecurityConstants.USER_KEY));
|
SecurityContextHolder.setUserKey(ServletUtils.getHeader(request, SecurityConstants.USER_KEY));
|
||||||
|
String token = SecurityUtils.getTokenFromParams();
|
||||||
String token = SecurityUtils.getToken();
|
|
||||||
if (StringUtils.isNotEmpty(token))
|
if (StringUtils.isNotEmpty(token))
|
||||||
{
|
{
|
||||||
LoginUser loginUser = AuthUtil.getLoginUser(token);
|
LoginUser loginUser = AuthUtil.getLoginUser(token);
|
||||||
|
|
|
||||||
|
|
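Review bot: Replacing `SecurityUtils.getToken()` with `SecurityUtils.getTokenFromParams()` means the token is now also accepted from a `token` request parameter, so credentials will start to appear in URLs and therefore in access logs, proxy logs, browser history and Referer headers; the header path should remain the only one unless a concrete client cannot send a header. The same concern applies to the new `getTokenFromParams` method in the SecurityUtils hunk further down. If the parameter path has to stay, a comment above this line should record which client requires it, e.g. `// token may also arrive as a ?token= parameter for <CLIENT-NAME> — see SecurityUtils.getTokenFromParams`. The enclosing method's signature and the rest of its body are outside the hunk.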
@ -0,0 +1,19 @@
|
||||||
|
package com.bonus.common.security.interceptor;
|
||||||
|
|
||||||
|
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author 黑子
|
||||||
|
*/
|
||||||
|
@Configuration
|
||||||
|
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
http.headers()
|
||||||
|
.contentSecurityPolicy("default-src 'self'; script-src 'self' https://trusted.cdn.com;");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
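Review bot: The CSP's `script-src` allows `https://trusted.cdn.com`, which reads like a copied example host rather than an origin this application actually loads scripts from; an unused allow-listed origin only widens the policy, so either replace it with the real origin or reduce the value to `default-src 'self'`. Overriding `configure(HttpSecurity)` also replaces Spring Security's default request rules while leaving CSRF protection at its default (enabled), so if these services are reached through a gateway that sends no CSRF token, state-changing requests may now be rejected — confirm this and, if so, decide it explicitly in this method rather than by omission. The class has no Javadoc beyond the `@author` tag; a summary such as `/** Adds a Content-Security-Policy header to every HTTP response. */` would match the file's style. It also lives in the `interceptor` package although it is a configuration class.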
@ -65,7 +65,16 @@ public class SecurityUtils
|
||||||
String token = request.getHeader(TokenConstants.AUTHENTICATION);
|
String token = request.getHeader(TokenConstants.AUTHENTICATION);
|
||||||
return replaceTokenPrefix(token);
|
return replaceTokenPrefix(token);
|
||||||
}
|
}
|
||||||
|
public static String getTokenFromParams() {
|
||||||
|
HttpServletRequest request = ServletUtils.getRequest();
|
||||||
|
assert request != null;
|
||||||
|
// 从header获取token标识
|
||||||
|
String token = request.getHeader(TokenConstants.AUTHENTICATION);
|
||||||
|
if(StringUtils.isEmpty(token)){
|
||||||
|
token= request.getParameter("token");
|
||||||
|
}
|
||||||
|
return replaceTokenPrefix(token);
|
||||||
|
}
|
||||||
/**
|
/**
|
||||||
* 裁剪token前缀
|
* 裁剪token前缀
|
||||||
*/
|
*/
|
||||||
|
|
|
||||||
|
|
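Review bot: `assert request != null;` in `getTokenFromParams` is a no-op unless the JVM runs with `-ea`, so in production a null request falls straight through to `request.getHeader(...)` and fails with a bare NullPointerException; use `Objects.requireNonNull(request, "no current request");` or handle the null the same way the existing `getToken` overloads do (their null handling is outside the hunk). The method also lacks Javadoc while its neighbour `replaceTokenPrefix` has it; a header such as `/** Reads the token from the Authorization header, falling back to the {@code token} request parameter. */` would keep the file consistent. Minor: `if(StringUtils.isEmpty(token)){` and `token= request.getParameter("token");` depart from the spacing used in the rest of the file.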
@ -2,6 +2,7 @@ package com.bonus.common.security.xss;
|
||||||
|
|
||||||
import javax.servlet.*;
|
import javax.servlet.*;
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -9,19 +10,23 @@ import java.io.IOException;
|
||||||
* @author zys
|
* @author zys
|
||||||
*/
|
*/
|
||||||
public class XssFilter implements Filter {
|
public class XssFilter implements Filter {
|
||||||
|
private String mode = "DENY";
|
||||||
@Override
|
@Override
|
||||||
public void init(FilterConfig filterConfig) throws ServletException {
|
public void init(FilterConfig filterConfig) throws ServletException {
|
||||||
|
System.out.println("限制mode init============"+mode);
|
||||||
|
String configMode = filterConfig.getInitParameter("mode");
|
||||||
|
if ( configMode != null ) {
|
||||||
|
mode = configMode;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
|
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
|
||||||
|
HttpServletResponse res = (HttpServletResponse)servletResponse;
|
||||||
HttpServletRequest request = (HttpServletRequest)servletRequest;
|
HttpServletRequest request = (HttpServletRequest)servletRequest;
|
||||||
XssHttpRequestWrapper requestWrapper = new XssHttpRequestWrapper(request);
|
XssHttpRequestWrapper requestWrapper = new XssHttpRequestWrapper(request);
|
||||||
filterChain.doFilter(requestWrapper,servletResponse);
|
filterChain.doFilter(requestWrapper,servletResponse);
|
||||||
|
res.addHeader("X-FRAME-OPTIONS",mode );
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void destroy() {
|
public void destroy() {
|
||||||
|
|
||||||
|
|
|
||||||
|
|
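Review bot: In `doFilter`, `res.addHeader("X-FRAME-OPTIONS",mode );` runs after `filterChain.doFilter(...)`, so when the downstream handler has already committed the response (flushed output, an error page) the header is silently dropped; set it before the chain runs by moving `res.addHeader("X-FRAME-OPTIONS", mode);` above `filterChain.doFilter(requestWrapper, servletResponse);`. The `mode` init parameter is copied into the header without validation, and browsers ignore X-Frame-Options values other than `DENY` and `SAMEORIGIN`, so a configuration typo silently removes the framing protection — `init` should reject anything else. `System.out.println("限制mode init============"+mode);` is a debug print that should be removed or routed through a logger. Since this commit also adds `spring-boot-starter-security`, Spring Security's default header writers may already emit `X-Frame-Options: DENY`, which would make this header redundant — worth checking. `destroy()` and the remainder of the class continue past the hunk.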
@ -12,7 +12,7 @@ import org.springframework.context.annotation.Configuration;
|
||||||
public class XssFilterRegister {
|
public class XssFilterRegister {
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public FilterRegistrationBean<XssFilter> RegistTest1(){
|
public FilterRegistrationBean<XssFilter> registTest1(){
|
||||||
//通过FilterRegistrationBean实例设置优先级可以生效
|
//通过FilterRegistrationBean实例设置优先级可以生效
|
||||||
FilterRegistrationBean<XssFilter> bean = new FilterRegistrationBean<XssFilter>();
|
FilterRegistrationBean<XssFilter> bean = new FilterRegistrationBean<XssFilter>();
|
||||||
//注册自定义过滤器
|
//注册自定义过滤器
|
||||||
|
|
|
||||||