弱密码校验

2025-09-30 11:17:43 +08:00 · 2025-09-30 11:17:43 +08:00 · 11e1945217
parent 6423785eb1
commit 11e1945217
2 changed files with 84 additions and 0 deletions
--- a/bonus-admin/src/main/java/com/bonus/web/controller/system/SysUserController.java
+++ b/bonus-admin/src/main/java/com/bonus/web/controller/system/SysUserController.java
@ -9,6 +9,7 @@ import com.bonus.common.annotation.SysLog;
 import com.bonus.common.enums.OperaType;
 import com.bonus.common.utils.DesensitizedUtil;
 import com.bonus.common.utils.encryption.Sm4Utils;
+import com.bonus.web.core.config.WeakPasswordChecker;
 import org.apache.commons.lang3.ArrayUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
@ -186,6 +187,10 @@ public class SysUserController extends BaseController {
    public AjaxResult resetPwd(@RequestBody SysUser user) {
        userService.checkUserAllowed(user);
        userService.checkUserDataScope(user.getUserId());
+        String s = WeakPasswordChecker.checkWeakPasswordAndGetMatch(user.getPassword());
+        if (s != null) {
+            return error("含有弱密码：" + s + "，请重新修改密码");
+        }
        user.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
        user.setUpdateBy(getUsername());
        return toAjax(userService.resetPwd(user));
--- a/bonus-admin/src/main/java/com/bonus/web/core/config/WeakPasswordChecker.java
+++ b/bonus-admin/src/main/java/com/bonus/web/core/config/WeakPasswordChecker.java
@ -0,0 +1,79 @@
+package com.bonus.web.core.config;
+
+import org.springframework.stereotype.Component;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Set;
+import java.util.HashSet;
+
+/**
+ * 密码弱密码校验工具类（仅校验是否为常见弱密码）
+ */
+@Component
+public class WeakPasswordChecker {
+
+    // 存储原始弱密码列表（保持大小写，用于返回提示）
+    private static final List<String> ORIGINAL_WEAK_PASSWORDS = Arrays.asList(
+            "123456",
+            "123456789",
+            "password",
+            "12345678",
+            "12345",
+            "1234567",
+            "1234567890",
+            "qwerty",
+            "abc123",
+            "111111",
+            "admin",
+            "letmein",
+            "monkey",
+            "welcome",
+            "123123",
+            "login",
+            "princess",
+            "dragon",
+            "sunshine",
+            "iloveyou",
+            "starwars",
+            "football",
+            "123qwe",
+            "password1",
+            "admin123"
+    );
+
+    // 使用 Set 存储小写版本，用于高效查找（O(1) 时间复杂度）
+    private static final Set<String> WEAK_PASSWORDS_SET = new HashSet<>();
+
+    static {
+        for (String pwd : ORIGINAL_WEAK_PASSWORDS) {
+            WEAK_PASSWORDS_SET.add(pwd.toLowerCase());
+        }
+    }
+
+    /**
+     * 校验密码是否为常见弱密码，并返回匹配到的具体弱密码。
+     *
+     * @param password 待校验的密码
+     * @return 如果是弱密码，返回匹配的原始弱密码（如 "password"）；
+     * 如果不是弱密码或输入为空，返回 null。
+     */
+    public static String checkWeakPasswordAndGetMatch(String password) {
+
+        String lowerCaseInput = password.toLowerCase();
+
+        // 快速检查是否存在于弱密码集合中
+        if (WEAK_PASSWORDS_SET.contains(lowerCaseInput)) {
+            // 找到匹配，遍历原始列表返回原始格式的密码
+            for (String original : ORIGINAL_WEAK_PASSWORDS) {
+                if (original.equalsIgnoreCase(password)) {
+                    return original;
+                }
+            }
+        }
+
+        // 未找到匹配
+        return null;
+    }
+
+}