From 0b1dc5e473c0a40aad1bd50e591b2bdff214fd9a Mon Sep 17 00:00:00 2001 From: cwchen <1048842385@qq.com> Date: Fri, 1 Mar 2024 18:04:49 +0800 Subject: [PATCH] =?UTF-8?q?=E7=B3=BB=E7=BB=9F=E6=97=A5=E5=BF=97/=E4=B8=9A?= =?UTF-8?q?=E5=8A=A1=E6=97=A5=E5=BF=97?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../common/core/constant/Constant.java | 2 +- .../common/security/config/WebMvcConfig.java | 10 +- .../common/security/enums/UrlEnums.java | 24 +-- .../common/security/interceptor/MyFilter.java | 29 ++++ .../interceptor/ParamSecureHandler.java | 147 ++++++++++-------- ...ot.autoconfigure.AutoConfiguration.imports | 1 + .../src/main/resources/mapper/LoginMapper.xml | 4 +- 7 files changed, 130 insertions(+), 87 deletions(-) create mode 100644 securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/MyFilter.java diff --git a/securitycontrol-commons/securitycontrol-commons-core/src/main/java/com/securitycontrol/common/core/constant/Constant.java b/securitycontrol-commons/securitycontrol-commons-core/src/main/java/com/securitycontrol/common/core/constant/Constant.java index bb0e60e..37fb096 100644 --- a/securitycontrol-commons/securitycontrol-commons-core/src/main/java/com/securitycontrol/common/core/constant/Constant.java +++ b/securitycontrol-commons/securitycontrol-commons-core/src/main/java/com/securitycontrol/common/core/constant/Constant.java @@ -10,5 +10,5 @@ public class Constant { public final static Integer PARENT_ID = 0; - public final static Integer MENU_TYPE = 3; + public final static Integer MENU_TYPE = 2; } diff --git a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/config/WebMvcConfig.java b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/config/WebMvcConfig.java index 7bea502..91ac062 100644 
--- a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/config/WebMvcConfig.java +++ b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/config/WebMvcConfig.java @@ -19,18 +19,18 @@ import com.securitycontrol.common.security.interceptor.HeaderInterceptor; public class WebMvcConfig implements WebMvcConfigurer { /** 不需要拦截地址 */ - public static final String[] EXCLUDE_URLS = { "/login", "/logout", "/refresh","/getUserTicket","/sys/logs/saveLogs","/error","/api/ballrisk/findBallGb","/api/ballrisk/getDeviceState","/api/ballrisk/findDeviceStatus" }; + public static final String[] EXCLUDE_URLS = { "/login/**","/userLogin/**","/sys/sysLog/saveLogs", "/logout", "/refresh","/getUserTicket","/sys/logs/saveLogs","/error","/sys/select/**" }; @Override public void addInterceptors(InterceptorRegistry registry) { -/* registry.addInterceptor(getParamSecureInterceptor()) - .addPathPatterns("/**") - .excludePathPatterns(excludeUrls) - .order(-10);*/ registry.addInterceptor(getHeaderInterceptor()) .addPathPatterns("/**") .excludePathPatterns(EXCLUDE_URLS) .order(-10); + registry.addInterceptor(getParamSecureInterceptor()) + .addPathPatterns("/**") + .excludePathPatterns(EXCLUDE_URLS) + .order(-10); } diff --git a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/enums/UrlEnums.java b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/enums/UrlEnums.java index 1c5d071..5b428bd 100644 --- a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/enums/UrlEnums.java +++ b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/enums/UrlEnums.java 
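Review bot: `EXCLUDE_URLS` now carries Ant wildcards (`/login/**`, `/userLogin/**`, `/sys/select/**`) that exempt whole subtrees from both `HeaderInterceptor` and the newly enabled `ParamSecureInterceptor`; `/sys/select/**` in particular looks like a data-query namespace, so anything mounted under it runs with no header/token check and no parameter validation — confirm every endpoint there is meant to be anonymous and add a one-line comment per entry stating why it is excluded. Both interceptors are registered with `.order(-10)`; with equal order the effective sequence falls back to registration order, which is fragile if the parameter checks assume a token has already been validated, so give the header interceptor a strictly lower value (`.order(-20)` for `getHeaderInterceptor()`, `.order(-10)` for `getParamSecureInterceptor()`). The log-saving endpoints `/sys/sysLog/saveLogs` and `/sys/logs/saveLogs` are excluded from every check; presumably they are guarded by the `InnerAuthAspect` / `SecurityConstants.INNER` header instead, but that should be verified, otherwise an unauthenticated client can write arbitrary audit records.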
@@ -6,24 +6,12 @@ package com.securitycontrol.common.security.enums; public enum UrlEnums { //注释 - DICT_URL("/sys/dict/", "字典管理"), - LOG_URL("/sys/logs/", "日志管理"), - menu_url("/sys/menu/", "菜单管理"), - ROLE_URL("/sys/role/", "角色管理"), - USER_URL("/userManage/", "用户管理"), - DEVICE_URL("/device/", "设备管理"), - LEDGER_URL("/ledger", "设备流转台帐"), - DEVICE_TYPE_URL("/dev/type/", "设备类型管理"), - HOME_URL("/home", "综合展示"), - NEW_PRO_URL("/newPro", "工程明细"), - TEAM_URL("/team", "班组明细"), - RISK_URL("/TRiskPressDropRate", "压降率计算"), - UAV_URL("/uav", "无人机巡视"), - DAILY_URL("/dailyDutyReport/", "值班日报"), - DAILY_STATISTIC_URL("/dutyStatistics/", "值班统计"), - SUPER_STATISTICS_URL("/superStatistics/", "违章统计"), - TODAY_TASK_URL("/todayTask/", "今日任务"), - VOI_PHOTO_LIBRARY_URL("/voiPhotoLibrary/", "违章库照片"), + DICT_URL("/sys/dict/", "系统管理-字典管理"), + LOG_URL("/sys/logs/", "系统管理-日志管理"), + menu_url("/sys/menu/", "系统管理-菜单管理"), + ROLE_URL("/sys/role/", "系统管理-角色管理"), + USER_URL("/sys/role/", "系统管理-用户管理"), + ORG_URL("/sys/role/", "系统管理-组织机构"), ; private final String url; diff --git a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/MyFilter.java b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/MyFilter.java new file mode 100644 index 0000000..b431dbd --- /dev/null +++ b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/MyFilter.java 
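Review bot: `USER_URL` and `ORG_URL` are both bound to `"/sys/role/"`, which looks like a copy-paste slip — each should carry its own controller prefix (the removed `USER_URL` used `/userManage/`; the new `/sys/...` paths for user and organisation management are not visible here, so fill in the actual prefixes). Because `addExceedsAccessLog` in ParamSecureHandler picks the module with `url.startsWith(anEnum.getUrl())` and does not break out of the loop, every `/sys/role/` request is currently labelled with the last match, `系统管理-组织机构`, so the 越权 audit log names the wrong module for role-management calls. Once the paths are unique, a `break` after the first match (or a `findFirst()` over `UrlEnums.values()`) makes the lookup deterministic; renaming `menu_url` to `MENU_URL` would also bring it in line with the other constants.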
@@ -0,0 +1,29 @@
+package com.securitycontrol.common.security.interceptor;
+
+import com.securitycontrol.common.security.utils.XssRequestWrapper;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+/**
+ * @author:cwchen
+ * @date:2024-03-01-15:07
+ * @version:1.0
+ * @description:过滤器,处理request
+ */
+@WebFilter
+public class MyFilter implements Filter{
+ @Override
+ public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+ ServletRequest requestWrapper = null;
+ if(servletRequest instanceof HttpServletRequest) {
+ requestWrapper = new XssRequestWrapper((HttpServletRequest) servletRequest);
+ }
+ if(requestWrapper == null) {
+ filterChain.doFilter(servletRequest, servletResponse);
+ } else {
+ filterChain.doFilter(requestWrapper, servletResponse);
+ }
+ }
+}
diff --git a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java
index a6c7923..5f4ab5b 100644
--- a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java
+++ b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java
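Review bot: `doFilter` wraps every `HttpServletRequest` in `XssRequestWrapper` unconditionally, and `ParamSecureHandler.preHandle` then wraps the incoming request again with `new XssRequestWrapper(request)`; whether the second wrapper re-reads a body the first one already consumed depends on `XssRequestWrapper`, which is not shown, so guard against double wrapping with `if (servletRequest instanceof HttpServletRequest && !(servletRequest instanceof XssRequestWrapper))`. The filter declares no URL pattern and no order: `@WebFilter` has no effect without `@ServletComponentScan`, and the class is activated by being listed in `AutoConfiguration.imports`, which presumably registers it as a plain `Filter` bean on every path — including the `EXCLUDE_URLS` paths the interceptors skip and the `uploadFile`/`uploadImage` endpoints that `preHandle` deliberately leaves unchecked. Registering it through a `FilterRegistrationBean` with explicit `setOrder(...)` and `addUrlPatterns(...)` (or at least an `@Order` annotation) would make that scope intentional and keep it aligned with the interceptor exclusions. A class comment saying what the wrapper sanitises and why it must run before the interceptor would also help; the generated header only says `过滤器,处理request` ("filter, handles request").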
@@ -12,11 +12,16 @@ import com.securitycontrol.common.core.utils.ip.IpUtils;
 import com.securitycontrol.common.core.web.domain.AjaxResult;
 import com.securitycontrol.common.security.enums.UrlEnums;
 import com.securitycontrol.common.security.utils.SafeUtil;
+import com.securitycontrol.common.security.utils.SecurityUtils;
 import com.securitycontrol.common.security.utils.Sm3Utils;
 import com.securitycontrol.common.security.utils.XssRequestWrapper;
 import com.securitycontrol.system.api.RemoteLogService;
+import com.securitycontrol.system.api.RemoteUserService;
+import com.securitycontrol.system.api.domain.SysLog;
 import com.securitycontrol.system.api.domain.SysOperLog;
+import com.securitycontrol.system.api.model.LoginUser;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.collections4.CollectionUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.util.PathMatcher;
@@ -43,51 +48,33 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor { private String rnd = null; - private final String whiteURL ="http://10.145.34.32:21001/"; + private final String whiteURL = "http://127.0.0.1:18080/"; @Autowired private RemoteLogService remoteLogService; + @Autowired + private RemoteUserService remoteUserService; + private static Map> requestLogMap = null; - // IResourceService resourceService = (IResourceService) AdapterFactory.getInstance(Constants.CLASS_RESOURCE); +// IResourceService resourceService = (IResourceService) AdapterFactory.getInstance(Constants.CLASS_RESOURCE); - String urls="/pot/superStatistics/importExcel"; - String urls1="/pot/todayTask/uploadNoticeVio"; - String urls2="/userManage/info/"; - String url3="/files/"; @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { System.out.println("进入了拦截器"); System.err.println(request.getRequestURI()); - if(Objects.equals(urls,request.getRequestURI()) || - Objects.equals(urls1,request.getRequestURI()) || - request.getRequestURI().contains(urls2) - ){ - return true; - } - - if(StringUtils.isNotBlank(request.getRequestURI())){ - if(request.getRequestURI().contains(url3)){ - return true; - } - } - XssRequestWrapper requestWrapper = new XssRequestWrapper(request); String requestUrl = requestWrapper.getRequestURI(); - /*if (StringUtil.isEmpty(requestUrl.trim())) { - return false; - }*/ - /** * 防止refer篡改 */ - String referUrl= request.getHeader("Referer"); - if(!whiteURL.equals(referUrl)){ + /*String referUrl= request.getHeader("Referer"); + if(!Objects.equals(whiteURL,referUrl)){ returnJson(response,"请求来源不正确!",500); return false; - } + }*/ /** * 白名单中不验证参数 */ 
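Review bot: The Referer check in `preHandle` is commented out rather than removed or made configurable, while `whiteURL` is re-pointed at `http://127.0.0.1:18080/` and left as a field that nothing visible now reads; if that check was providing any cross-site-request protection, this commit drops it silently with no replacement. A Referer string-equality test is a weak control anyway (the header is optional and often stripped), so if CSRF protection is the goal, replace it with an Origin/Referer prefix check against a list loaded from configuration (e.g. `@Value("${security.allowed-origins}")`) rather than a hard-coded host, or rely on the bearer-token scheme and delete both the block and `whiteURL`. The `System.out.println("进入了拦截器")` and `System.err.println(request.getRequestURI())` lines write every request path to stdout/stderr; the class is `@Slf4j` (it already calls `log.error` further down), so use `log.debug("preHandle {}", request.getRequestURI());`. Dropping the hard-coded `urls`/`urls1`/`urls2`/`url3` bypasses is the right direction, but `/files/` and `/userManage/info/` now pass through the full check and the XSS wrapper for the first time — confirm those endpoints still behave.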
@@ -98,7 +85,7 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor { if (!requestWrapper.isChecked()) { log.error("输入值非法{}", requestWrapper.getQueryString()); - returnJson(response,"输入值非法!",500); + returnJson(response, "输入值非法!", 500); return false; } @@ -109,7 +96,7 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor { Map map = requestWrapper.getParameterMap(); boolean checkParameterMap = checkParameterMap(map, requestUrl); if (!checkParameterMap) { - returnJson(response,"输入值非法",500); + returnJson(response, "输入值非法", 500); return false; } /** 
@@ -123,65 +110,103 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor { */ String readerParam = requestWrapper.getReaderParam(); // 判断是否是文件上传,是不对流参数进行验证 - String uplFile="uploadFile",upImage="uploadImage"; + String uplFile = "uploadFile", upImage = "uploadImage"; if (!requestUrl.contains(uplFile) && !requestUrl.contains(upImage)) { boolean checkReader = checkReader(readerParam, requestUrl); if (!checkReader) { - returnJson(response,"请求重复",500); + returnJson(response, "请求重复", 500); return false; } } - if (!sm3Check(request)) { + /*if (!sm3Check(request)) { returnJson(response,"请求参数丢失",500); return false; + }*/ + if (!checkIsYq(request, requestWrapper)) { + returnJson(response, "请求越权,请检查用户权限", 500); + return false; } return true; } - private void returnJson(HttpServletResponse response,String msg,int code){ - PrintWriter writer=null; + private void returnJson(HttpServletResponse response, String msg, int code) { + PrintWriter writer = null; response.setCharacterEncoding("UTF-8"); response.setContentType("applicatiopn/json;charset=utf-8"); - AjaxResult a=AjaxResult.error(code,msg); - String res=JSON.toJSONString(a); + AjaxResult a = AjaxResult.error(code, msg); + String res = JSON.toJSONString(a); try { - writer=response.getWriter(); + writer = response.getWriter(); writer.println(res); - }catch (IOException e){ + } catch (IOException e) { e.printStackTrace(); } } + /** + * 判断是否越权 + */ + private boolean checkIsYq(HttpServletRequest request, XssRequestWrapper requestWrapper) throws Exception { + String requestURI = request.getRequestURI(); + String[] headUrls = requestURI.split("/"); + String url = "/" + headUrls[1] + "/" + headUrls[2]; + Boolean result = true; +// String token = requestWrapper.getParameter("token"); + String token = SecurityUtils.getToken(request); + if (StringUtils.isNotEmpty(token)) { + +// String userId = JwtUtils.getIscUserId(token); + String userId = JwtUtils.getUserId(token); + System.out.println("拦截器userId:" + userId); + if 
(StringUtil.isEmpty(userId)) { + result = false; + } else { + LoginUser loginUser = SecurityUtils.getLoginUser(); + if (loginUser != null && loginUser.getSysUser() != null) { + if(CollectionUtils.isNotEmpty(loginUser.getSysUser().getMenus())){ + + } + }else{ +// return false; + } +// result = resourceService.hasPermitURLObj(userId, "9b4483c383538275018615493e1451ea", url); + } + System.out.println("==================越狱记录:========================userId:" + userId + "============是否越狱:" + result); + } else { + result = false; + } + + if (!result) { + addExceedsAccessLog(url, token); + return false; + //添加弹框 + } + return true; + } private void addExceedsAccessLog(String url, String token) { - SysOperLog sysOperLog = new SysOperLog(); - sysOperLog.setGrade("越权访问"); - sysOperLog.setOperName(JwtUtils.getUserName(token)); - sysOperLog.setTimes(DateTimeHelper.getNowTime()); - sysOperLog.setRoleName("继远管理员"); - sysOperLog.setDeptName("建设分公司"); - sysOperLog.setOperIp(IpUtils.getIpAddr(ServletUtils.getRequest())); + SysLog sysLog = new SysLog(); + String id = UUID.randomUUID().toString().replaceAll("-", ""); + sysLog.setLogId(id); + sysLog.setUserId(Long.valueOf(JwtUtils.getUserId(token))); + sysLog.setOperaUserName(JwtUtils.getUserName(token)); + sysLog.setOperTime(DateTimeHelper.getNowTime()); + sysLog.setIp(IpUtils.getIpAddr(ServletUtils.getRequest())); UrlEnums[] enums = UrlEnums.values(); for (UrlEnums anEnum : enums) { if (url.startsWith(anEnum.getUrl())) { - sysOperLog.setTitle(anEnum.getInfo()); + sysLog.setModel(anEnum.getInfo()); } } - if (StringUtils.isEmpty(sysOperLog.getTitle())) { - sysOperLog.setTitle("系统管理"); - } - sysOperLog.setRequestMethod(""); - sysOperLog.setMethod(""); - sysOperLog.setBusinessType(1); - sysOperLog.setOperUrl(""); - sysOperLog.setOperParam(""); - sysOperLog.setDetail("用户越权访问地址:" + url); - sysOperLog.setLogType("系统日志"); - sysOperLog.setSysMenu(""); - sysOperLog.setStatus(1); - remoteLogService.saveLogs(sysOperLog, SecurityConstants.INNER); 
+ sysLog.setLogType(2); + sysLog.setOperUri(url); + sysLog.setFailureReason("用户越权访问地址"); + sysLog.setGrade("高"); + sysLog.setErrType("越权访问"); + sysLog.setResult(1); + remoteLogService.saveSysLog(sysLog, SecurityConstants.INNER); } /** @@ -192,9 +217,9 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor { */ private boolean sm3Check(HttpServletRequest request) { Map map = new LinkedHashMap<>(); - String tok="token"; + String tok = "token"; request.getParameterMap().forEach((key, value) -> { - if (!Objects.equals(key, tok) ) { + if (!Objects.equals(key, tok)) { map.put(key, String.join(" ", value)); } }); @@ -289,7 +314,7 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor { } list.add(newRnd); requestLogMap.put(currentRequest, list); - String brute="requestLogMap"; + String brute = "requestLogMap"; if (session.getAttribute(brute) != null) { session.removeAttribute(brute); } diff --git a/securitycontrol-commons/securitycontrol-commons-security/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports b/securitycontrol-commons/securitycontrol-commons-security/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports index 4f3b1e7..359810e 100644 --- a/securitycontrol-commons/securitycontrol-commons-security/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports +++ b/securitycontrol-commons/securitycontrol-commons-security/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports @@ -3,3 +3,4 @@ com.securitycontrol.common.security.service.TokenService com.securitycontrol.common.security.aspect.PreAuthorizeAspect com.securitycontrol.common.security.aspect.InnerAuthAspect com.securitycontrol.common.security.handler.GlobalExceptionHandler +com.securitycontrol.common.security.interceptor.MyFilter 
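Review bot: `checkIsYq` cannot deny an authenticated caller: `result` starts as `Boolean result = true;`, the body of `if(CollectionUtils.isNotEmpty(loginUser.getSysUser().getMenus()))` is empty, the `else` holds only a commented-out `return false`, and the `resourceService.hasPermitURLObj(...)` line is commented out, so any request carrying a token with a non-empty userId passes regardless of `url`, and the `越狱记录` log can only fire for a missing token or empty userId (which the HeaderInterceptor presumably already rejects). Either finish the check — start from `boolean result = false;` and set it only when `loginUser.getSysUser().getMenus()` (or the restored resource-service call) actually grants `url` — or keep `checkIsYq` out of `preHandle` until it does, because as committed it reads like an authorization gate but is a no-op. Two crash paths also need guards: `headUrls[2]` throws `ArrayIndexOutOfBoundsException` for single-segment URIs such as `/home` (`"/home".split("/")` has length 2), so use `String url = headUrls.length > 2 ? "/" + headUrls[1] + "/" + headUrls[2] : requestURI;`, and `Long.valueOf(JwtUtils.getUserId(token))` in `addExceedsAccessLog` throws `NumberFormatException` precisely in the deny path where userId is empty, so call `sysLog.setUserId(...)` only when the id is non-blank. The `System.out.println` lines that echo userId and the "越狱记录" verdict should become `log.debug(...)`, and `sm3Check` is now commented out in `preHandle` yet kept as a method with no note on why the request-integrity check was dropped — remove it or record the reason in a comment.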
diff --git a/securitycontrol-model/securitycontrol-system/src/main/resources/mapper/LoginMapper.xml b/securitycontrol-model/securitycontrol-system/src/main/resources/mapper/LoginMapper.xml index 971836d..0b937be 100644 --- a/securitycontrol-model/securitycontrol-system/src/main/resources/mapper/LoginMapper.xml +++ b/securitycontrol-model/securitycontrol-system/src/main/resources/mapper/LoginMapper.xml @@ -21,14 +21,14 @@ select DISTINCT sm.menu_auth FROM sys_user su left join sys_role_menu srm on srm .role_id=su.role_id - left join sys_menu sm on sm.menu_id=srm.menu_id and sm.menu_type=1 AND sm.del_flag=0 + left join sys_menu sm on sm.menu_id=srm.menu_id and sm.menu_type=2 AND sm.del_flag=0 where su.user_id=#{userId}