From e2ee2937e0593bdb206adf0350524013b1b06ba9 Mon Sep 17 00:00:00 2001
From: haozq <1611483981@qq.com>
Date: Mon, 9 Sep 2024 09:25:16 +0800
Subject: [PATCH] =?UTF-8?q?=E6=8B=A6=E6=88=AA=E5=99=A8=E4=BF=AE=E6=94=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../common/security/interceptor/IPWhites.java | 31 +++++++++++++
 .../common/security/interceptor/MyFilter.java | 45 ++++++++++++++++++-
 .../interceptor/ParamSecureHandler.java | 24 ++++++----
 .../common/security/service/TokenService.java | 2 +-
 .../gateway/config/CorsConfig.java | 2 +-
 .../gateway/config/CorsFilter.java | 2 +
 .../gateway/filter/AuthFilter.java | 6 +--
 .../src/main/resources/bootstrap.yml | 22 ++++-----
 8 files changed, 108 insertions(+), 26 deletions(-)
 create mode 100644 securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/IPWhites.java
diff --git a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/IPWhites.java b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/IPWhites.java
new file mode 100644
index 0000000..8c87556
--- /dev/null
+++ b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/IPWhites.java
@@ -0,0 +1,31 @@
+package com.securitycontrol.common.security.interceptor;
+
+import org.apache.xmlbeans.impl.xb.xsdschema.Public;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ *
+ */
+public class IPWhites {
+
+ public static String ips="27.50.227.1,27.50.227.2,27.50.227.3,27.50.227.4,27.50.227.5,27.50.227.6,27.50.227.7,27.50.227.8,27.50.227.9,27.50.227.10,27.50.227.11,27.50.227.12,27.50.227.13,27.50.227.14,27.50.227.15,27.50.227.16,27.50.227.17,27.50.227.18,27.50.227.19,27.50.227.20,27.50.227.21,27.50.227.22,27.50.227.23,27.50.227.24,27.50.227.25,27.50.227.26,27.50.227.27,27.50.227.28,27.50.227.29,27.50.227.30,27.50.227.31,27.50.227.32,27.50.227.33,27.50.227.34,27.50.227.35,27.50.227.36,27.50.227.37,27.50.227.38,27.50.227.39,27.50.227.40,27.50.227.41,27.50.227.42,27.50.227.43,27.50.227.44,27.50.227.45,27.50.227.46,27.50.227.47,27.50.227.48,27.50.227.49,27.50.227.50,27.50.227.51,27.50.227.52,27.50.227.53,27.50.227.54,27.50.227.55,27.50.227.56,27.50.227.57,27.50.227.58,27.50.227.59,27.50.227.60,27.50.227.61,27.50.227.62,27.50.227.63,27.50.227.64,27.50.227.65,27.50.227.66,27.50.227.67,27.50.227.68,27.50.227.69,27.50.227.70,27.50.227.71,27.50.227.72,27.50.227.73,27.50.227.74,27.50.227.75,27.50.227.76,27.50.227.77,27.50.227.78,27.50.227.79,27.50.227.80,27.50.227.81,27.50.227.82,27.50.227.83,27.50.227.84,27.50.227.85,27.50.227.86,27.50.227.87,27.50.227.88,27.50.227.89,27.50.227.90,27.50.227.91,27.50.227.92,27.50.227.93,27.50.227.94,27.50.227.95,27.50.227.96,27.50.227.97,27.50.227.98,27.50.227.99,27.50.227.100,27.50.227.101,27.50.227.102,27.50.227.103,27.50.227.104,27.50.227.105,27.50.227.106,27.50.227.107,27.50.227.108,27.50.227.109,27.50.227.110,27.50.227.111,27.50.227.112,27.50.227.113,27.50.227.114,27.50.227.115,27.50.227.116,27.50.227.117,27.50.227.118,27.50.227.119,27.50.227.120,27.50.227.121,27.50.227.122,27.50.227.123,27.50.227.124,27.50.227.125,27.50.227.126";
+ public static void main(String[] args) {
+
+
+ }
+
+ public static List getIps(){
+ List list=new ArrayList<>();
+ String[] str=ips.split(",");
+ List list2=Arrays.asList(str);
+ list.addAll(list2);
+ list.add("127.0.0.1");
+ list.add("27.50.49.56");
+ return list;
+
+ }
+
+}
diff --git a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/MyFilter.java b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/MyFilter.java
index 114e49e..aa9d6e2 100644
--- a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/MyFilter.java
+++ b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/MyFilter.java
@@ -1,11 +1,15 @@
 package com.securitycontrol.common.security.interceptor;
+import com.securitycontrol.common.core.utils.aes.StringHelper;
 import com.securitycontrol.common.security.utils.XssRequestWrapper;
 import javax.servlet.*;
 import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Objects;
 /**
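Review bot: `getIps()` re-parses the `ips` string and builds a fresh list on every call, and the `MyFilter` hunk in this patch calls it inside a per-request loop, while the allowlist itself is a public, non-final `static String` that any class in the process can reassign; an address allowlist belongs in externalized configuration, but at minimum it should be parsed once into an unmodifiable `List<String>` held in a `private static final` field (sketch below; it needs `java.util.Collections`, and the unmodifiable wrapper can be dropped if a caller outside this patch mutates the returned list). The raw `List` types should be parameterized, `import org.apache.xmlbeans.impl.xb.xsdschema.Public` is unused and pulls an unrelated library into the security module, and the empty `main` and the empty Javadoc should be removed. The class header can then be documented as `/** Static allowlist of client addresses consulted by {@link MyFilter}; 127.0.0.1 and 27.50.49.56 are appended to the configured range. */`.
```java
    // … unchanged: ips string (should become private static final) …
    private static final List<String> IPS = Collections.unmodifiableList(buildIps());

    /** Parses {@code ips} once and appends the two fixed local entries. */
    private static List<String> buildIps() {
        List<String> list = new ArrayList<>(Arrays.asList(ips.split(",")));
        list.add("127.0.0.1");
        list.add("27.50.49.56");
        return list;
    }

    /** Returns the shared, read-only allowlist; callers must not modify it. */
    public static List<String> getIps() {
        return IPS;
    }
```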
@@ -21,7 +25,46 @@ public class MyFilter implements Filter {
 @Override
 public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
 ServletRequest requestWrapper = null;
- HttpServletRequest request = (HttpServletRequest) servletRequest;
+ HttpServletResponse response = (HttpServletResponse) servletResponse;
+ HttpServletRequest request = (HttpServletRequest) servletRequest;
+ String xForwardedFor = request.getHeader("X-Forwarded-For");
+ // 这里添加你的验证逻辑,例如检查是否包含特定的值或格式
+ if (StringHelper.isNotEmpty(xForwardedFor)) {
+ String[] ipAddresses = xForwardedFor.split(",");
+ if (ipAddresses.length > 0) {
+ boolean isAllowed = false;
+ for (String ip : ipAddresses) {
+ if (IPWhites.getIps().contains(ip.trim())) {
+ isAllowed = true;
+ break;
+ }
+ }
+ if (!isAllowed) {
+ // 如果头部不匹配,可以抛出异常或返回错误响应
+ response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+ ServletOutputStream outputStream = response.getOutputStream();
+ outputStream.write(new String("错误的XFF".getBytes(),"utf-8").getBytes());
+ outputStream.flush();
+ return;
+ }
+ }
+ }
+ response.setHeader("Access-Control-Allow-Origin", "*");
+ // 当前只支持POST 跟GET
+ response.setHeader("Access-Control-Allow-Methods",
+ "POST, GET");
+ response.setHeader("Access-Control-Max-Age", "3600");
+ response.setHeader("Access-Control-Allow-Headers",
+ "Content-Type, x-requested-with, X-Custom-Header, Authorization");
+ // 对OPTIONS请求进行拦截处理
+ String options="OPTIONS";
+ if(options.equalsIgnoreCase(request.getMethod())){
+ response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+ ServletOutputStream outputStream = response.getOutputStream();
+ outputStream.write(new String("不安全的请求".getBytes(),"utf-8").getBytes());
+ outputStream.flush();
+ return;
+ }
 if (servletRequest instanceof HttpServletRequest && !isFileUpload(request)) {
 requestWrapper = new XssRequestWrapper((HttpServletRequest) servletRequest);
 }
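Review bot: The X-Forwarded-For allowlist check added to doFilter is skipped entirely when the header is absent and accepts the request as soon as any one comma-separated entry is on the list, so it only enforces anything if a trusted proxy in front of this filter is guaranteed to set and overwrite the header for every request; if the filter can be reached without that proxy, the absent-header case should be rejected like a non-matching one, and only the entry the proxy appends (or `request.getRemoteAddr()`) should be compared rather than scanning every entry. `IPWhites.getIps()` is also called inside the loop and rebuilds its list on each iteration, so hoist it into a local before the `for`. The rejection path reports `SC_METHOD_NOT_ALLOWED` for a bad header where `SC_FORBIDDEN` is the accurate status, and `new String("错误的XFF".getBytes(),"utf-8").getBytes()` round-trips the message through the platform default charset twice; `response.setCharacterEncoding("UTF-8"); outputStream.write("错误的XFF".getBytes(StandardCharsets.UTF_8));` emits the intended bytes (same for the OPTIONS branch). Setting `Access-Control-Allow-Origin: *` while every OPTIONS preflight is answered with 405 makes the CORS headers contradictory for any cross-origin caller, which is worth a comment or a decision. doFilter continues past the end of the hunk.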
diff --git a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java
index 1947fc9..ac20a4e 100644
--- a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java
+++ b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/interceptor/ParamSecureHandler.java
@@ -84,6 +84,11 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {
 public static final String[] EXCLUDE_URLS = {"/sys/pro/addPro","/sys/pro/editPro","/sys/pro/importProData","/back/personnel/addPersonnel","/back/personnel/editPersonnel","/pageJump","/validateToken"};
+
+ public static final String[] activeFile={"/back/area/deleteSwFile","/sys/pro/viewProFile","/back/area/deleteSwFile",
+ "/back/area/downLoadFile"
+ };
+
 public boolean isFileUpload(HttpServletRequest request) {
 for (String excludeUrl : EXCLUDE_URLS) {
@@ -97,13 +102,21 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {
 @Override
 public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+ XssRequestWrapper requestWrapper = new XssRequestWrapper(request);
+ try{
+ if (!checkIsYq(request, requestWrapper)) {
+ returnJson(response, "越权访问,接口未授权", 401);
+ return false;
+ }
+ }catch (Exception e){
+ returnJson(response, "令牌不能为空", 401);
+ }
 // 过滤文件上传功能
 if(isFileUpload(request)){
 return true;
 }
 System.out.println("进入了拦截器");
 System.err.println(request.getRequestURI());
- XssRequestWrapper requestWrapper = new XssRequestWrapper(request);
 String requestUrl = requestWrapper.getRequestURI();
 /**
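Review bot: `activeFile` lists `/back/area/deleteSwFile` twice, and as a `public static final String[]` it is a mutable array published under a non-constant name; drop the duplicate and rename it `ACTIVE_FILE` (or expose it as an unmodifiable `List<String>`) to match `EXCLUDE_URLS` right above it. Nothing in this patch reads the array, so its intended role should be stated where it is declared, e.g. `// file view/download/delete endpoints, presumably exempt from parameter checks like EXCLUDE_URLS — TODO confirm`.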
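Review bot: The `catch (Exception e)` block moved to the top of preHandle writes a 401 body via `returnJson` but does not return, so when `checkIsYq` throws the interceptor falls through to the rest of the method and can still return true, letting the request proceed with a 401 already written; add `return false;` after the `returnJson` call in the catch. The exception is also discarded without logging, so the real cause (which the fixed message "令牌不能为空" may not describe) is never recorded — log `e` before responding. Because the wrapper and the check now run before the `isFileUpload` early-return, `XssRequestWrapper` is also constructed for the excluded upload URLs; if that wrapper reads the request body (cannot be told from here), it may consume the multipart stream, which the original ordering avoided — worth confirming. The later hunk of this file only removes the block from its old position, so the same fix applies there by omission. preHandle continues past the end of the hunk.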
@@ -162,14 +175,7 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {
 returnJson(response,"请求参数丢失",500);
 return false;
 }*/
- try{
- if (!checkIsYq(request, requestWrapper)) {
- returnJson(response, "越权访问,接口未授权", 401);
- return false;
- }
- }catch (Exception e){
- returnJson(response, "令牌不能为空", 401);
- }
+ return true;
 }
diff --git a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/service/TokenService.java b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/service/TokenService.java
index 7641062..3bcf17e 100644
--- a/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/service/TokenService.java
+++ b/securitycontrol-commons/securitycontrol-commons-security/src/main/java/com/securitycontrol/common/security/service/TokenService.java
@@ -60,7 +60,7 @@ public class TokenService {
 claimsMap.put(SecurityConstants.USER_KEY, token);
 claimsMap.put(SecurityConstants.DETAILS_USER_ID, userId);
 claimsMap.put(SecurityConstants.DETAILS_ISC_USER_ID, loginUser.getSysUser().getIscUserId());
- claimsMap.put(SecurityConstants.DETAILS_USERNAME, userName);
+ // claimsMap.put(SecurityConstants.DETAILS_USERNAME, userName);
 // 接口返回信息
 Map rspMap = new HashMap(50);
 String jwtToken=JwtUtils.createToken(claimsMap);
diff --git a/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/config/CorsConfig.java b/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/config/CorsConfig.java
index 2ce93f7..eb51e90 100644
--- a/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/config/CorsConfig.java
+++ b/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/config/CorsConfig.java
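Review bot: The `DETAILS_USERNAME` claim in TokenService is disabled by commenting the `claimsMap.put` line out rather than deleting it; commented-out code should be removed, and the reason the claim was dropped belongs in the commit message or a one-line comment at that spot. Any consumer of `SecurityConstants.DETAILS_USERNAME` outside this patch now receives a missing claim, so the constant's remaining uses are worth checking before merging; the `userName` local that fed the claim may also be unused now (its declaration is outside the hunk).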
@@ -14,7 +14,7 @@ import org.springframework.web.util.pattern.PathPatternParser;
 @Configuration
 public class CorsConfig {
 @Bean
- public CorsWebFilter corsFilter() {
+ public CorsWebFilter CorsFilter() {
 CorsConfiguration config = new CorsConfiguration();
 config.addAllowedMethod("*");
 config.addAllowedOrigin("*");
diff --git a/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/config/CorsFilter.java b/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/config/CorsFilter.java
index 1174dcd..f62450b 100644
--- a/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/config/CorsFilter.java
+++ b/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/config/CorsFilter.java
@@ -1,5 +1,7 @@
 package com.securitycontrol.gateway.config;
+import org.springframework.stereotype.Component;
+
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
diff --git a/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/filter/AuthFilter.java b/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/filter/AuthFilter.java
index 6b51454..3469b89 100644
--- a/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/filter/AuthFilter.java
+++ b/securitycontrol-gateway/src/main/java/com/securitycontrol/gateway/filter/AuthFilter.java
@@ -76,17 +76,17 @@ public class AuthFilter implements GlobalFilter, Ordered
 Claims claims1=JwtUtils.parseToken(token);
 Integer userId=(Integer) claims1.get(SecurityConstants.DETAILS_USER_ID);
 String iscUser=(String) claims1.get(SecurityConstants.DETAILS_ISC_USER_ID);
- String userName=(String) claims1.get(SecurityConstants.DETAILS_USERNAME);
+ // String userName=(String) claims1.get(SecurityConstants.DETAILS_USERNAME);
 int times =60*30;
 redisService.set("token:"+jwtToken,jwtToken,times);
 redisService.set("userId::"+userId,jwtToken,times);
 redisService.set("ISCUserId:"+jwtToken,iscUser,times);
- redisService.set("userName:"+jwtToken,userName,times);
+ // redisService.set("userName:"+jwtToken,userName,times);
 String userid = JwtUtils.getUserId(claims);
 String username = JwtUtils.getUserName(claims);
 String iscUserId= JwtUtils.getIscUserId(claims);
- if (StringUtils.isEmpty(userid) || StringUtils.isEmpty(username))
+ if (StringUtils.isEmpty(userid))
 {
 return unauthorizedResponse(exchange, "令牌验证失败");
 }
diff --git a/securitycontrol-model/securitycontrol-files/src/main/resources/bootstrap.yml b/securitycontrol-model/securitycontrol-files/src/main/resources/bootstrap.yml
index 54adc4c..a1e49c9 100644
--- a/securitycontrol-model/securitycontrol-files/src/main/resources/bootstrap.yml
+++ b/securitycontrol-model/securitycontrol-files/src/main/resources/bootstrap.yml
@@ -30,20 +30,20 @@ spring:
 # 共享配置
 shared-configs:
 - vsc-dev.yml
- data:
- mongodb:
- host: 192.168.0.56
- port: 27017
- database: zhgd
- username: zhgd
- password: Bonus@admin123
 # data:
 # mongodb:
-# host: 47.115.207.135
+# host: 192.168.0.56
 # port: 27017
-# database: admin
-# username: admin
-# password: Bonus@admin123!
+# database: zhgd
+# username: zhgd
+# password: Bonus@admin123
+ data:
+ mongodb:
+ host: 47.115.207.135
+ port: 27017
+ database: admin
+ username: admin
+ password: Bonus@admin123!
 #加密组件
 jasypt:
 encryptor:
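Review bot: The token validation in AuthFilter now checks only `userid`, while `String username = JwtUtils.getUserName(claims);` two lines above is still computed and, with `DETAILS_USERNAME` no longer written by TokenService in this same patch, presumably comes back null or empty; if `username` is used further down the method (outside the hunk) it needs a null guard, otherwise the local should be deleted together with the two commented-out lines rather than left as dead code. A one-line comment at the changed `if`, such as `// username claim is no longer issued; only the user id identifies the token`, would record why the check was relaxed. The method continues past the end of the hunk.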
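Review bot: The newly uncommented `data.mongodb` block commits a plaintext admin password and a public host address to source control, and the commented-out block above it still carries the previous credentials, so both sets now live in the repository history. The `jasypt.encryptor` section that follows directly below this hunk exists for exactly this purpose: store the secret as `password: ENC(<ciphertext placeholder>)` or reference an environment variable (for example `password: ${MONGO_PASSWORD}`), and treat the values already committed as exposed and rotate them. Switching the live configuration from an internal address to a public one at the same time widens the database's exposure and should be called out in the commit message rather than buried in a config swap.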