漏洞修复

src/main/java/com/bonus/gs/sub/evaluate/manager/config/WebMvcConfig.java

@@ -25,6 +25,7 @@ public class WebMvcConfig implements WebMvcConfigurer {
 	 *
 	 * @return
 	 */
+/*
 	@Bean
 	public WebMvcConfigurer corsConfigurer() {
 		return new WebMvcConfigurer() {
@@ -34,6 +35,7 @@ public class WebMvcConfig implements WebMvcConfigurer {
 			}
 		};
 	}
+*/
 
 	/**
 	 * datatable分页解析

src/main/resources/static/login.html

@@ -5,208 +5,158 @@
 	<meta http-equiv="Pragma" content="no-cache">
 	<meta http-equiv="Cache-Control" content="no-cache">
 	<meta http-equiv="Expires" content="0">
-	<title>登录 - 分包评价系统</title>
+	<title>登录</title>
 	<link href="css/login.css" type="text/css" rel="stylesheet">
-	<style>
-		.csrf-info {
-			background-color: #f8f9fa;
-			border-left: 4px solid #007bff;
-			padding: 10px 15px;
-			margin: 15px 0;
-			font-size: 14px;
-			display: none;
-		}
-		.csrf-token-field {
-			display: none;
-		}
-	</style>
 </head>
 <body>
+
 <div class="login">
 	<div class="message">分包评价</div>
 	<div id="darkbannerwrap"></div>
 
-	<div class="csrf-info" id="csrfInfo">
-		<strong>安全提示:</strong> 此表单包含CSRF保护令牌，防止跨站请求伪造攻击。
-	</div>
-
 	<form id="login-form" method="post" onsubmit="return false;">
-		<input id="username" name="username" placeholder="用户名" type="text" autocomplete="off">
+		<input id="username" name="username" placeholder="用户名" type="text"
+			   autocomplete="off">
 		<hr class="hr15">
-		<input id="password" name="password" placeholder="密码" type="password" autocomplete="off">
+		<input id="password" name="password" placeholder="密码" type="password"
+			   autocomplete="off">
 		<hr class="hr15">
-		<!-- CSRF令牌字段 -->
+		<button style="width: 100%;" type="submit"
-		<input type="hidden" id="csrfToken" name="csrfToken" value="">
+				onclick="login(this)">登录</button>
-		<button style="width: 100%;" type="submit" onclick="login(this)">登录</button>
 		<hr class="hr20">
 		<span id="info" style="color: red"></span>
 	</form>
+
+
 </div>
 
+</body>
 <script src="js/libs/jquery-2.1.1.min.js"></script>
 <script src="js/publicJs.js"></script>
 <script src="layui/layui.js"></script>
 <script src="layui/crypto-js.min.js"></script>
 
 <script type="text/javascript">
-	// 页面加载时获取CSRF令牌
+	// if (top != self) {
-	document.addEventListener('DOMContentLoaded', function() {
+	// 	parent.location.href = '/GsSubEvaluate/login.html';
-		fetchCSRFToken();
+	// }
-	});
+	// 获取查询参数
-
-	// 获取CSRF令牌
-	function fetchCSRFToken() {
-		$.ajax({
-			type: 'get',
-			url: ctxPath + '/csrf/token',
-			success: function(data) {
-				if (data && data.token) {
-					$('#csrfToken').val(data.token);
-					$('#csrfInfo').show();
-				}
-			},
-			error: function() {
-				// 如果获取令牌失败，生成一个客户端令牌作为备用
-				var clientToken = generateClientToken();
-				$('#csrfToken').val(clientToken);
-			}
-		});
-	}
-
-	// 生成客户端CSRF令牌
-	function generateClientToken() {
-		var timestamp = new Date().getTime();
-		var random = Math.random().toString(36).substring(2);
-		return CryptoJS.SHA256(timestamp + random).toString();
-	}
-
-	// 原有代码保持不变
 	let urlParams = new URLSearchParams(window.location.search);
-	let tokens = urlParams.get('tokens');
+	let tokens = urlParams.get('tokens');  // 假设 URL 为 https://example.com/path?query=1
 	let loginName = urlParams.get('loginName');
-
+	if(tokens && tokens!=='undefined'){
-	if(tokens && tokens !== 'undefined'){
+		tokenVerify(tokens,loginName);
-		tokenVerify(tokens, loginName);
 	}
 
-	function tokenVerify(tokens, loginName) {
+	// var token = localStorage.getItem("token");
+	// if (token != null && token.trim().length != 0) {
+	// 	$.ajax({
+	// 		type : 'get',
+	// 		url : ctxPath + '/users/current?token=' + token,
+	// 		success : function(data) {
+	// 			location.href = ctxPath + '/index.html';
+	// 		},
+	// 		error : function(xhr, textStatus, errorThrown) {
+	// 			var msg = xhr.responseText;
+	// 			var response = JSON.parse(msg);
+	// 			var code = response.code;
+	// 			var message = response.message;
+	// 			if (code == 401) {
+	// 				localStorage.removeItem("token");
+	// 			}
+	// 		}
+	// 	});
+	// }
+
+	function tokenVerify(tokens,loginName) {
 		$.ajax({
-			type: 'post',
+			type : 'post',
-			url: ctxPath + '/users/tokenVerify',
+			url : ctxPath + '/users/tokenVerify',
-			data: {tokens: tokens, loginName: loginName},
+			data : {tokens:tokens,loginName:loginName},
-			success: function(data) {
+			success : function(data) {
+				// debugger;
 				let res = data.res;
 				layer.msg(data.resMsg);
 				if(res === 1) {
 					login_2(loginName, data.resMsg);
-				} else {
+				}else{
 					layer.msg(data.resMsg);
 				}
 			},
-			error: function(xhr, textStatus, errorThrown) {
+			error : function(xhr, textStatus, errorThrown) {
-				// 错误处理
+
 			}
 		});
 	}
 
-	function login_2(username, password) {
+	function login_2(username,password) {
-		// 确保有CSRF令牌
-		if (!$('#csrfToken').val()) {
-			fetchCSRFToken();
-			setTimeout(function() {
-				login_2(username, password);
-			}, 100);
-			return;
-		}
-
 		$.ajax({
-			type: 'post',
+			type : 'post',
-			url: ctxPath + '/login',
+			url : ctxPath + '/login',
-			data: {
+			data : {username:username,password:password},
-				username: username,
+			success : function(data) {
-				password: password,
+				// debugger;
-				csrfToken: $('#csrfToken').val()
-			},
-			success: function(data) {
 				localStorage.setItem("token", data.token);
+				localStorage.setItem("roleName", data.loginUser.roleName);
 				localStorage.setItem("loginUser", JSON.stringify(data.loginUser));
 				location.href = ctxPath + '/index.html';
 			},
-			error: function(xhr, textStatus, errorThrown) {
+			error : function(xhr, textStatus, errorThrown) {
 				var msg = xhr.responseText;
 				var response = JSON.parse(msg);
 				$("#info").html(response.message);
+				$(obj).attr("disabled", false);
 			}
 		});
 	}
-
 	// AES加密函数
 	function encryptData(data, key) {
 		const keyHex = CryptoJS.enc.Utf8.parse(key);
-		const ivHex = CryptoJS.enc.Utf8.parse(key.substring(0, 16));
+		const ivHex = CryptoJS.enc.Utf8.parse(key.substring(0, 16)); // 使用密钥前16位作为IV
 		return CryptoJS.AES.encrypt(data, keyHex, {
 			iv: ivHex,
 			mode: CryptoJS.mode.CBC,
 			padding: CryptoJS.pad.Pkcs7
 		}).toString();
 	}
-
 	function login(obj) {
 		$(obj).attr("disabled", true);
 
 		var username = $.trim($('#username').val());
 		var password = $.trim($('#password').val());
-
 		if (username == "" || password == "") {
 			$("#info").html('用户名或者密码不能为空');
 			$(obj).attr("disabled", false);
 		} else {
-			// 确保有CSRF令牌
+			// 加密密钥（需与后端一致）
-			if (!$('#csrfToken').val()) {
-				fetchCSRFToken();
-				setTimeout(function() {
-					login(obj);
-				}, 100);
-				return;
-			}
-
-			// 加密密钥
 			var secretKey = "zhgd@bonus@zhgd@bonus@1234567890";
 
 			// 加密用户名和密码
 			var encryptedData = {
 				username: encryptData(username, secretKey),
 				password: encryptData(password, secretKey),
-				csrfToken: $('#csrfToken').val()
 			};
 
 			$.ajax({
-				type: 'post',
+				type : 'post',
-				url: ctxPath + '/login',
+				url : ctxPath + '/login',
-				data: encryptedData,
+				data : encryptedData,
-				success: function(data) {
+				success : function(data) {
+					// debugger;
 					localStorage.setItem("token", data.token);
+					//	localStorage.setItem("roleName", data.loginUser.roleName);
 					localStorage.setItem("loginUser", JSON.stringify(data.loginUser));
 					location.href = ctxPath + '/index.html';
 				},
-				error: function(xhr, textStatus, errorThrown) {
+				error : function(xhr, textStatus, errorThrown) {
 					var msg = xhr.responseText;
-					try {
+					var response = JSON.parse(msg);
-						var response = JSON.parse(msg);
+					$("#info").html(response.message);
-						$("#info").html(response.message);
-
-						// 如果错误是由于CSRF令牌无效，重新获取令牌
-						if (response.code === 403 && response.message.includes("CSRF")) {
-							fetchCSRFToken();
-						}
-					} catch(e) {
-						$("#info").html("登录失败，请重试");
-					}
 					$(obj).attr("disabled", false);
 				}
 			});
+
 		}
 	}
 </script>
-</body>
 </html>