liux
/
gs_sub_evaluate
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: liux:291c6acb87b1d4a6447428349b3ce1427b90c3e9
Branches Tags
liux:master
..
compare: liux:989c4203e2fe9427d0ac9d7a556331da861bf44a
Branches Tags
liux:master

2 Commits
291c6acb87 ... 989c4203e2

Author SHA1 Message Date
liang.chao 989c4203e2 漏洞修复 2025-08-24 14:49:16 +08:00
liang.chao 4e75566cad 漏洞修复 2025-08-24 14:49:12 +08:00
2 changed files with 72 additions and 120 deletions
Show Stats Expand all files Collapse all files

6
src/main/java/com/bonus/gs/sub/evaluate/manager/config/WebMvcConfig.java
View File

@ -22,9 +22,10 @@ public class WebMvcConfig implements WebMvcConfigurer {
/**
* 跨域支持
*
*
* @return
*/
/*
@Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurer() {
@ -34,10 +35,11 @@ public class WebMvcConfig implements WebMvcConfigurer {
}
};
}
*/
/**
* datatable分页解析
*
*
* @return
*/
@Bean

186
src/main/resources/static/login.html
View File

@ -5,208 +5,158 @@
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Expires" content="0">
<title>登录 - 分包评价系统</title>
<title>登录</title>
<link href="css/login.css" type="text/css" rel="stylesheet">
<style>
.csrf-info {
background-color: #f8f9fa;
border-left: 4px solid #007bff;
padding: 10px 15px;
margin: 15px 0;
font-size: 14px;
display: none;
}
.csrf-token-field {
display: none;
}
</style>
</head>
<body>
<div class="login">
<div class="message">分包评价</div>
<div id="darkbannerwrap"></div>
<div class="csrf-info" id="csrfInfo">
<strong>安全提示:</strong> 此表单包含CSRF保护令牌防止跨站请求伪造攻击。
</div>
<form id="login-form" method="post" onsubmit="return false;">
<input id="username" name="username" placeholder="用户名" type="text" autocomplete="off">
<input id="username" name="username" placeholder="用户名" type="text"
autocomplete="off">
<hr class="hr15">
<input id="password" name="password" placeholder="密码" type="password" autocomplete="off">
<input id="password" name="password" placeholder="密码" type="password"
autocomplete="off">
<hr class="hr15">
<!-- CSRF令牌字段 -->
<input type="hidden" id="csrfToken" name="csrfToken" value="">
<button style="width: 100%;" type="submit" onclick="login(this)">登录</button>
<button style="width: 100%;" type="submit"
onclick="login(this)">登录</button>
<hr class="hr20">
<span id="info" style="color: red"></span>
</form>
</div>
</body>
<script src="js/libs/jquery-2.1.1.min.js"></script>
<script src="js/publicJs.js"></script>
<script src="layui/layui.js"></script>
<script src="layui/crypto-js.min.js"></script>
<script type="text/javascript">
// 页面加载时获取CSRF令牌
document.addEventListener('DOMContentLoaded', function() {
fetchCSRFToken();
});
// 获取CSRF令牌
function fetchCSRFToken() {
$.ajax({
type: 'get',
url: ctxPath + '/csrf/token',
success: function(data) {
if (data && data.token) {
$('#csrfToken').val(data.token);
$('#csrfInfo').show();
}
},
error: function() {
// 如果获取令牌失败,生成一个客户端令牌作为备用
var clientToken = generateClientToken();
$('#csrfToken').val(clientToken);
}
});
}
// 生成客户端CSRF令牌
function generateClientToken() {
var timestamp = new Date().getTime();
var random = Math.random().toString(36).substring(2);
return CryptoJS.SHA256(timestamp + random).toString();
}
// 原有代码保持不变
// if (top != self) {
// parent.location.href = '/GsSubEvaluate/login.html';
// }
// 获取查询参数
let urlParams = new URLSearchParams(window.location.search);
let tokens = urlParams.get('tokens');
let tokens = urlParams.get('tokens'); // 假设 URL 为 https://example.com/path?query=1
let loginName = urlParams.get('loginName');
if(tokens && tokens !== 'undefined'){
tokenVerify(tokens, loginName);
if(tokens && tokens!=='undefined'){
tokenVerify(tokens,loginName);
}
function tokenVerify(tokens, loginName) {
// var token = localStorage.getItem("token");
// if (token != null && token.trim().length != 0) {
// $.ajax({
// type : 'get',
// url : ctxPath + '/users/current?token=' + token,
// success : function(data) {
// location.href = ctxPath + '/index.html';
// },
// error : function(xhr, textStatus, errorThrown) {
// var msg = xhr.responseText;
// var response = JSON.parse(msg);
// var code = response.code;
// var message = response.message;
// if (code == 401) {
// localStorage.removeItem("token");
// }
// }
// });
// }
function tokenVerify(tokens,loginName) {
$.ajax({
type: 'post',
url: ctxPath + '/users/tokenVerify',
data: {tokens: tokens, loginName: loginName},
success: function(data) {
type : 'post',
url : ctxPath + '/users/tokenVerify',
data : {tokens:tokens,loginName:loginName},
success : function(data) {
// debugger;
let res = data.res;
layer.msg(data.resMsg);
if(res === 1) {
login_2(loginName, data.resMsg);
} else {
}else{
layer.msg(data.resMsg);
}
},
error: function(xhr, textStatus, errorThrown) {
// 错误处理
error : function(xhr, textStatus, errorThrown) {
}
});
}
function login_2(username, password) {
// 确保有CSRF令牌
if (!$('#csrfToken').val()) {
fetchCSRFToken();
setTimeout(function() {
login_2(username, password);
}, 100);
return;
}
function login_2(username,password) {
$.ajax({
type: 'post',
url: ctxPath + '/login',
data: {
username: username,
password: password,
csrfToken: $('#csrfToken').val()
},
success: function(data) {
type : 'post',
url : ctxPath + '/login',
data : {username:username,password:password},
success : function(data) {
// debugger;
localStorage.setItem("token", data.token);
localStorage.setItem("roleName", data.loginUser.roleName);
localStorage.setItem("loginUser", JSON.stringify(data.loginUser));
location.href = ctxPath + '/index.html';
},
error: function(xhr, textStatus, errorThrown) {
error : function(xhr, textStatus, errorThrown) {
var msg = xhr.responseText;
var response = JSON.parse(msg);
$("#info").html(response.message);
$(obj).attr("disabled", false);
}
});
}
// AES加密函数
function encryptData(data, key) {
const keyHex = CryptoJS.enc.Utf8.parse(key);
const ivHex = CryptoJS.enc.Utf8.parse(key.substring(0, 16));
const ivHex = CryptoJS.enc.Utf8.parse(key.substring(0, 16)); // 使用密钥前16位作为IV
return CryptoJS.AES.encrypt(data, keyHex, {
iv: ivHex,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
}).toString();
}
function login(obj) {
$(obj).attr("disabled", true);
var username = $.trim($('#username').val());
var password = $.trim($('#password').val());
if (username == "" || password == "") {
$("#info").html('用户名或者密码不能为空');
$(obj).attr("disabled", false);
} else {
// 确保有CSRF令牌
if (!$('#csrfToken').val()) {
fetchCSRFToken();
setTimeout(function() {
login(obj);
}, 100);
return;
}
// 加密密钥
// 加密密钥(需与后端一致)
var secretKey = "zhgd@bonus@zhgd@bonus@1234567890";
// 加密用户名和密码
var encryptedData = {
username: encryptData(username, secretKey),
password: encryptData(password, secretKey),
csrfToken: $('#csrfToken').val()
};
$.ajax({
type: 'post',
url: ctxPath + '/login',
data: encryptedData,
success: function(data) {
type : 'post',
url : ctxPath + '/login',
data : encryptedData,
success : function(data) {
// debugger;
localStorage.setItem("token", data.token);
// localStorage.setItem("roleName", data.loginUser.roleName);
localStorage.setItem("loginUser", JSON.stringify(data.loginUser));
location.href = ctxPath + '/index.html';
},
error: function(xhr, textStatus, errorThrown) {
error : function(xhr, textStatus, errorThrown) {
var msg = xhr.responseText;
try {
var response = JSON.parse(msg);
$("#info").html(response.message);
// 如果错误是由于CSRF令牌无效重新获取令牌
if (response.code === 403 && response.message.includes("CSRF")) {
fetchCSRFToken();
}
} catch(e) {
$("#info").html("登录失败,请重试");
}
var response = JSON.parse(msg);
$("#info").html(response.message);
$(obj).attr("disabled", false);
}
});
}
}
</script>
</body>
</html>