Commit c2757cd8 by Lenovo

添加userSign校验

parent 0ba59b79
package com.ejweb.core.filter; package com.ejweb.core.filter;
import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.JSON;
import com.ejweb.core.base.BaseBean;
import com.ejweb.core.base.BaseUserBean; import com.ejweb.core.base.BaseUserBean;
import com.ejweb.core.conf.GConstants; import com.ejweb.core.conf.GConstants;
import com.ejweb.core.security.GlobalUtil;
import com.ejweb.modules.user.entity.User; import com.ejweb.modules.user.entity.User;
import com.ejweb.modules.user.entity.UserEntity; import com.ejweb.modules.user.entity.UserEntity;
import com.ejweb.modules.user.service.UserService; import com.ejweb.modules.user.service.UserService;
...@@ -42,19 +40,18 @@ public class BasicVerifyFilter implements Filter { ...@@ -42,19 +40,18 @@ public class BasicVerifyFilter implements Filter {
// 由于tomcat漏洞,在不升级的情况下,过滤PUT请求,直接返回 // 由于tomcat漏洞,在不升级的情况下,过滤PUT请求,直接返回
if ("PUT".equals(((HttpServletRequest) request).getMethod())) { if ("PUT".equals(((HttpServletRequest) request).getMethod())) {
request.getRequestDispatcher("/WEB-INF/views/errors/401.jsp").forward(request, response);// 跳转到验证错误页面 // 跳转到验证错误页面
request.getRequestDispatcher("/WEB-INF/views/errors/401.jsp").forward(request, response);
return; return;
} }
long maxFileSize = Long.valueOf(GConstants.getValue("file.max.upload.size")); long maxFileSize = Long.valueOf(GConstants.getValue("file.max.upload.size"));
// HttpServletRequest reqs = (HttpServletRequest)request; long fileSize = request.getContentLength();
long fileSize = ((HttpServletRequest) request).getContentLength();
if (fileSize > maxFileSize) { if (fileSize > maxFileSize) {
request.setAttribute("message", "文件大小超出限制"); request.setAttribute("message", "文件大小超出限制");
request.getRequestDispatcher("/WEB-INF/views/errors/401.jsp").forward(request, response);// 跳转到验证错误页面 // 跳转到验证错误页面
// response.getOutputStream().print("file"); request.getRequestDispatcher("/WEB-INF/views/errors/401.jsp").forward(request, response);
return; return;
} }
...@@ -63,48 +60,43 @@ public class BasicVerifyFilter implements Filter { ...@@ -63,48 +60,43 @@ public class BasicVerifyFilter implements Filter {
rep.setHeader("Access-Control-Allow-Origin", "*"); rep.setHeader("Access-Control-Allow-Origin", "*");
} }
boolean isMultipart = ServletFileUpload.isMultipartContent((HttpServletRequest) request); boolean isMultipart = ServletFileUpload.isMultipartContent((HttpServletRequest) request);
if (isMultipart == false) { // 判断enctype属性是否为multipart/form-data // 判断enctype属性是否为multipart/form-data
String sign = request.getParameter("sign");// .getAttribute("sign"); if (isMultipart == false) {
String sign = request.getParameter("sign");
String content = request.getParameter("content"); String content = request.getParameter("content");
if (StringUtils.isBlank(sign)) { // if (StringUtils.isBlank(sign)) {
//
request.setAttribute("message", "参数sign不能为NULL"); // request.setAttribute("message", "参数sign不能为NULL");
request.getRequestDispatcher("/WEB-INF/views/errors/401.jsp").forward(request, response);// 跳转到验证错误页面 // request.getRequestDispatcher("/WEB-INF/views/errors/401.jsp").forward(request, response);// 跳转到验证错误页面
return; // return;
} else if (StringUtils.isBlank(content)) { if (StringUtils.isBlank(content)) {
request.setAttribute("message", "参数content不能为NULL"); request.setAttribute("message", "参数content不能为NULL");
request.getRequestDispatcher("/WEB-INF/views/errors/401.jsp").forward(request, response);// 跳转到验证错误页面 // 跳转到验证错误页面
request.getRequestDispatcher("/WEB-INF/views/errors/401.jsp").forward(request, response);
return; return;
} }
/**
* 对有签名的进行DES签名验证,不使用下面的sha验证
*/
/*
* sign = request.getParameter("sign"); if
* (StringUtils.isNotBlank(sign)) { if (!validateSign(sign)) {
* request.setAttribute("message", "签名错误,禁止访问");
* request.getRequestDispatcher("/WEB-INF/views/errors/405.jsp").
* forward(request, response);// 跳转到验证错误页面 return; } }
*/
} }
// 所有请求通过, 不做数据验证
if (isAllowAllPage) {// 所有请求通过, 不做数据验证 if (isAllowAllPage) {
filterChain.doFilter(request, response); filterChain.doFilter(request, response);
return; return;
} }
if (isExcludedPage) { // 有例外请求链接 // 有例外请求链接
if (isExcludedPage) {
HttpServletRequest req = (HttpServletRequest) request; HttpServletRequest req = (HttpServletRequest) request;
String uri = req.getServletPath(); String uri = req.getServletPath();
if (excludedPageArray != null && uri != null && uri.length() != 0) { if (excludedPageArray != null && uri != null && uri.length() != 0) {
if (excludedPageSet.contains(uri)) {// 直接包含 // 直接包含
if (excludedPageSet.contains(uri)) {
filterChain.doFilter(request, response); filterChain.doFilter(request, response);
return; return;
} }
for (String page : excludedPageArray) {// 遍历例外url数组 // 遍历例外url数组
if (uri.matches(page)) {// 在过滤url之外 for (String page : excludedPageArray) {
// 在过滤url之外
if (uri.matches(page)) {
filterChain.doFilter(request, response); filterChain.doFilter(request, response);
return; return;
} }
...@@ -113,13 +105,14 @@ public class BasicVerifyFilter implements Filter { ...@@ -113,13 +105,14 @@ public class BasicVerifyFilter implements Filter {
} }
// 对基本数据域进行验证 // 对基本数据域进行验证
String content = request.getParameter("content"); String content = request.getParameter("content");
String sign = request.getParameter("sign"); // String sign = request.getParameter("sign");
String message = "content及sign不允许为空"; String message = "content及sign不允许为空";
if (content != null && sign != null) { // 基本参数不为NULL // 基本参数不为NULL
BaseBean baseBean = JSON.parseObject(content, BaseBean.class); if (content != null) {
message = "无效请求"; message = "无效请求";
BaseUserBean baseUserBean = JSON.parseObject(content, BaseUserBean.class); BaseUserBean baseUserBean = JSON.parseObject(content, BaseUserBean.class);
String userSign = baseUserBean.getUserSign(); String userSign = baseUserBean.getUserSign();
System.out.println("userSign:" + userSign);
if (userSign != null && !"".equals(userSign) && !"undefind".equals(userSign)) { if (userSign != null && !"".equals(userSign) && !"undefind".equals(userSign)) {
ServletContext context = request.getServletContext(); ServletContext context = request.getServletContext();
ApplicationContext ctx = WebApplicationContextUtils.getWebApplicationContext(context); ApplicationContext ctx = WebApplicationContextUtils.getWebApplicationContext(context);
...@@ -129,21 +122,24 @@ public class BasicVerifyFilter implements Filter { ...@@ -129,21 +122,24 @@ public class BasicVerifyFilter implements Filter {
User user = userService.getUserByUserCode(ue); User user = userService.getUserByUserCode(ue);
message = "无效请求"; message = "无效请求";
if (user != null) { if (user != null) {
if (baseBean.getAppCode() != null) { // 基本必要参数验证通过 filterChain.doFilter(request, response);
message = "签名验证不匹配"; return;
if (GConstants.IS_VERIFY_CONTENT_SIGN == false // if (baseBean.getAppCode() != null) { // 基本必要参数验证通过
|| GlobalUtil.verifySign(content, GConstants.SIGN_PRIVATE_KEY, sign)) {// 签名验证通过 // message = "签名验证不匹配";
filterChain.doFilter(request, response); // if (GConstants.IS_VERIFY_CONTENT_SIGN == false
return; // || GlobalUtil.verifySign(content, GConstants.SIGN_PRIVATE_KEY, sign)) {// 签名验证通过
} // filterChain.doFilter(request, response);
} // return;
// }
// }
} }
} }
} }
System.out.println("userSign为空或查不到用户");
request.setAttribute("message", message); request.setAttribute("message", message);
request.getRequestDispatcher("/WEB-INF/views/errors/401.jsp").forward(request, response);// 跳转到验证错误页面 // 跳转到验证错误页面
request.getRequestDispatcher("/WEB-INF/views/errors/401.jsp").forward(request, response);
} }
@Override @Override
...@@ -151,9 +147,11 @@ public class BasicVerifyFilter implements Filter { ...@@ -151,9 +147,11 @@ public class BasicVerifyFilter implements Filter {
// TODO Auto-generated method stub // TODO Auto-generated method stub
excludedPages = filterConfig.getInitParameter("excludedPages"); excludedPages = filterConfig.getInitParameter("excludedPages");
if (excludedPages != null && excludedPages.length() != 0) { if (excludedPages != null && excludedPages.length() != 0) {
excludedPages = excludedPages.replaceAll("\\s+|^;+|;+$", "");// 替换前后分号及所有空格 // 替换前后分号及所有空格
excludedPages = excludedPages.replaceAll("\\s+|^;+|;+$", "");
if (excludedPages.length() != 0) { if (excludedPages.length() != 0) {
if (excludedPages.equals("*") || excludedPages.equals(".*") || excludedPages.equals(".+")) {// 全部不验证 // 全部不验证
if (excludedPages.equals("*") || excludedPages.equals(".*") || excludedPages.equals(".+")) {
isAllowAllPage = true; isAllowAllPage = true;
} else { } else {
excludedPageArray = excludedPages.split(";"); excludedPageArray = excludedPages.split(";");
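Review bot: In the hunk around `User user = userService.getUserByUserCode(ue);` the new side calls `filterChain.doFilter(request, response); return;` as soon as the user lookup is non-null, while the `GlobalUtil.verifySign(content, GConstants.SIGN_PRIVATE_KEY, sign)` branch there and the blank-`sign` rejection in the earlier hunk are commented out, so the filter no longer checks that `content` was produced by a holder of the signing key; a request is admitted on the strength of a client-supplied `userSign` field parsed from the JSON body alone. If that is the intended design, state it in a comment above the lookup, e.g. `// 仅校验 userSign 对应用户存在；content 的签名校验已停用`; otherwise keep the `verifySign` check after the user lookup instead of commenting it out. The `String sign = request.getParameter("sign");` local in the multipart hunk is now unused on the new side and can be dropped, and the two added `System.out.println` lines (`"userSign:" + userSign` and `"userSign为空或查不到用户"`) write a user identifier to stdout on every request and should go through the project's logger or be removed. doFilter begins and ends outside these hunks.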