安全框架不再对经办夹查询部分做安全防护

95150ec6 · WeiCong · e0c86083 · 95150ec6 · 95150ec6 · 95150ec6
Commit 95150ec6 authored Oct 09, 2020 by WeiCong
3 changed files
--- a/src/main/java/org/sss/presentation/noui/controller/AbstractCommonController.java
+++ b/src/main/java/org/sss/presentation/noui/controller/AbstractCommonController.java
@@ -92,6 +92,7 @@ public abstract class AbstractCommonController {
                if (DataSecurityUtil.needDecrypt(noUiRequest.getReqUrl())) {
                    String[] clientpars = DataSecurityUtil.getSafeConfigByReqUrl(context,noUiRequest, noUiRequest.getReqUrl() + DataSecurityUtil.DECRYPT_FIX);
                    if(!ArrayUtils.isEmpty(clientpars)){
+                        if(!DataSecurityUtil.isIgnoreCheck(paramsMap)){
                            if (paramsMap.containsKey(DataSecurityUtil.BACKGROUND_ID)) {
                                //合法性校验操作(场景:用户做修改、删除时调用)
                                serverEnc = (String) paramsMap.get(DataSecurityUtil.BACKGROUND_ID);
@@ -107,6 +108,7 @@ public abstract class AbstractCommonController {
                        }
                    }
                }
+            }
            if (eventType.equals(ON_CLICK)) {
                IBaseObject dataField = baseObject(context, noUiRequest, alias);

--- a/src/main/java/org/sss/presentation/noui/util/DataSecurityUtil.java
+++ b/src/main/java/org/sss/presentation/noui/util/DataSecurityUtil.java
@@ -19,7 +19,8 @@ import java.util.*;
 * 使用动态盐机制，每个盐只做一次双向校验后就失效
 */
 public class DataSecurityUtil {
-    public static final String DEFAULT_CHECK = "selinr";
+    private static final String[] DEFAULT_CHECK = {"selinr","didinr"};
+    private static final String[] DEFAULT_IGNOR_CHECK = {"sptinr"};
    public static final String ENCRYPT_FIX = "_encode";
    public static final String DECRYPT_FIX = "_decode";
    public static final String ENCRYPT_ERROR = "encrypt exception";
@@ -84,6 +85,17 @@ public class DataSecurityUtil {
        return securityConfig.containsKey(reqUrl + DECRYPT_FIX);
    }
+    public static boolean isIgnoreCheck(Map<String, ?> paramsMap){
+        for(String ig:DEFAULT_IGNOR_CHECK){
+            if(paramsMap.containsKey(ig)){
+                String iginr=paramsMap.get(ig).toString();
+                if(!StringUtil.isEmpty(iginr)){
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
    /**
     * 获取指定交易的安全配置
     *
@@ -116,8 +128,10 @@ public class DataSecurityUtil {
                            Object valobj=dataField.getValue();
                            String val=null;
                            if(valobj==null){
-                                if(noUiRequest.getParamsMap().containsKey(DEFAULT_CHECK)){
+                                for(String ck:DEFAULT_CHECK){
-                                    val=noUiRequest.getParamsMap().get(DEFAULT_CHECK).toString();
+                                    if(noUiRequest.getParamsMap().containsKey(ck)){
+                                        val=noUiRequest.getParamsMap().get(ck).toString();
+                                    }
                                }
                            }else{
                                val= valobj.toString();

--- a/src/main/resources/security.properties
+++ b/src/main/resources/security.properties
@@ -153,7 +153,7 @@ switch=ON
 /trnrel/reprow_decode=\\trn\\inr
 #经办夹
-/sptsel/sel_encode=\\sptp\\lst[]\\objinr
+#/sptsel/sel_encode=\\sptp\\lst[]\\objinr