Commit 9c731c0d by WeiCong

资源访问过滤优化

parent d9340b71
...@@ -13,88 +13,102 @@ import javax.servlet.http.HttpServletResponse; ...@@ -13,88 +13,102 @@ import javax.servlet.http.HttpServletResponse;
import java.io.IOException; import java.io.IOException;
public class ResourceAccessFilter implements Filter { public class ResourceAccessFilter implements Filter {
public static String pdfpth;
protected static final Log log = LogFactory.getLog(ResourceAccessFilter.class); protected static final Log log = LogFactory.getLog(ResourceAccessFilter.class);
private static final String KEY = "session.##.WEB"; private static final String KEY = "session.##.WEB";
private static final String SALT="1314520@Wc;"; private static final String SALT = "1314520@Wc;";
private static final String _JSON_CONTENT = "application/json; charset=UTF-8"; private static final String _JSON_CONTENT = "application/json; charset=UTF-8";
private static final String _HTML_CONTENT = "text/html; charset=UTF-8"; private static final String _HTML_CONTENT = "text/html; charset=UTF-8";
private static final String _403_JSON = "{'code': '403', 'msg': 'Access Forbidden, Unauthorized!'}"; private static final String _403_JSON = "{'code': '403', 'msg': 'Access Forbidden, Unauthorized!'}";
private static final String _403_HTML = "<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1><hr><span>@lichmama</span></div></body></html>"; private static final String _403_HTML = "<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1></div></body></html>";
public static String pdfpth;
public static String[] exclude;
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException { throws IOException, ServletException {
try{ try {
HttpServletRequest request=(HttpServletRequest) req; HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response=(HttpServletResponse) res; HttpServletResponse response = (HttpServletResponse) res;
String uri=request.getRequestURI(); String uri = request.getRequestURI();
if(needPdfsFilter(uri)){ if (needPdfsFilter(uri)) {
if(!doPdfsFilter(request,response)){ if (!doPdfsFilter(request, response)) {
chain.doFilter(req, res); chain.doFilter(req, res);
} }
}else{ } else if (isExcludeRes(uri)) {
response.setStatus(403);
forbidden(request, response);
} else {
chain.doFilter(req, res); chain.doFilter(req, res);
} }
}catch (Throwable b){ } catch (Throwable b) {
log.warn("资源访问过滤器执行异常:"+b.getMessage()); log.warn("资源访问过滤器执行异常:" + b.getMessage());
chain.doFilter(req, res); chain.doFilter(req, res);
} }
} }
private boolean doPdfsFilter(HttpServletRequest request,HttpServletResponse response) throws Exception { private boolean doPdfsFilter(HttpServletRequest request, HttpServletResponse response) throws Exception {
String[] sec=request.getParameterValues("sec"); String[] sec = request.getParameterValues("sec");
String[] uid=request.getParameterValues("uid"); String[] uid = request.getParameterValues("uid");
String[] res=request.getParameterValues("file"); String[] res = request.getParameterValues("file");
if(ArrayUtils.isEmpty(sec) || ArrayUtils.isEmpty(uid) || ArrayUtils.isEmpty(res)){ if (ArrayUtils.isEmpty(sec) || ArrayUtils.isEmpty(uid) || ArrayUtils.isEmpty(res)) {
log.warn("Access Pdfs Forbidden"); log.warn("Access Pdfs Forbidden");
return forbidden403(request,response); return forbidden403(request, response);
}else{ } else {
//校验usrid+token+固定值的加密 //校验usrid+token+固定值的加密
if(!isLegalSec(sec[0],uid[0],res[0])){ if (!isLegalSec(sec[0], uid[0], res[0])) {
log.warn("Access Pdfs Forbidden"); log.warn("Access Pdfs Forbidden");
return forbidden403(request,response); return forbidden403(request, response);
} }
} }
return false; return false;
} }
private boolean isLegalSec(String sec, String uid, String res) throws Exception { private boolean isLegalSec(String sec, String uid, String res) throws Exception {
if(res.lastIndexOf("/")>0){ if (res.lastIndexOf("/") > 0) {
res=res.substring(res.lastIndexOf("/")+1); res = res.substring(res.lastIndexOf("/") + 1);
} }
String rawuid=new StringBuilder(uid).reverse().toString(); String rawuid = new StringBuilder(uid).reverse().toString();
Object obj = RedisUtil.get(KEY.replace("##",rawuid)); Object obj = RedisUtil.get(KEY.replace("##", rawuid));
if (obj == null){ if (obj == null) {
return false; return false;
} }
RedisLoginInfo redisLoginInfo= (RedisLoginInfo) obj; RedisLoginInfo redisLoginInfo = (RedisLoginInfo) obj;
StringBuilder raw=new StringBuilder(); StringBuilder raw = new StringBuilder();
raw.append(redisLoginInfo.getToken()); raw.append(redisLoginInfo.getToken());
raw.append(SALT); raw.append(SALT);
raw.append(rawuid); raw.append(rawuid);
raw.append(SALT); raw.append(SALT);
raw.append(res); raw.append(res);
String rawsec= StringUtil.encryptMD5(raw.toString()); String rawsec = StringUtil.encryptMD5(raw.toString());
if(!rawsec.equals(sec)){ if (!rawsec.equals(sec)) {
return false; return false;
} }
return true; return true;
} }
private boolean needPdfsFilter(String uri){ private boolean needPdfsFilter(String uri) {
if(pdfpth.equals(uri)){ if (pdfpth.equals(uri)) {
return true; return true;
} }
return false; return false;
} }
private boolean forbidden403(HttpServletRequest request,HttpServletResponse response) throws IOException, ServletException{ private boolean isExcludeRes(String uri) {
for(String pth:exclude){
if(uri.startsWith(pth)){
return true;
}
}
return false;
}
private boolean forbidden403(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
response.setStatus(403); response.setStatus(403);
forbidden(request,response); forbidden(request, response);
return true; return true;
} }
private void forbidden(HttpServletRequest request,HttpServletResponse response) throws IOException, ServletException{ private void forbidden(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
if (isAjaxRequest(request)) { if (isAjaxRequest(request)) {
response.setContentType(_JSON_CONTENT); response.setContentType(_JSON_CONTENT);
response.getWriter().print(_403_JSON); response.getWriter().print(_403_JSON);
...@@ -114,11 +128,14 @@ public class ResourceAccessFilter implements Filter { ...@@ -114,11 +128,14 @@ public class ResourceAccessFilter implements Filter {
} }
public void init(FilterConfig filterConfig) { public void init(FilterConfig filterConfig) {
if(filterConfig.getInitParameter("pdfpth")!=null){ if (filterConfig.getInitParameter("pdfpth") != null) {
pdfpth=filterConfig.getInitParameter("pdfpth"); pdfpth = filterConfig.getInitParameter("pdfpth");
}
if (!StringUtil.isEmpty(filterConfig.getInitParameter("exclude"))) {
exclude = filterConfig.getInitParameter("exclude").split(";");
} }
} }
public void destroy() {} public void destroy() {
}
} }
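Review bot: `isExcludeRes` iterates `exclude` without a null check, and `exclude` is only assigned in `init` when the `exclude` init-param is non-empty, so with the parameter absent the new `else if (isExcludeRes(uri))` branch throws a NullPointerException that the enclosing `catch (Throwable b)` turns into `chain.doFilter(req, res)` — the filter fails open and serves the resource. Initialize the field so an empty configuration denies nothing without throwing, `public static String[] exclude = new String[0];`, or open the loop with `if (exclude == null) return false;`. `split(";")` keeps interior empty segments and `uri.startsWith("")` is true for every request, so a doubled separator in the parameter would block the whole application; trimming each entry and dropping blank ones in `init` avoids that. The prefix is also compared against the raw `getRequestURI()`, which the container does not decode and may not normalize, so the denylist should be matched against a canonical form of the path or expressed as a container security-constraint rather than a string prefix. The duplicated `response.setStatus(403); forbidden(request, response);` in `doFilter` can simply call the existing `forbidden403(request, response)`.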
...@@ -67,6 +67,10 @@ ...@@ -67,6 +67,10 @@
<param-name>pdfpth</param-name> <param-name>pdfpth</param-name>
<param-value>/esfeserver/pdfjs/web/viewer.html</param-value> <param-value>/esfeserver/pdfjs/web/viewer.html</param-value>
</init-param> </init-param>
<init-param>
<param-name>exclude</param-name>
<param-value>/esfeserver/data/docpdf;/esfeserver/data/dsp;/esfeserver/data/bimdata;/esfeserver/data/delete;/esfeserver/data/elcin;/esfeserver/data/elcout;/esfeserver/data/files;/esfeserver/data/trndata;</param-value>
</init-param>
</filter> </filter>
<filter-mapping> <filter-mapping>
<filter-name>resaccess</filter-name> <filter-name>resaccess</filter-name>
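Review bot: The `exclude` value enumerates eight specific directories under `/esfeserver/data/`, so any directory added there later is served by default until someone remembers to extend this list; if nothing under `/esfeserver/data/` is meant to be fetched directly, a single entry `/esfeserver/data/` is the fail-safe form. The trailing `;` is harmless because `String.split` drops trailing empty strings, but an interior doubled `;` would yield an empty prefix that matches every URI, so the value must be kept free of blank segments.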