Commit a20b6a44 by WeiCong

利用过滤器拦截用户pdf隐私信息暴露

parent abd2f245
......@@ -2,7 +2,6 @@ package org.sss.presentation.noui.filter;
import log.Log;
import log.LogFactory;
import org.apache.commons.lang.ArrayUtils;
import org.sss.presentation.noui.jwt.RedisLoginInfo;
import org.sss.presentation.noui.util.RedisUtil;
import org.sss.presentation.noui.util.StringUtil;
......@@ -11,8 +10,10 @@ import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.InputStream;
public class ResourceAccessFilter implements Filter {
public static final String FORBIDDEN = "forbidden.pdf";
protected static final Log log = LogFactory.getLog(ResourceAccessFilter.class);
private static final String KEY = "session.##.WEB";
private static final String SALT = "1314520@Wc;";
......@@ -20,8 +21,9 @@ public class ResourceAccessFilter implements Filter {
private static final String _HTML_CONTENT = "text/html; charset=UTF-8";
private static final String _403_JSON = "{'code': '403', 'msg': 'Access Forbidden, Unauthorized!'}";
private static final String _403_HTML = "<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1></div></body></html>";
public static String pdfpth;
public static String[] pdfpth;
public static String[] exclude;
public static final String NO_FOUND_PDF="/WEB-INF/classes/forbidden.pdf";
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
......@@ -29,9 +31,10 @@ public class ResourceAccessFilter implements Filter {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
String uri = request.getRequestURI();
if (needPdfsFilter(uri)) {
if (!doPdfsFilter(request, response)) {
chain.doFilter(req, res);
String servletPath = request.getServletPath();
if (needPdfsFilter(servletPath)) {
if (!doPdfsFilter(servletPath, request, response)) {
return;
}
} else if (isExcludeRes(uri)) {
response.setStatus(403);
......@@ -45,20 +48,26 @@ public class ResourceAccessFilter implements Filter {
}
}
private boolean doPdfsFilter(HttpServletRequest request, HttpServletResponse response) throws Exception {
String[] sec = request.getParameterValues("sec");
String[] uid = request.getParameterValues("uid");
String[] res = request.getParameterValues("file");
if (ArrayUtils.isEmpty(sec) || ArrayUtils.isEmpty(uid) || ArrayUtils.isEmpty(res)) {
private boolean doPdfsFilter(String uri, HttpServletRequest request, HttpServletResponse response) throws Exception {
String[] parts = uri.split("_");
if (parts.length != 3) {
log.warn("Access Pdfs Forbidden");
return forbidden403(request, response);
}
String res = parts[0];
String uid = parts[1];
String sec = parts[2];
if (StringUtil.isEmpty(sec) || StringUtil.isEmpty(uid) || StringUtil.isEmpty(res)) {
log.warn("Access Pdfs Forbidden");
return forbiddenPdf(request, response);
} else {
//校验usrid+token+固定值的加密
if (!isLegalSec(sec[0], uid[0], res[0])) {
if (!isLegalSec(sec, uid, res)) {
log.warn("Access Pdfs Forbidden");
return forbidden403(request, response);
return forbiddenPdf(request, response);
}
}
pdfWriter(request.getSession().getServletContext().getResourceAsStream(res), response);
return false;
}
......@@ -86,15 +95,17 @@ public class ResourceAccessFilter implements Filter {
}
private boolean needPdfsFilter(String uri) {
if (pdfpth.equals(uri)) {
return true;
for (String pdf : pdfpth) {
if (uri.startsWith(pdf)) {
return true;
}
}
return false;
}
private boolean isExcludeRes(String uri) {
for(String pth:exclude){
if(uri.startsWith(pth)){
for (String pth : exclude) {
if (uri.startsWith(pth)) {
return true;
}
......@@ -127,9 +138,33 @@ public class ResourceAccessFilter implements Filter {
return false;
}
private boolean forbiddenPdf(HttpServletRequest request, HttpServletResponse response) throws IOException {
pdfWriter(request.getSession().getServletContext().getResourceAsStream(NO_FOUND_PDF), response);
return true;
}
private void pdfWriter(InputStream inputStream, HttpServletResponse response) {
response.reset();
ServletOutputStream out;
try {
out = response.getOutputStream();
int b = 0;
byte[] buffer = new byte[512];
while (b != -1) {
b = inputStream.read(buffer);
out.write(buffer, 0, b);
}
inputStream.close();
out.close();
out.flush();
} catch (IOException e) {
log.warn("Access Pdfs IOException");
}
}
public void init(FilterConfig filterConfig) {
if (filterConfig.getInitParameter("pdfpth") != null) {
pdfpth = filterConfig.getInitParameter("pdfpth");
pdfpth = filterConfig.getInitParameter("pdfpth").split(";");
}
if (!StringUtil.isEmpty(filterConfig.getInitParameter("exclude"))) {
exclude = filterConfig.getInitParameter("exclude").split(";");
......
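Review bot: pdfWriter's copy loop executes `out.write(buffer, 0, b)` one more time after `inputStream.read` returns -1, which throws an IndexOutOfBoundsException rather than an IOException, so it escapes the catch block and leaves both streams open; `out.flush()` after `out.close()` also does nothing. The loop should be `while ((b = inputStream.read(buffer)) != -1)` with both streams in try-with-resources, and `inputStream` needs a null check because `getResourceAsStream` returns null for a missing resource and both callers (doPdfsFilter and forbiddenPdf) pass its result straight through; a rewrite is below. In doFilter, whose body continues outside the hunk, forbiddenPdf returns true, so after the forbidden PDF has been written the filter falls past the if/else chain instead of returning; if the remainder of the method calls chain.doFilter, the already-committed response is handed down the chain, so a `return` on both outcomes is safer. doPdfsFilter hands the path-derived `parts[0]` to getResourceAsStream with only the startsWith prefix check in needPdfsFilter behind it; normalizing that path and re-checking the prefix before opening it would keep the lookup inside the configured directories regardless of how the container normalizes the request path.
```java
private void pdfWriter(InputStream inputStream, HttpServletResponse response) {
    response.reset();
    if (inputStream == null) {
        // getResourceAsStream returns null when the resource is absent
        log.warn("Access Pdfs resource missing");
        return;
    }
    try (InputStream in = inputStream; ServletOutputStream out = response.getOutputStream()) {
        response.setContentType("application/pdf");
        byte[] buffer = new byte[512];
        int b;
        while ((b = in.read(buffer)) != -1) {
            out.write(buffer, 0, b);
        }
        out.flush();
    } catch (IOException e) {
        log.warn("Access Pdfs IOException");
    }
}
```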
......@@ -65,11 +65,11 @@
<filter-class>org.sss.presentation.noui.filter.ResourceAccessFilter</filter-class>
<init-param>
<param-name>pdfpth</param-name>
<param-value>/esfeserver/pdfjs/web/viewer.html</param-value>
<param-value>/data/files;/data/docpdf</param-value>
</init-param>
<init-param>
<param-name>exclude</param-name>
<param-value>/esfeserver/data/docpdf;/esfeserver/data/dsp;/esfeserver/data/bimdata;/esfeserver/data/delete;/esfeserver/data/elcin;/esfeserver/data/elcout;/esfeserver/data/files;/esfeserver/data/trndata;</param-value>
<param-value>/esfeserver/data/bimdata;/esfeserver/data/delete;/esfeserver/data/elcin;/esfeserver/data/elcout;/esfeserver/data/trndata;</param-value>
</init-param>
</filter>
<filter-mapping>
......
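Review bot: The two init-params now follow different path conventions — the pdfpth entries are context-relative (`/data/files`) because the filter matches them against getServletPath, while the exclude entries keep the `/esfeserver` prefix because they are matched against getRequestURI — and nothing in web.xml records this. An XML comment such as `<!-- pdfpth: compared with the servlet path (no context prefix); exclude: compared with the full request URI -->` above the filter element would stop a later edit from mixing the two conventions, which would silently disable the check. Since both lists are prefix-matched, `/data/files` also covers any path that merely begins with that string, which is worth stating in the same comment if sibling directories with a shared prefix exist.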