利用过滤器拦截用户pdf隐私信息暴露

a20b6a44 · WeiCong · abd2f245 · a20b6a44 · a20b6a44
Commit a20b6a44 authored Sep 23, 2020 by WeiCong
Show whitespace changes
Inline Side-by-side

Showing with 53 additions and 18 deletions

ResourceAccessFilter.java ...rg/sss/presentation/noui/filter/ResourceAccessFilter.java +51 -16

web.xml src/main/webapp/WEB-INF/web.xml +2 -2

No files found.
--- a/src/main/java/org/sss/presentation/noui/filter/ResourceAccessFilter.java
+++ b/src/main/java/org/sss/presentation/noui/filter/ResourceAccessFilter.java
@@ -2,7 +2,6 @@ package org.sss.presentation.noui.filter;
 import log.Log;
 import log.LogFactory;
-import org.apache.commons.lang.ArrayUtils;
 import org.sss.presentation.noui.jwt.RedisLoginInfo;
 import org.sss.presentation.noui.util.RedisUtil;
 import org.sss.presentation.noui.util.StringUtil;
@@ -11,8 +10,10 @@ import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.io.InputStream;
 public class ResourceAccessFilter implements Filter {
+    public static final String FORBIDDEN = "forbidden.pdf";
    protected static final Log log = LogFactory.getLog(ResourceAccessFilter.class);
    private static final String KEY = "session.##.WEB";
    private static final String SALT = "1314520@Wc;";
@@ -20,8 +21,9 @@ public class ResourceAccessFilter implements Filter {
    private static final String _HTML_CONTENT = "text/html; charset=UTF-8";
    private static final String _403_JSON = "{'code': '403', 'msg': 'Access Forbidden, Unauthorized!'}";
    private static final String _403_HTML = "<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1></div></body></html>";
-    public static String pdfpth;
+    public static String[] pdfpth;
    public static String[] exclude;
+    public static final String NO_FOUND_PDF="/WEB-INF/classes/forbidden.pdf";
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
@@ -29,9 +31,10 @@ public class ResourceAccessFilter implements Filter {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            String uri = request.getRequestURI();
-            if (needPdfsFilter(uri)) {
+            String servletPath = request.getServletPath();
-                if (!doPdfsFilter(request, response)) {
+            if (needPdfsFilter(servletPath)) {
-                    chain.doFilter(req, res);
+                if (!doPdfsFilter(servletPath, request, response)) {
+                    return;
                }
            } else if (isExcludeRes(uri)) {
                response.setStatus(403);
@@ -45,20 +48,26 @@ public class ResourceAccessFilter implements Filter {
        }
    }
-    private boolean doPdfsFilter(HttpServletRequest request, HttpServletResponse response) throws Exception {
+    private boolean doPdfsFilter(String uri, HttpServletRequest request, HttpServletResponse response) throws Exception {
-        String[] sec = request.getParameterValues("sec");
+        String[] parts = uri.split("_");
-        String[] uid = request.getParameterValues("uid");
+        if (parts.length != 3) {
-        String[] res = request.getParameterValues("file");
-        if (ArrayUtils.isEmpty(sec) || ArrayUtils.isEmpty(uid) || ArrayUtils.isEmpty(res)) {
            log.warn("Access Pdfs Forbidden");
            return forbidden403(request, response);
+        }
+        String res = parts[0];
+        String uid = parts[1];
+        String sec = parts[2];
+        if (StringUtil.isEmpty(sec) || StringUtil.isEmpty(uid) || StringUtil.isEmpty(res)) {
+            log.warn("Access Pdfs Forbidden");
+            return forbiddenPdf(request, response);
        } else {
            //校验usrid+token+固定值的加密
-            if (!isLegalSec(sec[0], uid[0], res[0])) {
+            if (!isLegalSec(sec, uid, res)) {
                log.warn("Access Pdfs Forbidden");
-                return forbidden403(request, response);
+                return forbiddenPdf(request, response);
            }
        }
+        pdfWriter(request.getSession().getServletContext().getResourceAsStream(res), response);
        return false;
    }
@@ -86,15 +95,17 @@ public class ResourceAccessFilter implements Filter {
    }
    private boolean needPdfsFilter(String uri) {
-        if (pdfpth.equals(uri)) {
+        for (String pdf : pdfpth) {
+            if (uri.startsWith(pdf)) {
                return true;
            }
+        }
        return false;
    }
    private boolean isExcludeRes(String uri) {
-        for(String pth:exclude){
+        for (String pth : exclude) {
-            if(uri.startsWith(pth)){
+            if (uri.startsWith(pth)) {
                return true;
            }
@@ -127,9 +138,33 @@ public class ResourceAccessFilter implements Filter {
        return false;
    }
+    private boolean forbiddenPdf(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        pdfWriter(request.getSession().getServletContext().getResourceAsStream(NO_FOUND_PDF), response);
+        return true;
+    }
+    private void pdfWriter(InputStream inputStream, HttpServletResponse response) {
+        response.reset();
+        ServletOutputStream out;
+        try {
+            out = response.getOutputStream();
+            int b = 0;
+            byte[] buffer = new byte[512];
+            while (b != -1) {
+                b = inputStream.read(buffer);
+                out.write(buffer, 0, b);
+            }
+            inputStream.close();
+            out.close();
+            out.flush();
+        } catch (IOException e) {
+            log.warn("Access Pdfs IOException");
+        }
+    }
    public void init(FilterConfig filterConfig) {
        if (filterConfig.getInitParameter("pdfpth") != null) {
-            pdfpth = filterConfig.getInitParameter("pdfpth");
+            pdfpth = filterConfig.getInitParameter("pdfpth").split(";");
        }
        if (!StringUtil.isEmpty(filterConfig.getInitParameter("exclude"))) {
            exclude = filterConfig.getInitParameter("exclude").split(";");

--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -65,11 +65,11 @@
 		<filter-class>org.sss.presentation.noui.filter.ResourceAccessFilter</filter-class>
 		<init-param>
 			<param-name>pdfpth</param-name>
-			<param-value>/esfeserver/pdfjs/web/viewer.html</param-value>
+			<param-value>/data/files;/data/docpdf</param-value>
 		</init-param>
 		<init-param>
 			<param-name>exclude</param-name>
-			<param-value>/esfeserver/data/docpdf;/esfeserver/data/dsp;/esfeserver/data/bimdata;/esfeserver/data/delete;/esfeserver/data/elcin;/esfeserver/data/elcout;/esfeserver/data/files;/esfeserver/data/trndata;</param-value>
+			<param-value>/esfeserver/data/bimdata;/esfeserver/data/delete;/esfeserver/data/elcin;/esfeserver/data/elcout;/esfeserver/data/trndata;</param-value>
 		</init-param>
 	</filter>
 	<filter-mapping>