增加对报文资源浏览放越权得安全优化

dffafa30 · WeiCong · e47c9cad · dffafa30
Commit dffafa30 authored Oct 27, 2020 by WeiCong
Hide whitespace changes
Inline Side-by-side

Showing with 49 additions and 0 deletions

ResourceAccessFilter.java ...rg/sss/presentation/noui/filter/ResourceAccessFilter.java +49 -0

No files found.
--- a/src/main/java/org/sss/presentation/noui/filter/ResourceAccessFilter.java
+++ b/src/main/java/org/sss/presentation/noui/filter/ResourceAccessFilter.java
@@ -28,6 +28,7 @@ public class ResourceAccessFilter implements Filter {
    private static final String _403_JSON = "{\"code\": \"403\", \"msg\": \"Access Forbidden, Unauthorized!\"}";
    private static final String _403_HTML = "<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1></div></body></html>";
    private static final String DSPPTH = "/data/dsp/";
+    private static final String MSGPTH = "/infsmh/recpan_show";
    public static String[] pdfpth;
    public static String[] exclude;

@@ -48,6 +49,11 @@ public class ResourceAccessFilter implements Filter {
                }
            } else if (uri.contains(DSPPTH)) {
                doDspFilter(uri, request, response);
+            } else if (uri.contains(MSGPTH)) {
+                if (doMsgFilter(request, response)) {
+                    chain.doFilter(req, res);
+                }
+
            } else if (isExcludeRes(uri)) {
                response.setStatus(403);
                forbidden(request, response);
@@ -60,6 +66,25 @@ public class ResourceAccessFilter implements Filter {
        }
    }

+    private boolean doMsgFilter(HttpServletRequest request, HttpServletResponse response) throws Exception {
+        String res = request.getHeader("res");
+        String uid = request.getHeader("userId");
+        String sec = request.getHeader("sec");
+        if (StringUtil.isEmpty(sec) || StringUtil.isEmpty(uid) || StringUtil.isEmpty(res)) {
+            log.warn("Access Msg Forbidden,sec_uid_res may null");
+            forbidden(request, response);
+            return false;
+        } else {
+            //校验usrid+token+固定值的加密
+            if (!isLegalSecForMsg(sec, uid, res, request)) {
+                log.warn("Access Msg Forbidden,LegalSec");
+                forbidden(request, response);
+                return false;
+            }
+        }
+        return true;
+    }
+
    private void doDspFilter(String uri, HttpServletRequest request, HttpServletResponse response) throws Exception {
        String[] parts = uri.split("_");
        if (parts.length != 3) {
@@ -143,6 +168,30 @@ public class ResourceAccessFilter implements Filter {
        }
    }

+    private boolean isLegalSecForMsg(String sec, String rawuid, String res, HttpServletRequest request) throws Exception {
+        if (isNotSameSessionId(rawuid, request)) {
+            return false;
+        }
+        Object obj = RedisUtil.get(KEY.replace("##", rawuid));
+        if (obj == null) {
+            log.warn(KEY.replace("##", rawuid) + "get logininfo is null");
+            return false;
+        }
+        RedisLoginInfo redisLoginInfo = (RedisLoginInfo) obj;
+        StringBuilder raw = new StringBuilder();
+        raw.append(redisLoginInfo.getToken());
+        raw.append(SALT);
+        raw.append(rawuid);
+        raw.append(SALT);
+        raw.append(res);
+        String rawsec = StringUtil.encryptMD5(raw.toString());
+        if (!rawsec.equals(sec)) {
+            log.warn("rawsec is:" + rawsec + ",sec is:" + sec);
+            return false;
+        }
+        return true;
+    }
+
    private boolean isLegalSec(String sec, String uid, String res, HttpServletRequest request) throws Exception {
        if (res.lastIndexOf("/") > 0) {
            res = res.substring(res.lastIndexOf("/") + 1);