Commit dffafa30 by WeiCong

增加对报文资源浏览防越权的安全优化

parent e47c9cad
......@@ -28,6 +28,7 @@ public class ResourceAccessFilter implements Filter {
private static final String _403_JSON = "{\"code\": \"403\", \"msg\": \"Access Forbidden, Unauthorized!\"}";
private static final String _403_HTML = "<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1></div></body></html>";
private static final String DSPPTH = "/data/dsp/";
private static final String MSGPTH = "/infsmh/recpan_show";
public static String[] pdfpth;
public static String[] exclude;
......@@ -48,6 +49,11 @@ public class ResourceAccessFilter implements Filter {
}
} else if (uri.contains(DSPPTH)) {
doDspFilter(uri, request, response);
} else if (uri.contains(MSGPTH)) {
if (doMsgFilter(request, response)) {
chain.doFilter(req, res);
}
} else if (isExcludeRes(uri)) {
response.setStatus(403);
forbidden(request, response);
......@@ -60,6 +66,25 @@ public class ResourceAccessFilter implements Filter {
}
}
private boolean doMsgFilter(HttpServletRequest request, HttpServletResponse response) throws Exception {
String res = request.getHeader("res");
String uid = request.getHeader("userId");
String sec = request.getHeader("sec");
if (StringUtil.isEmpty(sec) || StringUtil.isEmpty(uid) || StringUtil.isEmpty(res)) {
log.warn("Access Msg Forbidden,sec_uid_res may null");
forbidden(request, response);
return false;
} else {
//校验usrid+token+固定值的加密
if (!isLegalSecForMsg(sec, uid, res, request)) {
log.warn("Access Msg Forbidden,LegalSec");
forbidden(request, response);
return false;
}
}
return true;
}
private void doDspFilter(String uri, HttpServletRequest request, HttpServletResponse response) throws Exception {
String[] parts = uri.split("_");
if (parts.length != 3) {
......@@ -143,6 +168,30 @@ public class ResourceAccessFilter implements Filter {
}
}
private boolean isLegalSecForMsg(String sec, String rawuid, String res, HttpServletRequest request) throws Exception {
if (isNotSameSessionId(rawuid, request)) {
return false;
}
Object obj = RedisUtil.get(KEY.replace("##", rawuid));
if (obj == null) {
log.warn(KEY.replace("##", rawuid) + "get logininfo is null");
return false;
}
RedisLoginInfo redisLoginInfo = (RedisLoginInfo) obj;
StringBuilder raw = new StringBuilder();
raw.append(redisLoginInfo.getToken());
raw.append(SALT);
raw.append(rawuid);
raw.append(SALT);
raw.append(res);
String rawsec = StringUtil.encryptMD5(raw.toString());
if (!rawsec.equals(sec)) {
log.warn("rawsec is:" + rawsec + ",sec is:" + sec);
return false;
}
return true;
}
private boolean isLegalSec(String sec, String uid, String res, HttpServletRequest request) throws Exception {
if (res.lastIndexOf("/") > 0) {
res = res.substring(res.lastIndexOf("/") + 1);
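Review bot: The mismatch branch of isLegalSecForMsg logs the server-side expected value, `log.warn("rawsec is:" + rawsec + ",sec is:" + sec);`, which writes a valid signature for that userId/res pair into the log file, so log access becomes equivalent to holding the credential; log only the outcome, e.g. `log.warn("sec mismatch for uid=" + rawuid + ", res=" + res);`. The comparison on the line before it should be constant-time rather than `String.equals`: `if (!MessageDigest.isEqual(rawsec.getBytes(StandardCharsets.UTF_8), sec.getBytes(StandardCharsets.UTF_8)))`. The value being compared is MD5 over token + SALT + uid + SALT + res, a secret-prefix hash rather than a MAC; if the encoding must stay for client compatibility, say so in a comment on the `encryptMD5` line, otherwise `javax.crypto.Mac` with HmacSHA256 keyed by the token is the standard replacement. In doMsgFilter (the third hunk) `res` is read from a client-supplied header and, as far as these hunks show, is only folded into the signature and never compared with the resource the request actually names, so the check proves possession of the session token but not entitlement to that particular resource unless the downstream handler performs that comparison — worth confirming. The isExcludeRes branch calls `response.setStatus(403)` before `forbidden(request, response)` while the new doMsgFilter does not; if `forbidden` does not set the status itself, the rejected request is answered with the default status and the 403 body.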