Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
N
nouiWithSpringMVC
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
gechengyang
nouiWithSpringMVC
Commits
e32e0dec
Commit
e32e0dec
authored
Oct 02, 2020
by
WeiCong
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
1.通过后端AES数据加密(动态盐)+二次校验,解决数据篡改问题
2.解决用户注销、关闭浏览器后依旧可以访问pdf的缺陷
parent
e58d0f03
Show whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
362 additions
and
90 deletions
+362
-90
NoUiRequest.java
...va/org/sss/presentation/noui/api/request/NoUiRequest.java
+24
-16
AbstractCommonController.java
...resentation/noui/controller/AbstractCommonController.java
+34
-9
LoginController.java
...org/sss/presentation/noui/controller/LoginController.java
+1
-0
ResourceAccessFilter.java
...rg/sss/presentation/noui/filter/ResourceAccessFilter.java
+18
-7
TokenInterceptor.java
.../java/org/sss/presentation/noui/jwt/TokenInterceptor.java
+0
-48
AESUtil.java
src/main/java/org/sss/presentation/noui/util/AESUtil.java
+100
-5
DataSecurityUtil.java
...java/org/sss/presentation/noui/util/DataSecurityUtil.java
+169
-0
StringUtil.java
src/main/java/org/sss/presentation/noui/util/StringUtil.java
+16
-5
No files found.
src/main/java/org/sss/presentation/noui/api/request/NoUiRequest.java
View file @
e32e0dec
package
org
.
sss
.
presentation
.
noui
.
api
.
request
;
import
java.util.HashMap
;
import
java.util.Map
;
import
javax.servlet.http.HttpServletRequest
;
import
org.sss.presentation.noui.common.Constants
;
import
org.sss.presentation.noui.context.NoUiContextManager
;
import
org.sss.presentation.noui.util.StringUtil
;
import
javax.servlet.http.HttpServletRequest
;
import
java.util.HashMap
;
import
java.util.Map
;
public
class
NoUiRequest
{
private
HttpServletRequest
httpRequest
;
...
...
@@ -18,6 +18,7 @@ public class NoUiRequest {
private
Map
<
String
,
?>
paramsMap
=
new
HashMap
<
String
,
Object
>();
private
Map
<
String
,
?>
dataMap
=
new
HashMap
<
String
,
Object
>();
private
Map
<
String
,
?>
saveDisplayMap
=
new
HashMap
<
String
,
Object
>();
private
boolean
isSecurity
=
false
;
public
NoUiRequest
()
{
...
...
@@ -27,14 +28,17 @@ public class NoUiRequest {
String
tokenId
=
request
.
getHeader
(
"token"
);
String
userId
=
request
.
getHeader
(
"userId"
);
String
terminalType
=
request
.
getHeader
(
"terminalType"
);
String
security
=
request
.
getHeader
(
"security"
);
this
.
token
=
tokenId
;
this
.
userId
=
userId
;
this
.
terminalType
=
terminalType
;
this
.
mappingUrl
=
mappingUrl
;
if
(!
StringUtil
.
isEmpty
(
security
)){
this
.
isSecurity
=
true
;
}
if
(
request
.
getRequestURI
().
indexOf
(
NoUiContextManager
.
openSourcePrefix
+
"/"
)
>=
0
)
{
if
(
request
.
getRequestURI
().
indexOf
(
NoUiContextManager
.
openSourcePrefix
+
"/"
)
>=
0
)
{
this
.
openSource
=
true
;
//开放访问路径
}
if
(
requestData
!=
null
)
{
...
...
@@ -50,21 +54,22 @@ public class NoUiRequest {
}
}
public
boolean
isOpenSource
()
{
public
boolean
isOpenSource
()
{
return
this
.
openSource
;
}
public
String
getUserId
()
{
return
userId
;
}
public
String
getMappingUrl
()
{
return
mappingUrl
;
}
public
void
setUserId
(
String
userId
)
{
this
.
userId
=
userId
;
}
public
String
getMappingUrl
()
{
return
mappingUrl
;
}
public
void
setMappingUrl
(
String
mappingUrl
)
{
this
.
mappingUrl
=
mappingUrl
;
}
...
...
@@ -97,14 +102,14 @@ public class NoUiRequest {
return
paramsMap
;
}
public
Map
<
String
,
?>
getDataMap
()
{
return
dataMap
;
}
public
void
setParamsMap
(
Map
<
String
,
?>
paramsMap
)
{
this
.
paramsMap
=
paramsMap
;
}
public
Map
<
String
,
?>
getDataMap
()
{
return
dataMap
;
}
public
void
setDataMap
(
Map
<
String
,
?>
dataMap
)
{
this
.
dataMap
=
dataMap
;
}
...
...
@@ -117,4 +122,7 @@ public class NoUiRequest {
this
.
saveDisplayMap
=
saveDisplayMap
;
}
public
boolean
isSecurity
()
{
return
isSecurity
;
}
}
src/main/java/org/sss/presentation/noui/controller/AbstractCommonController.java
View file @
e32e0dec
...
...
@@ -3,6 +3,7 @@ package org.sss.presentation.noui.controller;
import
log.Log
;
import
log.LogFactory
;
import
org.apache.commons.io.IOUtils
;
import
org.apache.commons.lang.ArrayUtils
;
import
org.apache.commons.lang.StringUtils
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
org.springframework.web.multipart.MultipartFile
;
...
...
@@ -19,7 +20,7 @@ import org.sss.presentation.noui.context.NoUiContext;
import
org.sss.presentation.noui.context.NoUiContextManager
;
import
org.sss.presentation.noui.context.NoUiPresentation
;
import
org.sss.presentation.noui.jwt.RedisLoginInfo
;
import
org.sss.presentation.noui.util.
BizKeySetManager
;
import
org.sss.presentation.noui.util.
DataSecurityUtil
;
import
org.sss.presentation.noui.util.NoUiPresentationUtil
;
import
org.sss.presentation.noui.util.RedisUtil
;
import
org.sss.presentation.noui.util.StringUtil
;
...
...
@@ -52,22 +53,42 @@ public abstract class AbstractCommonController {
NoUiContext
context
=
null
;
Result
ret
=
null
;
String
serverEnc
=
null
;
boolean
bgidflag
=
false
;
try
{
NoUiRequest
noUiRequest
=
new
NoUiRequest
(
request
,
mappingUrl
,
dataMap
);
//数据安全性拦截处理
if
(
noUiRequest
.
isSecurity
()){
Map
<
String
,
?>
paramsMap
=
noUiRequest
.
getParamsMap
();
if
(
paramsMap
.
containsKey
(
DataSecurityUtil
.
CHECK_KEY
)){
//加密操作(场景:用户查询指定信息时调用,后续会做修改,删除等操作)
List
<
String
>
parlst
=
(
List
<
String
>)
paramsMap
.
get
(
DataSecurityUtil
.
CHECK_KEY
);
String
[]
pars
=
parlst
.
toArray
(
new
String
[
0
]);
if
(
ArrayUtils
.
isEmpty
(
pars
)){
Result
rt
=
new
Result
(
ErrorCodes
.
ERROR
,
"调用安全请求方式,但未设置校验数据"
,
null
,
noUiVersion
.
getVersion
());
return
rt
;
}
serverEnc
=
DataSecurityUtil
.
encrypt
(
pars
,
noUiRequest
.
getUserId
());
bgidflag
=
true
;
}
else
{
//合法性校验操作(场景:用户做修改、删除时调用)
serverEnc
=
(
String
)
paramsMap
.
get
(
DataSecurityUtil
.
BACKGROUND_ID
);
String
clientEnc
=
(
String
)
paramsMap
.
get
(
DataSecurityUtil
.
FRONT_ID
);
String
errmsg
=
null
;
if
((
errmsg
=
DataSecurityUtil
.
checkIllegalData
(
serverEnc
,
clientEnc
,
noUiRequest
.
getUserId
()))!=
null
){
Result
rt
=
new
Result
(
ErrorCodes
.
ERROR
,
errmsg
,
null
,
noUiVersion
.
getVersion
());
return
rt
;
}
}
}
Alias
alias
=
new
Alias
(
mappingUrl
);
String
trnName
=
alias
.
getTrnName
();
//判断参数是否合法
Map
<
String
,
?>
paramsMap
=
noUiRequest
.
getParamsMap
();
if
(!
BizKeySetManager
.
validateParasMap
(
eventType
,
trnName
,
paramsMap
))
{
return
ResultUtil
.
result
(
ErrorCodes
.
ILLEGAL_ARGS
,
"不合法的参数"
,
""
,
noUiVersion
.
getVersion
());
}
context
=
NoUiContextManager
.
createNoUiContext
(
noUiRequest
);
// 交易参数赋值
for
(
String
key
:
paramsMap
.
keySet
())
{
context
.
getSession
().
storeData
(
key
,
paramsMap
.
get
(
key
));
}
...
...
@@ -136,9 +157,13 @@ public abstract class AbstractCommonController {
RedisUtil
.
set
(
StringUtil
.
userUniqueId
(
noUiRequest
),
redisLoginInfo
);
}
Map
<
String
,
Object
>
afterReturnData
=
handleReturnData
(
eventType
,
context
,
noUiRequest
,
alias
);
//增加数据安全性代码
if
(
bgidflag
){
afterReturnData
.
put
(
DataSecurityUtil
.
BACKGROUND_ID
,
serverEnc
);
}
ret
=
ResultUtil
.
result
(
NoUiPresentationUtil
.
retCode
(
context
),
NoUiPresentationUtil
.
retMsg
(
context
),
afterReturnData
,
NoUiPresentationUtil
.
handleErrorReturnData
(
context
,
alias
),
NoUiPresentationUtil
.
handleCodeTableReturnData
(
context
,
alias
),
noUiVersion
.
getVersion
());
}
catch
(
Exception
e
)
{
...
...
src/main/java/org/sss/presentation/noui/controller/LoginController.java
View file @
e32e0dec
...
...
@@ -97,6 +97,7 @@ public class LoginController {
NoUiUtils
.
logout
(
userId
,
"*"
);
//清理可能存在的历史缓存
RedisUtil
.
set
(
StringUtil
.
userUniqueId
(
noUiRequest
),
redisLoginInfo
);
RedisUtil
.
set
(
StringUtil
.
getCacheSessionId
(
noUiRequest
.
getUserId
()),
request
.
getSession
().
getId
());
//解决初次登陆,超期限登陆
final
Object
o
=
map
.
get
(
ERROR
);
...
...
src/main/java/org/sss/presentation/noui/filter/ResourceAccessFilter.java
View file @
e32e0dec
...
...
@@ -41,7 +41,7 @@ public class ResourceAccessFilter implements Filter {
if
(!
doPdfsFilter
(
uri
,
pdfres
,
request
,
response
))
{
return
;
}
}
else
if
(
isExcludeRes
(
uri
)
||
request
.
getSession
().
getAttribute
(
"token"
)
==
null
)
{
}
else
if
(
isExcludeRes
(
uri
))
{
response
.
setStatus
(
403
);
forbidden
(
request
,
response
);
}
else
{
...
...
@@ -53,11 +53,19 @@ public class ResourceAccessFilter implements Filter {
}
}
private
boolean
doPdfsFilter
(
String
uri
,
String
pdfres
,
HttpServletRequest
request
,
HttpServletResponse
response
)
throws
Exception
{
if
(
request
.
getSession
().
getAttribute
(
"token"
)
==
null
)
{
log
.
warn
(
"Access Pdfs Forbidden"
);
return
forbiddenPdf
(
request
,
response
);
private
boolean
isNotSameSessionId
(
String
userId
,
HttpServletRequest
request
)
throws
Exception
{
String
realSessionId
=
(
String
)
RedisUtil
.
get
(
StringUtil
.
getCacheSessionId
(
userId
));
String
sessionId
=
request
.
getSession
().
getId
();
if
(
StringUtil
.
isEmpty
(
realSessionId
))
{
return
true
;
}
if
(!
realSessionId
.
equals
(
sessionId
))
{
return
true
;
}
return
false
;
}
private
boolean
doPdfsFilter
(
String
uri
,
String
pdfres
,
HttpServletRequest
request
,
HttpServletResponse
response
)
throws
Exception
{
String
[]
parts
=
uri
.
split
(
"_"
);
if
(
parts
.
length
!=
3
)
{
log
.
warn
(
"Access Pdfs Forbidden"
);
...
...
@@ -71,7 +79,7 @@ public class ResourceAccessFilter implements Filter {
return
forbiddenPdf
(
request
,
response
);
}
else
{
//校验usrid+token+固定值的加密
if
(!
isLegalSec
(
sec
,
uid
,
res
))
{
if
(!
isLegalSec
(
sec
,
uid
,
res
,
request
))
{
log
.
warn
(
"Access Pdfs Forbidden"
);
return
forbiddenPdf
(
request
,
response
);
}
...
...
@@ -81,11 +89,14 @@ public class ResourceAccessFilter implements Filter {
return
false
;
}
private
boolean
isLegalSec
(
String
sec
,
String
uid
,
String
res
)
throws
Exception
{
private
boolean
isLegalSec
(
String
sec
,
String
uid
,
String
res
,
HttpServletRequest
request
)
throws
Exception
{
if
(
res
.
lastIndexOf
(
"/"
)
>
0
)
{
res
=
res
.
substring
(
res
.
lastIndexOf
(
"/"
)
+
1
);
}
String
rawuid
=
new
StringBuilder
(
uid
).
reverse
().
toString
();
if
(
isNotSameSessionId
(
rawuid
,
request
))
{
return
false
;
}
Object
obj
=
RedisUtil
.
get
(
KEY
.
replace
(
"##"
,
rawuid
));
if
(
obj
==
null
)
{
return
false
;
...
...
src/main/java/org/sss/presentation/noui/jwt/TokenInterceptor.java
View file @
e32e0dec
...
...
@@ -17,54 +17,12 @@ import org.sss.presentation.noui.util.StringUtil;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpServletResponse
;
import
java.io.PrintWriter
;
import
java.util.Map
;
import
java.util.concurrent.ConcurrentHashMap
;
public
class
TokenInterceptor
implements
HandlerInterceptor
{
private
static
Map
<
String
,
Integer
>
CounterMap
=
new
ConcurrentHashMap
<>();
//计数map
@Autowired
private
NoUiVersion
noUiVersion
;
public
static
int
compareAndSet
(
String
token
,
int
cnt
,
int
max_curr_cnt
)
{
synchronized
(
CounterMap
)
{
int
count
=
getCount
(
token
);
if
(
count
>=
max_curr_cnt
)
return
-
1
;
count
+=
cnt
;
if
(
count
<=
0
)
CounterMap
.
remove
(
token
);
else
CounterMap
.
put
(
token
,
count
);
return
count
;
}
}
public
static
int
addCount
(
String
token
,
int
cnt
)
{
synchronized
(
CounterMap
)
{
int
count
=
getCount
(
token
);
count
+=
cnt
;
if
(
count
<=
0
)
CounterMap
.
remove
(
token
);
else
CounterMap
.
put
(
token
,
count
);
return
count
;
}
}
public
static
int
getCount
(
String
token
)
{
Integer
count
=
CounterMap
.
get
(
token
);
if
(
count
==
null
)
return
0
;
return
count
;
}
public
void
afterCompletion
(
HttpServletRequest
request
,
HttpServletResponse
response
,
Object
handler
,
Exception
arg3
)
throws
Exception
{
String
token
=
request
.
getHeader
(
"token"
);
if
(!
StringUtil
.
isEmpty
(
token
)
&&
!
token
.
startsWith
(
Constants
.
BACKGROUND_FLAG
)){
addCount
(
token
,
-
1
);
//计算器减1
}
NoUiUtils
.
clearLoginInfo
();
}
...
...
@@ -124,12 +82,6 @@ public class TokenInterceptor implements HandlerInterceptor {
responseMessage
(
response
,
response
.
getWriter
(),
rt
);
return
false
;
}
//超过最大并发数限制
if
(
compareAndSet
(
noUiRequest
.
getToken
(),
1
,
noUiVersion
.
getCurr_max_num
())
<
0
)
{
Result
rt
=
new
Result
(
ErrorCodes
.
GT_MAX_CURR_NUM
,
"超过单个会话并发数"
,
null
,
noUiVersion
.
getVersion
());
responseMessage
(
response
,
response
.
getWriter
(),
rt
);
return
false
;
}
// 重新刷入登陆时间
RedisLoginInfo
nweRedisLoginInfo
=
new
RedisLoginInfo
(
userId
,
token
,
NumericUtil
.
sessionTimeOut
(),
redisLoginInfo
.
getSysmod
(),
noUiRequest
.
getTerminalType
());
RedisUtil
.
set
(
Constants
.
SESSION
+
"."
+
userId
+
"."
+
terminalType
,
nweRedisLoginInfo
);
...
...
src/main/java/org/sss/presentation/noui/util/AESUtil.java
View file @
e32e0dec
package
org
.
sss
.
presentation
.
noui
.
util
;
import
com.auth0.jwt.internal.org.apache.commons.codec.binary.Hex
;
import
log.Log
;
import
log.LogFactory
;
import
sun.misc.BASE64Decoder
;
import
javax.crypto.Cipher
;
import
javax.crypto.spec.IvParameterSpec
;
import
javax.crypto.spec.SecretKeySpec
;
import
java.nio.charset.StandardCharsets
;
import
java.util.Arrays
;
import
java.util.List
;
public
class
AESUtil
{
private
static
final
Log
log
=
LogFactory
.
getLog
(
NoUiUtils
.
class
);
private
final
static
String
password
=
"1qaz@Wsx#eDC"
;
//目前使用
private
final
static
String
IV
=
"#EdcxSW@1qaz3rfv"
;
//目前使用
private
final
static
String
patten
=
"^[0-9]+$"
;
private
static
final
String
KEY_ALGORITHM
=
"AES"
;
private
static
final
String
DEFAULT_CIPHER_ALGORITHM
=
"AES/CBC/PKCS5Padding"
;
//默认的加密算法
public
static
String
decryptAES
(
String
content
,
String
code
)
throws
Exception
{
public
static
String
decryptAES
(
String
content
,
String
code
)
throws
Exception
{
//int len=content.length()-1;
SecretKeySpec
skeySpec
=
new
SecretKeySpec
(
getKey
(
code
).
getBytes
(
StandardCharsets
.
UTF_8
),
"AES"
);
Cipher
cipher
=
Cipher
.
getInstance
(
"AES/CBC/PKCS5Padding"
);
SecretKeySpec
skeySpec
=
new
SecretKeySpec
(
getKey
(
code
).
getBytes
(
StandardCharsets
.
UTF_8
),
KEY_ALGORITHM
);
Cipher
cipher
=
Cipher
.
getInstance
(
DEFAULT_CIPHER_ALGORITHM
);
IvParameterSpec
iv
=
new
IvParameterSpec
(
IV
.
getBytes
());
cipher
.
init
(
Cipher
.
DECRYPT_MODE
,
skeySpec
,
iv
);
/*if(content.substring(len,len+1).matches("^[0-9]+$")){
...
...
@@ -27,7 +35,7 @@ public class AESUtil {
}
}*/
byte
[]
encrypted1
=
new
BASE64Decoder
().
decodeBuffer
(
content
);
// 先用bAES64解密
return
new
String
(
cipher
.
doFinal
(
encrypted1
));
return
new
String
(
cipher
.
doFinal
(
encrypted1
)
,
StandardCharsets
.
UTF_8
);
}
public
static
String
getKey
(
String
code
)
{
...
...
@@ -43,9 +51,96 @@ public class AESUtil {
return
key
;
}
/**
* @param content 待加签串
* @param password 动态密码
* @param iv 动态向量iv
* @return aes加密后的16进制字符串
*/
public
static
String
encrypt
(
String
content
,
String
password
,
String
iv
)
{
if
(
unsatisfied
(
content
,
password
,
iv
))
{
return
null
;
}
try
{
Cipher
cipher
=
Cipher
.
getInstance
(
DEFAULT_CIPHER_ALGORITHM
);
SecretKeySpec
keySpec
=
new
SecretKeySpec
(
password
.
getBytes
(
StandardCharsets
.
UTF_8
),
KEY_ALGORITHM
);
IvParameterSpec
ivParameterSpec
=
new
IvParameterSpec
(
iv
.
getBytes
(
StandardCharsets
.
UTF_8
));
cipher
.
init
(
Cipher
.
ENCRYPT_MODE
,
keySpec
,
ivParameterSpec
);
byte
[]
byteContent
=
content
.
getBytes
(
StandardCharsets
.
UTF_8
);
byte
[]
result
=
cipher
.
doFinal
(
byteContent
);
return
Hex
.
encodeHexString
(
result
);
// return Base64.getEncoder().encodeToString(result);
}
catch
(
Exception
ex
)
{
log
.
warn
(
"对数据进行aes加密异常:"
+
ex
.
getMessage
(),
ex
);
}
return
null
;
}
/**
* @param content 待解签的16进制字符串
* @param password 动态密码
* @param iv 动态向量iv
* @return aes解密后的原始串
*/
public
static
String
decrypt
(
String
content
,
String
password
,
String
iv
)
{
if
(
unsatisfied
(
content
,
password
,
iv
))
{
return
null
;
}
try
{
Cipher
cipher
=
Cipher
.
getInstance
(
DEFAULT_CIPHER_ALGORITHM
);
SecretKeySpec
keySpec
=
new
SecretKeySpec
(
password
.
getBytes
(
StandardCharsets
.
UTF_8
),
KEY_ALGORITHM
);
IvParameterSpec
ivParameterSpec
=
new
IvParameterSpec
(
iv
.
getBytes
(
StandardCharsets
.
UTF_8
));
cipher
.
init
(
Cipher
.
DECRYPT_MODE
,
keySpec
,
ivParameterSpec
);
// byte[] result = cipher.doFinal(Base64.getDecoder().decode(content));
byte
[]
result
=
cipher
.
doFinal
(
Hex
.
decodeHex
(
content
.
toCharArray
()));
return
new
String
(
result
,
StandardCharsets
.
UTF_8
);
}
catch
(
Exception
ex
)
{
log
.
warn
(
"对数据进行aes加密异常:"
+
ex
.
getMessage
(),
ex
);
}
return
null
;
}
private
static
boolean
unsatisfied
(
String
content
,
String
password
,
String
iv
)
{
if
(
StringUtil
.
isEmpty
(
content
))
{
return
true
;
}
if
(
StringUtil
.
isEmpty
(
password
)
||
password
.
length
()
!=
16
)
{
return
true
;
}
if
(
StringUtil
.
isEmpty
(
iv
)
||
iv
.
length
()
!=
16
)
{
return
true
;
}
return
false
;
}
public
static
void
main
(
String
[]
args
)
{
try
{
System
.
out
.
println
(
decryptAES
(
"L2eRe4wOLeyqvUIayLs1NA=="
,
"7d9t"
));
//测登陆密码解密
// System.out.println(decryptAES("L2eRe4wOLeyqvUIayLs1NA==","7d9t"));
//测数据安全性加解密和相关性能
/*long beg=System.currentTimeMillis();
for(int i=0;i<1000;i++){
String enc=encrypt("hello 中国,13232",password+"0000",IV);
System.out.println("encrypt:"+enc);
String dec=decrypt(enc,password+"0000",IV);
System.out.println("decrypt:"+dec);
}
long end=System.currentTimeMillis();
System.out.println(end-beg);*/
//数据安全加解密逻辑验证
String
[]
str
=
new
String
[]{
"hello中国"
,
"13232"
};
List
<
String
>
lst
=
Arrays
.
asList
(
str
);
String
md5
=
String
.
join
(
"`wD4+-@hh"
,
lst
);
System
.
out
.
println
(
"md5前=="
+
md5
);
md5
=
StringUtil
.
encryptMD5
(
md5
);
System
.
out
.
println
(
"md5后=="
+
md5
);
String
enc
=
encrypt
(
md5
,
password
+
"0000"
,
IV
);
System
.
out
.
println
(
"encrypt:"
+
enc
);
String
dec
=
decrypt
(
enc
,
password
+
"0000"
,
IV
);
System
.
out
.
println
(
"decrypt:"
+
dec
);
}
catch
(
Exception
e
)
{
e
.
printStackTrace
();
}
...
...
src/main/java/org/sss/presentation/noui/util/DataSecurityUtil.java
0 → 100644
View file @
e32e0dec
package
org
.
sss
.
presentation
.
noui
.
util
;
import
log.Log
;
import
log.LogFactory
;
import
org.apache.commons.lang.ArrayUtils
;
import
org.sss.presentation.noui.common.Constants
;
import
java.util.Arrays
;
import
java.util.List
;
import
java.util.UUID
;
/**
* 前后端数据安全校验,用来防止前端数据被篡改后送到服务端引起的安全问题
* 使用动态盐机制,每个盐只做一次双向校验后就失效
*/
public
class
DataSecurityUtil
{
public
static
final
String
ENCRYPT_ERROR
=
"encrypt exception"
;
public
static
final
String
DECRYPT_ERROR
=
"decrypt exception"
;
public
static
final
String
FIX_STR
=
"`wD4+-@hh"
;
public
static
final
String
CHECK_KEY
=
"__checkkey__"
;
public
static
final
String
FRONT_ID
=
"__fid__"
;
public
static
final
String
BACKGROUND_ID
=
"__bgid__"
;
public
static
final
String
ERROR_SERVERENC_NULL
=
"[服务端密文串异常],数据存在篡改风险!"
;
public
static
final
String
ERROR_DYNAMICSALT_NULL
=
"[获取的动态盐不存在],可能存在后台暴力破解风险,从而导致数据存在篡改被篡改的风险!"
;
public
static
final
String
ERROR_DYNAMICSALT_EXCEPTION
=
"[获取动态盐异常],可能redis异常,从而导致数据存在篡改被篡改的风险!"
;
public
static
final
String
ERROR_AES_DECODE
=
"[服务端密文串解密失败],数据存在篡改风险!"
;
public
static
final
String
ERROR_NOTMATCH
=
"[服务端密文串解密后的值与客户端密文串不同],数据存在篡改风险!"
;
private
static
final
Log
log
=
LogFactory
.
getLog
(
DataSecurityUtil
.
class
);
/**
* 对不可篡改参数做加签处理
*
* @param pars 待加签参数
* @param userId 用户ID
* @return 参数加签串
*/
public
static
String
encrypt
(
String
[]
pars
,
String
userId
)
{
DynamicSalt
dynamicSalt
=
new
DynamicSalt
();
dynamicSalt
.
init
();
try
{
setDynamicSaltFromRedis
(
dynamicSalt
,
userId
);
}
catch
(
Exception
e
)
{
log
.
warn
(
"设置动态盐失败:"
+
e
.
getMessage
());
return
ENCRYPT_ERROR
;
}
String
content
=
null
;
try
{
content
=
preHandle
(
pars
);
}
catch
(
Exception
e
)
{
log
.
warn
(
"数据md5加密失败:"
+
e
.
getMessage
());
}
content
=
AESUtil
.
encrypt
(
content
,
dynamicSalt
.
pwd
,
dynamicSalt
.
iv
);
return
content
==
null
?
ENCRYPT_ERROR
:
content
;
}
/**
* 判断数据是否篡改
*
* @param serverEnc 服务端产生的密文串
* @param clientEnc 客户端产生的密文串
* @param userId 用户id
* @return 返回错误描述
*/
public
static
String
checkIllegalData
(
String
serverEnc
,
String
clientEnc
,
String
userId
)
{
//1.判断服务端的密文串是否异常
if
(
StringUtil
.
isEmpty
(
serverEnc
)
||
ENCRYPT_ERROR
.
equals
(
serverEnc
)){
log
.
warn
(
ERROR_SERVERENC_NULL
);
return
ERROR_SERVERENC_NULL
;
}
//2.用aes动态盐解密服务端密文串与客户端的密文串比对
DynamicSalt
dynamicSalt
;
try
{
dynamicSalt
=
getDynamicSaltFromRedis
(
userId
);
if
(
dynamicSalt
==
null
){
log
.
warn
(
ERROR_DYNAMICSALT_NULL
);
return
ERROR_DYNAMICSALT_NULL
;
}
}
catch
(
Exception
e
)
{
log
.
warn
(
ERROR_DYNAMICSALT_EXCEPTION
+
e
.
getMessage
());
return
ERROR_DYNAMICSALT_EXCEPTION
;
}
serverEnc
=
decrypt
(
serverEnc
,
dynamicSalt
);
if
(
StringUtil
.
isEmpty
(
serverEnc
)
||
DECRYPT_ERROR
.
equals
(
serverEnc
)){
log
.
warn
(
ERROR_AES_DECODE
);
return
ERROR_AES_DECODE
;
}
if
(!
serverEnc
.
equals
(
clientEnc
)){
log
.
warn
(
ERROR_NOTMATCH
);
return
ERROR_NOTMATCH
;
}
return
null
;
}
/**
* 获取指定用户缓存盐的key
* @param userId 用户ID
* @return 返回指定用户缓存盐的key
*/
public
static
String
getCacheSaltKey
(
String
userId
)
{
String
setKey
=
new
StringBuilder
(
Constants
.
SESSION
).
append
(
"."
).
append
(
userId
).
append
(
".CACHE_SALT"
).
toString
();
return
setKey
;
}
private
static
String
decrypt
(
String
content
,
DynamicSalt
dynamicSalt
)
{
content
=
AESUtil
.
decrypt
(
content
,
dynamicSalt
.
pwd
,
dynamicSalt
.
iv
);
return
content
==
null
?
DECRYPT_ERROR
:
content
;
}
private
static
String
preHandle
(
String
[]
pars
)
throws
Exception
{
if
(
ArrayUtils
.
isEmpty
(
pars
))
{
return
null
;
}
List
<
String
>
lst
=
Arrays
.
asList
(
pars
);
String
md5
=
String
.
join
(
FIX_STR
,
lst
);
md5
=
StringUtil
.
encryptMD5
(
md5
);
return
md5
;
}
private
static
DynamicSalt
getDynamicSaltFromRedis
(
String
userId
)
throws
Exception
{
String
key
=
getCacheSaltKey
(
userId
);
Object
obj
=
RedisUtil
.
get
(
key
);
DynamicSalt
rs
=
parseDynamicSalt
(
obj
);
if
(
rs
!=
null
){
RedisUtil
.
delete
(
key
);
return
rs
;
}
return
null
;
}
private
static
DynamicSalt
parseDynamicSalt
(
Object
raw
){
if
(
raw
instanceof
String
){
String
[]
parts
=
((
String
)
raw
).
split
(
"_"
);
if
(
parts
!=
null
&&
parts
.
length
==
2
){
return
new
DynamicSalt
(
parts
[
0
],
parts
[
1
]);
}
}
else
if
(
raw
instanceof
DynamicSalt
){
return
(
DynamicSalt
)
raw
;
}
return
null
;
}
private
static
void
setDynamicSaltFromRedis
(
DynamicSalt
dynamicSalt
,
String
userId
)
throws
Exception
{
RedisUtil
.
set
(
getCacheSaltKey
(
userId
),
dynamicSalt
.
toString
());
}
static
class
DynamicSalt
{
private
String
iv
;
private
String
pwd
;
public
DynamicSalt
()
{
}
public
DynamicSalt
(
String
iv
,
String
pwd
)
{
this
.
iv
=
iv
;
this
.
pwd
=
pwd
;
}
public
void
init
()
{
String
uuid
=
UUID
.
randomUUID
().
toString
().
replace
(
"-"
,
""
);
iv
=
uuid
.
substring
(
0
,
16
);
pwd
=
uuid
.
substring
(
16
);
}
@Override
public
String
toString
()
{
return
iv
+
"_"
+
pwd
;
}
}
}
src/main/java/org/sss/presentation/noui/util/StringUtil.java
View file @
e32e0dec
...
...
@@ -8,8 +8,9 @@ import java.security.MessageDigest;
public
class
StringUtil
{
public
static
boolean
isEmpty
(
String
str
)
{
if
(
str
==
null
||
str
.
trim
().
equals
(
""
))
if
(
str
==
null
||
str
.
trim
().
equals
(
""
)){
return
true
;
}
return
false
;
}
...
...
@@ -18,13 +19,24 @@ public class StringUtil {
}
/**
* 获取指定用户缓存的sessionid
*
* @param userId 用户ID
* @return 返回指定用户登陆客户端的sessionid
*/
public
static
String
getCacheSessionId
(
String
userId
)
{
String
setKey
=
new
StringBuilder
(
Constants
.
SESSION
).
append
(
"."
).
append
(
userId
).
append
(
".CACHE_SESSION"
).
toString
();
return
setKey
;
}
/**
* MD5加密字符串
*
* @param inStr
* @return
* @throws Exception
*/
public
static
String
encryptMD5
(
String
inStr
)
throws
Exception
{
public
static
String
encryptMD5
(
String
inStr
)
throws
Exception
{
MessageDigest
md5
=
null
;
md5
=
MessageDigest
.
getInstance
(
"MD5"
);
char
[]
charArray
=
inStr
.
toCharArray
();
...
...
@@ -37,8 +49,7 @@ public class StringUtil {
StringBuffer
hexValue
=
new
StringBuffer
();
for
(
int
i
=
0
;
i
<
md5Bytes
.
length
;
i
++)
{
for
(
int
i
=
0
;
i
<
md5Bytes
.
length
;
i
++)
{
int
val
=
((
int
)
md5Bytes
[
i
])
&
0xff
;
if
(
val
<
16
)
hexValue
.
append
(
"0"
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment