Commit e58d0f03 by WeiCong

调整用户token和session绑定

修复页面关闭后资源依然可以访问的漏洞
parent 42525f86
...@@ -156,7 +156,7 @@ public class LoginController { ...@@ -156,7 +156,7 @@ public class LoginController {
public Object logout(HttpServletRequest request, HttpSession session) { public Object logout(HttpServletRequest request, HttpSession session) {
try { try {
request.getSession().removeAttribute("toekn"); request.getSession().removeAttribute("token");
NoUiRequest noUiRequest = new NoUiRequest(request, "", null); NoUiRequest noUiRequest = new NoUiRequest(request, "", null);
NoUiUtils.logout(noUiRequest.getUserId(),"*"); //清理可能存在的历史缓存 NoUiUtils.logout(noUiRequest.getUserId(),"*"); //清理可能存在的历史缓存
return ResultUtil.result(ErrorCodes.SUCCESS,"退出成功",null); return ResultUtil.result(ErrorCodes.SUCCESS,"退出成功",null);
......
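Review bot: logout only removes the `token` attribute (now under the corrected key on the removeAttribute line) but never invalidates the HTTP session, so the session object and its id stay live after logout and any other attribute stored on it survives; the injected `session` parameter is also unused in favour of `request.getSession()`, which creates a fresh session when none exists. Ending the session server-side closes that gap: `HttpSession s = request.getSession(false); if (s != null) { s.invalidate(); }` after the NoUiUtils.logout call, with the removeAttribute line then becoming redundant. The logout body continues outside the hunk.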
...@@ -15,6 +15,7 @@ import java.io.InputStream; ...@@ -15,6 +15,7 @@ import java.io.InputStream;
public class ResourceAccessFilter implements Filter { public class ResourceAccessFilter implements Filter {
public static final String FORBIDDEN = "forbidden.pdf"; public static final String FORBIDDEN = "forbidden.pdf";
public static final String NO_FOUND_PDF = "/WEB-INF/classes/forbidden.pdf";
protected static final Log log = LogFactory.getLog(ResourceAccessFilter.class); protected static final Log log = LogFactory.getLog(ResourceAccessFilter.class);
private static final String KEY = "session.##.WEB"; private static final String KEY = "session.##.WEB";
private static final String SALT = "1314520@Wc;"; private static final String SALT = "1314520@Wc;";
...@@ -24,26 +25,23 @@ public class ResourceAccessFilter implements Filter { ...@@ -24,26 +25,23 @@ public class ResourceAccessFilter implements Filter {
private static final String _403_HTML = "<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1></div></body></html>"; private static final String _403_HTML = "<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1></div></body></html>";
public static String[] pdfpth; public static String[] pdfpth;
public static String[] exclude; public static String[] exclude;
public static final String NO_FOUND_PDF="/WEB-INF/classes/forbidden.pdf";
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException { throws IOException, ServletException {
try { try {
HttpServletRequest request = (HttpServletRequest) req; HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res; HttpServletResponse response = (HttpServletResponse) res;
if(request.getSession().getAttribute("token")== null) String uri = request.getRequestURI();
{ if (uri.contains("/login") || uri.contains("/getUserByDn")) {
response.setStatus(403); chain.doFilter(req, res);
forbidden(request, response);
return; return;
} }
String uri = request.getRequestURI();
String pdfres; String pdfres;
if ((pdfres=needPdfsFilter(uri))!=null) { if ((pdfres = needPdfsFilter(uri)) != null) {
if (!doPdfsFilter(uri,pdfres, request, response)) { if (!doPdfsFilter(uri, pdfres, request, response)) {
return; return;
} }
} else if (isExcludeRes(uri)) { } else if (isExcludeRes(uri) || request.getSession().getAttribute("token") == null) {
response.setStatus(403); response.setStatus(403);
forbidden(request, response); forbidden(request, response);
} else { } else {
...@@ -55,7 +53,11 @@ public class ResourceAccessFilter implements Filter { ...@@ -55,7 +53,11 @@ public class ResourceAccessFilter implements Filter {
} }
} }
private boolean doPdfsFilter(String uri,String pdfres, HttpServletRequest request, HttpServletResponse response) throws Exception { private boolean doPdfsFilter(String uri, String pdfres, HttpServletRequest request, HttpServletResponse response) throws Exception {
if (request.getSession().getAttribute("token") == null) {
log.warn("Access Pdfs Forbidden");
return forbiddenPdf(request, response);
}
String[] parts = uri.split("_"); String[] parts = uri.split("_");
if (parts.length != 3) { if (parts.length != 3) {
log.warn("Access Pdfs Forbidden"); log.warn("Access Pdfs Forbidden");
...@@ -74,7 +76,7 @@ public class ResourceAccessFilter implements Filter { ...@@ -74,7 +76,7 @@ public class ResourceAccessFilter implements Filter {
return forbiddenPdf(request, response); return forbiddenPdf(request, response);
} }
} }
res=res.substring(res.indexOf(pdfres),res.length()); res = res.substring(res.indexOf(pdfres), res.length());
pdfWriter(request.getSession().getServletContext().getResourceAsStream(res), response); pdfWriter(request.getSession().getServletContext().getResourceAsStream(res), response);
return false; return false;
} }
...@@ -156,7 +158,7 @@ public class ResourceAccessFilter implements Filter { ...@@ -156,7 +158,7 @@ public class ResourceAccessFilter implements Filter {
ServletOutputStream out; ServletOutputStream out;
try { try {
out = response.getOutputStream(); out = response.getOutputStream();
IOUtils.copy(inputStream,out); IOUtils.copy(inputStream, out);
IOUtils.closeQuietly(inputStream); IOUtils.closeQuietly(inputStream);
IOUtils.closeQuietly(out); IOUtils.closeQuietly(out);
} catch (IOException e) { } catch (IOException e) {
......
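Review bot: the new bypass at the top of doFilter, `uri.contains("/login") || uri.contains("/getUserByDn")`, is a substring match on the whole request URI, so any path that merely contains one of those fragments skips the token check that follows rather than only the two intended endpoints; compare against the mapped paths exactly, e.g. `String path = request.getServletPath(); if (path.equals("/login") || path.equals("/getUserByDn")) {` (adjust the literals to the real mappings, which the hunk does not show). The same hunk, and the added guard in doPdfsFilter, call `request.getSession()` with no argument before the null check, which allocates a new empty session for every unauthenticated request; `HttpSession s = request.getSession(false); if (isExcludeRes(uri) || s == null || s.getAttribute("token") == null) {` avoids that and is the same shape in doPdfsFilter. The doFilter body continues past the hunk.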