Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
N
nouiWithSpringMVC
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
gechengyang
nouiWithSpringMVC
Commits
e58d0f03
Commit
e58d0f03
authored
Sep 30, 2020
by
WeiCong
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
调整用户token和session绑定
修复页面关闭资源依然可以访问得漏洞
parent
42525f86
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
15 additions
and
13 deletions
+15
-13
LoginController.java
...org/sss/presentation/noui/controller/LoginController.java
+1
-1
ResourceAccessFilter.java
...rg/sss/presentation/noui/filter/ResourceAccessFilter.java
+14
-12
No files found.
src/main/java/org/sss/presentation/noui/controller/LoginController.java
View file @
e58d0f03
...
...
@@ -156,7 +156,7 @@ public class LoginController {
public
Object
logout
(
HttpServletRequest
request
,
HttpSession
session
)
{
try
{
request
.
getSession
().
removeAttribute
(
"to
ek
n"
);
request
.
getSession
().
removeAttribute
(
"to
ke
n"
);
NoUiRequest
noUiRequest
=
new
NoUiRequest
(
request
,
""
,
null
);
NoUiUtils
.
logout
(
noUiRequest
.
getUserId
(),
"*"
);
//清理可能存在的历史缓存
return
ResultUtil
.
result
(
ErrorCodes
.
SUCCESS
,
"退出成功"
,
null
);
...
...
src/main/java/org/sss/presentation/noui/filter/ResourceAccessFilter.java
View file @
e58d0f03
...
...
@@ -15,6 +15,7 @@ import java.io.InputStream;
public
class
ResourceAccessFilter
implements
Filter
{
public
static
final
String
FORBIDDEN
=
"forbidden.pdf"
;
public
static
final
String
NO_FOUND_PDF
=
"/WEB-INF/classes/forbidden.pdf"
;
protected
static
final
Log
log
=
LogFactory
.
getLog
(
ResourceAccessFilter
.
class
);
private
static
final
String
KEY
=
"session.##.WEB"
;
private
static
final
String
SALT
=
"1314520@Wc;"
;
...
...
@@ -24,26 +25,23 @@ public class ResourceAccessFilter implements Filter {
private
static
final
String
_403_HTML
=
"<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1></div></body></html>"
;
public
static
String
[]
pdfpth
;
public
static
String
[]
exclude
;
public
static
final
String
NO_FOUND_PDF
=
"/WEB-INF/classes/forbidden.pdf"
;
public
void
doFilter
(
ServletRequest
req
,
ServletResponse
res
,
FilterChain
chain
)
throws
IOException
,
ServletException
{
try
{
HttpServletRequest
request
=
(
HttpServletRequest
)
req
;
HttpServletResponse
response
=
(
HttpServletResponse
)
res
;
if
(
request
.
getSession
().
getAttribute
(
"token"
)==
null
)
{
response
.
setStatus
(
403
);
forbidden
(
request
,
response
);
String
uri
=
request
.
getRequestURI
();
if
(
uri
.
contains
(
"/login"
)
||
uri
.
contains
(
"/getUserByDn"
))
{
chain
.
doFilter
(
req
,
res
);
return
;
}
String
uri
=
request
.
getRequestURI
();
String
pdfres
;
if
((
pdfres
=
needPdfsFilter
(
uri
))!=
null
)
{
if
(!
doPdfsFilter
(
uri
,
pdfres
,
request
,
response
))
{
if
((
pdfres
=
needPdfsFilter
(
uri
))
!=
null
)
{
if
(!
doPdfsFilter
(
uri
,
pdfres
,
request
,
response
))
{
return
;
}
}
else
if
(
isExcludeRes
(
uri
))
{
}
else
if
(
isExcludeRes
(
uri
)
||
request
.
getSession
().
getAttribute
(
"token"
)
==
null
)
{
response
.
setStatus
(
403
);
forbidden
(
request
,
response
);
}
else
{
...
...
@@ -55,7 +53,11 @@ public class ResourceAccessFilter implements Filter {
}
}
private
boolean
doPdfsFilter
(
String
uri
,
String
pdfres
,
HttpServletRequest
request
,
HttpServletResponse
response
)
throws
Exception
{
private
boolean
doPdfsFilter
(
String
uri
,
String
pdfres
,
HttpServletRequest
request
,
HttpServletResponse
response
)
throws
Exception
{
if
(
request
.
getSession
().
getAttribute
(
"token"
)
==
null
)
{
log
.
warn
(
"Access Pdfs Forbidden"
);
return
forbiddenPdf
(
request
,
response
);
}
String
[]
parts
=
uri
.
split
(
"_"
);
if
(
parts
.
length
!=
3
)
{
log
.
warn
(
"Access Pdfs Forbidden"
);
...
...
@@ -74,7 +76,7 @@ public class ResourceAccessFilter implements Filter {
return
forbiddenPdf
(
request
,
response
);
}
}
res
=
res
.
substring
(
res
.
indexOf
(
pdfres
),
res
.
length
());
res
=
res
.
substring
(
res
.
indexOf
(
pdfres
),
res
.
length
());
pdfWriter
(
request
.
getSession
().
getServletContext
().
getResourceAsStream
(
res
),
response
);
return
false
;
}
...
...
@@ -156,7 +158,7 @@ public class ResourceAccessFilter implements Filter {
ServletOutputStream
out
;
try
{
out
=
response
.
getOutputStream
();
IOUtils
.
copy
(
inputStream
,
out
);
IOUtils
.
copy
(
inputStream
,
out
);
IOUtils
.
closeQuietly
(
inputStream
);
IOUtils
.
closeQuietly
(
out
);
}
catch
(
IOException
e
)
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment