Commit e58d0f03 by WeiCong

调整用户token和session绑定

修复页面关闭资源依然可以访问的漏洞
parent 42525f86
......@@ -156,7 +156,7 @@ public class LoginController {
public Object logout(HttpServletRequest request, HttpSession session) {
try {
request.getSession().removeAttribute("toekn");
request.getSession().removeAttribute("token");
NoUiRequest noUiRequest = new NoUiRequest(request, "", null);
NoUiUtils.logout(noUiRequest.getUserId(),"*"); //清理可能存在的历史缓存
return ResultUtil.result(ErrorCodes.SUCCESS,"退出成功",null);
......
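Review bot: logout removes only the `token` attribute and leaves the session itself alive, so the session id stays valid after logout and any other attributes stored during login survive; since the commit is about tying the token to the session, invalidating the session is the simpler end state, e.g. `request.getSession().invalidate();` placed after the `NoUiUtils.logout(...)` call so the user id has already been read from the request. If other code relies on session attributes outliving logout, clear those explicitly instead of keeping the whole session. The `session` parameter is also unused here and could replace the repeated `request.getSession()` call. The method body continues past the hunk.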
......@@ -15,6 +15,7 @@ import java.io.InputStream;
public class ResourceAccessFilter implements Filter {
public static final String FORBIDDEN = "forbidden.pdf";
public static final String NO_FOUND_PDF = "/WEB-INF/classes/forbidden.pdf";
protected static final Log log = LogFactory.getLog(ResourceAccessFilter.class);
private static final String KEY = "session.##.WEB";
private static final String SALT = "1314520@Wc;";
......@@ -24,26 +25,23 @@ public class ResourceAccessFilter implements Filter {
private static final String _403_HTML = "<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1></div></body></html>";
public static String[] pdfpth;
public static String[] exclude;
public static final String NO_FOUND_PDF="/WEB-INF/classes/forbidden.pdf";
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
try {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
if(request.getSession().getAttribute("token")== null)
{
response.setStatus(403);
forbidden(request, response);
String uri = request.getRequestURI();
if (uri.contains("/login") || uri.contains("/getUserByDn")) {
chain.doFilter(req, res);
return;
}
String uri = request.getRequestURI();
String pdfres;
if ((pdfres=needPdfsFilter(uri))!=null) {
if (!doPdfsFilter(uri,pdfres, request, response)) {
if ((pdfres = needPdfsFilter(uri)) != null) {
if (!doPdfsFilter(uri, pdfres, request, response)) {
return;
}
} else if (isExcludeRes(uri)) {
} else if (isExcludeRes(uri) || request.getSession().getAttribute("token") == null) {
response.setStatus(403);
forbidden(request, response);
} else {
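Review bot: the new bypass `if (uri.contains("/login") || uri.contains("/getUserByDn"))` matches those fragments anywhere in the request URI, so any path that merely contains one of them skips the filter, and with it the token check on the `else if` line, entirely; compare the servlet path against the exact endpoints instead, e.g. `String path = request.getServletPath(); if (path.equals("/login") || path.equals("/getUserByDn")) { chain.doFilter(req, res); return; }` (assuming those are the endpoints' servlet paths — confirm against the controller mappings). The token lookup on the `else if` line also calls `request.getSession()` with no argument, which creates a server-side session for every unauthenticated request that reaches it; `HttpSession s = request.getSession(false); if (isExcludeRes(uri) || s == null || s.getAttribute("token") == null)` yields the same 403 without allocating state for anonymous callers, and the same applies to the new check at the top of doPdfsFilter in the following hunk. doFilter's body continues past the hunk.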
......@@ -55,7 +53,11 @@ public class ResourceAccessFilter implements Filter {
}
}
private boolean doPdfsFilter(String uri,String pdfres, HttpServletRequest request, HttpServletResponse response) throws Exception {
private boolean doPdfsFilter(String uri, String pdfres, HttpServletRequest request, HttpServletResponse response) throws Exception {
if (request.getSession().getAttribute("token") == null) {
log.warn("Access Pdfs Forbidden");
return forbiddenPdf(request, response);
}
String[] parts = uri.split("_");
if (parts.length != 3) {
log.warn("Access Pdfs Forbidden");
......@@ -74,7 +76,7 @@ public class ResourceAccessFilter implements Filter {
return forbiddenPdf(request, response);
}
}
res=res.substring(res.indexOf(pdfres),res.length());
res = res.substring(res.indexOf(pdfres), res.length());
pdfWriter(request.getSession().getServletContext().getResourceAsStream(res), response);
return false;
}
......@@ -156,7 +158,7 @@ public class ResourceAccessFilter implements Filter {
ServletOutputStream out;
try {
out = response.getOutputStream();
IOUtils.copy(inputStream,out);
IOUtils.copy(inputStream, out);
IOUtils.closeQuietly(inputStream);
IOUtils.closeQuietly(out);
} catch (IOException e) {
......