快照防篡改后台优化

e5df2660 · WeiCong · 95150ec6 · e5df2660 · e5df2660
Commit e5df2660 authored Oct 09, 2020 by WeiCong
Showing with 38 additions and 7 deletions

ResourceAccessFilter.java ...rg/sss/presentation/noui/filter/ResourceAccessFilter.java +35 -7

DataSecurityUtil.java ...java/org/sss/presentation/noui/util/DataSecurityUtil.java +3 -0

No files found.
--- a/src/main/java/org/sss/presentation/noui/filter/ResourceAccessFilter.java
+++ b/src/main/java/org/sss/presentation/noui/filter/ResourceAccessFilter.java
@@ -25,7 +25,7 @@ public class ResourceAccessFilter implements Filter {
    private static final String SALT = "1314520@Wc;";
    private static final String _JSON_CONTENT = "application/json; charset=UTF-8";
    private static final String _HTML_CONTENT = "text/html; charset=UTF-8";
-    private static final String _403_JSON = "{'code': '403', 'msg': 'Access Forbidden, Unauthorized!'}";
+    private static final String _403_JSON = "{\"code\": \"403\", \"msg\": \"Access Forbidden, Unauthorized!\"}";
    private static final String _403_HTML = "<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1></div></body></html>";
    public static String[] pdfpth;
    public static String[] exclude;
@@ -61,16 +61,40 @@ public class ResourceAccessFilter implements Filter {
        }
    }
-    private void doDspFilter(String uri, HttpServletRequest request, HttpServletResponse response) throws IOException {
+    private void doDspFilter(String uri, HttpServletRequest request, HttpServletResponse response) throws Exception {
-        String relPth=uri.substring(uri.indexOf(DSPPTH));
+        String[] parts = uri.split("_");
+        if (parts.length != 3) {
+            log.warn("Access Dsp Forbidden");
+            forbidden(request, response);
+            return;
+        }
+        String res = parts[0];
+        String uid = parts[1];
+        String sec = parts[2];
+        if (StringUtil.isEmpty(sec) || StringUtil.isEmpty(uid) || StringUtil.isEmpty(res)) {
+            log.warn("Access Dsp Forbidden");
+            forbidden(request, response);
+            return;
+        } else {
+            //校验usrid+token+固定值的加密
+            if (!isLegalSec(sec, uid, res, request)) {
+                log.warn("Access Dsp Forbidden");
+                forbidden(request, response);
+                return;
+            }
+        }
+        String relPth=res.substring(res.indexOf(DSPPTH));
        StringBuilder sb=new StringBuilder(NoUiUtils.getDatapath());
        sb.append(relPth);
        File file=new File(sb.toString());
        if(file.exists()){
            response.setContentType(_JSON_CONTENT);
            response.getWriter().print(FileUtils.readFileToString(file, StandardCharsets.UTF_8));
+            return;
        }else{
            log.warn("Dsp Is Not Exists");
+            forbidden(request, response);
+            return;
        }
    }
@@ -165,20 +189,24 @@ public class ResourceAccessFilter implements Filter {
    private boolean forbidden403(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        response.setStatus(403);
-        forbidden(request, response);
+        forbiddenJson(request, response);
        return true;
    }
-    private void forbidden(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+    private void forbidden(HttpServletRequest request, HttpServletResponse response) throws IOException {
        if (isAjaxRequest(request)) {
-            response.setContentType(_JSON_CONTENT);
+            forbiddenJson(request,response);
-            response.getWriter().print(_403_JSON);
        } else {
            response.setContentType(_HTML_CONTENT);
            response.getWriter().print(_403_HTML);
        }
    }
+    private void forbiddenJson(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        response.setContentType(_JSON_CONTENT);
+        response.getWriter().print(_403_JSON);
+    }
    private boolean isAjaxRequest(HttpServletRequest request) {
        String header = request.getHeader("X-Requested-With");
        if (header != null && header.length() > 0) {

--- a/src/main/java/org/sss/presentation/noui/util/DataSecurityUtil.java
+++ b/src/main/java/org/sss/presentation/noui/util/DataSecurityUtil.java
@@ -131,6 +131,9 @@ public class DataSecurityUtil {
                                for(String ck:DEFAULT_CHECK){
                                    if(noUiRequest.getParamsMap().containsKey(ck)){
                                        val=noUiRequest.getParamsMap().get(ck).toString();
+                                        if(!StringUtil.isEmpty(val)){
+                                            break;
+                                        }
                                    }
                                }
                            }else{