增加pdf资源访问权限校验

fd9f0dee · WeiCong · 05ced278 · fd9f0dee · fd9f0dee
Commit fd9f0dee authored Sep 14, 2020 by WeiCong
Hide whitespace changes
Inline Side-by-side

Showing with 137 additions and 0 deletions

ResourceAccessFilter.java ...rg/sss/presentation/noui/filter/ResourceAccessFilter.java +124 -0

web.xml src/main/webapp/WEB-INF/web.xml +13 -0

No files found.
--- a/src/main/java/org/sss/presentation/noui/filter/ResourceAccessFilter.java
+++ b/src/main/java/org/sss/presentation/noui/filter/ResourceAccessFilter.java
+package org.sss.presentation.noui.filter;
+
+import log.Log;
+import log.LogFactory;
+import org.apache.commons.lang.ArrayUtils;
+import org.sss.presentation.noui.jwt.RedisLoginInfo;
+import org.sss.presentation.noui.util.RedisUtil;
+import org.sss.presentation.noui.util.StringUtil;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class ResourceAccessFilter implements Filter {
+    public static String pdfpth;
+    protected static final Log log = LogFactory.getLog(ResourceAccessFilter.class);
+    private static final String KEY = "session.##.WEB";
+    private static final String SALT="1314520@Wc;";
+    private static final String _JSON_CONTENT = "application/json; charset=UTF-8";
+    private static final String _HTML_CONTENT = "text/html; charset=UTF-8";
+    private static final String _403_JSON = "{'code': '403', 'msg': 'Access Forbidden, Unauthorized!'}";
+    private static final String _403_HTML = "<html><body><div style='text-align:center'><h1 style='margin-top: 10px;'>Access Forbidden, Unauthorized!</h1><hr><span>@lichmama</span></div></body></html>";
+
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+            throws IOException, ServletException {
+        try{
+            HttpServletRequest request=(HttpServletRequest) req;
+            HttpServletResponse response=(HttpServletResponse) res;
+            String uri=request.getRequestURI();
+            if(needPdfsFilter(uri)){
+                if(!doPdfsFilter(request,response)){
+                    chain.doFilter(req, res);
+                }
+            }else{
+                chain.doFilter(req, res);
+            }
+        }catch (Throwable b){
+            log.warn("资源访问过滤器执行异常:"+b.getMessage());
+            chain.doFilter(req, res);
+        }
+    }
+
+    private boolean doPdfsFilter(HttpServletRequest request,HttpServletResponse response) throws Exception {
+        String[] sec=request.getParameterValues("sec");
+        String[] uid=request.getParameterValues("uid");
+        String[] res=request.getParameterValues("file");
+        if(ArrayUtils.isEmpty(sec) || ArrayUtils.isEmpty(uid) || ArrayUtils.isEmpty(res)){
+            log.warn("Access Pdfs Forbidden");
+            return forbidden403(request,response);
+        }else{
+            //校验usrid+token+固定值的加密
+            if(!isLegalSec(sec[0],uid[0],res[0])){
+                log.warn("Access Pdfs Forbidden");
+                return forbidden403(request,response);
+            }
+        }
+        return false;
+    }
+
+    private boolean isLegalSec(String sec, String uid, String res) throws Exception {
+        if(res.lastIndexOf("/")>0){
+            res=res.substring(res.lastIndexOf("/")+1);
+        }
+        String rawuid=new StringBuilder(uid).reverse().toString();
+        Object obj = RedisUtil.get(KEY.replace("##",rawuid));
+        if (obj == null){
+            return false;
+        }
+        RedisLoginInfo redisLoginInfo= (RedisLoginInfo) obj;
+        StringBuilder raw=new StringBuilder();
+        raw.append(redisLoginInfo.getToken());
+        raw.append(SALT);
+        raw.append(rawuid);
+        raw.append(SALT);
+        raw.append(res);
+        String rawsec= StringUtil.encryptMD5(raw.toString());
+        if(!rawsec.equals(sec)){
+            return false;
+        }
+        return true;
+    }
+
+    private boolean needPdfsFilter(String uri){
+        if(pdfpth.equals(uri)){
+            return true;
+        }
+        return false;
+    }
+
+    private boolean forbidden403(HttpServletRequest request,HttpServletResponse response) throws IOException, ServletException{
+        response.setStatus(403);
+        forbidden(request,response);
+        return true;
+    }
+
+    private void forbidden(HttpServletRequest request,HttpServletResponse response) throws IOException, ServletException{
+        if (isAjaxRequest(request)) {
+            response.setContentType(_JSON_CONTENT);
+            response.getWriter().print(_403_JSON);
+        } else {
+            response.setContentType(_HTML_CONTENT);
+            response.getWriter().print(_403_HTML);
+        }
+    }
+
+    private boolean isAjaxRequest(HttpServletRequest request) {
+        String header = request.getHeader("X-Requested-With");
+        if (header != null && header.length() > 0) {
+            if ("XMLHttpRequest".equalsIgnoreCase(header))
+                return true;
+        }
+        return false;
+    }
+
+    public void init(FilterConfig filterConfig) {
+        if(filterConfig.getInitParameter("pdfpth")!=null){
+            pdfpth=filterConfig.getInitParameter("pdfpth");
+        }
+
+    }
+
+    public void destroy() {}
+}
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -60,6 +60,19 @@
 		<url-pattern>/*</url-pattern>
 	</filter-mapping>

+	<filter>
+		<filter-name>resaccess</filter-name>
+		<filter-class>org.sss.presentation.noui.filter.ResourceAccessFilter</filter-class>
+		<init-param>
+			<param-name>pdfpth</param-name>
+			<param-value>/esfeserver/pdfjs/web/viewer.html</param-value>
+		</init-param>
+	</filter>
+	<filter-mapping>
+		<filter-name>resaccess</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+
 	<servlet>
 		<servlet-name>springDispatcherServlet</servlet-name>
 		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>