package com.whyc.filter;
|
|
import com.google.gson.Gson;
|
import com.whyc.constant.OperationLogEnum;
|
import com.whyc.constant.YamlProperties;
|
import com.whyc.dto.Response;
|
import com.whyc.pojo.db_user.User;
|
import com.whyc.util.CommonUtil;
|
import com.whyc.util.JsonUtil;
|
|
import javax.servlet.*;
|
import javax.servlet.annotation.WebFilter;
|
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletResponse;
|
import java.io.IOException;
|
|
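/**
 * Access-control filter.
 *
 * <p>When {@link YamlProperties#profileType} is {@code "prod"}, every request that is not on the
 * allow-list in {@link #isPublicEndpoint} (and is not a static resource or the root path) must carry
 * a {@code User} under the session attribute {@code "user"}. In every other profile the filter is a
 * pass-through.
 *
 * <p>Denied requests are logged via {@link CommonUtil#record} as unauthorized access and answered
 * directly by this filter; the chain is not continued.
 *
 * <p>NOTE(review): an authenticated user hitting a protected URI is also denied (see
 * {@link #rejectForbidden}) — there is no role/permission lookup in this class, so in {@code prod}
 * no logged-in caller can reach a non-public endpoint through this filter. Confirm against the
 * intended authorization model.
 */
@WebFilter
public class AccessFilter implements Filter {

    /** Session attribute populated on login and inspected here. */
    private static final String SESSION_USER = "user";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration is read; nothing to initialise.
    }

    /**
     * Enforces the login requirement in the {@code "prod"} profile and otherwise forwards the request.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @param filterChain     invoked only when the request is allowed through
     * @throws IOException      if writing the denial body fails
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        String requestURI = request.getRequestURI();
        String servletPath = request.getServletPath();

        // Only the production profile enforces authentication.
        if (YamlProperties.profileType.equals("prod")) {
            // getSession() creates a session if none exists; kept before the allow-list check so
            // that every prod request (public or not) behaves as before.
            User user = (User) request.getSession().getAttribute(SESSION_USER);

            if (requiresLogin(request, requestURI, servletPath)) {
                if (user == null) {
                    rejectUnauthenticated(response, requestURI);
                } else {
                    rejectForbidden(response, requestURI);
                }
                return;
            }
        }

        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Decides whether a request must be backed by a logged-in user.
     *
     * <p>Static resources (any URI containing a {@code '.'}) are public, except the {@code pis_file}
     * download path; the root servlet path {@code "/"} is public; everything else is public only
     * when {@link #isPublicEndpoint} matches.
     */
    private static boolean requiresLogin(HttpServletRequest request, String requestURI, String servletPath) {
        boolean staticResource = requestURI.contains(".") && !requestURI.contains("pis_file");
        if (staticResource || servletPath.equals("/")) {
            return false;
        }
        return !isPublicEndpoint(request, requestURI);
    }

    /**
     * Allow-list of endpoints reachable without a session user.
     *
     * <p>Security note: these are substring tests on the request URI, not anchored path matches, so
     * any URI that merely embeds one of the fragments is treated as public. Matching on the exact
     * servlet path would be tighter.
     */
    private static boolean isPublicEndpoint(HttpServletRequest request, String requestURI) {
        return requestURI.contains("login/login")                 // login page
            || requestURI.contains("loginByRSA")
            || requestURI.contains("logout")
            || requestURI.contains("loginCheck")                  // WebSocket: account logged in elsewhere
            || requestURI.contains("software/upgradeApply")       // software upgrade request
            || requestURI.contains("message/getFontDynamicCode")  // captcha
            // Heartbeat. Previously this fragment was compared against the upper-cased HTTP method
            // and therefore never matched; the surrounding comment makes clear it belongs to the
            // URI allow-list — assumption to confirm with the heartbeat endpoint owner.
            || requestURI.contains("heart/getCookie")
            // CORS preflight; equalsIgnoreCase is locale-independent and null-safe.
            || "OPTIONS".equalsIgnoreCase(request.getMethod());
    }

    /** Logs the denied URI as unauthorized access in the system operation log. */
    private static void recordUnauthorizedAccess(String requestURI) {
        CommonUtil.record(OperationLogEnum.TYPE_1_SYS.getType(),
                OperationLogEnum.TYPE_2_UNAUTHORIZED_ACCESS.getType(),
                "越权访问",
                "越权访问接口:" + requestURI);
    }

    /** Anonymous caller on a protected URI: HTTP 401 with a plain-text body. */
    private static void rejectUnauthenticated(HttpServletResponse response, String requestURI) throws IOException {
        recordUnauthorizedAccess(requestURI);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("text/html;charset=utf-8");
        response.getWriter().write("非法请求,身份未验证");
    }

    /**
     * Authenticated caller on a protected URI: JSON {@code Response} with {@code success=false}.
     *
     * <p>NOTE(review): the denial is sent with HTTP 200, so status-based monitoring will not see it;
     * the only signal is the JSON body and the operation-log entry.
     */
    private static void rejectForbidden(HttpServletResponse response, String requestURI) throws IOException {
        recordUnauthorizedAccess(requestURI);
        response.setStatus(HttpServletResponse.SC_OK);
        Response<Object> body = new Response<>();
        body.set(1, false, "非法请求,当前用户没有权限访问");
        Gson gson = JsonUtil.getGson();
        String json = gson.toJson(body);
        response.setContentType("application/json;charset=utf-8");
        response.getWriter().write(json);
    }

    /**
     * Counts occurrences of {@code charValue} in {@code target}. Currently unused by this filter.
     *
     * @throws NullPointerException if {@code target} is null
     */
    private int count(String target, char charValue) {
        int occurrences = 0;
        for (char ch : target.toCharArray()) {
            if (ch == charValue) {
                occurrences++;
            }
        }
        return occurrences;
    }

    @Override
    public void destroy() {
        // No resources are held; nothing to release.
    }

}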
|