whyclxw
2024-07-01 0ce771b4a4ff5897dc91bb1b84a4561781b00ca5
src/main/java/com/whyc/filter/AccessFilter.java
@@ -2,14 +2,14 @@
import com.whyc.constant.OperationLogEnum;
import com.whyc.constant.YamlProperties;
import com.whyc.pojo.db_user.OperationLog;
import com.whyc.dto.Response;
import com.whyc.pojo.db_user.UserInf;
import com.whyc.service.OperationLogService;
import com.whyc.util.JsonUtil;
import com.whyc.util.MD5Util;
import com.whyc.util.UserUtil;
import org.apache.shiro.SecurityUtils;
import org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.context.support.XmlWebApplicationContext;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
@@ -50,6 +50,7 @@
        String requestURI = request.getRequestURI();
        String servletPath = request.getServletPath();
        String remoteIp = request.getRemoteAddr();
        //防重放
        if (2 == YamlProperties.systemType) {
            if (time != null && sign != null && randomStr != null) { //检查接口的防重放功能
@@ -60,7 +61,7 @@
                if (context.getAttribute(randomStr) != null) {
                    response.setStatus(403);
                    response.setContentType("text/html;charset=utf-8");
                    response.getWriter().write("非法请求,参数异常");
                    response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"非法请求,参数异常")));
                    return;
                } else { //不存在,说明第一次使用,存入内存
                    context.setAttribute(randomStr, time);
@@ -71,14 +72,14 @@
                if (System.currentTimeMillis() - Long.parseLong(time) >= 60 * 1000) {
                    response.setStatus(408);
                    response.setContentType("text/html;charset=utf-8");
                    response.getWriter().write("请求超时异常");
                    response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"请求超时异常")));
                    return;
                }
                boolean res = MD5Util.checkSignMD5(time, randomStr, sign);
                if (!res) {
                    response.setStatus(403);
                    response.setContentType("text/html;charset=utf-8");
                    response.getWriter().write("非法请求,参数异常");
                    response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"非法请求,参数异常")));
                    return;
                }
            }
@@ -95,7 +96,7 @@
                )) {
                    response.setStatus(403);
                    response.setContentType("text/html;charset=utf-8");
                    response.getWriter().write("非法请求,参数异常");
                    response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"非法请求,参数异常")));
                    return;
                }
            }
@@ -103,7 +104,7 @@
        //if(YamlProperties.profileType.equals("prod")) {
            //用户需要登录
            UserInf user = UserUtil.getUser();
            UserInf user = (UserInf) SecurityUtils.getSubject().getPrincipal();
            //无需登录可以调用接口放行
            if (!requestURI.contains(".") && !servletPath.equals("/") &&
                (!
@@ -118,13 +119,16 @@
                        || requestURI.contains("server")
                        //options请求
                        || request.getMethod().toUpperCase().equals("OPTIONS")
                        //放行swagger
                        || requestURI.contains("swagger-resources")
                        || requestURI.contains("api-docs")
                    ))) {
                if (user == null) {
                    //越权访问
                    logService.record(OperationLogEnum.TYPE_1_SYS.getType(), OperationLogEnum.TYPE_2_UNAUTHORIZED_ACCESS.getType(),"越权访问", "越权访问接口:" + requestURI);
                    logService.record(OperationLogEnum.TYPE_1_SYS.getType(), OperationLogEnum.TYPE_2_UNAUTHORIZED_ACCESS.getType(),"越权访问", "越权访问接口:" + requestURI,remoteIp);
                    response.setStatus(401);
                    response.setContentType("text/html;charset=utf-8");
                    response.getWriter().write("非法请求,身份未验证");
                    response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"非法请求,身份未验证")));
                    return;
                }
                else if(requestURI.contains("userInf/resetSnId") //重置其他用户密码,必须1000以下的管理员才能设置
@@ -135,10 +139,10 @@
                    int userId = user.getUid();
                    if(userId>=1000){
                        //越权访问
                        logService.record(OperationLogEnum.TYPE_1_SYS.getType(), OperationLogEnum.TYPE_2_UNAUTHORIZED_ACCESS.getType(),"越权访问", "越权访问接口:" + requestURI);
                        logService.record(OperationLogEnum.TYPE_1_SYS.getType(), OperationLogEnum.TYPE_2_UNAUTHORIZED_ACCESS.getType(),"越权访问", "越权访问接口:" + requestURI,remoteIp);
                        response.setStatus(401);
                        response.setContentType("text/html;charset=utf-8");
                        response.getWriter().write("非法请求,身份未授权");
                        response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"非法请求,身份未授权")));
                        return;
                    }
                }
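Review bot: Each of the six new `response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0, ...)))` lines is still preceded by `response.setContentType("text/html;charset=utf-8")`, so the serialized `Response` object is declared as HTML and clients or proxies that dispatch on the content type will not treat it as JSON; those six `setContentType` lines should become `response.setContentType("application/json;charset=utf-8");` (keeping `charset=utf-8` so the Chinese messages survive). The new principal lookup `UserInf user = (UserInf) SecurityUtils.getSubject().getPrincipal();` is an unchecked cast: presumably the Shiro realm only ever stores a `UserInf` principal, but if another type is ever stored this throws ClassCastException (an HTTP 500) instead of reaching the `user == null` branch that returns 401, so a guarded form such as `Object p = SecurityUtils.getSubject().getPrincipal(); UserInf user = p instanceof UserInf ? (UserInf) p : null;` keeps the unauthenticated path reachable. The added `remoteIp = request.getRemoteAddr()` passed into the two unauthorized-access audit records is the immediate peer address, so behind a reverse proxy these log entries will record the proxy rather than the client — worth confirming how the deployment handles forwarded addresses before relying on this field for incident review. The enclosing doFilter method begins before the first hunk and continues past the last one.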