MonitStation.git

			@@ -1,8 +1,15 @@
			package com.whyc.filter;

			import com.whyc.constant.OperationLogEnum;
			import com.whyc.constant.YamlProperties;
			import com.whyc.pojo.UserInf;
			import com.whyc.util.ActionUtil;
			import com.whyc.dto.Response;
			import com.whyc.pojo.db_user.UserInf;
			import com.whyc.service.OperationLogService;
			import com.whyc.util.JsonUtil;
			import com.whyc.util.MD5Util;
			import org.apache.shiro.SecurityUtils;
			import org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext;
			import org.springframework.web.context.support.WebApplicationContextUtils;

			import javax.servlet.*;
			import javax.servlet.annotation.WebFilter;
			@@ -12,12 +19,22 @@

			/**
			* 防重放功能
			* 及
			* 用户登录验证拦截
			*/
			@WebFilter
			public class AccessFilter implements Filter {

			private OperationLogService logService;

			@Override
			public void init(FilterConfig filterConfig) throws ServletException {
			ServletContext sc = filterConfig.getServletContext();
			AnnotationConfigServletWebServerApplicationContext cxt = (AnnotationConfigServletWebServerApplicationContext)WebApplicationContextUtils.getWebApplicationContext(sc);

			if(cxt != null && cxt.getBean("operationLogService") != null && logService == null) {
			logService = (OperationLogService) cxt.getBean("operationLogService");
			}
			}

			@Override
			@@ -33,8 +50,9 @@

			String requestURI = request.getRequestURI();
			String servletPath = request.getServletPath();
			//严格要求
			if (2 == YamlProperties.systemType \|\| 3 == YamlProperties.systemType) {
			String remoteIp = request.getRemoteAddr();
			//防重放
			if (2 == YamlProperties.systemType) {
			if (time != null && sign != null && randomStr != null) { //检查接口的防重放功能
			//60秒内检查randomStr是否存在(60秒后定时清除)
			//ServletContext context = request.getServletContext();
			@@ -43,7 +61,7 @@
			if (context.getAttribute(randomStr) != null) {
			response.setStatus(403);
			response.setContentType("text/html;charset=utf-8");
			response.getWriter().write("非法请求,参数异常");
			response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"非法请求,参数异常")));
			return;
			} else { //不存在,说明第一次使用,存入内存
			context.setAttribute(randomStr, time);
			@@ -54,14 +72,14 @@
			if (System.currentTimeMillis() - Long.parseLong(time) >= 60 * 1000) {
			response.setStatus(408);
			response.setContentType("text/html;charset=utf-8");
			response.getWriter().write("请求超时异常");
			response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"请求超时异常")));
			return;
			}
			boolean res = ActionUtil.checkSignMD5(time, randomStr, sign);
			boolean res = MD5Util.checkSignMD5(time, randomStr, sign);
			if (!res) {
			response.setStatus(403);
			response.setContentType("text/html;charset=utf-8");
			response.getWriter().write("非法请求,参数异常");
			response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"非法请求,参数异常")));
			return;
			}
			}
			@@ -69,19 +87,6 @@
			else {
			//签名所需时间戳
			if (!(requestURI.contains("server/timestamp")
			//↓================此处与签名和无需登录放行保持一致===============↓/
			//对外接口-大屏
			\|\| requestURI.contains("mapOutline/all")
			\|\| requestURI.contains("battMapInformation/findStationState")
			\|\| requestURI.contains("battMapInformation/searchUserManageStation")
			\|\| requestURI.contains("battMapInformation/del")
			\|\| requestURI.contains("station3D/byDeviceId")
			\|\| requestURI.contains("battMapInformation/multAmout")
			//对外接口-外部
			\|\| requestURI.contains("interface/")
			// \|\| requestURI.contains("interface/getBattAlarm")
			// \|\| requestURI.contains("interface/getPowerInf")
			// \|\| requestURI.contains("interface/getPowerAlarm")
			//↑================此处与签名和无需登录放行保持一致===============↑/
			//静态资源
			\|\| requestURI.contains(".")
			@@ -91,69 +96,57 @@
			)) {
			response.setStatus(403);
			response.setContentType("text/html;charset=utf-8");
			response.getWriter().write("非法请求,参数异常");
			response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"非法请求,参数异常")));
			return;
			}
			}
			}

			if(YamlProperties.profileType.equals("prod1")) {
			//if(YamlProperties.profileType.equals("prod")) {
			//用户需要登录
			UserInf user = (UserInf) request.getSession().getAttribute("user");
			UserInf user = (UserInf) SecurityUtils.getSubject().getPrincipal();
			//无需登录可以调用接口放行
			if (!requestURI.contains(".") && !servletPath.equals("/") &&
			(!
			//签名所需时间戳
			(requestURI.contains("server/timestamp")
			//↓================此处与签名和无需登录放行保持一致===============↓/
			//对外接口-大屏
			\|\| requestURI.contains("mapOutline/all")
			\|\| requestURI.contains("battMapInformation/findStationState")
			\|\| requestURI.contains("battMapInformation/searchUserManageStation")
			\|\| requestURI.contains("battMapInformation/del")
			\|\| requestURI.contains("station3D/byDeviceId")
			\|\| requestURI.contains("battMapInformation/multAmout")
			//对外接口-外部
			\|\| requestURI.contains("interface/")
			// \|\| requestURI.contains("interface/getBattInf")
			// \|\| requestURI.contains("interface/getBattAlarm")
			// \|\| requestURI.contains("interface/getPowerInf")
			// \|\| requestURI.contains("interface/getPowerAlarm")
			//↑================此处与签名和无需登录放行保持一致===============↑/
			//登录页面接口
			\|\| requestURI.contains("User_infAction!searchSnIdByUId") //TODO 免登陆v2待开发
			\|\| requestURI.contains("message")
			\|\| requestURI.contains("login/login")
			\|\| requestURI.contains("user/updatePassword2")
			\|\| requestURI.contains("pageParam/findByCategoryId")
			\|\| requestURI.contains("pageParam/allList")
			\|\| requestURI.contains("license")
			\|\| requestURI.contains("UKey")
			\|\| requestURI.contains("closeBrowser")
			\|\| requestURI.contains("user/register")
			\|\| requestURI.contains("face/activeOnline")
			\|\| requestURI.contains("face/faceCompare2N")
			//WebSocket-账号其他主机登录
			\|\| requestURI.contains("loginCheck")
			\|\| requestURI.contains("interfacePowerAlarm")
			\|\| requestURI.contains("interfaceDevAlarm")
			\|\| requestURI.contains("interfaceBattAlarm")
			\|\| requestURI.contains("interfaceRealTime")
			//WebSocket-签名所需时间戳
			\|\| requestURI.contains("server")
			//options请求
			\|\| request.getMethod().toUpperCase().equals("OPTIONS")
			))) {
			(!
			//签名所需时间戳
			(requestURI.contains("server/timestamp")
			//↑================此处与签名和无需登录放行保持一致===============↑/
			//登录页面接口
			\|\| requestURI.contains("login/login")
			//WebSocket-账号其他主机登录
			\|\| requestURI.contains("loginCheck")
			//WebSocket-签名所需时间戳
			\|\| requestURI.contains("server")
			//options请求
			\|\| request.getMethod().toUpperCase().equals("OPTIONS")
			//放行swagger
			\|\| requestURI.contains("swagger-resources")
			\|\| requestURI.contains("api-docs")
			))) {
			if (user == null) {
			//越权访问
			//CommonUtil.record(0, UserOperation.TYPE_UNAUTHORIZED_ACCESS.getType(), "越权访问", "越权访问接口:" + requestURI);
			//CommonUtil.record2(request, 0,"", UserOperation.TYPE_UNAUTHORIZED_ACCESS.getType(), "越权访问", "越权访问接口:" + requestURI);
			logService.record(OperationLogEnum.TYPE_1_SYS.getType(), OperationLogEnum.TYPE_2_UNAUTHORIZED_ACCESS.getType(),"越权访问", "越权访问接口:" + requestURI,remoteIp);
			response.setStatus(401);
			response.setContentType("text/html;charset=utf-8");
			response.getWriter().write("非法请求，身份未验证");
			response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"非法请求，身份未验证")));
			return;
			}
			}
			else if(requestURI.contains("userInf/resetSnId") //重置其他用户密码,必须1000以下的管理员才能设置
			\|\|requestURI.contains("add")
			\|\|requestURI.contains("delete")
			\|\|requestURI.contains("update")
			){
			int userId = user.getUid();
			if(userId>=1000){
			//越权访问
			logService.record(OperationLogEnum.TYPE_1_SYS.getType(), OperationLogEnum.TYPE_2_UNAUTHORIZED_ACCESS.getType(),"越权访问", "越权访问接口:" + requestURI,remoteIp);
			response.setStatus(401);
			response.setContentType("text/html;charset=utf-8");
			response.getWriter().write(JsonUtil.getGson().toJson(new Response().set(0,"非法请求，身份未授权")));
			return;
			}
			}
			//}
			}

			filterChain.doFilter(servletRequest, servletResponse);