系统安全性优化,登陆Token写Cookie时进行MD5加密;

pull/6/head
xuxueli 7 years ago
parent 014b341ff8
commit 3569b1422c

@ -1101,7 +1101,7 @@ Tips: 历史版本(V1.3.x)目前已经Release至稳定版本, 进入维护阶段
- 24、Log地址格式兼容支持非"/"结尾路径配置;
- 25、底层系统日志级别规范调整清理遗留代码
- 26、建表SQL优化支持同步创建制定编码的库和表
- 27、系统安全性优化登陆Token写Cookie时进行MD5加密
### TODO LIST

@ -2,7 +2,6 @@ package com.xxl.job.admin.controller;
import com.xxl.job.admin.controller.annotation.PermessionLimit;
import com.xxl.job.admin.controller.interceptor.PermissionInterceptor;
import com.xxl.job.admin.core.util.PropertiesUtil;
import com.xxl.job.admin.service.XxlJobService;
import com.xxl.job.core.biz.model.ReturnT;
import org.apache.commons.lang3.StringUtils;
@ -61,18 +60,21 @@ public class IndexController {
@ResponseBody
@PermessionLimit(limit=false)
public ReturnT<String> loginDo(HttpServletRequest request, HttpServletResponse response, String userName, String password, String ifRemember){
if (!PermissionInterceptor.ifLogin(request)) {
if (StringUtils.isNotBlank(userName) && StringUtils.isNotBlank(password)
&& PropertiesUtil.getString("xxl.job.login.username").equals(userName)
&& PropertiesUtil.getString("xxl.job.login.password").equals(password)) {
boolean ifRem = false;
if (StringUtils.isNotBlank(ifRemember) && "on".equals(ifRemember)) {
ifRem = true;
}
PermissionInterceptor.login(response, ifRem);
} else {
return new ReturnT<String>(500, "账号或密码错误");
}
// valid
if (PermissionInterceptor.ifLogin(request)) {
return ReturnT.SUCCESS;
}
// param
if (StringUtils.isBlank(userName) || StringUtils.isBlank(password)){
return new ReturnT<String>(500, "账号或密码为空");
}
boolean ifRem = (StringUtils.isNotBlank(ifRemember) && "on".equals(ifRemember))?true:false;
// do login
boolean loginRet = PermissionInterceptor.login(response, userName, password, ifRem);
if (!loginRet) {
return new ReturnT<String>(500, "账号或密码错误");
}
return ReturnT.SUCCESS;
}

@ -3,6 +3,7 @@ package com.xxl.job.admin.controller.interceptor;
import com.xxl.job.admin.controller.annotation.PermessionLimit;
import com.xxl.job.admin.core.util.CookieUtil;
import com.xxl.job.admin.core.util.PropertiesUtil;
import org.apache.commons.codec.digest.DigestUtils;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
@ -22,11 +23,25 @@ public class PermissionInterceptor extends HandlerInterceptorAdapter {
static {
String username = PropertiesUtil.getString("xxl.job.login.username");
String password = PropertiesUtil.getString("xxl.job.login.password");
String temp = username + "_" + password;
LOGIN_IDENTITY_TOKEN = new BigInteger(1, temp.getBytes()).toString(16);
// login token
String tokenTmp = DigestUtils.md5Hex(username + "_" + password);
tokenTmp = new BigInteger(1, tokenTmp.getBytes()).toString(16);
LOGIN_IDENTITY_TOKEN = tokenTmp;
}
public static boolean login(HttpServletResponse response, boolean ifRemember){
public static boolean login(HttpServletResponse response, String username, String password, boolean ifRemember){
// login token
String tokenTmp = DigestUtils.md5Hex(username + "_" + password);
tokenTmp = new BigInteger(1, tokenTmp.getBytes()).toString(16);
if (!LOGIN_IDENTITY_TOKEN.equals(tokenTmp)){
return false;
}
// do login
CookieUtil.set(response, LOGIN_IDENTITY_KEY, LOGIN_IDENTITY_TOKEN, ifRemember);
return true;
}

@ -87,7 +87,6 @@ public class CookieUtil {
* @param request
* @param response
* @param key
* @param domainName
*/
public static void remove(HttpServletRequest request, HttpServletResponse response, String key) {
Cookie cookie = get(request, key);

Loading…
Cancel
Save