From 3569b1422c04894e6fe299ecaab6f6e5c76adf3b Mon Sep 17 00:00:00 2001 From: xuxueli <931591021@qq.com> Date: Mon, 25 Dec 2017 20:03:18 +0800 Subject: [PATCH] =?UTF-8?q?=E7=B3=BB=E7=BB=9F=E5=AE=89=E5=85=A8=E6=80=A7?= =?UTF-8?q?=E4=BC=98=E5=8C=96=EF=BC=8C=E7=99=BB=E9=99=86Token=E5=86=99Cook?= =?UTF-8?q?ie=E6=97=B6=E8=BF=9B=E8=A1=8CMD5=E5=8A=A0=E5=AF=86=EF=BC=9B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/XXL-JOB官方文档.md | 2 +- .../job/admin/controller/IndexController.java | 28 ++++++++++--------- .../interceptor/PermissionInterceptor.java | 21 ++++++++++++-- .../xxl/job/admin/core/util/CookieUtil.java | 1 - 4 files changed, 34 insertions(+), 18 deletions(-) diff --git a/doc/XXL-JOB官方文档.md b/doc/XXL-JOB官方文档.md index d480e1d5..4a4dcd8a 100644 --- a/doc/XXL-JOB官方文档.md +++ b/doc/XXL-JOB官方文档.md @@ -1101,7 +1101,7 @@ Tips: 历史版本(V1.3.x)目前已经Release至稳定版本, 进入维护阶段 - 24、Log地址格式兼容,支持非"/"结尾路径配置; - 25、底层系统日志级别规范调整,清理遗留代码; - 26、建表SQL优化,支持同步创建制定编码的库和表; - +- 27、系统安全性优化,登陆Token写Cookie时进行MD5加密; ### TODO LIST diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/IndexController.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/IndexController.java index 23055c2f..f4b1cadd 100644 --- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/IndexController.java +++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/IndexController.java @@ -2,7 +2,6 @@ package com.xxl.job.admin.controller; import com.xxl.job.admin.controller.annotation.PermessionLimit; import com.xxl.job.admin.controller.interceptor.PermissionInterceptor; -import com.xxl.job.admin.core.util.PropertiesUtil; import com.xxl.job.admin.service.XxlJobService; import com.xxl.job.core.biz.model.ReturnT; import org.apache.commons.lang3.StringUtils; 
@@ -61,18 +60,21 @@ public class IndexController {
 @ResponseBody
 @PermessionLimit(limit=false)
 public ReturnT loginDo(HttpServletRequest request, HttpServletResponse response, String userName, String password, String ifRemember){
- if (!PermissionInterceptor.ifLogin(request)) {
- if (StringUtils.isNotBlank(userName) && StringUtils.isNotBlank(password)
- && PropertiesUtil.getString("xxl.job.login.username").equals(userName)
- && PropertiesUtil.getString("xxl.job.login.password").equals(password)) {
- boolean ifRem = false;
- if (StringUtils.isNotBlank(ifRemember) && "on".equals(ifRemember)) {
- ifRem = true;
- }
- PermissionInterceptor.login(response, ifRem);
- } else {
- return new ReturnT(500, "账号或密码错误");
- }
+ // valid
+ if (PermissionInterceptor.ifLogin(request)) {
+ return ReturnT.SUCCESS;
+ }
+
+ // param
+ if (StringUtils.isBlank(userName) || StringUtils.isBlank(password)){
+ return new ReturnT(500, "账号或密码为空");
+ }
+ boolean ifRem = (StringUtils.isNotBlank(ifRemember) && "on".equals(ifRemember))?true:false;
+
+ // do login
+ boolean loginRet = PermissionInterceptor.login(response, userName, password, ifRem);
+ if (!loginRet) {
+ return new ReturnT(500, "账号或密码错误");
 }
 return ReturnT.SUCCESS;
 }
diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
index 74633dd7..da7f699f 100644
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
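Review bot: `boolean ifRem = (StringUtils.isNotBlank(ifRemember) && "on".equals(ifRemember))?true:false;` in the new loginDo body is a redundant ternary on a boolean expression, and the isNotBlank guard is already implied by the equals call; `boolean ifRem = "on".equals(ifRemember);` is equivalent and reads as the intent. The `if (!loginRet)` branch returns without recording anything, so repeated failed logins against this endpoint leave no trace; a log line with the remote address and outcome (never the submitted password) is what an operator needs to notice a credential-guessing run, since no attempt limiting is visible in this hunk. Both failure paths also answer with status 500, which reads as a server fault to any client or monitor; an authentication failure is conventionally a 401/403-class result, and distinguishing the two makes alerting on real server errors possible.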
@@ -3,6 +3,7 @@ package com.xxl.job.admin.controller.interceptor;
 import com.xxl.job.admin.controller.annotation.PermessionLimit;
 import com.xxl.job.admin.core.util.CookieUtil;
 import com.xxl.job.admin.core.util.PropertiesUtil;
+import org.apache.commons.codec.digest.DigestUtils;
 import org.springframework.web.method.HandlerMethod;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
@@ -22,11 +23,25 @@ public class PermissionInterceptor extends HandlerInterceptorAdapter {
 static {
 String username = PropertiesUtil.getString("xxl.job.login.username");
 String password = PropertiesUtil.getString("xxl.job.login.password");
- String temp = username + "_" + password;
- LOGIN_IDENTITY_TOKEN = new BigInteger(1, temp.getBytes()).toString(16);
+
+ // login token
+ String tokenTmp = DigestUtils.md5Hex(username + "_" + password);
+ tokenTmp = new BigInteger(1, tokenTmp.getBytes()).toString(16);
+
+ LOGIN_IDENTITY_TOKEN = tokenTmp;
 }
- public static boolean login(HttpServletResponse response, boolean ifRemember){
+ public static boolean login(HttpServletResponse response, String username, String password, boolean ifRemember){
+
+ // login token
+ String tokenTmp = DigestUtils.md5Hex(username + "_" + password);
+ tokenTmp = new BigInteger(1, tokenTmp.getBytes()).toString(16);
+
+ if (!LOGIN_IDENTITY_TOKEN.equals(tokenTmp)){
+ return false;
+ }
+
+ // do login
 CookieUtil.set(response, LOGIN_IDENTITY_KEY, LOGIN_IDENTITY_TOKEN, ifRemember);
 return true;
 }
diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
index 19a6751f..28baa214 100644
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
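Review bot: The value written on the `CookieUtil.set(response, LOGIN_IDENTITY_KEY, LOGIN_IDENTITY_TOKEN, ifRemember);` line remains a deterministic, unsalted function of the configured username and password, so it never rotates, a captured cookie stays valid until the credentials themselves change, and a fast digest of a short `username_password` string leaves an offline path from the cookie value back to the password; the commit message's "加密" overstates what MD5 provides here. A random per-login token from `SecureRandom`, validated server-side, or at minimum an HMAC keyed with a server-side secret, would decouple the cookie from the credentials; `ifLogin`, outside this hunk, presumably compares the cookie to the same constant and would need to change with it. Within the current design, `tokenTmp = new BigInteger(1, tokenTmp.getBytes()).toString(16);` only re-hexes the 32 ASCII hex characters into 64 (through the platform default charset) and adds no entropy, and the digest block is duplicated between the static initializer and `login`. `LOGIN_IDENTITY_TOKEN.equals(tokenTmp)` exits at the first differing character; `MessageDigest.isEqual` (java.security) over the UTF-8 bytes is the constant-time form. The excerpt below is the minimal in-place cleanup — one private helper used by both sites and a constant-time compare — not a substitute for the session-token redesign.
```java
    // Single place that derives the login token so the static initializer and login() cannot drift apart.
    private static String loginToken(String username, String password) {
        return DigestUtils.md5Hex(username + "_" + password);
    }

    static {
        // … unchanged: read xxl.job.login.username / xxl.job.login.password …
        LOGIN_IDENTITY_TOKEN = loginToken(username, password);
    }

    public static boolean login(HttpServletResponse response, String username, String password, boolean ifRemember){
        String tokenTmp = loginToken(username, password);
        // Constant-time comparison; String.equals returns on the first mismatching character.
        if (!MessageDigest.isEqual(LOGIN_IDENTITY_TOKEN.getBytes(StandardCharsets.UTF_8),
                tokenTmp.getBytes(StandardCharsets.UTF_8))) {
            return false;
        }
        // … unchanged: CookieUtil.set(...) and return true …
    }
```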
@@ -87,7 +87,6 @@ public class CookieUtil {
 * @param request
 * @param response
 * @param key
- * @param domainName
 */
 public static void remove(HttpServletRequest request, HttpServletResponse response, String key) {
 Cookie cookie = get(request, key);