系统安全性优化,登陆Token写Cookie时进行MD5加密;

xuxueli 7 years ago
parent 014b341ff8
commit 3569b1422c

@ -1101,7 +1101,7 @@ Tips: 历史版本(V1.3.x)目前已经Release至稳定版本, 进入维护阶段
- 24、Log地址格式兼容支持非"/"结尾路径配置; - 24、Log地址格式兼容支持非"/"结尾路径配置;
- 25、底层系统日志级别规范调整清理遗留代码 - 25、底层系统日志级别规范调整清理遗留代码
- 26、建表SQL优化支持同步创建制定编码的库和表 - 26、建表SQL优化支持同步创建制定编码的库和表
- 27、系统安全性优化登陆Token写Cookie时进行MD5加密
### TODO LIST ### TODO LIST

@ -2,7 +2,6 @@ package com.xxl.job.admin.controller;
import com.xxl.job.admin.controller.annotation.PermessionLimit; import com.xxl.job.admin.controller.annotation.PermessionLimit;
import com.xxl.job.admin.controller.interceptor.PermissionInterceptor; import com.xxl.job.admin.controller.interceptor.PermissionInterceptor;
import com.xxl.job.admin.core.util.PropertiesUtil;
import com.xxl.job.admin.service.XxlJobService; import com.xxl.job.admin.service.XxlJobService;
import com.xxl.job.core.biz.model.ReturnT; import com.xxl.job.core.biz.model.ReturnT;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
@ -61,18 +60,21 @@ public class IndexController {
@ResponseBody @ResponseBody
@PermessionLimit(limit=false) @PermessionLimit(limit=false)
public ReturnT<String> loginDo(HttpServletRequest request, HttpServletResponse response, String userName, String password, String ifRemember){ public ReturnT<String> loginDo(HttpServletRequest request, HttpServletResponse response, String userName, String password, String ifRemember){
if (!PermissionInterceptor.ifLogin(request)) { // valid
if (StringUtils.isNotBlank(userName) && StringUtils.isNotBlank(password) if (PermissionInterceptor.ifLogin(request)) {
&& PropertiesUtil.getString("xxl.job.login.username").equals(userName) return ReturnT.SUCCESS;
&& PropertiesUtil.getString("xxl.job.login.password").equals(password)) { }
boolean ifRem = false;
if (StringUtils.isNotBlank(ifRemember) && "on".equals(ifRemember)) { // param
ifRem = true; if (StringUtils.isBlank(userName) || StringUtils.isBlank(password)){
} return new ReturnT<String>(500, "账号或密码为空");
PermissionInterceptor.login(response, ifRem); }
} else { boolean ifRem = (StringUtils.isNotBlank(ifRemember) && "on".equals(ifRemember))?true:false;
return new ReturnT<String>(500, "账号或密码错误");
} // do login
boolean loginRet = PermissionInterceptor.login(response, userName, password, ifRem);
if (!loginRet) {
return new ReturnT<String>(500, "账号或密码错误");
} }
return ReturnT.SUCCESS; return ReturnT.SUCCESS;
} }
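Review bot: The new `loginDo` has no Javadoc, and nothing in it slows or counts repeated failures against the single configured account, so the `账号或密码错误` branch can be hit as fast as a client can post; a short fixed delay on failure or a per-source attempt counter is worth adding before this ships. The `ifRem` line can be simplified without changing behavior, since `"on".equals(x)` is already false for a null or blank `x`: `boolean ifRem = "on".equals(ifRemember);`. A client that already holds a valid cookie gets `ReturnT.SUCCESS` from the `ifLogin` early return without its submitted credentials being checked, which is acceptable for an idempotent re-login but deserves a comment such as `// already authenticated: credentials in this request are intentionally ignored`. Suggested Javadoc: `/** Validates the submitted admin credentials and, on success, writes the login cookie; returns code 500 with a message when either field is blank or the credentials do not match. */`.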

@ -3,6 +3,7 @@ package com.xxl.job.admin.controller.interceptor;
import com.xxl.job.admin.controller.annotation.PermessionLimit; import com.xxl.job.admin.controller.annotation.PermessionLimit;
import com.xxl.job.admin.core.util.CookieUtil; import com.xxl.job.admin.core.util.CookieUtil;
import com.xxl.job.admin.core.util.PropertiesUtil; import com.xxl.job.admin.core.util.PropertiesUtil;
import org.apache.commons.codec.digest.DigestUtils;
import org.springframework.web.method.HandlerMethod; import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
@ -22,11 +23,25 @@ public class PermissionInterceptor extends HandlerInterceptorAdapter {
static { static {
String username = PropertiesUtil.getString("xxl.job.login.username"); String username = PropertiesUtil.getString("xxl.job.login.username");
String password = PropertiesUtil.getString("xxl.job.login.password"); String password = PropertiesUtil.getString("xxl.job.login.password");
String temp = username + "_" + password;
LOGIN_IDENTITY_TOKEN = new BigInteger(1, temp.getBytes()).toString(16); // login token
String tokenTmp = DigestUtils.md5Hex(username + "_" + password);
tokenTmp = new BigInteger(1, tokenTmp.getBytes()).toString(16);
LOGIN_IDENTITY_TOKEN = tokenTmp;
} }
public static boolean login(HttpServletResponse response, boolean ifRemember){ public static boolean login(HttpServletResponse response, String username, String password, boolean ifRemember){
// login token
String tokenTmp = DigestUtils.md5Hex(username + "_" + password);
tokenTmp = new BigInteger(1, tokenTmp.getBytes()).toString(16);
if (!LOGIN_IDENTITY_TOKEN.equals(tokenTmp)){
return false;
}
// do login
CookieUtil.set(response, LOGIN_IDENTITY_KEY, LOGIN_IDENTITY_TOKEN, ifRemember); CookieUtil.set(response, LOGIN_IDENTITY_KEY, LOGIN_IDENTITY_TOKEN, ifRemember);
return true; return true;
} }
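Review bot: The value written by `CookieUtil.set(response, LOGIN_IDENTITY_KEY, LOGIN_IDENTITY_TOKEN, ifRemember)` is still a deterministic, unsalted MD5 of `username + "_" + password`, so anyone who captures the cookie (XSS, proxy logs, a shared browser) holds an offline-crackable hash of the admin password and a credential that never expires and cannot be revoked short of changing the password — MD5 here is a hash, not the "encryption" the commit title suggests. A per-login random token (`SecureRandom` bytes, hex-encoded) remembered server-side and checked by `ifLogin` (which is outside this hunk and presumably compares the cookie to `LOGIN_IDENTITY_TOKEN`) would keep password-derived material out of the cookie entirely. Independently, the `tokenTmp = new BigInteger(1, tokenTmp.getBytes()).toString(16);` step in both the static block and `login()` only hex-encodes a string that `md5Hex` already returns as hex, doubling it to 64 characters and relying on the platform charset; it can be dropped. The `LOGIN_IDENTITY_TOKEN.equals(tokenTmp)` check should also be constant-time: `if (!MessageDigest.isEqual(LOGIN_IDENTITY_TOKEN.getBytes(StandardCharsets.UTF_8), tokenTmp.getBytes(StandardCharsets.UTF_8))) { return false; }`.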

@ -87,7 +87,6 @@ public class CookieUtil {
* @param request * @param request
* @param response * @param response
* @param key * @param key
* @param domainName
*/ */
public static void remove(HttpServletRequest request, HttpServletResponse response, String key) { public static void remove(HttpServletRequest request, HttpServletResponse response, String key) {
Cookie cookie = get(request, key); Cookie cookie = get(request, key);
