系统安全性优化,登陆Token写Cookie时进行MD5加密,同时Cookie启用HttpOnly;

pull/6/head
xuxueli 7 years ago
parent 3569b1422c
commit badcf6e3cb

@ -1101,7 +1101,7 @@ Tips: 历史版本(V1.3.x)目前已经Release至稳定版本, 进入维护阶段
- 24、Log地址格式兼容支持非"/"结尾路径配置; - 24、Log地址格式兼容支持非"/"结尾路径配置;
- 25、底层系统日志级别规范调整清理遗留代码 - 25、底层系统日志级别规范调整清理遗留代码
- 26、建表SQL优化支持同步创建制定编码的库和表 - 26、建表SQL优化支持同步创建制定编码的库和表
- 27、系统安全性优化登陆Token写Cookie时进行MD5加密 - 27、系统安全性优化登陆Token写Cookie时进行MD5加密同时Cookie启用HttpOnly
### TODO LIST ### TODO LIST

@ -18,6 +18,7 @@ import java.math.BigInteger;
*/ */
public class PermissionInterceptor extends HandlerInterceptorAdapter { public class PermissionInterceptor extends HandlerInterceptorAdapter {
public static final String LOGIN_IDENTITY_KEY = "XXL_JOB_LOGIN_IDENTITY"; public static final String LOGIN_IDENTITY_KEY = "XXL_JOB_LOGIN_IDENTITY";
public static final String LOGIN_IDENTITY_TOKEN; public static final String LOGIN_IDENTITY_TOKEN;
static { static {
@ -31,6 +32,8 @@ public class PermissionInterceptor extends HandlerInterceptorAdapter {
LOGIN_IDENTITY_TOKEN = tokenTmp; LOGIN_IDENTITY_TOKEN = tokenTmp;
} }
public static boolean login(HttpServletResponse response, String username, String password, boolean ifRemember){ public static boolean login(HttpServletResponse response, String username, String password, boolean ifRemember){
// login token // login token
@ -56,6 +59,8 @@ public class PermissionInterceptor extends HandlerInterceptorAdapter {
return true; return true;
} }
@Override @Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

@ -6,9 +6,11 @@ import javax.servlet.http.HttpServletResponse;
/** /**
* Cookie.Util * Cookie.Util
*
* @author xuxueli 2015-12-12 18:01:06 * @author xuxueli 2015-12-12 18:01:06
*/ */
public class CookieUtil { public class CookieUtil {
// 默认缓存时间,单位/秒, 2H // 默认缓存时间,单位/秒, 2H
private static final int COOKIE_MAX_AGE = 60 * 60 * 2; private static final int COOKIE_MAX_AGE = 60 * 60 * 2;
// 保存路径,根路径 // 保存路径,根路径
@ -16,43 +18,39 @@ public class CookieUtil {
/** /**
* *
*
* @param response * @param response
* @param key * @param key
* @param value * @param value
* @param ifRemember * @param ifRemember
*/ */
public static void set(HttpServletResponse response, String key, String value, boolean ifRemember) { public static void set(HttpServletResponse response, String key, String value, boolean ifRemember) {
int age = ifRemember?COOKIE_MAX_AGE:-1;
int age = COOKIE_MAX_AGE; set(response, key, value, null, COOKIE_PATH, age, true);
if (ifRemember) {
age = COOKIE_MAX_AGE;
} else {
age = -1;
}
Cookie cookie = new Cookie(key, value);
cookie.setMaxAge(age); // Cookie过期时间,单位/秒
cookie.setPath(COOKIE_PATH); // Cookie适用的路径
response.addCookie(cookie);
} }
/** /**
* *
*
* @param response * @param response
* @param key * @param key
* @param value * @param value
* @param maxAge * @param maxAge
*/ */
private static void set(HttpServletResponse response, private static void set(HttpServletResponse response, String key, String value, String domain, String path, int maxAge, boolean isHttpOnly) {
String key, String value, int maxAge, String path) {
Cookie cookie = new Cookie(key, value); Cookie cookie = new Cookie(key, value);
cookie.setMaxAge(maxAge); // Cookie过期时间,单位/秒 if (domain != null) {
cookie.setPath(path); // Cookie适用的路径 cookie.setDomain(domain);
}
cookie.setPath(path);
cookie.setMaxAge(maxAge);
cookie.setHttpOnly(isHttpOnly);
response.addCookie(cookie); response.addCookie(cookie);
} }
/** /**
* value * value
*
* @param request * @param request
* @param key * @param key
* @return * @return
@ -67,6 +65,7 @@ public class CookieUtil {
/** /**
* Cookie * Cookie
*
* @param request * @param request
* @param key * @param key
*/ */
@ -84,6 +83,7 @@ public class CookieUtil {
/** /**
* Cookie * Cookie
*
* @param request * @param request
* @param response * @param response
* @param key * @param key
@ -91,7 +91,7 @@ public class CookieUtil {
public static void remove(HttpServletRequest request, HttpServletResponse response, String key) { public static void remove(HttpServletRequest request, HttpServletResponse response, String key) {
Cookie cookie = get(request, key); Cookie cookie = get(request, key);
if (cookie != null) { if (cookie != null) {
set(response, key, "", 0, COOKIE_PATH); set(response, key, "", null, COOKIE_PATH, 0, true);
} }
} }
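Review bot: The new overload `set(HttpServletResponse, String, String, String, String, int, boolean)` sets HttpOnly but never sets the Secure attribute, so the login cookie written through the `ifRemember` wrapper (and the expiring cookie written by `remove`) is still transmitted over cleartext HTTP, where HttpOnly does nothing against interception. Where the console is served over HTTPS, add a companion flag — `cookie.setSecure(isSecure);` right after `cookie.setHttpOnly(isHttpOnly);` — and pass it from both callers; whether TLS terminates in front of this application cannot be seen from the diff, so the value may need to stay configurable rather than hard-coded `true`. The Javadoc above the overload still documents only `response`, `key`, `value` and `maxAge`; the new `domain`, `path` and `isHttpOnly` parameters need `@param` entries, e.g. `@param isHttpOnly when true the cookie is not exposed to client-side script`. Minor style: `int age = ifRemember?COOKIE_MAX_AGE:-1;` is easier to read spaced as `int age = ifRemember ? COOKIE_MAX_AGE : -1;`, and a one-word comment that `-1` means a session cookie would save the next reader a lookup.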
