ADD:add SignCheckAspect
Showing
8 changed files
with
331 additions
and
5 deletions
1 | +package com.xkl.authorization.aspect; | ||
2 | + | ||
3 | +import com.xkl.repository.XklInterKeyRespository; | ||
4 | +import com.xkl.security.SecurityTool; | ||
5 | +import com.xkl.tools.UtilTools; | ||
6 | +import lombok.extern.apachecommons.CommonsLog; | ||
7 | +import org.aspectj.lang.JoinPoint; | ||
8 | +import org.aspectj.lang.annotation.Aspect; | ||
9 | +import org.aspectj.lang.annotation.Before; | ||
10 | +import org.aspectj.lang.annotation.Pointcut; | ||
11 | +import org.springframework.beans.factory.annotation.Autowired; | ||
12 | +import org.springframework.stereotype.Service; | ||
13 | + | ||
14 | +import javax.servlet.http.HttpServletRequest; | ||
15 | +import java.nio.file.AccessDeniedException; | ||
16 | +import java.util.Collections; | ||
17 | +import java.util.List; | ||
18 | +import java.util.Map; | ||
19 | + | ||
20 | +/** | ||
21 | + * Created by win7 on 2016/11/20. | ||
22 | + *加密算法: | ||
23 | + * t: 北京时间距离1970年1月1日的秒数 | ||
24 | + * key:(平台对应的key,此值喜开路管理员授予) | ||
25 | + * str:业务参数数组,按参数名递增排序排列拼接,例如用户登陆接口,coid+password+username | ||
26 | + * sign=md5(str+t+key),32位小写md5 | ||
27 | + * 需要验证: | ||
28 | + * sign:是否正确 | ||
29 | + * t:是否过期,客户端与服务器时间必须为±300s以内,否则时间验证过期。 | ||
30 | + */ | ||
31 | +@Service | ||
32 | +@Aspect | ||
33 | +@CommonsLog | ||
34 | +public class SignAspect { | ||
35 | + @Autowired | ||
36 | + private XklInterKeyRespository xklInterKeyRespository; | ||
37 | + | ||
38 | + /** | ||
39 | + * 由接口传过来的type获取xkl_inter_key表中的key | ||
40 | + * @param type | ||
41 | + * @return | ||
42 | + */ | ||
43 | + private String getKeyByType(int type){ | ||
44 | + int id = 0; | ||
45 | + if(type == 1) | ||
46 | + id = 1; | ||
47 | + else | ||
48 | + id = 2; | ||
49 | + return xklInterKeyRespository.findById(id).getKey(); | ||
50 | + } | ||
51 | + /** | ||
52 | + * 定义切点,定位到@Sign注解的地方 | ||
53 | + */ | ||
54 | + @Pointcut("@annotation(com.xkl.authorization.annotation.Sign)") | ||
55 | + public void signPointCut() { | ||
56 | + | ||
57 | + } | ||
58 | + | ||
59 | + @Before(value="signPointCut()") | ||
60 | + public void beforeSign(JoinPoint joinPoint) throws Exception { | ||
61 | + Object[] args = joinPoint.getArgs(); | ||
62 | + | ||
63 | + //Controller中所有方法的参数,前两个分别为:Request,Response | ||
64 | + HttpServletRequest request = (HttpServletRequest) args[0]; | ||
65 | + // HttpServletResponse response = (HttpServletResponse)args[1]; | ||
66 | + String sign = request.getParameter("sign"); | ||
67 | + long t = UtilTools._long(request.getParameter("t")); | ||
68 | + int type = UtilTools._int(request.getParameter("type")); | ||
69 | + | ||
70 | + /** | ||
71 | + * str为 | ||
72 | + * sign=md5(str+t+key) | ||
73 | + */ | ||
74 | + Map<String,String[]> map=request.getParameterMap(); | ||
75 | + List<String> list=Collections.list(request.getParameterNames()); | ||
76 | + Collections.sort(list); | ||
77 | + String str=""; | ||
78 | + for(String para:list){ | ||
79 | + if(!para.equals("sign")&&!para.equals("t")&&!para.equals("type")) | ||
80 | + str += map.get(para)[0]; | ||
81 | + } | ||
82 | + | ||
83 | + String key = getKeyByType(type); | ||
84 | + long t1= UtilTools.get10Second(); | ||
85 | + String sign1= SecurityTool.encode("MD5",str+t1+key); | ||
86 | + /** | ||
87 | + * 比较sign和过期时间 | ||
88 | + */ | ||
89 | + if(sign1.equals(sign)&&Math.abs(t1-t)<300){ | ||
90 | + | ||
91 | + }else{ | ||
92 | + throw new Exception("您无权操作!"); | ||
93 | + } | ||
94 | + } | ||
95 | +} |
@@ -21,6 +21,8 @@ import org.springframework.web.bind.annotation.RequestMethod; | @@ -21,6 +21,8 @@ import org.springframework.web.bind.annotation.RequestMethod; | ||
21 | import org.springframework.web.bind.annotation.RequestParam; | 21 | import org.springframework.web.bind.annotation.RequestParam; |
22 | import org.springframework.web.bind.annotation.RestController; | 22 | import org.springframework.web.bind.annotation.RestController; |
23 | 23 | ||
24 | +import javax.servlet.http.HttpServletRequest; | ||
25 | + | ||
24 | /** | 26 | /** |
25 | * 获取和删除token的请求地址,在Restful设计中其实就对应着登录和退出登录的资源映射 | 27 | * 获取和删除token的请求地址,在Restful设计中其实就对应着登录和退出登录的资源映射 |
26 | */ | 28 | */ |
@@ -34,9 +36,11 @@ public class TokenController { | @@ -34,9 +36,11 @@ public class TokenController { | ||
34 | @Autowired | 36 | @Autowired |
35 | private ITokenManager tokenManager; | 37 | private ITokenManager tokenManager; |
36 | 38 | ||
39 | + //@Sign | ||
37 | @RequestMapping(method = RequestMethod.POST) | 40 | @RequestMapping(method = RequestMethod.POST) |
38 | @ApiOperation(value = "登录") | 41 | @ApiOperation(value = "登录") |
39 | - public ResponseEntity<ResultModel> login(@RequestParam String username, @RequestParam String password) { | 42 | + public ResponseEntity<ResultModel> login(HttpServletRequest request,@RequestParam String username, @RequestParam String password, |
43 | + @RequestParam String sign,@RequestParam long t,@RequestParam int type) { | ||
40 | Assert.notNull(username, "username can not be empty"); | 44 | Assert.notNull(username, "username can not be empty"); |
41 | Assert.notNull(password, "password can not be empty"); | 45 | Assert.notNull(password, "password can not be empty"); |
42 | 46 | ||
@@ -56,8 +60,10 @@ public class TokenController { | @@ -56,8 +60,10 @@ public class TokenController { | ||
56 | return new ResponseEntity<>(ResultModel.ok(model), HttpStatus.OK); | 60 | return new ResponseEntity<>(ResultModel.ok(model), HttpStatus.OK); |
57 | } | 61 | } |
58 | 62 | ||
59 | - @RequestMapping(method = RequestMethod.DELETE) | 63 | + |
60 | @Authorization | 64 | @Authorization |
65 | + //@Sign | ||
66 | + @RequestMapping(method = RequestMethod.DELETE) | ||
61 | @ApiOperation(value = "退出登录") | 67 | @ApiOperation(value = "退出登录") |
62 | @ApiImplicitParams({ | 68 | @ApiImplicitParams({ |
63 | @ApiImplicitParam(name = "authorization", value = "请输入登录返回信息:userId_tokens", required = true, dataType = "string", paramType = "header"), | 69 | @ApiImplicitParam(name = "authorization", value = "请输入登录返回信息:userId_tokens", required = true, dataType = "string", paramType = "header"), |
@@ -2,6 +2,7 @@ package com.xkl.controller; | @@ -2,6 +2,7 @@ package com.xkl.controller; | ||
2 | 2 | ||
3 | import com.xkl.authorization.annotation.Authorization; | 3 | import com.xkl.authorization.annotation.Authorization; |
4 | import com.xkl.authorization.annotation.CurrentUser; | 4 | import com.xkl.authorization.annotation.CurrentUser; |
5 | +import com.xkl.authorization.annotation.Sign; | ||
5 | import com.xkl.authorization.manager.ITokenManager; | 6 | import com.xkl.authorization.manager.ITokenManager; |
6 | import com.xkl.config.ResultStatus; | 7 | import com.xkl.config.ResultStatus; |
7 | import com.xkl.domain.User; | 8 | import com.xkl.domain.User; |
@@ -21,6 +22,8 @@ import org.springframework.web.bind.annotation.RequestMethod; | @@ -21,6 +22,8 @@ import org.springframework.web.bind.annotation.RequestMethod; | ||
21 | import org.springframework.web.bind.annotation.RequestParam; | 22 | import org.springframework.web.bind.annotation.RequestParam; |
22 | import org.springframework.web.bind.annotation.RestController; | 23 | import org.springframework.web.bind.annotation.RestController; |
23 | 24 | ||
25 | +import javax.servlet.http.HttpServletRequest; | ||
26 | + | ||
24 | /** | 27 | /** |
25 | * Created by win7 on 2016/10/19. | 28 | * Created by win7 on 2016/10/19. |
26 | */ | 29 | */ |
@@ -33,9 +36,11 @@ public class UserInfoController { | @@ -33,9 +36,11 @@ public class UserInfoController { | ||
33 | private ITokenManager tokenManager; | 36 | private ITokenManager tokenManager; |
34 | 37 | ||
35 | @AntiXSS | 38 | @AntiXSS |
39 | + //@Sign | ||
36 | @RequestMapping(method = RequestMethod.POST) | 40 | @RequestMapping(method = RequestMethod.POST) |
37 | @ApiOperation(value = "注册") | 41 | @ApiOperation(value = "注册") |
38 | - public ResponseEntity<ResultModel> register(@RequestParam String username, @RequestParam String password) { | 42 | + public ResponseEntity<ResultModel> register(HttpServletRequest request,@RequestParam String username, @RequestParam String password, |
43 | + @RequestParam String sign,@RequestParam long t,@RequestParam int type) { | ||
39 | Assert.notNull(username, "username can not be empty"); | 44 | Assert.notNull(username, "username can not be empty"); |
40 | Assert.notNull(password, "password can not be empty"); | 45 | Assert.notNull(password, "password can not be empty"); |
41 | 46 | ||
@@ -56,14 +61,17 @@ public class UserInfoController { | @@ -56,14 +61,17 @@ public class UserInfoController { | ||
56 | return new ResponseEntity<>(ResultModel.ok(), HttpStatus.OK); | 61 | return new ResponseEntity<>(ResultModel.ok(), HttpStatus.OK); |
57 | } | 62 | } |
58 | 63 | ||
59 | - @RequestMapping(method = RequestMethod.PUT) | 64 | + |
60 | @Authorization | 65 | @Authorization |
61 | @AntiXSS | 66 | @AntiXSS |
67 | + //@Sign | ||
68 | + @RequestMapping(method = RequestMethod.PUT) | ||
62 | @ApiOperation(value = "修改用户密码") | 69 | @ApiOperation(value = "修改用户密码") |
63 | @ApiImplicitParams({ | 70 | @ApiImplicitParams({ |
64 | @ApiImplicitParam(name = "authorization", value = "请输入登录返回信息:userId_tokens", required = true, dataType = "string", paramType = "header"), | 71 | @ApiImplicitParam(name = "authorization", value = "请输入登录返回信息:userId_tokens", required = true, dataType = "string", paramType = "header"), |
65 | }) | 72 | }) |
66 | - public ResponseEntity<ResultModel> modPassword(@CurrentUser User user,@RequestParam String password) { | 73 | + public ResponseEntity<ResultModel> modPassword(HttpServletRequest request,@CurrentUser User user,@RequestParam String password, |
74 | + @RequestParam String sign,@RequestParam long t,@RequestParam int type) { | ||
67 | Assert.notNull(password, "password can not be empty"); | 75 | Assert.notNull(password, "password can not be empty"); |
68 | String salt= SecurityTool.genSalt(); | 76 | String salt= SecurityTool.genSalt(); |
69 | String pass=SecurityTool.getPassword(user.getUsername(),password,salt); | 77 | String pass=SecurityTool.getPassword(user.getUsername(),password,salt); |
1 | +package com.xkl.domain; | ||
2 | + | ||
3 | +import lombok.Data; | ||
4 | + | ||
5 | +import javax.persistence.*; | ||
6 | + | ||
7 | +/** | ||
8 | + * Created by win7 on 2016/11/20. | ||
9 | + */ | ||
10 | +@Data | ||
11 | +@Entity | ||
12 | +@Table(name = "xkl_inter_key", schema = "hanhe_test", catalog = "") | ||
13 | +public class XklInterKeyEntity { | ||
14 | + @Id | ||
15 | + @Column(name = "id") | ||
16 | + private int id; | ||
17 | + @Basic | ||
18 | + @Column(name = "key") | ||
19 | + private String key; | ||
20 | + @Basic | ||
21 | + @Column(name = "status") | ||
22 | + private byte status; | ||
23 | + @Basic | ||
24 | + @Column(name = "note") | ||
25 | + private String note; | ||
26 | + @Basic | ||
27 | + @Column(name = "company_id") | ||
28 | + private int companyId; | ||
29 | +} |
1 | +package com.xkl.domain; | ||
2 | + | ||
3 | +import javax.persistence.*; | ||
4 | +import java.io.Serializable; | ||
5 | +import java.sql.Date; | ||
6 | + | ||
7 | +/** | ||
8 | + * Created by win7 on 2016/11/20. | ||
9 | + */ | ||
10 | +@Entity | ||
11 | +@Table(name = "xkl_member", schema = "hanhe_test", catalog = "") | ||
12 | +public class XklMemberEntity { | ||
13 | + @Id | ||
14 | + @Column(name = "id") | ||
15 | + private int id; | ||
16 | + @Basic | ||
17 | + @Column(name = "name") | ||
18 | + private String name; | ||
19 | + @Basic | ||
20 | + @Column(name = "sex") | ||
21 | + private Byte sex; | ||
22 | + @Basic | ||
23 | + @Column(name = "birth_date") | ||
24 | + private Date birthDate; | ||
25 | + @Basic | ||
26 | + @Column(name = "idcard") | ||
27 | + private String idcard; | ||
28 | + @Basic | ||
29 | + @Column(name = "phone") | ||
30 | + private String phone; | ||
31 | + @Basic | ||
32 | + @Column(name = "register_time") | ||
33 | + private String registerTime; | ||
34 | + @Basic | ||
35 | + @Column(name = "company_id") | ||
36 | + private int companyId; | ||
37 | + @Basic | ||
38 | + @Column(name = "province") | ||
39 | + private int province; | ||
40 | + @Basic | ||
41 | + @Column(name = "city") | ||
42 | + private int city; | ||
43 | + @Basic | ||
44 | + @Column(name = "country") | ||
45 | + private int country; | ||
46 | + @Basic | ||
47 | + @Column(name = "register_by") | ||
48 | + private int registerBy; | ||
49 | + @Basic | ||
50 | + @Column(name = "status") | ||
51 | + private Byte status; | ||
52 | +} |
1 | +package com.xkl.repository; | ||
2 | + | ||
3 | +import com.xkl.domain.User; | ||
4 | +import com.xkl.domain.XklInterKeyEntity; | ||
5 | +import org.springframework.data.repository.CrudRepository; | ||
6 | + | ||
7 | +/** | ||
8 | + * Created by win7 on 2016/11/20. | ||
9 | + */ | ||
10 | +public interface XklInterKeyRespository extends CrudRepository<XklInterKeyEntity, Long> { | ||
11 | + public XklInterKeyEntity findById(int companyId); | ||
12 | +} |
src/main/java/com/xkl/tools/UtilTools.java
0 → 100644
1 | +package com.xkl.tools; | ||
2 | + | ||
3 | +import org.joda.time.DateTime; | ||
4 | + | ||
5 | +import java.sql.Timestamp; | ||
6 | +import java.text.SimpleDateFormat; | ||
7 | +import java.util.Calendar; | ||
8 | +import java.util.Date; | ||
9 | +import java.util.Locale; | ||
10 | + | ||
11 | +/** | ||
12 | + * Created by win7 on 2016/11/20. | ||
13 | + */ | ||
14 | +public class UtilTools { | ||
15 | + /** | ||
16 | + * support time format yyyy-MM-dd'T'HH:mm:ss.SSS | ||
17 | + * | ||
18 | + * @param timestamp | ||
19 | + * @return | ||
20 | + * @throws Exception | ||
21 | + */ | ||
22 | + public static int getTime(String timestamp) throws Exception { | ||
23 | + SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS", Locale.CHINA); | ||
24 | + Date time = format.parse(timestamp); | ||
25 | + SimpleDateFormat dayFormat = new SimpleDateFormat("yyyyMMdd"); | ||
26 | + return Integer.parseInt(dayFormat.format(time)); | ||
27 | + } | ||
28 | + public static Timestamp getTimestamp(String timestamp) throws Exception { | ||
29 | + SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS", Locale.CHINA); | ||
30 | + Date time = format.parse(timestamp); | ||
31 | + return new Timestamp(time.getTime()); | ||
32 | + } | ||
33 | + public static DateTime getDateTime(String timestamp) throws Exception { | ||
34 | + SimpleDateFormat format = new SimpleDateFormat("yyyyMMddHH"); | ||
35 | + Date time = format.parse(timestamp); | ||
36 | + return new DateTime(time.getTime()); | ||
37 | + } | ||
38 | + | ||
39 | + public static int getDay(Timestamp timestamp) { | ||
40 | + SimpleDateFormat dayFormat = new SimpleDateFormat("yyyyMMdd"); | ||
41 | + return Integer.parseInt(dayFormat.format(new Date(timestamp.getTime()))); | ||
42 | + } | ||
43 | + | ||
44 | + public static int getHour(Timestamp timestamp) { | ||
45 | + SimpleDateFormat dayFormat = new SimpleDateFormat("yyyyMMddHH"); | ||
46 | + return Integer.parseInt(dayFormat.format(new Date(timestamp.getTime()))); | ||
47 | + } | ||
48 | + | ||
49 | + public static long get13Second(){ | ||
50 | + Calendar c = Calendar.getInstance();//可以对每个时间域单独修改 | ||
51 | + long a=c.getTimeInMillis(); | ||
52 | + return a; | ||
53 | + } | ||
54 | + | ||
55 | + public static long get10Second(){ | ||
56 | + Calendar c = Calendar.getInstance();//可以对每个时间域单独修改 | ||
57 | + long a=c.getTimeInMillis()/1000; | ||
58 | + return a; | ||
59 | + } | ||
60 | + | ||
61 | + public static long _long(String value) { | ||
62 | + if (value == null || "null".equals(value)) { | ||
63 | + return 0; | ||
64 | + } | ||
65 | + try { | ||
66 | + return Long.parseLong(value.toString()); | ||
67 | + } catch (Exception e) { | ||
68 | + return 0; | ||
69 | + } | ||
70 | + } | ||
71 | + public static long _long(Object value) { | ||
72 | + if (value == null || "null".equals(value)) { | ||
73 | + return 0; | ||
74 | + } | ||
75 | + try { | ||
76 | + return Long.parseLong(value.toString()); | ||
77 | + } catch (Exception e) { | ||
78 | + return 0; | ||
79 | + } | ||
80 | + } | ||
81 | + | ||
82 | + public static int _int(String value) { | ||
83 | + if (value == null || "null".equals(value)) { | ||
84 | + return 0; | ||
85 | + } | ||
86 | + try { | ||
87 | + return Integer.parseInt(value.toString()); | ||
88 | + } catch (Exception e) { | ||
89 | + return 0; | ||
90 | + } | ||
91 | + } | ||
92 | + public static Double _double(String value) { | ||
93 | + if (value == null || "null".equals(value)) { | ||
94 | + return 0.0; | ||
95 | + } | ||
96 | + try { | ||
97 | + return Double.parseDouble(value.toString()); | ||
98 | + } catch (Exception e) { | ||
99 | + return 0.0; | ||
100 | + } | ||
101 | + } | ||
102 | + | ||
103 | + public static String _string(Object object) { | ||
104 | + if (object == null || "null".equals(object)) { | ||
105 | + return ""; | ||
106 | + } | ||
107 | + return object.toString(); | ||
108 | + } | ||
109 | + | ||
110 | + | ||
111 | +} |
-
Please register or login to post a comment