Authored by fangyeqing

ADD:add SignCheckAspect

  1 +package com.xkl.authorization.annotation;
  2 +
  3 +import java.lang.annotation.*;
  4 +
  5 +/**
  6 + * Created by win7 on 2016/11/20.
  7 + * 检查不同平台的签名
  8 + */
  9 +@Documented
  10 +@Retention(RetentionPolicy.RUNTIME)
  11 +@Target(ElementType.METHOD)
  12 +public @interface Sign {
  13 +}
  1 +package com.xkl.authorization.aspect;
  2 +
  3 +import com.xkl.repository.XklInterKeyRespository;
  4 +import com.xkl.security.SecurityTool;
  5 +import com.xkl.tools.UtilTools;
  6 +import lombok.extern.apachecommons.CommonsLog;
  7 +import org.aspectj.lang.JoinPoint;
  8 +import org.aspectj.lang.annotation.Aspect;
  9 +import org.aspectj.lang.annotation.Before;
  10 +import org.aspectj.lang.annotation.Pointcut;
  11 +import org.springframework.beans.factory.annotation.Autowired;
  12 +import org.springframework.stereotype.Service;
  13 +
  14 +import javax.servlet.http.HttpServletRequest;
  15 +import java.nio.file.AccessDeniedException;
  16 +import java.util.Collections;
  17 +import java.util.List;
  18 +import java.util.Map;
  19 +
  20 +/**
  21 + * Created by win7 on 2016/11/20.
  22 + *加密算法:
  23 + * t: 北京时间距离1970年1月1日的秒数
  24 + * key:(平台对应的key,此值喜开路管理员授予)
  25 + * str:业务参数数组,按参数名递增排序排列拼接,例如用户登陆接口,coid+password+username
  26 + * sign=md5(str+t+key),32位小写md5
  27 + * 需要验证:
  28 + * sign:是否正确
  29 + * t:是否过期,客户端与服务器时间必须为±300s以内,否则时间验证过期。
  30 + */
  31 +@Service
  32 +@Aspect
  33 +@CommonsLog
  34 +public class SignAspect {
  35 + @Autowired
  36 + private XklInterKeyRespository xklInterKeyRespository;
  37 +
  38 + /**
  39 + * 由接口传过来的type获取xkl_inter_key表中的key
  40 + * @param type
  41 + * @return
  42 + */
  43 + private String getKeyByType(int type){
  44 + int id = 0;
  45 + if(type == 1)
  46 + id = 1;
  47 + else
  48 + id = 2;
  49 + return xklInterKeyRespository.findById(id).getKey();
  50 + }
  51 + /**
  52 + * 定义切点,定位到@Sign注解的地方
  53 + */
  54 + @Pointcut("@annotation(com.xkl.authorization.annotation.Sign)")
  55 + public void signPointCut() {
  56 +
  57 + }
  58 +
  59 + @Before(value="signPointCut()")
  60 + public void beforeSign(JoinPoint joinPoint) throws Exception {
  61 + Object[] args = joinPoint.getArgs();
  62 +
  63 + //Controller中所有方法的参数,前两个分别为:Request,Response
  64 + HttpServletRequest request = (HttpServletRequest) args[0];
  65 + // HttpServletResponse response = (HttpServletResponse)args[1];
  66 + String sign = request.getParameter("sign");
  67 + long t = UtilTools._long(request.getParameter("t"));
  68 + int type = UtilTools._int(request.getParameter("type"));
  69 +
  70 + /**
  71 + * str为
  72 + * sign=md5(str+t+key)
  73 + */
  74 + Map<String,String[]> map=request.getParameterMap();
  75 + List<String> list=Collections.list(request.getParameterNames());
  76 + Collections.sort(list);
  77 + String str="";
  78 + for(String para:list){
  79 + if(!para.equals("sign")&&!para.equals("t")&&!para.equals("type"))
  80 + str += map.get(para)[0];
  81 + }
  82 +
  83 + String key = getKeyByType(type);
  84 + long t1= UtilTools.get10Second();
  85 + String sign1= SecurityTool.encode("MD5",str+t1+key);
  86 + /**
  87 + * 比较sign和过期时间
  88 + */
  89 + if(sign1.equals(sign)&&Math.abs(t1-t)<300){
  90 +
  91 + }else{
  92 + throw new Exception("您无权操作!");
  93 + }
  94 + }
  95 +}
@@ -21,6 +21,8 @@ import org.springframework.web.bind.annotation.RequestMethod; @@ -21,6 +21,8 @@ import org.springframework.web.bind.annotation.RequestMethod;
21 import org.springframework.web.bind.annotation.RequestParam; 21 import org.springframework.web.bind.annotation.RequestParam;
22 import org.springframework.web.bind.annotation.RestController; 22 import org.springframework.web.bind.annotation.RestController;
23 23
  24 +import javax.servlet.http.HttpServletRequest;
  25 +
24 /** 26 /**
25 * 获取和删除token的请求地址,在Restful设计中其实就对应着登录和退出登录的资源映射 27 * 获取和删除token的请求地址,在Restful设计中其实就对应着登录和退出登录的资源映射
26 */ 28 */
@@ -34,9 +36,11 @@ public class TokenController { @@ -34,9 +36,11 @@ public class TokenController {
34 @Autowired 36 @Autowired
35 private ITokenManager tokenManager; 37 private ITokenManager tokenManager;
36 38
  39 + //@Sign
37 @RequestMapping(method = RequestMethod.POST) 40 @RequestMapping(method = RequestMethod.POST)
38 @ApiOperation(value = "登录") 41 @ApiOperation(value = "登录")
39 - public ResponseEntity<ResultModel> login(@RequestParam String username, @RequestParam String password) { 42 + public ResponseEntity<ResultModel> login(HttpServletRequest request,@RequestParam String username, @RequestParam String password,
  43 + @RequestParam String sign,@RequestParam long t,@RequestParam int type) {
40 Assert.notNull(username, "username can not be empty"); 44 Assert.notNull(username, "username can not be empty");
41 Assert.notNull(password, "password can not be empty"); 45 Assert.notNull(password, "password can not be empty");
42 46
@@ -56,8 +60,10 @@ public class TokenController { @@ -56,8 +60,10 @@ public class TokenController {
56 return new ResponseEntity<>(ResultModel.ok(model), HttpStatus.OK); 60 return new ResponseEntity<>(ResultModel.ok(model), HttpStatus.OK);
57 } 61 }
58 62
59 - @RequestMapping(method = RequestMethod.DELETE) 63 +
60 @Authorization 64 @Authorization
  65 + //@Sign
  66 + @RequestMapping(method = RequestMethod.DELETE)
61 @ApiOperation(value = "退出登录") 67 @ApiOperation(value = "退出登录")
62 @ApiImplicitParams({ 68 @ApiImplicitParams({
63 @ApiImplicitParam(name = "authorization", value = "请输入登录返回信息:userId_tokens", required = true, dataType = "string", paramType = "header"), 69 @ApiImplicitParam(name = "authorization", value = "请输入登录返回信息:userId_tokens", required = true, dataType = "string", paramType = "header"),
@@ -2,6 +2,7 @@ package com.xkl.controller; @@ -2,6 +2,7 @@ package com.xkl.controller;
2 2
3 import com.xkl.authorization.annotation.Authorization; 3 import com.xkl.authorization.annotation.Authorization;
4 import com.xkl.authorization.annotation.CurrentUser; 4 import com.xkl.authorization.annotation.CurrentUser;
  5 +import com.xkl.authorization.annotation.Sign;
5 import com.xkl.authorization.manager.ITokenManager; 6 import com.xkl.authorization.manager.ITokenManager;
6 import com.xkl.config.ResultStatus; 7 import com.xkl.config.ResultStatus;
7 import com.xkl.domain.User; 8 import com.xkl.domain.User;
@@ -21,6 +22,8 @@ import org.springframework.web.bind.annotation.RequestMethod; @@ -21,6 +22,8 @@ import org.springframework.web.bind.annotation.RequestMethod;
21 import org.springframework.web.bind.annotation.RequestParam; 22 import org.springframework.web.bind.annotation.RequestParam;
22 import org.springframework.web.bind.annotation.RestController; 23 import org.springframework.web.bind.annotation.RestController;
23 24
  25 +import javax.servlet.http.HttpServletRequest;
  26 +
24 /** 27 /**
25 * Created by win7 on 2016/10/19. 28 * Created by win7 on 2016/10/19.
26 */ 29 */
@@ -33,9 +36,11 @@ public class UserInfoController { @@ -33,9 +36,11 @@ public class UserInfoController {
33 private ITokenManager tokenManager; 36 private ITokenManager tokenManager;
34 37
35 @AntiXSS 38 @AntiXSS
  39 + //@Sign
36 @RequestMapping(method = RequestMethod.POST) 40 @RequestMapping(method = RequestMethod.POST)
37 @ApiOperation(value = "注册") 41 @ApiOperation(value = "注册")
38 - public ResponseEntity<ResultModel> register(@RequestParam String username, @RequestParam String password) { 42 + public ResponseEntity<ResultModel> register(HttpServletRequest request,@RequestParam String username, @RequestParam String password,
  43 + @RequestParam String sign,@RequestParam long t,@RequestParam int type) {
39 Assert.notNull(username, "username can not be empty"); 44 Assert.notNull(username, "username can not be empty");
40 Assert.notNull(password, "password can not be empty"); 45 Assert.notNull(password, "password can not be empty");
41 46
@@ -56,14 +61,17 @@ public class UserInfoController { @@ -56,14 +61,17 @@ public class UserInfoController {
56 return new ResponseEntity<>(ResultModel.ok(), HttpStatus.OK); 61 return new ResponseEntity<>(ResultModel.ok(), HttpStatus.OK);
57 } 62 }
58 63
59 - @RequestMapping(method = RequestMethod.PUT) 64 +
60 @Authorization 65 @Authorization
61 @AntiXSS 66 @AntiXSS
  67 + //@Sign
  68 + @RequestMapping(method = RequestMethod.PUT)
62 @ApiOperation(value = "修改用户密码") 69 @ApiOperation(value = "修改用户密码")
63 @ApiImplicitParams({ 70 @ApiImplicitParams({
64 @ApiImplicitParam(name = "authorization", value = "请输入登录返回信息:userId_tokens", required = true, dataType = "string", paramType = "header"), 71 @ApiImplicitParam(name = "authorization", value = "请输入登录返回信息:userId_tokens", required = true, dataType = "string", paramType = "header"),
65 }) 72 })
66 - public ResponseEntity<ResultModel> modPassword(@CurrentUser User user,@RequestParam String password) { 73 + public ResponseEntity<ResultModel> modPassword(HttpServletRequest request,@CurrentUser User user,@RequestParam String password,
  74 + @RequestParam String sign,@RequestParam long t,@RequestParam int type) {
67 Assert.notNull(password, "password can not be empty"); 75 Assert.notNull(password, "password can not be empty");
68 String salt= SecurityTool.genSalt(); 76 String salt= SecurityTool.genSalt();
69 String pass=SecurityTool.getPassword(user.getUsername(),password,salt); 77 String pass=SecurityTool.getPassword(user.getUsername(),password,salt);
  1 +package com.xkl.domain;
  2 +
  3 +import lombok.Data;
  4 +
  5 +import javax.persistence.*;
  6 +
  7 +/**
  8 + * Created by win7 on 2016/11/20.
  9 + */
  10 +@Data
  11 +@Entity
  12 +@Table(name = "xkl_inter_key", schema = "hanhe_test", catalog = "")
  13 +public class XklInterKeyEntity {
  14 + @Id
  15 + @Column(name = "id")
  16 + private int id;
  17 + @Basic
  18 + @Column(name = "key")
  19 + private String key;
  20 + @Basic
  21 + @Column(name = "status")
  22 + private byte status;
  23 + @Basic
  24 + @Column(name = "note")
  25 + private String note;
  26 + @Basic
  27 + @Column(name = "company_id")
  28 + private int companyId;
  29 +}
  1 +package com.xkl.domain;
  2 +
  3 +import javax.persistence.*;
  4 +import java.io.Serializable;
  5 +import java.sql.Date;
  6 +
  7 +/**
  8 + * Created by win7 on 2016/11/20.
  9 + */
  10 +@Entity
  11 +@Table(name = "xkl_member", schema = "hanhe_test", catalog = "")
  12 +public class XklMemberEntity {
  13 + @Id
  14 + @Column(name = "id")
  15 + private int id;
  16 + @Basic
  17 + @Column(name = "name")
  18 + private String name;
  19 + @Basic
  20 + @Column(name = "sex")
  21 + private Byte sex;
  22 + @Basic
  23 + @Column(name = "birth_date")
  24 + private Date birthDate;
  25 + @Basic
  26 + @Column(name = "idcard")
  27 + private String idcard;
  28 + @Basic
  29 + @Column(name = "phone")
  30 + private String phone;
  31 + @Basic
  32 + @Column(name = "register_time")
  33 + private String registerTime;
  34 + @Basic
  35 + @Column(name = "company_id")
  36 + private int companyId;
  37 + @Basic
  38 + @Column(name = "province")
  39 + private int province;
  40 + @Basic
  41 + @Column(name = "city")
  42 + private int city;
  43 + @Basic
  44 + @Column(name = "country")
  45 + private int country;
  46 + @Basic
  47 + @Column(name = "register_by")
  48 + private int registerBy;
  49 + @Basic
  50 + @Column(name = "status")
  51 + private Byte status;
  52 +}
  1 +package com.xkl.repository;
  2 +
  3 +import com.xkl.domain.User;
  4 +import com.xkl.domain.XklInterKeyEntity;
  5 +import org.springframework.data.repository.CrudRepository;
  6 +
  7 +/**
  8 + * Created by win7 on 2016/11/20.
  9 + */
  10 +public interface XklInterKeyRespository extends CrudRepository<XklInterKeyEntity, Long> {
  11 + public XklInterKeyEntity findById(int companyId);
  12 +}
  1 +package com.xkl.tools;
  2 +
  3 +import org.joda.time.DateTime;
  4 +
  5 +import java.sql.Timestamp;
  6 +import java.text.SimpleDateFormat;
  7 +import java.util.Calendar;
  8 +import java.util.Date;
  9 +import java.util.Locale;
  10 +
  11 +/**
  12 + * Created by win7 on 2016/11/20.
  13 + */
  14 +public class UtilTools {
  15 + /**
  16 + * support time format yyyy-MM-dd'T'HH:mm:ss.SSS
  17 + *
  18 + * @param timestamp
  19 + * @return
  20 + * @throws Exception
  21 + */
  22 + public static int getTime(String timestamp) throws Exception {
  23 + SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS", Locale.CHINA);
  24 + Date time = format.parse(timestamp);
  25 + SimpleDateFormat dayFormat = new SimpleDateFormat("yyyyMMdd");
  26 + return Integer.parseInt(dayFormat.format(time));
  27 + }
  28 + public static Timestamp getTimestamp(String timestamp) throws Exception {
  29 + SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS", Locale.CHINA);
  30 + Date time = format.parse(timestamp);
  31 + return new Timestamp(time.getTime());
  32 + }
  33 + public static DateTime getDateTime(String timestamp) throws Exception {
  34 + SimpleDateFormat format = new SimpleDateFormat("yyyyMMddHH");
  35 + Date time = format.parse(timestamp);
  36 + return new DateTime(time.getTime());
  37 + }
  38 +
  39 + public static int getDay(Timestamp timestamp) {
  40 + SimpleDateFormat dayFormat = new SimpleDateFormat("yyyyMMdd");
  41 + return Integer.parseInt(dayFormat.format(new Date(timestamp.getTime())));
  42 + }
  43 +
  44 + public static int getHour(Timestamp timestamp) {
  45 + SimpleDateFormat dayFormat = new SimpleDateFormat("yyyyMMddHH");
  46 + return Integer.parseInt(dayFormat.format(new Date(timestamp.getTime())));
  47 + }
  48 +
  49 + public static long get13Second(){
  50 + Calendar c = Calendar.getInstance();//可以对每个时间域单独修改
  51 + long a=c.getTimeInMillis();
  52 + return a;
  53 + }
  54 +
  55 + public static long get10Second(){
  56 + Calendar c = Calendar.getInstance();//可以对每个时间域单独修改
  57 + long a=c.getTimeInMillis()/1000;
  58 + return a;
  59 + }
  60 +
  61 + public static long _long(String value) {
  62 + if (value == null || "null".equals(value)) {
  63 + return 0;
  64 + }
  65 + try {
  66 + return Long.parseLong(value.toString());
  67 + } catch (Exception e) {
  68 + return 0;
  69 + }
  70 + }
  71 + public static long _long(Object value) {
  72 + if (value == null || "null".equals(value)) {
  73 + return 0;
  74 + }
  75 + try {
  76 + return Long.parseLong(value.toString());
  77 + } catch (Exception e) {
  78 + return 0;
  79 + }
  80 + }
  81 +
  82 + public static int _int(String value) {
  83 + if (value == null || "null".equals(value)) {
  84 + return 0;
  85 + }
  86 + try {
  87 + return Integer.parseInt(value.toString());
  88 + } catch (Exception e) {
  89 + return 0;
  90 + }
  91 + }
  92 + public static Double _double(String value) {
  93 + if (value == null || "null".equals(value)) {
  94 + return 0.0;
  95 + }
  96 + try {
  97 + return Double.parseDouble(value.toString());
  98 + } catch (Exception e) {
  99 + return 0.0;
  100 + }
  101 + }
  102 +
  103 + public static String _string(Object object) {
  104 + if (object == null || "null".equals(object)) {
  105 + return "";
  106 + }
  107 + return object.toString();
  108 + }
  109 +
  110 +
  111 +}