package com.ruoyi.gateway.filter;
|
|
import java.nio.charset.StandardCharsets;
|
import java.util.*;
|
import java.util.concurrent.atomic.AtomicReference;
|
|
import com.alibaba.fastjson.JSON;
|
import com.alibaba.fastjson.JSONObject;
|
import com.ruoyi.common.core.constant.HttpStatus;
|
import com.ruoyi.common.core.constant.TokenConstants;
|
import com.ruoyi.common.core.utils.ServletUtils;
|
import org.apache.commons.codec.binary.Base64;
|
import org.slf4j.Logger;
|
import org.slf4j.LoggerFactory;
|
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Value;
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
|
import org.springframework.cloud.gateway.filter.GlobalFilter;
|
import org.springframework.core.Ordered;
|
import org.springframework.core.io.buffer.DataBuffer;
|
import org.springframework.core.io.buffer.DataBufferFactory;
|
import org.springframework.core.io.buffer.DataBufferUtils;
|
import org.springframework.core.io.buffer.DefaultDataBufferFactory;
|
import org.springframework.core.io.buffer.NettyDataBufferFactory;
|
import org.springframework.http.HttpHeaders;
|
import org.springframework.http.HttpMethod;
|
import org.springframework.http.MediaType;
|
import org.springframework.http.server.reactive.ServerHttpRequest;
|
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
|
import org.springframework.stereotype.Component;
|
import org.springframework.web.server.ServerWebExchange;
|
import com.ruoyi.common.core.utils.StringUtils;
|
import com.ruoyi.common.core.utils.html.EscapeUtil;
|
import com.ruoyi.gateway.config.properties.XssProperties;
|
import io.netty.buffer.ByteBufAllocator;
|
import reactor.core.publisher.Flux;
|
import reactor.core.publisher.Mono;
|
|
/**
|
* 跨站脚本过滤器
|
*
|
* @author ruoyi
|
*/
|
@Component
|
@ConditionalOnProperty(value = "security.xss.enabled", havingValue = "true")
|
public class XssFilter implements GlobalFilter, Ordered
|
{
|
private static final Logger log = LoggerFactory.getLogger(XssFilter.class);
|
// 跨站脚本的 xss 配置,nacos自行添加
|
@Autowired
|
private XssProperties xss;
|
|
@Value("${security.sign}")
|
private boolean parameter_signature;
|
|
@Override
|
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain)
|
{
|
ServerHttpRequest request = exchange.getRequest();
|
// xss开关未开启 或 通过nacos关闭,不过滤
|
if (!xss.getEnabled())
|
{
|
return chain.filter(exchange);
|
}
|
// GET DELETE 不过滤
|
HttpMethod method = request.getMethod();
|
if (method == null || method == HttpMethod.GET || method == HttpMethod.DELETE)
|
{
|
return chain.filter(exchange);
|
}
|
// 非json类型,不过滤
|
if (!isJsonRequest(exchange))
|
{
|
return chain.filter(exchange);
|
}
|
// excludeUrls 不过滤
|
String url = request.getURI().getPath();
|
if (StringUtils.matches(url, xss.getExcludeUrls()))
|
{
|
return chain.filter(exchange);
|
}
|
ServerHttpRequestDecorator httpRequestDecorator = requestDecorator(exchange);
|
if(parameter_signature && !authSign(httpRequestDecorator)){
|
log.error("[鉴权签名异常处理]请求路径:{}", exchange.getRequest().getPath());
|
return ServletUtils.webFluxResponseWriter(exchange.getResponse(), "签名校验失败", HttpStatus.BAD_REQUEST);
|
}
|
return chain.filter(exchange.mutate().request(httpRequestDecorator).build());
|
|
}
|
|
private ServerHttpRequestDecorator requestDecorator(ServerWebExchange exchange)
|
{
|
ServerHttpRequestDecorator serverHttpRequestDecorator = new ServerHttpRequestDecorator(exchange.getRequest())
|
{
|
@Override
|
public Flux<DataBuffer> getBody()
|
{
|
Flux<DataBuffer> body = super.getBody();
|
return body.buffer().map(dataBuffers -> {
|
DataBufferFactory dataBufferFactory = new DefaultDataBufferFactory();
|
DataBuffer join = dataBufferFactory.join(dataBuffers);
|
byte[] content = new byte[join.readableByteCount()];
|
join.read(content);
|
DataBufferUtils.release(join);
|
String bodyStr = new String(content, StandardCharsets.UTF_8);
|
// 防xss攻击过滤
|
bodyStr = EscapeUtil.clean(bodyStr);
|
// 转成字节
|
byte[] bytes = bodyStr.getBytes();
|
NettyDataBufferFactory nettyDataBufferFactory = new NettyDataBufferFactory(ByteBufAllocator.DEFAULT);
|
DataBuffer buffer = nettyDataBufferFactory.allocateBuffer(bytes.length);
|
buffer.write(bytes);
|
return buffer;
|
});
|
}
|
|
@Override
|
public HttpHeaders getHeaders()
|
{
|
HttpHeaders httpHeaders = new HttpHeaders();
|
httpHeaders.putAll(super.getHeaders());
|
// 由于修改了请求体的body,导致content-length长度不确定,因此需要删除原先的content-length
|
httpHeaders.remove(HttpHeaders.CONTENT_LENGTH);
|
httpHeaders.set(HttpHeaders.TRANSFER_ENCODING, "chunked");
|
return httpHeaders;
|
}
|
|
};
|
return serverHttpRequestDecorator;
|
}
|
|
/**
|
* 是否是Json请求
|
*
|
* @param exchange HTTP请求
|
*/
|
public boolean isJsonRequest(ServerWebExchange exchange)
|
{
|
String header = exchange.getRequest().getHeaders().getFirst(HttpHeaders.CONTENT_TYPE);
|
return StringUtils.startsWithIgnoreCase(header, MediaType.APPLICATION_JSON_VALUE);
|
}
|
|
|
/**
|
* 签名校验
|
* @param httpRequestDecorator
|
* @return
|
*/
|
private boolean authSign(ServerHttpRequestDecorator httpRequestDecorator) {
|
HttpHeaders headers = httpRequestDecorator.getHeaders();
|
AtomicReference<JSONObject> jsonObject = new AtomicReference<>(new JSONObject());
|
httpRequestDecorator.getBody().buffer().map(dataBuffers -> {
|
DataBufferFactory dataBufferFactory = new DefaultDataBufferFactory();
|
DataBuffer join = dataBufferFactory.join(dataBuffers);
|
byte[] content = new byte[join.readableByteCount()];
|
join.read(content);
|
DataBufferUtils.release(join);
|
String bodyStr = new String(content, StandardCharsets.UTF_8);
|
jsonObject.set(JSON.parseObject(bodyStr));
|
|
// 防xss攻击过滤
|
bodyStr = EscapeUtil.clean(bodyStr);
|
// 转成字节
|
byte[] bytes = bodyStr.getBytes();
|
NettyDataBufferFactory nettyDataBufferFactory = new NettyDataBufferFactory(ByteBufAllocator.DEFAULT);
|
DataBuffer buffer = nettyDataBufferFactory.allocateBuffer(bytes.length);
|
buffer.write(bytes);
|
return buffer;
|
});
|
JSONObject params = jsonObject.get();
|
String sign = headers.getFirst(TokenConstants.SING);
|
if(StringUtils.isEmpty(sign)){
|
return false;
|
}
|
String nonce_str = headers.getFirst(TokenConstants.NONCE_STR);
|
if(StringUtils.isEmpty(nonce_str)){
|
return false;
|
}
|
|
String signUrlEncode = localSignUrl(params, nonce_str);
|
signUrlEncode = signUrlEncode.replaceAll("& #40;", "\\(")
|
.replaceAll("& #41;", "\\)")
|
.replaceAll("\\+", " ");
|
if(sign.equals(signUrlEncode)){
|
return true;
|
}
|
return false;
|
}
|
|
|
/**
|
* 组装签名路径
|
* @param params
|
* @return
|
*/
|
public static String localSignUrl(JSONObject params, String key) {
|
List<String> keySet = new ArrayList<>(params.keySet());
|
// 对所有传入参数按照字段名的 ASCII 码从小到大排序(字典序)
|
Collections.sort(keySet, new Comparator<String>() {
|
@Override
|
public int compare(String o1, String o2) {
|
return o1.compareTo(o2);
|
}
|
});
|
// 构造签名键值对的格式
|
StringBuilder sb = new StringBuilder();
|
for (String k : keySet) {
|
String v = params.getString(k);
|
if(StringUtils.isNotEmpty(v)){
|
sb.append(k + "=" + v + "&");
|
}
|
}
|
String signUrl = sb.substring(0, sb.length() - 1);
|
return signUrlEncode(signUrl, key);
|
}
|
|
|
/**
|
* 签名字符串加密
|
* @param signUrl
|
* @param encryptKey
|
* @return
|
*/
|
public static String signUrlEncode(String signUrl, String encryptKey) {
|
byte[] signByte = new byte[0];
|
try {
|
signByte = HMACSHA1.HmacSHA1Encrypt(signUrl, encryptKey);
|
} catch (Exception e) {
|
throw new RuntimeException(e);
|
}
|
String localSign = Base64.encodeBase64String(signByte);
|
return localSign;
|
}
|
|
|
@Override
|
public int getOrder()
|
{
|
return -100;
|
}
|
}
|
