From c9da42e65eff27516b9971008160faa48b301b21 Mon Sep 17 00:00:00 2001
From: xuhy <3313886187@qq.com>
Date: 星期四, 02 一月 2025 16:52:56 +0800
Subject: [PATCH] 修改

---
 /dev/null                                                                    |   28 --------------
 manage/src/main/java/com/jilongda/manage/config/WebSecurityConfig.java       |   14 ++++--
 common/src/main/java/com/jilongda/common/security/ExceptionHandleFilter.java |   41 ++++++++++++++++++++
 manage/src/main/java/com/jilongda/manage/ManageApplication.java              |    2 +
 manage/src/main/resources/application.yml                                    |    8 ++--
 5 files changed, 56 insertions(+), 37 deletions(-)

diff --git a/common/src/main/java/com/jilongda/common/config/CorsConfig.java b/common/src/main/java/com/jilongda/common/config/CorsConfig.java
deleted file mode 100644
index 4e2bcd9..0000000
--- a/common/src/main/java/com/jilongda/common/config/CorsConfig.java
+++ /dev/null
@@ -1,95 +0,0 @@
-package com.jilongda.common.config;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.http.HttpHeaders;
-import org.springframework.http.HttpMethod;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.MediaType;
-import org.springframework.http.server.reactive.ServerHttpRequest;
-import org.springframework.http.server.reactive.ServerHttpResponse;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-import org.springframework.web.cors.reactive.CorsUtils;
-import org.springframework.web.filter.CorsFilter;
-import org.springframework.web.server.ServerWebExchange;
-import org.springframework.web.server.WebFilter;
-import org.springframework.web.server.WebFilterChain;
-import org.springframework.web.servlet.config.annotation.CorsRegistry;
-import org.springframework.web.servlet.function.RequestPredicates;
-import org.springframework.web.servlet.function.RouterFunction;
-import org.springframework.web.servlet.function.RouterFunctions;
-import reactor.core.publisher.Mono;
-
-import java.util.Collections;
-
-/**
- * 实现基本的跨域请求
- * 2.4.0 通多配置
- *
- * @author xiaochen
- * @Override public void addCorsMappings(CorsRegistry registry) {
- * registry.addMapping("/**")
- * // SpringBoot2.4.0 [allowedOriginPatterns]代替[allowedOrigins]
- * .allowedOriginPatterns("*")
- * .allowedMethods("*")
- * .maxAge(3600)
- * .allowCredentials(true);
- * }
- */
-@Configuration
-public class CorsConfig {
-
-    /**
-     * 这里为支持的请求头,如果有自定义的header字段请自己添加
-     */
-    private static final String ALLOWED_HEADERS = "X-Requested-With, Content-Type, Authorization, credential, X-XSRF-TOKEN, token, username, client, request-origion";
-    private static final String ALLOWED_METHODS = "GET,POST,PUT,DELETE";
-    private static final String ALLOWED_ORIGIN = "*";
-    private static final String ALLOWED_EXPOSE = "*";
-    private static final String MAX_AGE = "18000L";
-
-    /**
-     * 跨域配置
-     */
-    @Bean
-    public WebFilter corsFilter()
-    {
-        return (ServerWebExchange ctx, WebFilterChain chain) -> {
-            ServerHttpRequest request = ctx.getRequest();
-            if (CorsUtils.isCorsRequest(request))
-            {
-                ServerHttpResponse response = ctx.getResponse();
-                HttpHeaders headers = response.getHeaders();
-                headers.add("Access-Control-Allow-Headers", ALLOWED_HEADERS);
-                headers.add("Access-Control-Allow-Methods", ALLOWED_METHODS);
-                headers.add("Access-Control-Allow-Origin", ALLOWED_ORIGIN);
-                headers.add("Access-Control-Expose-Headers", ALLOWED_EXPOSE);
-                headers.add("Access-Control-Max-Age", MAX_AGE);
-                headers.add("Access-Control-Allow-Credentials", "false");
-                if (request.getMethod() == HttpMethod.OPTIONS)
-                {
-                    response.setStatusCode(HttpStatus.OK);
-                    return Mono.empty();
-                }
-            }
-            return chain.filter(ctx);
-        };
-    }
-
-    @Bean
-    public CorsRegistry addCorsMappings() {
-        return new CorsRegistry();
-    }
-
-     @Bean
-     public void addCorsMappings(CorsRegistry registry) {
-        registry.addMapping("/**")
-            .allowedOriginPatterns("*")
-            .allowedMethods("*")
-            .maxAge(3600)
-            .allowCredentials(true);
-    }
-
-}
diff --git a/common/src/main/java/com/jilongda/common/security/ExceptionHandleFilter.java b/common/src/main/java/com/jilongda/common/security/ExceptionHandleFilter.java
new file mode 100644
index 0000000..962bf53
--- /dev/null
+++ b/common/src/main/java/com/jilongda/common/security/ExceptionHandleFilter.java
@@ -0,0 +1,41 @@
+package com.jilongda.common.security;
+
+import com.jilongda.common.basic.ApiResult;
+import com.jilongda.common.exception.ServiceException;
+import com.jilongda.common.exception.TokenException;
+import com.jilongda.common.utils.ResponseUtils;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * @author liheng
+ * @ClassName ExceptionHandleFilter
+ * @Description 最外层filter处理验证token、登录认证和授权过滤器中抛出的所有异常
+ * @date 2020-08-24 9:31
+ */
+@Slf4j
+public class ExceptionHandleFilter extends OncePerRequestFilter {
+    @Override
+    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) {
+        // 全局异常无法捕捉过滤器异常,需在此处做处理
+        try {
+            filterChain.doFilter(httpServletRequest, httpServletResponse);
+        } catch (Exception e) {
+            // 如果是业务异常,需返回状态码
+            if (e instanceof ServiceException) {
+                ServiceException e1 = (ServiceException) e;
+                ResponseUtils.renderJson(httpServletResponse, ApiResult.failed(e1.getCode(), e.getMessage()));
+            } else if (e instanceof TokenException) {
+                TokenException e1 = (TokenException) e;
+                ResponseUtils.renderJson(httpServletResponse, ApiResult.failed(e1.getCode(), e.getMessage()));
+            } else {
+                ResponseUtils.renderJson(httpServletResponse, ApiResult.failed(e.getMessage()));
+            }
+            return;
+        }
+    }
+}
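Review bot: The final `else` branch on line 156 sends `e.getMessage()` of any unexpected exception to the client and never logs it, so a NullPointerException or a database driver message becomes the API response body while the stack trace is lost; `log` is declared via `@Slf4j` but unused in the class. The catch also covers `IOException`/`ServletException` from the chain, and `ResponseUtils.renderJson` may itself fail if the response was already committed, so a server-side `log.error` with the throwable is the only place the failure would be recorded. The `instanceof` chain with casts reads more simply as separate catch clauses (order them so the subclass comes first if `TokenException` and `ServiceException` are related — not visible here), and the trailing `return;` on line 158 is redundant. Suggested shape for the body:
```java
        try {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (ServiceException e) {
            ResponseUtils.renderJson(httpServletResponse, ApiResult.failed(e.getCode(), e.getMessage()));
        } catch (TokenException e) {
            ResponseUtils.renderJson(httpServletResponse, ApiResult.failed(e.getCode(), e.getMessage()));
        } catch (Exception e) {
            // Record the full trace server-side; do not echo internal exception text to the client.
            log.error("Unhandled exception in filter chain for {}", httpServletRequest.getRequestURI(), e);
            ResponseUtils.renderJson(httpServletResponse, ApiResult.failed("Internal server error"));
        }
```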
diff --git a/common/src/main/java/com/jilongda/common/security/filter/CorsFilter.java b/common/src/main/java/com/jilongda/common/security/filter/CorsFilter.java
deleted file mode 100644
index a88baab..0000000
--- a/common/src/main/java/com/jilongda/common/security/filter/CorsFilter.java
+++ /dev/null
@@ -1,61 +0,0 @@
-package com.jilongda.common.security.filter;
-
-import com.aliyun.oss.HttpMethod;
-import com.baomidou.mybatisplus.core.toolkit.CollectionUtils;
-import com.baomidou.mybatisplus.core.toolkit.StringUtils;
-import com.google.common.net.HttpHeaders;
-import lombok.extern.slf4j.Slf4j;
-import org.mybatis.logging.LoggerFactory;
-
-import javax.servlet.*;
-import javax.servlet.annotation.WebFilter;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.Arrays;
-import java.util.List;
-import java.util.logging.Logger;
-
-@Slf4j
-@WebFilter(urlPatterns = {"/*"}, filterName = "corsFilter")
-public class CorsFilter implements Filter {
-//    private static final Logger logger = LoggerFactory.getLogger(IsvSearchController.class);
-
-    private String allowOrigin = "*";
-
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
-
-    }
-
-    @Override
-    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
-//        logger.info("doFilter start ...");
-        HttpServletRequest request = (HttpServletRequest) servletRequest;
-        HttpServletResponse response = (HttpServletResponse) servletResponse;
-        if (StringUtils.isNotEmpty(allowOrigin)) {
-            List<String> allowOriginList = Arrays.asList(allowOrigin.split(","));
-            if (!CollectionUtils.isEmpty(allowOriginList)) {
-                String currentOrigin = request.getHeader("Origin");
-                if (allowOriginList.contains(currentOrigin)) {
-                    response.setHeader("Access-Control-Allow-Origin", currentOrigin);
-                }
-            }
-        }
-        response.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");
-        response.setHeader("Access-Control-Allow-Credentials", "true");
-        response.setHeader("Access-Control-Allow-Origin", "*");
-        response.setHeader("Access-Control-Allow-Headers", "content-Type");
-        if (HttpMethod.OPTIONS.name().equalsIgnoreCase(request.getMethod()) &&/*options 请求返回允许跨域的头*/
-                request.getHeader(HttpHeaders.ORIGIN) != null) {
-//            logger.info("doFilter options request");
-            return;
-        }
-        filterChain.doFilter(servletRequest, servletResponse);
-    }
-
-    @Override
-    public void destroy() {
-
-    }
-}
\ No newline at end of file
diff --git a/common/src/main/java/com/jilongda/common/security/filter/XssAndSqlHttpServletRequestWrapper.java b/common/src/main/java/com/jilongda/common/security/filter/XssAndSqlHttpServletRequestWrapper.java
deleted file mode 100644
index 8320186..0000000
--- a/common/src/main/java/com/jilongda/common/security/filter/XssAndSqlHttpServletRequestWrapper.java
+++ /dev/null
@@ -1,42 +0,0 @@
-package com.jilongda.common.security.filter;
-
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.apache.commons.lang3.StringUtils;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-
-/**
- * @author yu 2019/1/20.
- */
-public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
-
-    private HttpServletRequest request;
-
-    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
-        super(request);
-        this.request = request;
-    }
-
-    @Override
-    public String getParameter(String name) {
-        String value = request.getParameter(name);
-        if (!StringUtils.isEmpty(value)) {
-            value = StringEscapeUtils.escapeHtml4(value);
-        }
-        return value;
-    }
-
-    @Override
-    public String[] getParameterValues(String name) {
-        String[] parameterValues = super.getParameterValues(name);
-        if (parameterValues == null) {
-            return null;
-        }
-        for (int i = 0; i < parameterValues.length; i++) {
-            String value = parameterValues[i];
-            parameterValues[i] = StringEscapeUtils.escapeHtml4(value);
-        }
-        return parameterValues;
-    }
-}
diff --git a/common/src/main/java/com/jilongda/common/security/filter/XssFilter.java b/common/src/main/java/com/jilongda/common/security/filter/XssFilter.java
deleted file mode 100644
index c10985f..0000000
--- a/common/src/main/java/com/jilongda/common/security/filter/XssFilter.java
+++ /dev/null
@@ -1,58 +0,0 @@
-package com.jilongda.common.security.filter;
-
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.module.SimpleModule;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Primary;
-import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
-
-import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-/**
- * @author yu 2019/1/20.
- */
-public class XssFilter implements Filter {
-
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
-
-    }
-
-    @Override
-    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-            throws IOException, ServletException {
-        HttpServletRequest req = (HttpServletRequest) request;
-        XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);
-
-
-        chain.doFilter(xssRequestWrapper, response);
-    }
-
-    @Override
-    public void destroy() {
-
-    }
-
-    /**
-     * 过滤json类型的
-     *
-     * @param builder
-     * @return
-     */
-    @Bean
-    @Primary
-    public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
-        //解析器
-        ObjectMapper objectMapper = builder.createXmlMapper(false).build();
-        //注册xss解析器
-        SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
-        xssModule.addSerializer(new XssStringJsonSerializer());
-        objectMapper.registerModule(xssModule);
-        //返回
-        return objectMapper;
-    }
-
-
-}
diff --git a/common/src/main/java/com/jilongda/common/security/filter/XssStringJsonSerializer.java b/common/src/main/java/com/jilongda/common/security/filter/XssStringJsonSerializer.java
deleted file mode 100644
index ffcf640..0000000
--- a/common/src/main/java/com/jilongda/common/security/filter/XssStringJsonSerializer.java
+++ /dev/null
@@ -1,28 +0,0 @@
-package com.jilongda.common.security.filter;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.JsonSerializer;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import org.apache.commons.lang3.StringEscapeUtils;
-
-import java.io.IOException;
-
-/**
- * @author yu 2019/1/20.
- */
-public class XssStringJsonSerializer extends JsonSerializer<String> {
-
-    @Override
-    public Class<String> handledType() {
-        return String.class;
-    }
-
-    @Override
-    public void serialize(String value, JsonGenerator jsonGenerator,
-                          SerializerProvider serializerProvider) throws IOException {
-        if (value != null) {
-            String encodedValue = StringEscapeUtils.escapeHtml4(value);
-            jsonGenerator.writeString(encodedValue);
-        }
-    }
-}
diff --git a/manage/src/main/java/com/jilongda/manage/ManageApplication.java b/manage/src/main/java/com/jilongda/manage/ManageApplication.java
index d1a05ec..caf37c5 100644
--- a/manage/src/main/java/com/jilongda/manage/ManageApplication.java
+++ b/manage/src/main/java/com/jilongda/manage/ManageApplication.java
@@ -11,6 +11,7 @@
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
+import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
 import java.net.InetAddress;
@@ -26,6 +27,7 @@
 @MapperScan({"com.jilongda.manage.mapper", "com.jilongda.manage.authority.mapper"})
 @EnableTransactionManagement
 @SpringBootApplication
+@CrossOrigin
 public class ManageApplication {
 
     public static void main(String[] args) throws UnknownHostException {
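Review bot: `@CrossOrigin` on the `@SpringBootApplication` class on line 392 is inert — Spring MVC reads that annotation only from handler (`@Controller`/`@RequestMapping`) classes and methods — so with `CorsConfig` and `CorsFilter` deleted in this same commit, no CORS handling appears to remain, and the `OPTIONS /**` permitAll added in `WebSecurityConfig` will not by itself emit `Access-Control-*` headers. If cross-origin access is required, register a `CorsConfigurationSource` bean with an explicit allowed-origin list (not `*` combined with allowed credentials) and enable `http.cors()` in the security configuration, then drop this annotation and the import added on line 384. The class body continues outside the hunk.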
diff --git a/manage/src/main/java/com/jilongda/manage/config/WebSecurityConfig.java b/manage/src/main/java/com/jilongda/manage/config/WebSecurityConfig.java
index 58186dd..328ce4f 100644
--- a/manage/src/main/java/com/jilongda/manage/config/WebSecurityConfig.java
+++ b/manage/src/main/java/com/jilongda/manage/config/WebSecurityConfig.java
@@ -1,5 +1,6 @@
 package com.jilongda.manage.config;
 
+import com.jilongda.common.security.ExceptionHandleFilter;
 import com.jilongda.manage.security.SecurityAccessDeniedHandler;
 import com.jilongda.manage.security.SysUserDetailsService;
 import com.jilongda.common.basic.Constant;
@@ -22,6 +23,7 @@
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 /**
  * 细粒度的访问控制
@@ -59,8 +61,8 @@
      */
     @Bean
     public SecurityUtils securityUtils() {
-//        return new SecurityUtils(accessTokenCache,refreshTokenCache);
-        return new SecurityUtils();
+        return new SecurityUtils(accessTokenCache,refreshTokenCache);
+//        return new SecurityUtils();
     }
 
 
@@ -107,14 +109,14 @@
                 .logout().disable()
                 .csrf().disable()
                 // 放在 Cookie 中返回前端,防止跨域伪造
-                //.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
+//                .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                 //.and()
                 .authorizeRequests()
                 // 跨域预检请求
-//                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                 // 登录URL permitAll() 无需保护 ---> 此种方式配置忽略认证规则会走Spring Security 过滤器链,在过滤器链中,给请求放行
                 // 不需要保护的请求,但需要经过过滤连
-                .antMatchers(HttpMethod.POST, "/**").permitAll()
+//                .antMatchers(HttpMethod.POST, "/**").permitAll()
                 // 其他都需要权限认证
                 .anyRequest()
                 .authenticated()
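Review bot: The `CookieCsrfTokenRepository` import added on line 411 is unused — its only reference (line 431) stays commented out, and `.csrf().disable()` on line 428 remains the effective setting, so the comment `// 放在 Cookie 中返回前端,防止跨域伪造` now describes something the configuration does not do. With `SessionCreationPolicy.STATELESS` and what looks like header-token authentication via `AuthenticationFilter`, disabling CSRF is defensible, but the code should state that and the dead alternative should be deleted rather than toggled between commits: replace lines 429-431 with `// CSRF disabled: stateless API, authentication is token-based rather than cookie-based` next to `.csrf().disable()`, and remove the unused import. The same comment-toggling pattern appears at lines 419-422 and 435-440; keeping one live line per setting makes the effective policy reviewable. The enclosing `configure` method starts and ends outside this hunk.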
@@ -135,6 +137,8 @@
         http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
         // 访问控制时登录状态检查过滤器
         http.addFilterBefore(new AuthenticationFilter(securityUtils()), UsernamePasswordAuthenticationFilter.class);
+        // 异常捕捉过滤器,必须在AuthenticationFilter之前才能捕捉到异常信息
+        http.addFilterBefore(new ExceptionHandleFilter(), AuthenticationFilter.class);
         //禁用缓存
         http.headers().cacheControl();
     }
diff --git a/manage/src/main/resources/application.yml b/manage/src/main/resources/application.yml
index 0d0dbcc..fe82c8c 100644
--- a/manage/src/main/resources/application.yml
+++ b/manage/src/main/resources/application.yml
@@ -13,8 +13,8 @@
       max-request-size: 500MB
       resolve-lazily: true #设置为懒加载,不然依然会捕获不到异常
   profiles:
-#    active: dev
-    active: prod
+    active: dev
+#    active: prod
   main:
     allow-bean-definition-overriding: true
   #sagger文档属性配置
@@ -89,8 +89,8 @@
   # 数据源
   datasource:
     username: root #测试环境
-    password: YanDu@2025!
-    url: jdbc:mysql://127.0.0.1:3306/eyes?useUnicode=true&characterEncoding=UTF-8&serverTimezone=Asia/Shanghai
+    password: 123456
+    url: jdbc:mysql://192.168.110.34:3306/eyes?useUnicode=true&characterEncoding=UTF-8&serverTimezone=Asia/Shanghai
     type: com.zaxxer.hikari.HikariDataSource
     driver-class-name: com.mysql.cj.jdbc.Driver
     hikari:
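Review bot: The datasource `password` and `url` on lines 474-475 are plaintext credentials committed to the repository, and the value removed on line 472 is now preserved in git history as well; the commit swaps one secret for another rather than taking the secret out of the file. Move both to externalized configuration, e.g. `password: ${DB_PASSWORD}` and `url: ${DB_URL}`, supply them per environment, and rotate the credential that was previously committed. Together with `active: dev` becoming the file default in the earlier hunk (line 463), this looks like local development state being committed; a deployment that relies on the file default would now start with the dev profile and the dev database settings.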

--
Gitblit v1.7.1