提交免密访问校验切面，同时优化代码

52bfbcf2 · 技术部-任文超 · 2d785812 · 52bfbcf2 · 52bfbcf2 · 52bfbcf2
Commit 52bfbcf2 authored Nov 21, 2017 by 技术部-任文超
7 changed files
--- a/src/main/java/cn/quantgroup/xyqb/Constants.java
+++ b/src/main/java/cn/quantgroup/xyqb/Constants.java
@@ -12,6 +12,9 @@ public interface Constants {
  String PASSWORD_SALT = "_lkb";

  String IMAGE_CAPTCHA_KEY = "img_captcha:";
+  String X_AUTH_TOKEN = "x-auth-token";
+  String ONE_TIME_TOKEN = "oneTimeToken";
+  String REDIS_PASSWORD_ERROR_COUNT = "password_error_4_phone:";
  String REDIS_CAPTCHA_KEY = "auth:";

  String CONFIG_CAPTCHA = "cfg_captcha_%";
@@ -35,8 +38,9 @@ public interface Constants {
  String REDIS_VOICE_DEVICE_COUNT = "Voice_Device_verification_code_count:";

  String REDIS_VERIFICATION_COUNT = "verification_code_count:";
-  final Long Image_Need_Count=3L;
-  String REDIS_PASSWORD_ERROR_COUNT = "password_error_count:";
+  final Long Image_Need_Count = 3L;
+  final Long IMAGE_FINITE_COUNT = 3L;
+
  /**
   * redis中token的key值前缀
   */

--- a/src/main/java/cn/quantgroup/xyqb/aspect/limit/PasswordFreeAccessValidator.java
+++ b/src/main/java/cn/quantgroup/xyqb/aspect/limit/PasswordFreeAccessValidator.java
+package cn.quantgroup.xyqb.aspect.limit;
+
+import java.lang.annotation.*;
+
+/**
+ * 免密访问校验标记
+ * @author 任文超
+ * @version 1.0.0
+ * @since 2017-11-21
+ */
+@Documented
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface PasswordFreeAccessValidator {
+}
--- a/src/main/java/cn/quantgroup/xyqb/aspect/limit/PasswordFreeAccessValidatorValidateAdvisor.java
+++ b/src/main/java/cn/quantgroup/xyqb/aspect/limit/PasswordFreeAccessValidatorValidateAdvisor.java
+package cn.quantgroup.xyqb.aspect.limit;
+
+import cn.quantgroup.xyqb.Constants;
+import cn.quantgroup.xyqb.entity.User;
+import cn.quantgroup.xyqb.model.JsonResult;
+import cn.quantgroup.xyqb.model.session.SessionStruct;
+import cn.quantgroup.xyqb.session.XyqbSessionContextHolder;
+import org.apache.commons.lang3.StringUtils;
+import org.aspectj.lang.ProceedingJoinPoint;
+import org.aspectj.lang.annotation.Around;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Pointcut;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Enumeration;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+
+/**
+ * 免密访问校验切面
+ *
+ * @author 任文超
+ * @version 1.0.0
+ * @since 2017-11-21
+ */
+@Aspect
+@Component
+public class PasswordFreeAccessValidatorValidateAdvisor {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(PasswordFreeAccessValidatorValidateAdvisor.class);
+    private static final String PHONE_NO = "phoneNo";
+    private static final String USER_ID = "userId";
+
+    @Autowired
+    @Qualifier("stringRedisTemplate")
+    private RedisTemplate<String, String> redisTemplate;
+
+    /**
+     * 免密访问校验切面
+     */
+    @Pointcut("@annotation(cn.quantgroup.xyqb.aspect.limit.PasswordFreeAccessValidator)")
+    private void passwordFreeAccess() {}
+
+    /**
+     * 执行免密访问校验
+     *
+     * @throws Throwable
+     */
+    @Around("passwordFreeAccess()")
+    private Object checkToken(ProceedingJoinPoint pjp) throws Throwable {
+        boolean valid = tokenValid();
+        if (valid) {
+            return pjp.proceed();
+        }
+        return JsonResult.buildErrorStateResult("操作失败，请重新提交请求", "");
+    }
+
+    /**
+     * 校验免密访问
+     * @return True or False
+     */
+    private boolean tokenValid() {
+        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
+        Set<String> paramKeys = request.getParameterMap().keySet();
+        if(!paramKeys.contains(PHONE_NO) && !paramKeys.contains(USER_ID)){
+            LOGGER.info("缺少参数信息，请重新请求, paramKeys={}, clientIp={}", paramKeys, request.getRemoteAddr());
+            return false;
+        }
+        // 当前请求的phoneNo/userId
+        String phoneNo = request.getParameter(PHONE_NO);
+        String userId = request.getParameter(USER_ID);
+        if(StringUtils.isBlank(phoneNo) && StringUtils.isBlank(userId)){
+            LOGGER.info("缺少参数信息，请重新请求, phoneNo={}, userId={}, clientIp={}", phoneNo, userId, request.getRemoteAddr());
+            return false;
+        }
+        // 当前请求的Token
+        String token = request.getHeader(Constants.X_AUTH_TOKEN);
+        if (Objects.isNull(token) || token.length() != 36) {
+            return false;
+        }
+        // 当前session
+        SessionStruct session = XyqbSessionContextHolder.getXSessionFromRedis(token);
+        if (Objects.isNull(session) || Objects.isNull(session.getValues()) || Objects.isNull(session.getValues().getUser())){
+            return false;
+        }
+        // 当前用户
+        User user = session.getValues().getUser();
+        if(Objects.isNull(user.getId()) && StringUtils.isBlank(user.getPhoneNo())){
+            return false;
+        }
+        // 校对用户信息是否匹配
+        boolean valid = Objects.equals(userId, user.getId()) || Objects.equals(phoneNo, user.getPhoneNo());
+        if(!valid) {
+            LOGGER.info("非法请求, token={}, phoneNo=({},{}), userId=({},{}), clientIp={}", token, phoneNo, user.getPhoneNo(), userId, user.getId(), request.getRemoteAddr());
+        }
+        return valid;
+    }
+
+}
--- a/src/main/java/cn/quantgroup/xyqb/controller/external/motan/MotanUserServiceImpl.java
+++ b/src/main/java/cn/quantgroup/xyqb/controller/external/motan/MotanUserServiceImpl.java
@@ -679,7 +679,7 @@ public class MotanUserServiceImpl implements UserMotanService {
        return returnErrorValue("用户未登录");
      }
      String checkUrl = xyqbAuthUrl+"/innerapi/is_login";
-      ImmutableMap<String, String> headMap = ImmutableMap.of("x-auth-token", token);
+      ImmutableMap<String, String> headMap = ImmutableMap.of(Constants.X_AUTH_TOKEN, token);
      String response = httpService.get(checkUrl, headMap, null);
      log.info("去向函谷关查询用户信息,response:[{}]",response);
      JsonResult result = JSONObject.parseObject(response, JsonResult.class);
@@ -722,7 +722,7 @@ public class MotanUserServiceImpl implements UserMotanService {
    }else {
      log.info("去向函谷关查询用户信息");
      String checkUrl = xyqbAuthUrl+"/innerapi/is_login";
-      ImmutableMap<String, String> headMap = ImmutableMap.of("x-auth-token", token);
+      ImmutableMap<String, String> headMap = ImmutableMap.of(Constants.X_AUTH_TOKEN, token);
      String response = httpService.get(checkUrl, headMap, null);
      log.info("去向函谷关查询用户信息,response:[{}]",response);
      JsonResult result = JSONObject.parseObject(response, JsonResult.class);

--- a/src/main/java/cn/quantgroup/xyqb/controller/external/queryLog/UserQueryLogController.java
+++ b/src/main/java/cn/quantgroup/xyqb/controller/external/queryLog/UserQueryLogController.java
 package cn.quantgroup.xyqb.controller.external.queryLog;
+import cn.quantgroup.xyqb.Constants;
 import cn.quantgroup.xyqb.entity.Address;
 import cn.quantgroup.xyqb.entity.UserDetail;
 import cn.quantgroup.xyqb.entity.UserQueryLog;
@@ -75,7 +76,7 @@ public class UserQueryLogController {
  public JsonResult queryLog(HttpServletRequest request,@RequestParam(required=false) String beginDate,@RequestParam(required=false) String endDate, Integer pageId, Integer pageSize) {

    LOGGER.info("查询日期：beginDate{},endDate{}",beginDate,endDate);
-    String token=request.getHeader("x-auth-token");
+    String token=request.getHeader(Constants.X_AUTH_TOKEN);
    if(token==null||token.equals("")){
        LOGGER.info("token为空，非法查询");
      return JsonResult.buildErrorStateResult("缺少授权信息",null);
@@ -142,7 +143,7 @@ public class UserQueryLogController {
  public JsonResult queryForResult(HttpServletRequest request,String key,String keyValues, String columns,Integer pageId,Integer pageSize) {

    LOGGER.info("查询条件：key{},columns{}",key,columns);
-    String token=request.getHeader("x-auth-token");
+    String token=request.getHeader(Constants.X_AUTH_TOKEN);
    if(token==null||token.equals("")){
        LOGGER.info("token为空，非法查询");
      return JsonResult.buildErrorStateResult("缺少授权信息",null);
@@ -372,7 +373,7 @@ public class UserQueryLogController {
  public JsonResult exportExcel(final HttpServletResponse response, HttpServletRequest request,String key,String keyValues, String columns){


-    String token=request.getHeader("x-auth-token");
+    String token=request.getHeader(Constants.X_AUTH_TOKEN);
    if(token==null||token.equals("")){
      LOGGER.info("token为空，非法查询");
      return JsonResult.buildErrorStateResult("缺少授权信息",null);

--- a/src/main/java/cn/quantgroup/xyqb/controller/internal/login/AuthInfoController.java
+++ b/src/main/java/cn/quantgroup/xyqb/controller/internal/login/AuthInfoController.java
 package cn.quantgroup.xyqb.controller.internal.login;

+import cn.quantgroup.xyqb.Constants;
 import cn.quantgroup.xyqb.controller.IBaseController;
 import cn.quantgroup.xyqb.entity.User;
 import cn.quantgroup.xyqb.entity.UserBtRegister;
@@ -15,9 +16,7 @@ import com.google.common.collect.ImmutableMap;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.context.request.RequestContextHolder;
@@ -67,12 +66,12 @@ public class AuthInfoController implements IBaseController {
      // 函谷关去查token 返回值高仿
      log.info("去向函谷关查询用户信息");
      HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
-      String token = request.getHeader("x-auth-token");
+      String token = request.getHeader(Constants.X_AUTH_TOKEN);
      if(StringUtils.isBlank(token) ||token.length() != 36){
        return JsonResult.buildErrorStateResult("用户未登录",null);
      }
      String checkUrl = xyqbAuthUrl+"/innerapi/is_login";
-      ImmutableMap<String, String> headMap = ImmutableMap.of("x-auth-token", token);
+      ImmutableMap<String, String> headMap = ImmutableMap.of(Constants.X_AUTH_TOKEN, token);
      String response = httpService.get(checkUrl, headMap, null);
      log.info("去向函谷关查询用户信息,response:[{}]",response);
      JsonResult result = JSONObject.parseObject(response, JsonResult.class);

--- a/src/main/java/cn/quantgroup/xyqb/session/XyqbSessionContextHolder.java
+++ b/src/main/java/cn/quantgroup/xyqb/session/XyqbSessionContextHolder.java
@@ -27,7 +27,7 @@ public class XyqbSessionContextHolder {
      return threadSession.get();
    }
    HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
-    String token = request.getHeader("x-auth-token");
+    String token = request.getHeader(Constants.X_AUTH_TOKEN);
    if (token == null || token.length() != 36) {
      return null;
    }
@@ -54,7 +54,7 @@ public class XyqbSessionContextHolder {

  public static SessionStruct getXSessionFromRedis(){
    HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
-    String token = request.getHeader("x-auth-token");
+    String token = request.getHeader(Constants.X_AUTH_TOKEN);
    if (token == null || token.length() != 36) {
      return null;
    }