Commit a156be30 authored by 技术部-任文超's avatar 技术部-任文超

提交自测

parent 52bfbcf2
......@@ -5,6 +5,7 @@ import cn.quantgroup.xyqb.entity.User;
import cn.quantgroup.xyqb.model.JsonResult;
import cn.quantgroup.xyqb.model.session.SessionStruct;
import cn.quantgroup.xyqb.session.XyqbSessionContextHolder;
import com.alibaba.fastjson.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
......@@ -20,10 +21,7 @@ import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.http.HttpServletRequest;
import java.util.Enumeration;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.*;
/**
* 免密访问校验切面
......@@ -57,50 +55,74 @@ public class PasswordFreeAccessValidatorValidateAdvisor {
*/
@Around("passwordFreeAccess()")
private Object checkToken(ProceedingJoinPoint pjp) throws Throwable {
boolean valid = tokenValid();
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
boolean valid = tokenValid(request) || ipValid(request);
if (valid) {
return pjp.proceed();
}
return JsonResult.buildErrorStateResult("操作失败,请重新提交请求", "");
return JsonResult.buildErrorStateResult("拒绝访问", "");
}
/**
* 校验免密访问
* 规则:token 与 身份标记(phoneNo、userId匹配)
* @return True or False
*/
private boolean tokenValid() {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
private boolean tokenValid(HttpServletRequest request) {
Objects.requireNonNull(request, "无效请求");
Set<String> paramKeys = request.getParameterMap().keySet();
if(!paramKeys.contains(PHONE_NO) && !paramKeys.contains(USER_ID)){
LOGGER.info("缺少参数信息,请重新请求, paramKeys={}, clientIp={}", paramKeys, request.getRemoteAddr());
LOGGER.info("非法请求 - 缺少参数, paramKeys={}, clientIp={}", paramKeys, request.getRemoteAddr());
return false;
}
// 当前请求的phoneNo/userId
String phoneNo = request.getParameter(PHONE_NO);
String userId = request.getParameter(USER_ID);
if(StringUtils.isBlank(phoneNo) && StringUtils.isBlank(userId)){
LOGGER.info("缺少参数信息,请重新请求, phoneNo={}, userId={}, clientIp={}", phoneNo, userId, request.getRemoteAddr());
LOGGER.info("非法请求 - 缺少参数, phoneNo={}, userId={}, clientIp={}", phoneNo, userId, request.getRemoteAddr());
return false;
}
// 当前请求的Token
String token = request.getHeader(Constants.X_AUTH_TOKEN);
if (Objects.isNull(token) || token.length() != 36) {
LOGGER.info("非法请求 - 无效token, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, request.getRemoteAddr());
return false;
}
// 当前session
SessionStruct session = XyqbSessionContextHolder.getXSessionFromRedis(token);
if (Objects.isNull(session) || Objects.isNull(session.getValues()) || Objects.isNull(session.getValues().getUser())){
LOGGER.info("非法请求 - 未登录, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, request.getRemoteAddr());
return false;
}
// 当前用户
User user = session.getValues().getUser();
if(Objects.isNull(user.getId()) && StringUtils.isBlank(user.getPhoneNo())){
LOGGER.info("非法请求 - 未登录, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, request.getRemoteAddr());
return false;
}
// 校对用户信息是否匹配
boolean valid = Objects.equals(userId, user.getId()) || Objects.equals(phoneNo, user.getPhoneNo());
boolean valid = (Objects.nonNull(user.getId()) && Objects.equals(userId, user.getId().toString()));
valid = valid || (StringUtils.isNotBlank(phoneNo) && Objects.equals(phoneNo, user.getPhoneNo()));
if(!valid) {
LOGGER.info("非法请求 - 身份不匹配, token={}, phoneNo=({},{}), userId=({},{}), clientIp={}", token, phoneNo, user.getPhoneNo(), userId, user.getId(), request.getRemoteAddr());
}
return valid;
}
/**
* 校验免密访问
* 规则:来访IP与白名单匹配
* @return True or False
*/
private boolean ipValid(HttpServletRequest request) {
Objects.requireNonNull(request, "无效请求");
String remoteAddr = request.getRemoteAddr();
Set<String> whiteAddr = Collections.emptySet();
// Todo 配置白名单
// 校对来访IP是否与白名单匹配
boolean valid = StringUtils.isNotBlank(remoteAddr) && whiteAddr.contains(remoteAddr);
if(!valid) {
LOGGER.info("非法请求, token={}, phoneNo=({},{}), userId=({},{}), clientIp={}", token, phoneNo, user.getPhoneNo(), userId, user.getId(), request.getRemoteAddr());
LOGGER.info("非法请求 - 未授权访问, clientIp={}", request.getRemoteAddr());
}
return valid;
}
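Review bot: The identity match at `boolean valid = (Objects.nonNull(user.getId()) && Objects.equals(userId, user.getId().toString()));` followed by `valid = valid || (StringUtils.isNotBlank(phoneNo) && ...)` accepts the request when either supplied parameter matches the session user, but both `phoneNo` and `userId` come from the request, and the guarded handlers in this commit (for example `personalData(String phoneNo)`) act on `phoneNo` alone, so a request carrying the session owner's userId next to a different phoneNo passes tokenValid and the handler then works with that other phoneNo. Each parameter that is present should be required to match: `boolean userIdOk = StringUtils.isBlank(userId) || (Objects.nonNull(user.getId()) && Objects.equals(userId, user.getId().toString()));`, `boolean phoneOk = StringUtils.isBlank(phoneNo) || Objects.equals(phoneNo, user.getPhoneNo());`, `boolean valid = userIdOk && phoneOk;`. The INFO lines on the token paths also write the full `X_AUTH_TOKEN` value to the log, including on the identity-mismatch path where the token belongs to a live session; log a truncated or hashed form instead. For the whitelist Todo in ipValid, `request.getRemoteAddr()` reports the immediate peer, so behind a reverse proxy the only matching entry would be the proxy address, which would then admit every forwarded client — worth recording at the Todo before the list is filled in.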
......
package cn.quantgroup.xyqb.controller.external.user;
import cn.quantgroup.user.enums.Relation;
import cn.quantgroup.xyqb.aspect.limit.PasswordFreeAccessValidator;
import cn.quantgroup.xyqb.aspect.logcaller.LogHttpCaller;
import cn.quantgroup.xyqb.controller.IBaseController;
import cn.quantgroup.xyqb.entity.*;
......@@ -519,6 +520,7 @@ public class InnerController implements IBaseController {
return JsonResult.buildSuccessResult(null, UserExtInfoRet.getUserExtInfoRet(info));
}
// Todo @PasswordFreeAccessValidator
@RequestMapping("/user_detail/search_list")
@LogHttpCaller
public JsonResult searchUserDetailList(String name, String phoneNo, String idNo) {
......@@ -572,6 +574,7 @@ public class InnerController implements IBaseController {
return JsonResult.buildSuccessResult("success", wechatUserInfo.getOpenId());
}
// Todo @PasswordFreeAccessValidator
@RequestMapping("/user-association/search/phone")
@LogHttpCaller
public JsonResult findUserAssociationByPhone(String phoneNo) {
......@@ -624,6 +627,7 @@ public class InnerController implements IBaseController {
return JsonResult.buildSuccessResult("", bean);
}
@RequestMapping("/user-association/search/uid")
@LogHttpCaller
public JsonResult findUserAssociationByUid(Long uid) {
......
package cn.quantgroup.xyqb.controller.external.user.center;
import cn.quantgroup.xyqb.Constants;
import cn.quantgroup.xyqb.aspect.limit.PasswordFreeAccessValidator;
import cn.quantgroup.xyqb.entity.*;
//import cn.quantgroup.xyqb.entity.enumerate.EducationEnum;
//import cn.quantgroup.xyqb.entity.enumerate.IncomeRangeEnum;
......@@ -55,6 +56,7 @@ public class UserCenterController {
* @param phoneNo
* @return
*/
@PasswordFreeAccessValidator
@RequestMapping("/index")
public JsonResult userCenterIndex(String phoneNo) {
Long userId = queryUserId(phoneNo);
......@@ -84,7 +86,7 @@ public class UserCenterController {
*/
@RequestMapping("/save/avatar")
public JsonResult SaveUserAvatarAddr(String phoneNo, String avatarUrl) {
if(StringUtils.isEmpty(avatarUrl) || StringUtils.isEmpty(phoneNo)) {
if(StringUtils.isBlank(avatarUrl) || StringUtils.isBlank(phoneNo)) {
LOGGER.error("参数不合法:avatarUrl:{}, phoneNo:{}", avatarUrl, phoneNo);
return JsonResult.buildErrorStateResult("参数不合法", null);
}
......@@ -190,9 +192,10 @@ public class UserCenterController {
* @param phoneNo
* @return
*/
@PasswordFreeAccessValidator
@RequestMapping("/personalData")
public JsonResult personalData(String phoneNo) {
if(StringUtils.isEmpty(phoneNo)) {
if(StringUtils.isBlank(phoneNo)) {
LOGGER.error("手机号为空,phoneNo:{}", phoneNo);
return JsonResult.buildErrorStateResult("参数不合法", null);
}
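Review bot: `/save/avatar` at `public JsonResult SaveUserAvatarAddr(String phoneNo, String avatarUrl)` stays without `@PasswordFreeAccessValidator` while `/index` and `/personalData` gain it, so the one handler in this section that writes user data addressed by a caller-supplied phoneNo is the one left without the session-identity check; if it is meant to be reachable through the same token path it should carry the same annotation, otherwise a one-line comment stating why it is exempt would help the next reader. The method name also breaks the lowerCamelCase convention (`saveUserAvatarAddr`), though renaming is outside this change. personalData's body continues beyond the hunk.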
......