更新

mms-font/src/api/user.js

@@ -8,11 +8,10 @@ export function login(data) {
   })
 }
 
-export function getInfo(token) {
+export function getInfo() {
   return request({
-    url: '/vue-element-admin/user/info',
-    method: 'get',
-    params: { token }
+    url: '/sys/user/info/',
+    method: 'get'
   })
 }
 

mms-font/src/store/modules/user.js

@@ -35,8 +35,9 @@ const actions = {
     return new Promise((resolve, reject) => {
       login({ userName: userName.trim(), password: password }).then(response => {
         const { data } = response
-        commit('SET_TOKEN', data.token)
-        setToken(data.token)
+        commit('SET_TOKEN', data)
+        console.log(data)
+        setToken(data)
         resolve()
       }).catch(error => {
         reject(error)
@@ -46,6 +47,7 @@ const actions = {
 
   // get user info
   getInfo({ commit, state }) {
+    console.log(state)
     return new Promise((resolve, reject) => {
       getInfo(state.token).then(response => {
         const { data } = response

mms-font/src/views/dashboard/index.vue

@@ -3,6 +3,7 @@
 </template>
 
 <script>
+
 export default {
   name: 'Dashboard',
   components: { },

mms-font/src/views/login/index.vue

@@ -88,8 +88,8 @@ export default {
     }
     return {
       loginForm: {
-        userName: 'admin',
-        password: '111111'
+        userName: 'qxd',
+        password: '123456'
       },
       loginRules: {
         password: [

mms/pom.xml

@@ -105,6 +105,16 @@
             <artifactId>shiro-spring</artifactId>
             <version>${shiro.version}</version>
         </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>${commons.io.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>${commons.lang.version}</version>
+        </dependency>
         <dependency>
             <groupId>com.alibaba</groupId>
             <artifactId>druid-spring-boot-starter</artifactId>

mms/src/main/java/com/pannk/mms/common/config/FilterConfig.java

+package com.pannk.mms.common.config;
+
+import com.pannk.mms.common.filters.XssFilter;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.filter.DelegatingFilterProxy;
+
+import javax.servlet.DispatcherType;
+
+/**
+ * Created by wolf on 20-11-6.
+ */
+@Configuration
+public class FilterConfig {
+
+    @Bean
+    public FilterRegistrationBean shiroFilterRegistration(){
+        FilterRegistrationBean registration = new FilterRegistrationBean();
+        registration.setFilter(new DelegatingFilterProxy("shiroFilter"));
+        registration.addInitParameter("targetFilterLifecycle","true");
+        registration.setEnabled(true);
+        registration.setOrder(Integer.MAX_VALUE-1);
+        registration.addUrlPatterns("/*");
+        return registration;
+    }
+
+    @Bean
+    public FilterRegistrationBean xssFilterRegistration(){
+        FilterRegistrationBean registrationBean= new FilterRegistrationBean();
+        registrationBean.setDispatcherTypes(DispatcherType.REQUEST);
+        registrationBean.setFilter(new XssFilter());
+        registrationBean.addUrlPatterns("/*");
+        registrationBean.setName("xssFilter");
+        registrationBean.setOrder(Integer.MAX_VALUE);
+        return registrationBean;
+    }
+}

mms/src/main/java/com/pannk/mms/common/config/ShiroConfig.java

+package com.pannk.mms.common.config;
+
+import com.pannk.mms.common.oauth2.OAuth2Filter;
+import com.pannk.mms.common.oauth2.OAuth2Realm;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.spring.LifecycleBeanPostProcessor;
+import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import javax.servlet.Filter;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+/**
+ * Created by wolf on 20-11-6.
+ */
+@Configuration
+public class ShiroConfig {
+
+    @Bean
+    public SecurityManager securityManager(OAuth2Realm oAuth2Realm){
+        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
+        securityManager.setRealm(oAuth2Realm);
+        securityManager.setRememberMeManager(null);
+        return securityManager;
+    }
+
+    @Bean
+    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager){
+        AuthorizationAttributeSourceAdvisor advisor= new AuthorizationAttributeSourceAdvisor();
+        advisor.setSecurityManager(securityManager);
+        return advisor;
+    }
+
+    @Bean("shiroFilter")
+    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager){
+        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
+        shiroFilterFactoryBean.setSecurityManager(securityManager);
+
+        Map<String,Filter> filters = new HashMap<>();
+        filters.put("oauth2",new OAuth2Filter());
+        shiroFilterFactoryBean.setFilters(filters);
+
+        Map<String,String> filterMap = new LinkedHashMap<>();
+        filterMap.put("/webjars/**","anon");
+        filterMap.put("/durid/**","anon");
+        filterMap.put("/sys/log","anon");
+        filterMap.put("/swagger/**","anon");
+        filterMap.put("v2/api-docs","anon");
+        filterMap.put("/swagger-ui.html","anon");
+        filterMap.put("/swagger-resources/**","anon");
+
+        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);
+        return shiroFilterFactoryBean;
+    }
+
+    @Bean("lifecycleBeanPostProcessor")
+    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor(){
+        return new LifecycleBeanPostProcessor();
+    }
+
+}

mms/src/main/java/com/pannk/mms/common/filters/SQLFilter.java

+package com.pannk.mms.common.filters;
+
+
+import com.pannk.mms.common.exception.BaseException;
+import org.apache.commons.lang.StringUtils;
+
+/**
+ * Created by wolf on 20-11-6.
+ */
+public class SQLFilter {
+
+    public static String sqlInject(String str){
+        if (StringUtils.isBlank(str)){
+            return null;
+        }
+        //去掉'|"|;|\字符
+        str = StringUtils.replace(str,"'","");
+        str = StringUtils.replace(str,"\"","");
+        str = StringUtils.replace(str,";","");
+        str = StringUtils.replace(str,"\\","");
+
+        //转换为小写
+        str = str.toLowerCase();
+
+        //非法字符
+        String[] keywords = {"master","truncate","insert","select","delete","update","declare","alter","drop"};
+
+        //判断是否包含非法字符
+        for (String keyword :keywords) {
+            if (str.indexOf(keyword) != -1) {
+                throw new BaseException("包含非法字符");
+            }
+        }
+        return str;
+    }
+}

mms/src/main/java/com/pannk/mms/common/filters/XssFilter.java

+package com.pannk.mms.common.filters;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * Created by wolf on 20-11-6.
+ */
+public class XssFilter implements Filter {
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        XssHttpServletRequestWrapper xssHttpServletRequestWrapper = new XssHttpServletRequestWrapper((HttpServletRequest)servletRequest);
+        filterChain.doFilter(xssHttpServletRequestWrapper,servletResponse);
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}

mms/src/main/java/com/pannk/mms/common/filters/XssHttpServletRequestWrapper.java

+package com.pannk.mms.common.filters;
+
+import com.baomidou.mybatisplus.core.toolkit.StringUtils;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.StringEscapeUtils;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+
+import javax.servlet.ReadListener;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+/**
+ * Created by wolf on 20-11-6.
+ */
+public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper{
+
+    HttpServletRequest oriRequest;
+
+    private final static HTMLFilter HTML_FILTER = new HTMLFilter();
+
+    public XssHttpServletRequestWrapper(HttpServletRequest request) {
+        super(request);
+        this.oriRequest = request;
+    }
+
+    @Override
+    public ServletInputStream getInputStream() throws IOException {
+        if (!MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(super.getHeader(HttpHeaders.CONTENT_TYPE))){
+            return super.getInputStream();
+        }
+        String json = IOUtils.toString(super.getInputStream(),"UTF-8");
+        if (StringUtils.isBlank(json)){
+            return super.getInputStream();
+        }
+
+        json = xssEncode(json);
+        final ByteArrayInputStream bis = new ByteArrayInputStream(json.getBytes("UTF-8"));
+        return new ServletInputStream() {
+            @Override
+            public boolean isFinished() {
+                return true;
+            }
+
+            @Override
+            public boolean isReady() {
+                return true;
+            }
+
+            @Override
+            public void setReadListener(ReadListener listener) {
+
+            }
+
+            @Override
+            public int read() throws IOException {
+                return bis.read();
+            }
+        };
+    }
+
+    @Override
+    public String getParameter(String name) {
+        String value = super.getParameter(xssEncode(name));
+        if (StringUtils.isNotBlank(value)){
+            value = xssEncode(value);
+        }
+        value = SQLFilter.sqlInject(value);
+        return StringEscapeUtils.unescapeHtml(value);
+    }
+
+    @Override
+    public String[] getParameterValues(String name) {
+        String[] parameters = super.getParameterValues(name);
+        if (parameters==null||parameters.length==0){
+            return null;
+        }
+        for (int i = 0; i < parameters.length; i++) {
+            parameters[i] = xssEncode(parameters[i]);
+            parameters[i] = SQLFilter.sqlInject(parameters[i]);
+            parameters[i] = StringEscapeUtils.unescapeHtml(parameters[i]);
+        }
+        return parameters;
+    }
+
+    @Override
+    public Map<String, String[]> getParameterMap() {
+        Map<String,String[]> map = new LinkedHashMap<>();
+        Map<String,String[]> parameters = super.getParameterMap();
+        for (String key:parameters.keySet()){
+            String[] values = parameters.get(key);
+            for (int i = 0; i < values.length; i++) {
+                values[i] = xssEncode(values[i]);
+                values[i] = SQLFilter.sqlInject(values[i]);
+                values[i] = StringEscapeUtils.unescapeHtml(values[i]);
+            }
+            map.put(key,values);
+        }
+        return map;
+    }
+
+    @Override
+    public String getHeader(String name) {
+        String value = super.getHeader(xssEncode(name));
+        if (StringUtils.isNotBlank(value)){
+            value = xssEncode(value);
+        }
+        value = SQLFilter.sqlInject(value);
+        return StringEscapeUtils.unescapeHtml(value);
+    }
+
+    private String xssEncode(String json) {
+        return HTML_FILTER.filter(json);
+    }
+
+    public HttpServletRequest getOriRequest() {
+        return oriRequest;
+    }
+
+    public static HttpServletRequest getOriRequest(HttpServletRequest request){
+        if (request instanceof XssHttpServletRequestWrapper){
+            return ((XssHttpServletRequestWrapper)request).getOriRequest();
+        }
+        return request;
+    }
+}

mms/src/main/java/com/pannk/mms/common/oauth2/OAuth2Filter.java

+package com.pannk.mms.common.oauth2;
+
+import com.alibaba.fastjson.JSON;
+import com.pannk.mms.common.base.Result;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
+import org.junit.platform.commons.util.StringUtils;
+import org.springframework.http.HttpStatus;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Created by wolf on 20-11-6.
+ */
+public class OAuth2Filter extends AuthenticatingFilter {
+    @Override
+    protected AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
+        String token = getToken(servletRequest);
+        if (StringUtils.isBlank(token)) {
+            return null;
+        }
+        return new OAuth2Token(token);
+    }
+
+    @Override
+    protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
+        String token = getToken(servletRequest);
+        if (StringUtils.isBlank(token)) {
+            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
+            httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");
+            httpServletResponse.setHeader("Access-Control-Allow-Origin", ((HttpServletRequest) servletRequest).getHeader("Origin"));
+
+            String responJson = JSON.toJSONString(Result.error(HttpStatus.FORBIDDEN.value(), HttpStatus.FORBIDDEN.getReasonPhrase()));
+            httpServletResponse.getWriter().print(responJson);
+            return false;
+        }
+        return executeLogin(servletRequest,servletResponse);
+    }
+
+    private String getToken(ServletRequest request) {
+        return ((HttpServletRequest) request).getHeader("X-Token");
+    }
+}

mms/src/main/java/com/pannk/mms/common/oauth2/OAuth2Realm.java

+package com.pannk.mms.common.oauth2;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.springframework.stereotype.Component;
+
+/**
+ * Created by wolf on 20-11-6.
+ */
+@Component
+public class OAuth2Realm extends AuthorizingRealm {
+    @Override
+    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
+        return null;
+    }
+
+    @Override
+    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
+        return null;
+    }
+}

mms/src/main/java/com/pannk/mms/common/oauth2/OAuth2Token.java

+package com.pannk.mms.common.oauth2;
+
+import org.apache.shiro.authc.AuthenticationToken;
+
+/**
+ * Created by wolf on 20-11-6.
+ */
+public class OAuth2Token implements AuthenticationToken {
+
+
+    private String token;
+
+    public OAuth2Token(String token){
+        this.token = token;
+    }
+
+    @Override
+    public Object getPrincipal() {
+        return token;
+    }
+
+    @Override
+    public Object getCredentials() {
+        return token;
+    }
+}