个人忘记密码安全性修改

o2server/x_organization_assemble_personal/src/main/java/com/x/organization/assemble/personal/jaxrs/reset/ActionCode.java

@@ -5,12 +5,19 @@ import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.project.config.Config;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.WrapOutBoolean;
+import com.x.base.core.project.logger.Logger;
+import com.x.base.core.project.logger.LoggerFactory;
+import com.x.base.core.project.tools.Crypto;
+import com.x.base.core.project.tools.DefaultCharset;
 import com.x.organization.assemble.personal.Business;
 import com.x.organization.core.entity.Person;
 import org.apache.commons.lang3.BooleanUtils;
+import org.codehaus.plexus.util.StringUtils;
 
-class ActionCode extends BaseAction {
+import java.net.URLDecoder;
 
+class ActionCode extends BaseAction {
+	private static final Logger LOGGER = LoggerFactory.getLogger(ActionCode.class);
 	ActionResult<WrapOutBoolean> execute(String credential) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
 			ActionResult<WrapOutBoolean> result = new ActionResult<>();
@@ -19,6 +26,9 @@ class ActionCode extends BaseAction {
 			if (BooleanUtils.isNotTrue(Config.collect().getEnable())) {
 				throw new ExceptionDisableCollect();
 			}
+			credential =  BooleanUtils.isTrue(Config.token().getRsaEnable()) ? Crypto.rsaDecrypt(URLDecoder.decode(credential, DefaultCharset.charset),
+					Config.privateKey()) : credential;
+			LOGGER.info("{} 用户进行忘记密码修改操作", credential);
 			Person person = business.person().getWithCredential(credential);
 			if (null == person) {
 				throw new ExceptionSendCodeError();

o2server/x_organization_assemble_personal/src/main/java/com/x/organization/assemble/personal/jaxrs/reset/ActionReset.java

@@ -44,9 +44,11 @@ class ActionReset extends BaseAction {
 			if (StringUtils.isBlank(password)) {
 				throw new ExceptionPasswordEmpty();
 			}
+			credential =  BooleanUtils.isTrue(Config.token().getRsaEnable()) ? Crypto.rsaDecrypt(credential, Config.privateKey()) : credential;
+			password =  BooleanUtils.isTrue(Config.token().getRsaEnable()) ? Crypto.rsaDecrypt(password, Config.privateKey()) : password;
 			Person person = business.person().getWithCredential(credential);
 			if (null == person) {
-				throw new ExceptionPersonNotExist(credential);
+				throw new ExceptionPersonNotExistOrInvalidAnswer();
 			}
 			person = emc.find(person.getId(), Person.class, ExceptionWhen.not_found);
 			if (BooleanUtils.isTrue(Config.person().getSuperPermission())
@@ -57,7 +59,7 @@ class ActionReset extends BaseAction {
 					throw new ExceptionInvalidPassword(Config.person().getPasswordRegexHint());
 				}
 				if (BooleanUtils.isFalse(business.instrument().code().validate(person.getMobile(), codeAnswer))) {
-					throw new ExceptionInvalidCode();
+					throw new ExceptionPersonNotExistOrInvalidAnswer();
 				}
 			}
 			emc.beginTransaction(Person.class);

o2server/x_organization_assemble_personal/src/main/java/com/x/organization/assemble/personal/jaxrs/reset/ActionSetPasswordAnonymous.java

 package com.x.organization.assemble.personal.jaxrs.reset;
 
-import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.StringUtils;
-
 import com.google.gson.JsonElement;
 import com.x.base.core.container.EntityManagerContainer;
 import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.project.annotation.FieldDescribe;
 import com.x.base.core.project.cache.CacheManager;
 import com.x.base.core.project.config.Config;
-import com.x.base.core.project.exception.ExceptionPersonNotExist;
 import com.x.base.core.project.gson.GsonPropertyObject;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
@@ -20,6 +15,9 @@ import com.x.base.core.project.logger.LoggerFactory;
 import com.x.base.core.project.tools.Crypto;
 import com.x.organization.assemble.personal.Business;
 import com.x.organization.core.entity.Person;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang3.BooleanUtils;
+import org.apache.commons.lang3.StringUtils;
 
 public class ActionSetPasswordAnonymous extends BaseAction {
 	private static final Logger LOGGER = LoggerFactory.getLogger(ActionSetPasswordAnonymous.class);
@@ -30,7 +28,6 @@ public class ActionSetPasswordAnonymous extends BaseAction {
 			Wi wi = this.convertToWrapIn(jsonElement, Wi.class);
 			Business business = new Business(emc);
 
-			/** 排除xadmin */
 			if (Config.token().isInitialManager(wi.getUserName())) {
 				throw new ExceptionEditInitialManagerDeny();
 			} else {
@@ -40,13 +37,10 @@ public class ActionSetPasswordAnonymous extends BaseAction {
 
 				Person o = business.person().getWithCredential(wi.getUserName());
 				if (null == o) {
-					throw new ExceptionPersonNotExist(wi.getUserName());
+					throw new ExceptionPersonNotExistOrInvalidPassword();
 				}
 
 				Person person = emc.find(o.getId(), Person.class);
-				if (null == person) {
-					throw new ExceptionPersonNotExist(wi.getUserName());
-				}
 
 				if (StringUtils.isEmpty(wi.getOldPassword())) {
 					throw new ExceptionOldPasswordEmpty();
@@ -54,31 +48,23 @@ public class ActionSetPasswordAnonymous extends BaseAction {
 				if (StringUtils.isEmpty(wi.getNewPassword())) {
 					throw new ExceptionPasswordEmpty();
 				}
-
 				if (StringUtils.isEmpty(wi.getConfirmPassword())) {
 					throw new ExceptionConfirmPasswordEmpty();
 				}
 
-				if (!StringUtils.equals(wi.getNewPassword(), wi.getConfirmPassword())) {
-					throw new ExceptionTwicePasswordNotMatch();
-				}
+				String oldPassword = BooleanUtils.isTrue(Config.token().getRsaEnable()) ? Crypto.rsaDecrypt(wi.getOldPassword(), Config.privateKey())
+						: wi.getOldPassword();
+				String newPassword = BooleanUtils.isTrue(Config.token().getRsaEnable()) ? Crypto.rsaDecrypt(wi.getNewPassword(), Config.privateKey())
+						: wi.getNewPassword();
+				String confirmPassword = BooleanUtils.isTrue(Config.token().getRsaEnable()) ? Crypto.rsaDecrypt(wi.getConfirmPassword(), Config.privateKey())
+						: wi.getConfirmPassword();
 
 				if (StringUtils.equals(wi.getNewPassword(), wi.getOldPassword())) {
 					throw new ExceptionNewPasswordSameAsOldPassword();
 				}
 
-				String oldPassword = wi.getOldPassword();
-				String newPassword = wi.getNewPassword();
-				String confirmPassword = wi.getConfirmPassword();
-				String isEncrypted = wi.getIsEncrypted();
-
-				// RSA解秘
-				if (!StringUtils.isEmpty(isEncrypted)) {
-					if (isEncrypted.trim().equalsIgnoreCase("y")) {
-						oldPassword = this.decryptRSA(oldPassword);
-						newPassword = this.decryptRSA(newPassword);
-						confirmPassword = this.decryptRSA(confirmPassword);
-					}
+				if(!StringUtils.equals(newPassword, confirmPassword)){
+					throw new ExceptionTwicePasswordNotMatch();
 				}
 
 				if (BooleanUtils.isTrue(Config.person().getSuperPermission())
@@ -88,7 +74,7 @@ public class ActionSetPasswordAnonymous extends BaseAction {
 					if (!StringUtils.equals(
 							Crypto.encrypt(oldPassword, Config.token().getKey(), Config.person().getEncryptType()),
 							person.getPassword())) {
-						throw new ExceptionOldPasswordNotMatch();
+						throw new ExceptionPersonNotExistOrInvalidPassword();
 					}
 					if (!newPassword.matches(Config.person().getPasswordRegex())) {
 						throw new ExceptionInvalidPassword(Config.person().getPasswordRegexHint());

o2server/x_organization_assemble_personal/src/main/java/com/x/organization/assemble/personal/jaxrs/reset/ExceptionPersonNotExistOrInvalidAnswer.java

+package com.x.organization.assemble.personal.jaxrs.reset;
+
+import com.x.base.core.project.exception.PromptException;
+
+class ExceptionPersonNotExistOrInvalidAnswer extends PromptException {
+
+	private static final long serialVersionUID = -8334021007462970656L;
+	public static String defaultMessage = "用户不存在或者验证码错误.";
+
+	ExceptionPersonNotExistOrInvalidAnswer( ) {
+		super(defaultMessage);
+	}
+}

o2server/x_organization_assemble_personal/src/main/java/com/x/organization/assemble/personal/jaxrs/reset/ExceptionPersonNotExistOrInvalidPassword.java

+package com.x.organization.assemble.personal.jaxrs.reset;
+
+import com.x.base.core.project.exception.PromptException;
+
+class ExceptionPersonNotExistOrInvalidPassword extends PromptException {
+
+
+	private static final long serialVersionUID = 2537120821114609351L;
+	public static String defaultMessage = "用户不存在或者密码错误.";
+
+	ExceptionPersonNotExistOrInvalidPassword( ) {
+		super(defaultMessage);
+	}
+}

o2server/x_organization_assemble_personal/src/main/java/com/x/organization/assemble/personal/jaxrs/reset/ResetAction.java

 package com.x.organization.assemble.personal.jaxrs.reset;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.container.AsyncResponse;
-import javax.ws.rs.container.Suspended;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.MediaType;
-
 import com.google.gson.JsonElement;
 import com.x.base.core.project.annotation.JaxrsDescribe;
 import com.x.base.core.project.annotation.JaxrsMethodDescribe;
@@ -26,6 +13,13 @@ import com.x.base.core.project.jaxrs.StandardJaxrsAction;
 import com.x.base.core.project.logger.Logger;
 import com.x.base.core.project.logger.LoggerFactory;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.*;
+import javax.ws.rs.container.AsyncResponse;
+import javax.ws.rs.container.Suspended;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+
 @Path("reset")
 @JaxrsDescribe("重置操作")
 public class ResetAction extends StandardJaxrsAction {