智布道 / OneBlog
Compare versions
15edb712ab0a5fb2949d7e1fb70ebd5f0bf61a16...1b2bd1a271656e59d370289d6597baf2c8919087
Source branch: 1b2bd1a271656e59d370289d6597baf2c8919087
Target branch: 15edb712ab0a5fb2949d7e1fb70ebd5f0bf61a16
Commits (7)

https://gitcode.net/u011197448/oneblog/-/commit/e165c0195b9b3813dc97300c24552b1569550527
Modify the nginx configuration file
2021-06-21T18:54:16+08:00
yadong.zhang <yadong.zhang0415@gmail.com>

https://gitcode.net/u011197448/oneblog/-/commit/f354ab37eef18f3e215142d0ea27907c1ae9e1f8
Signed-off-by: 国产大熊猫 <9199771@qq.com>
2021-07-20T13:13:24+08:00
国产大熊猫 <9199771@qq.com>

https://gitcode.net/u011197448/oneblog/-/commit/10a88d6cbfbca352fb2c46b115650a9be9101ec6
!28 Shiro deserialization security filtering
Merge pull request !28 from 国产大熊猫/master
2021-07-20T05:27:29+00:00
yadong.zhang <yadong.zhang0415@gmail.com>

https://gitcode.net/u011197448/oneblog/-/commit/8cf948c40abc99b8558d6f16330db7a3306d0e52
Signed-off-by: 国产大熊猫 <9199771@qq.com>
2021-07-20T14:02:35+08:00
国产大熊猫 <9199771@qq.com>

https://gitcode.net/u011197448/oneblog/-/commit/818e983a40edda5c0976a53f9bb59a801350eb2c
!29 Add a comment
Merge pull request !29 from 国产大熊猫/master
2021-07-20T06:06:58+00:00
yadong.zhang <yadong.zhang0415@gmail.com>

https://gitcode.net/u011197448/oneblog/-/commit/91d74d9283426b2d8f24c7948c0f5ee88251e01e
Fix the operation buttons being hidden in treetable
2021-08-01T16:48:10+08:00
yadong.zhang <yadong.zhang0415@gmail.com>

https://gitcode.net/u011197448/oneblog/-/commit/1b2bd1a271656e59d370289d6597baf2c8919087
Merge branch 'master' of gitee.com:yadong.zhang/DBlog
2021-08-01T16:48:38+08:00
yadong.zhang <yadong.zhang0415@gmail.com>
Showing 6 changed files with 105 additions and 10 deletions (+105 -10)
blog-admin/src/main/java/com/zyd/blog/core/config/MyClassResolvingObjectInputStream.java (+41 -0)
blog-admin/src/main/java/com/zyd/blog/core/config/MySecSerializer.java (+51 -0)
blog-admin/src/main/java/com/zyd/blog/core/config/ShiroConfig.java (+5 -3)
blog-admin/src/main/resources/static/assets/js/zhyd.treetable.js (+2 -2)
blog-admin/src/main/resources/templates/resources/list.ftl (+3 -2)
docs/nginx/nginx-local-file-storage-80.conf (+3 -3)
blog-admin/src/main/java/com/zyd/blog/core/config/MyClassResolvingObjectInputStream.java (new file, 0 → 100644)
package
com.zyd.blog.core.config
;
import
org.apache.shiro.util.ClassUtils
;
import
org.apache.shiro.util.UnknownClassException
;
import
java.io.IOException
;
import
java.io.InputStream
;
import
java.io.ObjectInputStream
;
import
java.io.ObjectStreamClass
;
public
class
MyClassResolvingObjectInputStream
extends
ObjectInputStream
{
public
MyClassResolvingObjectInputStream
(
InputStream
inputStream
)
throws
IOException
{
super
(
inputStream
);
}
protected
Class
<?>
resolveClass
(
ObjectStreamClass
osc
)
throws
IOException
,
ClassNotFoundException
{
try
{
String
s
=
osc
.
getName
();
// 干掉常见的gadget,为了避免 [ ; 符号,必须使用contains方法
// 简单的使用 s.equals 可能导致fastjson 以前出现的黑名单逃逸问题
if
(
s
.
contains
(
"java.util.PriorityQueue"
)
||
s
.
contains
(
"xsltc.trax.TemplatesImpl"
))
{
throw
new
ClassNotFoundException
(
"Unable to load Dangerous ObjectStreamClass ["
+
osc
+
"]"
);
}
if
(
s
.
contains
(
"org.apache."
))
{
// 直接干掉了 org.apache ,但是要保留shiro自己
if
(
s
.
startsWith
(
"org.apache.shiro.subject."
))
{
return
ClassUtils
.
forName
(
s
);
}
throw
new
ClassNotFoundException
(
"Unable to load Dangerous ObjectStreamClass ["
+
osc
+
"]"
);
}
// 使用白名单保证业务的正常开展
if
(
s
.
startsWith
(
"java.lang"
)
||
s
.
startsWith
(
"java.util"
))
{
return
ClassUtils
.
forName
(
s
);
}
else
{
throw
new
ClassNotFoundException
(
"Unable to load Dangerous ObjectStreamClass ["
+
osc
+
"]"
);
}
}
catch
(
UnknownClassException
var3
)
{
throw
new
ClassNotFoundException
(
"Unable to load ObjectStreamClass ["
+
osc
+
"]: "
,
var3
);
}
}
}
\ No newline at end of file
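Review bot: The allowlist at the end of resolveClass uses startsWith("java.lang") / startsWith("java.util"), so array descriptors such as `[Ljava.lang.String;` or `[I` (their names begin with `[`, which the comment above the blacklist itself points out) fall into the else branch and are rejected with ClassNotFoundException; any legitimately serialized principal collection that carries an array will fail to deserialize. Either strip the leading `[`/`L…;` wrapper before comparing, or compare against an explicit set of exact class names. Two further points: resolveProxyClass is not overridden, so dynamic-proxy descriptors (java.lang.reflect.Proxy) are still resolved by the default implementation without this filter; override it to reject proxies, or on Java 9+ (8u121+ via sun.misc) install a java.io.ObjectInputFilter on the stream, which covers both paths and also lets you cap depth and array length. Lastly, the order of the checks is load-bearing: "java.util.PriorityQueue" is only blocked because the substring blacklist runs before the java.util allowlist, and TemplatesImpl is caught twice (its package contains "org.apache."); a one-line comment that the allowlist must stay last would keep a future reorder from reopening that path. The method should also carry @Override.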
blog-admin/src/main/java/com/zyd/blog/core/config/MySecSerializer.java (new file, 0 → 100644)
package
com.zyd.blog.core.config
;
import
org.apache.shiro.io.SerializationException
;
import
org.apache.shiro.io.Serializer
;
import
java.io.*
;
public
class
MySecSerializer
<
T
>
implements
Serializer
<
T
>
{
public
MySecSerializer
()
{
}
public
byte
[]
serialize
(
T
o
)
throws
SerializationException
{
if
(
o
==
null
)
{
String
msg
=
"argument cannot be null."
;
throw
new
IllegalArgumentException
(
msg
);
}
else
{
ByteArrayOutputStream
baos
=
new
ByteArrayOutputStream
();
BufferedOutputStream
bos
=
new
BufferedOutputStream
(
baos
);
try
{
ObjectOutputStream
oos
=
new
ObjectOutputStream
(
bos
);
oos
.
writeObject
(
o
);
oos
.
close
();
return
baos
.
toByteArray
();
}
catch
(
IOException
var6
)
{
String
msg
=
"Unable to serialize object ["
+
o
+
"]. In order for the DefaultSerializer to serialize this object, the ["
+
o
.
getClass
().
getName
()
+
"] class must implement java.io.Serializable."
;
throw
new
SerializationException
(
msg
,
var6
);
}
}
}
public
T
deserialize
(
byte
[]
serialized
)
throws
SerializationException
{
if
(
serialized
==
null
)
{
String
msg
=
"argument cannot be null."
;
throw
new
IllegalArgumentException
(
msg
);
}
else
{
ByteArrayInputStream
bais
=
new
ByteArrayInputStream
(
serialized
);
BufferedInputStream
bis
=
new
BufferedInputStream
(
bais
);
try
{
ObjectInputStream
ois
=
new
MyClassResolvingObjectInputStream
(
bis
);
T
deserialized
=
(
T
)
ois
.
readObject
();
ois
.
close
();
return
deserialized
;
}
catch
(
Exception
var6
)
{
String
msg
=
"Unable to deserialize argument byte array."
;
throw
new
SerializationException
(
msg
,
var6
);
}
}
}
}
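Review bot: In deserialize, `catch (Exception var6)` folds every failure, including the ClassNotFoundException that MyClassResolvingObjectInputStream throws for a rejected class, into the generic "Unable to deserialize argument byte array." with no logging, so a blocked rememberMe cookie is indistinguishable in the logs from a corrupt one. Log the cause (at least the message, which names the rejected ObjectStreamClass) at WARN before rethrowing so that rejections are observable. The streams are also only closed on the success path; use try-with-resources for the ObjectInputStream / ObjectOutputStream so they are closed when readObject or writeObject throws. The `(T) ois.readObject()` cast is unchecked: if the only consumer is the rememberMe manager, declaring the class as Serializer<PrincipalCollection> and checking `instanceof PrincipalCollection` before returning turns a wrong-type payload into a clean SerializationException instead of a ClassCastException at the call site. The empty public constructor and the wildcard `import java.io.*` can be dropped.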
blog-admin/src/main/java/com/zyd/blog/core/config/ShiroConfig.java
...
...
@@ -225,8 +225,10 @@ public class ShiroConfig {
*/
public
CookieRememberMeManager
rememberMeManager
()
{
CookieRememberMeManager
cookieRememberMeManager
=
new
CookieRememberMeManager
();
// 使用自定义的序列化类
cookieRememberMeManager
.
setSerializer
(
new
MySecSerializer
<>());
cookieRememberMeManager
.
setCookie
(
rememberMeCookie
());
//rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128
256 512
位)
//rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128
192 256
位)
cookieRememberMeManager
.
setCipherKey
(
GenerateCipherKey
.
generateNewKey
());
return
cookieRememberMeManager
;
}
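Review bot: The comment correction is right (AES key lengths are 128, 192 or 256 bits, not 128/256/512). On the setSerializer line: CookieRememberMeManager decrypts the cookie with the cipher key before handing the bytes to the serializer, so MySecSerializer is defence in depth behind the key, not a replacement for it; stating that in the comment above setSerializer would stop someone later reverting to a fixed or shared key on the assumption that the serializer alone is enough. Note also that GenerateCipherKey.generateNewKey() is invoked inside rememberMeManager(), so a fresh key is produced on every startup and rememberMe cookies issued before a restart, or by another instance, will no longer decrypt; that is a reasonable trade-off for a single node but should be documented next to the call.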
...
...
@@ -251,8 +253,8 @@ public class ShiroConfig {
String
msg
=
"Unable to acquire AES algorithm. This is required to function."
;
throw
new
IllegalStateException
(
msg
,
var5
);
}
kg
.
init
(
128
);
// 满足合规应使用256位
kg
.
init
(
256
);
SecretKey
key
=
kg
.
generateKey
();
return
key
.
getEncoded
();
}
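Review bot: Changing kg.init(128) to kg.init(256) yields a 256-bit key, but on JDKs older than 8u161 without the unlimited-strength JCE policy the KeyGenerator will still hand back the key and the failure only surfaces later, when Shiro's AES cipher is initialised with it (InvalidKeyException: illegal key size), outside the try/catch in this method. Either document the minimum JDK in the comment next to "满足合规应使用256位", or check `Cipher.getMaxAllowedKeyLength("AES") >= 256` at startup and fail fast with a clear message.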
...
...
blog-admin/src/main/resources/static/assets/js/zhyd.treetable.js
...
...
@@ -18,7 +18,7 @@ $.extend({
toobarTemplate
:
'
<div id="tree-table-toolbar" class="btn-group" role="group" aria-label="..."><button id="add-btn" type="button" class="btn btn-info" title="新增"><i class="fa fa-plus fa-fw"> </i> </button><button id="batch-delete-btn" type="button" class="btn btn-danger" title="批量删除"><i class="fa fa-trash-o fa-fw"> </i> </button></div>
'
,
oprater
:
{
title
:
'
操作
'
,
width
:
'
1
0
0px
'
,
width
:
'
1
3
0px
'
,
align
:
"
center
"
,
formatter
:
function
(
value
,
row
,
index
)
{
var
curId
=
row
.
id
;
...
...
@@ -168,4 +168,4 @@ $.extend({
}
}
});
\ No newline at end of file
});
blog-admin/src/main/resources/templates/resources/list.ftl
...
...
@@ -114,7 +114,7 @@
}, {
field: '-',
title: '层级',
width: "
6
0px",
width: "
9
0px",
align: "center"
}, {
field: 'name',
...
...
@@ -132,6 +132,7 @@
}, {
field: 'type',
title: '资源类型',
width: '100px',
formatter: function (code) {
return code == 'menu' ? '菜单' : '按钮';
}
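Review bot: Adding `width: '100px'` to the 资源类型 column, together with 层级 going to 90px in the previous hunk and the operation column going to 130px in zhyd.treetable.js, is three hand-tuned literals across two files to keep the buttons visible; keeping these widths in one place (the treetable defaults) rather than per-template literals would avoid the next mismatch when a column is added or renamed.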
...
...
@@ -196,4 +197,4 @@
})
});
</script>
</@footer>
\ No newline at end of file
</@footer>
docs/nginx/nginx-local-file-storage-80.conf
server
{
listen
80
;
server_name
改成自己的域名;
root
改成自己的文件目录;
;
root
改成自己的文件目录;
location
^~ / {
try_files
$
uri
$
uri
/ /
index
.
html
;
proxy_set_header
Cookie
$
http_cookie
;
proxy_set_header
Cookie
$
http_cookie
;
proxy_set_header
Host
$
host
:$
server_port
;
}
}
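Review bot: The proxy_set_header directives in `location ^~ /` have no effect: this location serves files from `root` via try_files and has no proxy_pass, and nginx only applies proxy_set_header to proxied requests. If the intent is to forward unmatched requests to the blog application, add the proxy_pass (and have try_files fall through to a named location rather than /index.html); otherwise drop the three lines so the file does not suggest a proxy that is not there. Cleaning up the stray second `;` on the `root` line is good. The `改成自己的域名` / `改成自己的文件目录` placeholders must be replaced by the operator, and since this block only has `listen 80`, uploaded files are served over plain HTTP; if the blog itself is on HTTPS, front this with TLS as well or browsers will block the files as mixed content.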