diff --git a/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java b/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java
index 12411aa4..6623469e 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java
@@ -86,7 +86,7 @@ public class UserController {
 //获取用户状态
 int userStatus = -1;
 try {
- redisService.deleteObjectBySession(request,"tenantId");
+ redisService.deleteObjectBySession(request,"userId");
 userStatus = userService.validateUser(loginName, password);
 } catch (Exception e) {
 e.printStackTrace();
@@ -125,7 +125,6 @@ public class UserController {
 Integer userNumLimit = tenant.getUserNumLimit();
 Integer billsNumLimit = tenant.getBillsNumLimit();
 if(tenantId!=null) {
- redisService.storageObjectBySession(token,"tenantId",tenantId); //租户tenantId
 redisService.storageObjectBySession(token,"userNumLimit",userNumLimit); //用户限制数
 redisService.storageObjectBySession(token,"billsNumLimit",billsNumLimit); //单据限制数
 }
@@ -140,7 +139,7 @@ public class UserController {
 if(user!=null){
 String roleType = userService.getRoleTypeByUserId(user.getId()); //角色类型
 redisService.storageObjectBySession(token,"roleType",roleType);
- redisService.storageObjectBySession(token,"token", token);
+ redisService.storageObjectBySession(token,"clientIp", Tools.getLocalIp(request));
 logService.insertLogWithUserId(user.getId(), user.getTenantId(), "用户",
 new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_LOGIN).append(user.getLoginName()).toString(),
 ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
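Review bot: The `clientIp` stored by `redisService.storageObjectBySession(token,"clientIp", Tools.getLocalIp(request));` in the third hunk is the value LogService (later in this commit) uses to select sessions for forced logout, so its provenance decides who gets revoked: if `Tools.getLocalIp` honours a forwarded-for style header the value is request-supplied, and behind a NAT or reverse proxy every user shares one value and is revoked together. I'd add above that line `// clientIp is the selector LogService uses to revoke sessions; must be the transport-level peer address, not a client-settable header` and confirm `getLocalIp` against that. Separately, the first hunk now clears `userId` from the request's session before `validateUser` runs, so a login attempt that carries an existing token ends that session even when the credentials are rejected; a comment stating whether that is intended would help. The enclosing login handler starts before the first hunk and continues past the third.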
@@ -188,10 +187,7 @@ public class UserController {
 public BaseResponseInfo logout(HttpServletRequest request, HttpServletResponse response)throws Exception {
 BaseResponseInfo res = new BaseResponseInfo();
 try {
- redisService.deleteObjectBySession(request,"user");
- redisService.deleteObjectBySession(request,"tenantId");
- redisService.deleteObjectBySession(request,"userNumLimit");
- redisService.deleteObjectBySession(request,"billsNumLimit");
+ redisService.deleteObjectBySession(request,"userId");
 response.sendRedirect("/login.html");
 } catch(Exception e){
 e.printStackTrace();
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/datasource/mappers/LogMapperEx.java b/jshERP-boot/src/main/java/com/jsh/erp/datasource/mappers/LogMapperEx.java
index 655c73cc..94af9487 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/datasource/mappers/LogMapperEx.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/datasource/mappers/LogMapperEx.java
@@ -28,4 +28,8 @@ public interface LogMapperEx {
 @Param("beginTime") String beginTime,
 @Param("endTime") String endTime,
 @Param("content") String content);
+
+ Long getCountByIpAndDate(
+ @Param("clientIp") String clientIp,
+ @Param("createTime") String createTime);
 }
\ No newline at end of file
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/service/log/LogService.java b/jshERP-boot/src/main/java/com/jsh/erp/service/log/LogService.java
index 1da17182..b710cbf1 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/service/log/LogService.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/service/log/LogService.java
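Review bot: Only the `userId` field is removed from the token hash on logout, so `roleType`, `clientIp`, `userNumLimit` and `billsNumLimit` (the last two were explicitly cleared before this change) stay in Redis under the still-valid token until it expires; if any check elsewhere treats the presence of the token hash as a live session, this is a weaker logout than before. I'd either keep the `deleteObjectBySession` calls for the remaining fields or, better, add a RedisService method that deletes the whole token hash and call it here. If the partial deletion is deliberate, a comment such as `// only userId is cleared here; the remaining fields of the token hash expire with the token` would make that explicit. The `logout` method continues past this hunk.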
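Review bot: `getCountByIpAndDate` has no Javadoc, and its `createTime` parameter is a `String` whose expected format is fixed only by the caller (`Tools.getNow3()` in LogService) and by the SQL in LogMapperEx.xml, neither of which a reader of this interface sees. A line such as `/** Number of log rows from clientIp whose creation time equals createTime (the second-precision string produced by Tools.getNow3()); used for same-second duplicate detection. */` would pin the contract. The result is a boxed `Long`, so it is also worth stating whether it can be null so callers know whether to guard before comparing.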
@@ -148,15 +148,23 @@ public class LogService {
 try{
 Long userId = userService.getUserId(request);
 if(userId!=null) {
- Log log = new Log();
- log.setUserId(userId);
- log.setOperation(moduleName);
- log.setClientIp(getLocalIp(request));
- log.setCreateTime(new Date());
- Byte status = 0;
- log.setStatus(status);
- log.setContent(content);
- logMapper.insertSelective(log);
+ String clientIp = getLocalIp(request);
+ String createTime = Tools.getNow3();
+ Long count = logMapperEx.getCountByIpAndDate(clientIp, createTime);
+ if(count > 0) {
+ //如果某1个IP在同1秒内连续操作两遍,此时需要删除该redis记录,使其退出,防止恶意攻击
+ redisService.deleteObjectByKeyAndIp("clientIp", clientIp, "userId");
+ } else {
+ Log log = new Log();
+ log.setUserId(userId);
+ log.setOperation(moduleName);
+ log.setClientIp(getLocalIp(request));
+ log.setCreateTime(new Date());
+ Byte status = 0;
+ log.setStatus(status);
+ log.setContent(content);
+ logMapper.insertSelective(log);
+ }
 }
 }catch(Exception e){
 JshException.writeFail(logger, e);
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/service/redis/RedisService.java b/jshERP-boot/src/main/java/com/jsh/erp/service/redis/RedisService.java
index 8062da70..9793c511 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/service/redis/RedisService.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/service/redis/RedisService.java
@@ -10,6 +10,7 @@ import org.springframework.stereotype.Component;
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 /**
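Review bot: When the same-second check fires, the `else` branch is skipped, so the request that triggers a forced logout is the one request that leaves no row in the log table — the revocation itself is unaudited and cannot be reconstructed from `getCountByIpAndDate` later. I'd write the Log row on both paths and then revoke, reusing the `clientIp` local instead of the second `getLocalIp(request)` call, and guard the boxed `Long` before `count > 0`; the count/insert pair is also not atomic, so two concurrent requests in the same second can both observe zero. The condition keys purely on source address at one-second granularity, so if this method is reached from ordinary operations, two legitimate requests in the same second, or several users behind one NAT or proxy address, revoke each other's sessions — the intended call sites deserve a comment. The enclosing method starts before this hunk.
```java
String clientIp = getLocalIp(request);
String createTime = Tools.getNow3();
Long count = logMapperEx.getCountByIpAndDate(clientIp, createTime);
// … unchanged: Log construction, but with log.setClientIp(clientIp) …
logMapper.insertSelective(log);  // written on both paths so a revocation is itself audited
if(count != null && count > 0) {
    // a second operation from this IP within the same second: revoke the matching sessions
    redisService.deleteObjectByKeyAndIp("clientIp", clientIp, "userId");
}
```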
@@ -96,11 +97,24 @@ public class RedisService {
 }
 }
- public Long getTenantId(HttpServletRequest request) {
- if(getObjectFromSessionByKey(request,"tenantId")!=null) {
- return Long.parseLong(getObjectFromSessionByKey(request, "tenantId").toString());
- } else {
- return null;
+ /**
+ * @author jisheng hua
+ * description:
+ * 将信息从redis中移除,比对key和ip
+ *@date: 2021/08/21 22:10
+ * @Param: request
+ * @Param: key
+ * @Param: ip
+ * @Param: deleteKey
+ * @return Object
+ */
+ public void deleteObjectByKeyAndIp(String key, String ip, String deleteKey){
+ Set tokens = redisTemplate.keys("*");
+ for(String token : tokens) {
+ Object value = redisTemplate.opsForHash().get(token, key);
+ if(value!=null && value.equals(ip)) {
+ redisTemplate.opsForHash().delete(token, deleteKey);
+ }
+ }
 }
 }
 }
diff --git a/jshERP-boot/src/main/resources/mapper_xml/LogMapperEx.xml b/jshERP-boot/src/main/resources/mapper_xml/LogMapperEx.xml
index e5094c63..9cbbaac7 100644
--- a/jshERP-boot/src/main/resources/mapper_xml/LogMapperEx.xml
+++ b/jshERP-boot/src/main/resources/mapper_xml/LogMapperEx.xml
@@ -70,4 +70,8 @@ and l.content like #{bindContent} + + \ No newline at end of file
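Review bot: `redisTemplate.keys("*")` in `deleteObjectByKeyAndIp` enumerates the entire keyspace on every call and then issues `opsForHash().get` against each key, so any non-hash key in the same database (a counter, a plain string) makes the loop fail with a wrong-type error from Redis, and since LogService in this commit invokes this on the request path the scan cost is paid on every detection; a key pattern restricted to session tokens, or SCAN with that prefix, would contain both problems. Two smaller fixes: the raw `Set` should be `Set<String> tokens = redisTemplate.keys("*");` to match the `for(String token : tokens)` loop, and the Javadoc lists a `@Param: request` the method does not take and `@return Object` for a `void` method — drop the former and remove or correct the latter. It is also worth a one-line comment that only the `deleteKey` field is removed and the rest of the token hash stays until its TTL. The removal of `getTenantId` will break any caller outside this diff; I cannot see whether one exists.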