增加防御代码,防止恶意攻击
@@ -86,7 +86,7 @@ public class UserController {
|
||||
//获取用户状态
|
||||
int userStatus = -1;
|
||||
try {
|
||||
redisService.deleteObjectBySession(request,"tenantId");
|
||||
redisService.deleteObjectBySession(request,"userId");
|
||||
userStatus = userService.validateUser(loginName, password);
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
@@ -125,7 +125,6 @@ public class UserController {
|
||||
Integer userNumLimit = tenant.getUserNumLimit();
|
||||
Integer billsNumLimit = tenant.getBillsNumLimit();
|
||||
if(tenantId!=null) {
|
||||
redisService.storageObjectBySession(token,"tenantId",tenantId); //租户tenantId
|
||||
redisService.storageObjectBySession(token,"userNumLimit",userNumLimit); //用户限制数
|
||||
redisService.storageObjectBySession(token,"billsNumLimit",billsNumLimit); //单据限制数
|
||||
}
|
||||
@@ -140,7 +139,7 @@ public class UserController {
|
||||
if(user!=null){
|
||||
String roleType = userService.getRoleTypeByUserId(user.getId()); //角色类型
|
||||
redisService.storageObjectBySession(token,"roleType",roleType);
|
||||
redisService.storageObjectBySession(token,"token", token);
|
||||
redisService.storageObjectBySession(token,"clientIp", Tools.getLocalIp(request));
|
||||
logService.insertLogWithUserId(user.getId(), user.getTenantId(), "用户",
|
||||
new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_LOGIN).append(user.getLoginName()).toString(),
|
||||
((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
|
||||
@@ -188,10 +187,7 @@ public class UserController {
|
||||
public BaseResponseInfo logout(HttpServletRequest request, HttpServletResponse response)throws Exception {
|
||||
BaseResponseInfo res = new BaseResponseInfo();
|
||||
try {
|
||||
redisService.deleteObjectBySession(request,"user");
|
||||
redisService.deleteObjectBySession(request,"tenantId");
|
||||
redisService.deleteObjectBySession(request,"userNumLimit");
|
||||
redisService.deleteObjectBySession(request,"billsNumLimit");
|
||||
redisService.deleteObjectBySession(request,"userId");
|
||||
response.sendRedirect("/login.html");
|
||||
} catch(Exception e){
|
||||
e.printStackTrace();
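Review bot: The forced-logout path that the new `clientIp` session entry (stored at line 69) feeds only removes the `userId` field, while the normal `logout` shown here clears `user`, `tenantId`, `userNumLimit`, `billsNumLimit` and `userId`; if any downstream authorization check reads one of those other fields instead of `userId`, a kicked session stays partly usable. Both paths should clear the same set, for example by extracting a private `clearSessionFields(String token)` in `RedisService` that deletes every field written at login and calling it from both `logout` and the IP-based kick. `Tools.getLocalIp(request)` is also now a security-relevant key; if that helper honours `X-Forwarded-For` or similar proxy headers (not visible here), the value is client-controlled and the binding can be spoofed, so confirm it uses the socket address behind a trusted proxy. The `logout` method continues past the end of this hunk.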
|
||||
|
||||
@@ -28,4 +28,8 @@ public interface LogMapperEx {
|
||||
@Param("beginTime") String beginTime,
|
||||
@Param("endTime") String endTime,
|
||||
@Param("content") String content);
|
||||
|
||||
Long getCountByIpAndDate(
|
||||
@Param("clientIp") String clientIp,
|
||||
@Param("createTime") String createTime);
|
||||
}
|
||||
@@ -148,15 +148,23 @@ public class LogService {
|
||||
try{
|
||||
Long userId = userService.getUserId(request);
|
||||
if(userId!=null) {
|
||||
Log log = new Log();
|
||||
log.setUserId(userId);
|
||||
log.setOperation(moduleName);
|
||||
log.setClientIp(getLocalIp(request));
|
||||
log.setCreateTime(new Date());
|
||||
Byte status = 0;
|
||||
log.setStatus(status);
|
||||
log.setContent(content);
|
||||
logMapper.insertSelective(log);
|
||||
String clientIp = getLocalIp(request);
|
||||
String createTime = Tools.getNow3();
|
||||
Long count = logMapperEx.getCountByIpAndDate(clientIp, createTime);
|
||||
if(count > 0) {
|
||||
//如果某1个IP在同1秒内连续操作两遍,此时需要删除该redis记录,使其退出,防止恶意攻击
|
||||
redisService.deleteObjectByKeyAndIp("clientIp", clientIp, "userId");
|
||||
} else {
|
||||
Log log = new Log();
|
||||
log.setUserId(userId);
|
||||
log.setOperation(moduleName);
|
||||
log.setClientIp(getLocalIp(request));
|
||||
log.setCreateTime(new Date());
|
||||
Byte status = 0;
|
||||
log.setStatus(status);
|
||||
log.setContent(content);
|
||||
logMapper.insertSelective(log);
|
||||
}
|
||||
}
|
||||
}catch(Exception e){
|
||||
JshException.writeFail(logger, e);
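Review bot: The new check at lines 184-199 runs after the operation it is meant to guard has already completed and, on a hit, logs out every session whose `clientIp` equals the requester's, so users behind one NAT or proxy address — or a single user double-clicking within the same second — get each other logged out, and anyone with a valid account on the same egress IP can kick colleagues at will. It also skips `logMapper.insertSelective(log)` on the flagged request, so the very event treated as suspicious leaves no audit row. I would always insert the row first, then count and compare against the row just written (`if(count > 1)`), and key the throttle on `userId` (or `userId` plus IP) rather than IP alone; the duplicated `Log` construction in the `else` branch then collapses into one copy. Note the read-then-act on the count is also racy under concurrent requests; an atomic Redis `INCR` with a one-second TTL per user would avoid that, if it is pursued. The enclosing method begins before this hunk.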
|
||||
|
||||
@@ -10,6 +10,7 @@ import org.springframework.stereotype.Component;
|
||||
|
||||
import javax.annotation.Resource;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
|
||||
/**
|
||||
@@ -96,11 +97,24 @@ public class RedisService {
|
||||
}
|
||||
}
|
||||
|
||||
public Long getTenantId(HttpServletRequest request) {
|
||||
if(getObjectFromSessionByKey(request,"tenantId")!=null) {
|
||||
return Long.parseLong(getObjectFromSessionByKey(request, "tenantId").toString());
|
||||
} else {
|
||||
return null;
|
||||
/**
|
||||
* @author jisheng hua
|
||||
* description:
|
||||
* 将信息从redis中移除,比对key和ip
|
||||
*@date: 2021/08/21 22:10
|
||||
* @Param: request
|
||||
* @Param: key
|
||||
* @Param: ip
|
||||
* @Param: deleteKey
|
||||
* @return Object
|
||||
*/
|
||||
public void deleteObjectByKeyAndIp(String key, String ip, String deleteKey){
|
||||
Set<String> tokens = redisTemplate.keys("*");
|
||||
for(String token : tokens) {
|
||||
Object value = redisTemplate.opsForHash().get(token, key);
|
||||
if(value!=null && value.equals(ip)) {
|
||||
redisTemplate.opsForHash().delete(token, deleteKey);
|
||||
}
|
||||
}
|
||||
}
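Review bot: `redisTemplate.keys("*")` at line 330 enumerates the whole keyspace on every trigger, which is O(N) and blocks the Redis server, and the loop then calls `opsForHash().get` on every key regardless of type, so any non-hash key in the same database (a counter, a cache string) fails with WRONGTYPE and aborts the sweep midway, leaving the remaining matching sessions logged in. At minimum guard each iteration with `if (redisTemplate.type(token) != DataType.HASH) continue;` and use `SCAN` with a match pattern on the session-token prefix if one exists; a better design is a reverse index `ip -> set(tokens)` written at login so the kick touches only the affected sessions. The Javadoc also lists a `request` parameter the method does not take and declares `@return Object` on a `void` method; drop the `request` line and the `@return`.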
|
||||
}
|
||||
|
||||
@@ -70,4 +70,8 @@
|
||||
and l.content like #{bindContent}
|
||||
</if>
|
||||
</select>
|
||||
|
||||
<select id="getCountByIpAndDate" resultType="java.lang.Long">
|
||||
select count(1) from jsh_log where client_ip=#{clientIp} and create_time=#{createTime}
|
||||
</select>
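Review bot: `create_time=#{createTime}` at line 376 compares a datetime column against the string returned by `Tools.getNow3()`; unless the column is stored at whole-second precision and the string format matches the database's implicit conversion exactly (neither is visible here), the equality never matches and the new guard is silently a no-op, so this deserves a test that inserts a row and asserts the count is non-zero within the same second. The query also runs on every logged operation, so without a composite index on `(client_ip, create_time)` it becomes a full scan of `jsh_log` as the table grows.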
|
||||
</mapper>
|
||||