替赵煜提交代码

liujun-2024-05-23-接口漏洞修复
liujun 2024-04-02 17:06:03 +08:00
parent df9a0e3dfb
commit a93fc05ea5
2 changed files with 176 additions and 70 deletions
src/main/java/com/zcloud


@ -70,7 +70,7 @@ public class LoginController extends BaseController {
@Autowired @Autowired
private PhotoService photoService; private PhotoService photoService;
// @Value("${czks-useridentity}") // @Value("${czks-useridentity}")
// private String czksIdentity; // private String czksIdentity;
// @Value("${czks-baseimgpath}") // @Value("${czks-baseimgpath}")
// private String czksBaseimgpath; // private String czksBaseimgpath;
@ -126,6 +126,9 @@ public class LoginController extends BaseController {
PageData pd = new PageData(); PageData pd = new PageData();
pd = this.getPageData(); pd = this.getPageData();
PageData loginPd = new PageData();
loginPd.put("KEYDATA", pd.getString("KEYDATA"));
loginPd.put("tm", pd.getString("tm"));
String loginData = pd.getString("KEYDATA"); String loginData = pd.getString("KEYDATA");
if (!loginData.startsWith("qdkjchina")) { if (!loginData.startsWith("qdkjchina")) {
loginData = RSAUtils.decryptDataOnJava(loginData, RSAUtils.getPrivateKey()); loginData = RSAUtils.decryptDataOnJava(loginData, RSAUtils.getPrivateKey());
@ -178,6 +181,37 @@ public class LoginController extends BaseController {
removeSession(USERNAME); removeSession(USERNAME);
if (pd != null) { if (pd != null) {
//查询该用户或企业的图片和后端地址
if (!Tools.isEmpty(pd.getString("CORPINFO_ID")) && !pd.getString("CORPINFO_ID").equals("1")) {
PageData pathData = corpPathService.getCorpPathByCorpId(pd);
map.put("baseImgPath",pathData.getString("PIC_PATH"));
map.put("USER_IDENTITY",pathData.getString("USER_IDENTITY"));
map.put("BACKENDADDR", pathData.getString("BACK_END_PATH"));
} else {
PageData pathData = corpPathService.getCorpPathByPersonInfo(pd);
map.put("baseImgPath",pathData.getString("PIC_PATH"));
map.put("USER_IDENTITY",pathData.getString("USER_IDENTITY"));
map.put("BACKENDADDR", pathData.getString("BACK_END_PATH"));
}
// 如果用户不是港务局用户,则向对应分公司发送登录请求
if (!map.get("USER_IDENTITY").toString().equals("GWJ")) {
Map backEndPath = HttpClientUtil.getPOSTTest(map.get("BACKENDADDR").toString() + "admin/check", loginPd);
if (backEndPath.get("result").toString().equals("success")) {
backEndPath.put("baseImgPath",map.get("baseImgPath").toString());
backEndPath.put("USER_IDENTITY",map.get("USER_IDENTITY").toString());
backEndPath.put("BACKENDADDR", map.get("BACKENDADDR").toString());
System.out.println("登录返回参数:" + backEndPath);
return backEndPath;
} else {
map.put("result", "fail");
map.put("msg", backEndPath.get("msg").toString());
map.put("errorCode", errInfo);
map.put("failMsg", backEndPath.get("msg").toString());
return map;
}
}
if ("99".equals(pd.getString("STATUS"))) { if ("99".equals(pd.getString("STATUS"))) {
errInfo = "userlock"; errInfo = "userlock";
map.put("result", "fail"); map.put("result", "fail");
@ -236,6 +270,7 @@ public class LoginController extends BaseController {
PageData rpd = roleService.findMaxRoleByRId(roleIds); PageData rpd = roleService.findMaxRoleByRId(roleIds);
map.put("ROLEID", rpd.getString("ROLE_ID")); map.put("ROLEID", rpd.getString("ROLE_ID"));
map.put("ROLE_NAME", rpd.getString("ROLE_NAME")); map.put("ROLE_NAME", rpd.getString("ROLE_NAME"));
map.put("RNUMBER", rpd.getString("RNUMBER"));
map.put("USERBZ", pd.getString("BZ")); map.put("USERBZ", pd.getString("BZ"));
PageData dpd = new PageData(); PageData dpd = new PageData();
dpd.put("DEPARTMENT_ID", pd.getString("DEPARTMENT_ID")); dpd.put("DEPARTMENT_ID", pd.getString("DEPARTMENT_ID"));
@ -288,18 +323,6 @@ public class LoginController extends BaseController {
FHLOG.save(USERNAME, "成功登录系统", ip); //记录日志 FHLOG.save(USERNAME, "成功登录系统", ip); //记录日志
//查询该用户或企业的图片和后端地址
if (!Tools.isEmpty(pd.getString("CORPINFO_ID")) && !pd.getString("CORPINFO_ID").equals("1")) {
PageData pathData = corpPathService.getCorpPathByCorpId(pd);
map.put("baseImgPath",pathData.getString("PIC_PATH"));
map.put("USER_IDENTITY",pathData.getString("USER_IDENTITY"));
map.put("BACKENDADDR", pathData.getString("BACK_END_PATH"));
} else {
PageData pathData = corpPathService.getCorpPathByPersonInfo(pd);
map.put("baseImgPath",pathData.getString("PIC_PATH"));
map.put("USER_IDENTITY",pathData.getString("USER_IDENTITY"));
map.put("BACKENDADDR", pathData.getString("BACK_END_PATH"));
}
} }
} else { } else {
token.clear(); token.clear();
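Review bot: The forwarding branch dereferences `backEndPath` at `backEndPath.get("result").toString()` without a null check, yet `HttpClientUtil.getPOSTTest` returns `null` on any connection or JSON-parse failure (see the `return null;` in its catch block), so an unreachable or misbehaving branch backend turns a failed login into an unhandled NullPointerException; `map.get("USER_IDENTITY").toString()` on the line above has the same exposure when the path lookup returns no row. I would guard before the result check: `if (backEndPath == null || backEndPath.get("result") == null) { map.put("result", "fail"); map.put("msg", "backend unavailable"); return map; }`. The `System.out.println("登录返回参数:" + backEndPath)` line prints the full response of a login call to stdout; that map is returned to the client as the login result and should not be echoed into server logs, so drop it or log only the `result` field. Since `BACKENDADDR` comes from a database row and is concatenated with `"admin/check"` as the target URL, the value should be validated (scheme, trailing slash, allowed hosts) where it is stored or loaded; the login method this hunk belongs to starts and ends outside the hunk.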


@ -1,14 +1,9 @@
package com.zcloud.util; package com.zcloud.util;
import java.io.BufferedReader; import java.io.*;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection; import java.net.HttpURLConnection;
import java.net.URL; import java.net.URL;
import java.net.URLEncoder;
import java.security.KeyManagementException; import java.security.KeyManagementException;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.KeyStoreException; import java.security.KeyStoreException;
@ -19,10 +14,12 @@ import java.security.cert.CertificateException;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import com.alibaba.fastjson.JSONObject;
import com.sun.net.ssl.HttpsURLConnection; import com.sun.net.ssl.HttpsURLConnection;
import com.sun.net.ssl.KeyManagerFactory; import com.sun.net.ssl.KeyManagerFactory;
import com.sun.net.ssl.SSLContext; import com.sun.net.ssl.SSLContext;
import com.sun.net.ssl.TrustManagerFactory; import com.sun.net.ssl.TrustManagerFactory;
import com.zcloud.entity.PageData;
public class HttpClientUtil { public class HttpClientUtil {
/** /**
@ -33,7 +30,7 @@ public class HttpClientUtil {
public static final String JKS = "JKS"; public static final String JKS = "JKS";
public static final String PKCS12 = "PKCS12"; public static final String PKCS12 = "PKCS12";
public static final String TLS = "TLS"; public static final String TLS = "TLS";
/** /**
* get HttpURLConnection * get HttpURLConnection
* @param strUrl url * @param strUrl url
@ -47,7 +44,7 @@ public class HttpClientUtil {
.openConnection(); .openConnection();
return httpURLConnection; return httpURLConnection;
} }
/** /**
* get HttpsURLConnection * get HttpsURLConnection
* @param strUrl urlַ * @param strUrl urlַ
@ -61,7 +58,7 @@ public class HttpClientUtil {
.openConnection(); .openConnection();
return httpsURLConnection; return httpsURLConnection;
} }
/** /**
* url * url
* @param strUrl * @param strUrl
@ -73,34 +70,34 @@ public class HttpClientUtil {
int indexOf = strUrl.indexOf("?"); int indexOf = strUrl.indexOf("?");
if(-1 != indexOf) { if(-1 != indexOf) {
return strUrl.substring(0, indexOf); return strUrl.substring(0, indexOf);
} }
return strUrl; return strUrl;
} }
return strUrl; return strUrl;
} }
/** /**
* *
* @param strUrl * @param strUrl
* @return String * @return String
*/ */
public static String getQueryString(String strUrl) { public static String getQueryString(String strUrl) {
if(null != strUrl) { if(null != strUrl) {
int indexOf = strUrl.indexOf("?"); int indexOf = strUrl.indexOf("?");
if(-1 != indexOf) { if(-1 != indexOf) {
return strUrl.substring(indexOf+1, strUrl.length()); return strUrl.substring(indexOf+1, strUrl.length());
} }
return ""; return "";
} }
return strUrl; return strUrl;
} }
/** /**
* map * map
* name1=key1&name2=key2&... * name1=key1&name2=key2&...
@ -111,18 +108,18 @@ public class HttpClientUtil {
if(null == queryString || "".equals(queryString)) { if(null == queryString || "".equals(queryString)) {
return null; return null;
} }
Map m = new HashMap(); Map m = new HashMap();
String[] strArray = queryString.split("&"); String[] strArray = queryString.split("&");
for(int index = 0; index < strArray.length; index++) { for(int index = 0; index < strArray.length; index++) {
String pair = strArray[index]; String pair = strArray[index];
HttpClientUtil.putMapByPair(pair, m); HttpClientUtil.putMapByPair(pair, m);
} }
return m; return m;
} }
/** /**
* map * map
* pair:name=value * pair:name=value
@ -130,11 +127,11 @@ public class HttpClientUtil {
* @param m * @param m
*/ */
public static void putMapByPair(String pair, Map m) { public static void putMapByPair(String pair, Map m) {
if(null == pair || "".equals(pair)) { if(null == pair || "".equals(pair)) {
return; return;
} }
int indexOf = pair.indexOf("="); int indexOf = pair.indexOf("=");
if(-1 != indexOf) { if(-1 != indexOf) {
String k = pair.substring(0, indexOf); String k = pair.substring(0, indexOf);
@ -160,7 +157,7 @@ public class HttpClientUtil {
buf.append(line); buf.append(line);
buf.append("\r\n"); buf.append("\r\n");
} }
return buf.toString(); return buf.toString();
} }
/** /**
@ -192,17 +189,17 @@ public class HttpClientUtil {
} }
/** /**
* SSLContext * SSLContext
* @param trustFile * @param trustFile
* @param trustPasswd * @param trustPasswd
* @param keyFile * @param keyFile
* @param keyPasswd * @param keyPasswd
* @return * @return
* @throws NoSuchAlgorithmException * @throws NoSuchAlgorithmException
* @throws KeyStoreException * @throws KeyStoreException
* @throws IOException * @throws IOException
* @throws CertificateException * @throws CertificateException
* @throws UnrecoverableKeyException * @throws UnrecoverableKeyException
* @throws KeyManagementException * @throws KeyManagementException
*/ */
public static SSLContext getSSLContext( public static SSLContext getSSLContext(
FileInputStream trustFileInputStream, String trustPasswd, FileInputStream trustFileInputStream, String trustPasswd,
@ -230,7 +227,7 @@ public class HttpClientUtil {
return ctx; return ctx;
} }
/** /**
* char * char
* @param str * @param str
@ -238,14 +235,14 @@ public class HttpClientUtil {
*/ */
public static char[] str2CharArray(String str) { public static char[] str2CharArray(String str) {
if(null == str) return null; if(null == str) return null;
return str.toCharArray(); return str.toCharArray();
} }
public static InputStream String2Inputstream(String str) { public static InputStream String2Inputstream(String str) {
return new ByteArrayInputStream(str.getBytes()); return new ByteArrayInputStream(str.getBytes());
} }
/** /**
* InputStreamByte * InputStreamByte
* : * :
@ -253,23 +250,23 @@ public class HttpClientUtil {
* @return byte * @return byte
* @throws Exception * @throws Exception
*/ */
public static byte[] InputStreamTOByte(InputStream in) throws IOException{ public static byte[] InputStreamTOByte(InputStream in) throws IOException{
int BUFFER_SIZE = 4096; int BUFFER_SIZE = 4096;
ByteArrayOutputStream outStream = new ByteArrayOutputStream(); ByteArrayOutputStream outStream = new ByteArrayOutputStream();
byte[] data = new byte[BUFFER_SIZE]; byte[] data = new byte[BUFFER_SIZE];
int count = -1; int count = -1;
while((count = in.read(data,0,BUFFER_SIZE)) != -1) while((count = in.read(data,0,BUFFER_SIZE)) != -1)
outStream.write(data, 0, count); outStream.write(data, 0, count);
data = null; data = null;
byte[] outByte = outStream.toByteArray(); byte[] outByte = outStream.toByteArray();
outStream.close(); outStream.close();
return outByte; return outByte;
} }
/** /**
* InputStreamString * InputStreamString
* : * :
@ -278,10 +275,96 @@ public class HttpClientUtil {
* @return String * @return String
* @throws Exception * @throws Exception
*/ */
public static String InputStreamTOString(InputStream in,String encoding) throws IOException{ public static String InputStreamTOString(InputStream in,String encoding) throws IOException{
return new String(InputStreamTOByte(in),encoding); return new String(InputStreamTOByte(in),encoding);
}
} }
public static Map getPOSTTest(String httpUrl , PageData pd ){
HttpURLConnection connection = null;
InputStream is = null;
BufferedReader br = null;
StringBuffer result = new StringBuffer();
// ?username=admin&password=234f3424be5a75ad898a1b55f6e34d9e&url_token_only=true
StringBuffer nameValue = new StringBuffer();
Map<Object, Object> map = (Map)pd;
System.out.print("参数:{");
for(Map.Entry<Object, Object> entry : map.entrySet()){
System.out.print(entry.getKey().toString() + ":" + entry.getValue().toString() + ",");
nameValue.append(entry.getKey().toString()+"=" + entry.getValue().toString() + "&");
}
System.out.println("}");
String parameter = "";
if(nameValue.length()>0){
parameter = "?"+nameValue.toString().substring(0,nameValue.length()-1);
}
try {
String plusEncode = URLEncoder.encode("+", "UTF-8");
parameter = parameter.replaceAll("\\+", plusEncode);
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
System.out.println( "地址:"+httpUrl + parameter);
try {
//创建连接
URL url = new URL(httpUrl + parameter);
connection = (HttpURLConnection) url.openConnection();
//设置请求方式
connection.setRequestMethod("POST");
//设置连接超时时间
connection.setReadTimeout(15000);
//开始连接
connection.connect();
//获取响应数据
if (connection.getResponseCode() == 200) {
//获取返回的数据
is = connection.getInputStream();
if (null != is) {
br = new BufferedReader(new InputStreamReader(is, "UTF-8"));
String temp = null;
while (null != (temp = br.readLine())) {
result.append(temp);
}
}
}
} catch (IOException e) {
e.printStackTrace();
} finally {
if (null != br) {
try {
br.close();
} catch (IOException e) {
e.printStackTrace();
}
}
if (null != is) {
try {
is.close();
} catch (IOException e) {
e.printStackTrace();
}
}
//关闭远程连接
connection.disconnect();
}
// return result.toString();
/**
* json,json
*/
JSONObject jsonObject = null;
try{
jsonObject = JSONObject.parseObject(result.toString());
Map<String, Object> maps = new HashMap<String, Object>();
maps = HttpClientService.parseJSON2Map(jsonObject);
return maps;
}catch (Exception e){
e.printStackTrace();
return null;
}
}
}
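Review bot: `getPOSTTest` places every entry of `pd` — here the caller's `KEYDATA` login payload — into the URL query string of a POST (`parameter = "?" + ...` and `new URL(httpUrl + parameter)`), and then prints the full URL and every key/value pair with `System.out`, so credential material lands in stdout, access logs and any intermediate proxy; only `+` is escaped, so values containing `&`, `=` or `%` also corrupt the request. The parameters should be URL-encoded per key and value and sent as an `application/x-www-form-urlencoded` body via `setDoOutput(true)`, with the parameter dump removed. The `finally` block calls `connection.disconnect()` unconditionally, which throws NullPointerException if `new URL(...)` or `openConnection()` failed, and the comment `//设置连接超时时间` sits above `setReadTimeout`, so no connect timeout is actually set — add `setConnectTimeout`. The trailing `catch (Exception e)` returning `null` forces every caller to null-check; consider returning an empty map or propagating an exception instead.

```java
public static Map getPOSTTest(String httpUrl , PageData pd ){
    HttpURLConnection connection = null;
    // … unchanged: InputStream / BufferedReader / result declarations …
    Map<Object, Object> map = (Map)pd;
    try {
        // Form-encode every pair and send it in the body, not the URL, so it is not logged or cached.
        StringBuilder body = new StringBuilder();
        for (Map.Entry<Object, Object> entry : map.entrySet()) {
            if (body.length() > 0) {
                body.append('&');
            }
            body.append(URLEncoder.encode(String.valueOf(entry.getKey()), "UTF-8"))
                .append('=')
                .append(URLEncoder.encode(String.valueOf(entry.getValue()), "UTF-8"));
        }
        URL url = new URL(httpUrl);
        connection = (HttpURLConnection) url.openConnection();
        connection.setRequestMethod("POST");
        connection.setConnectTimeout(15000);
        connection.setReadTimeout(15000);
        connection.setDoOutput(true);
        connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
        try (OutputStream os = connection.getOutputStream()) {
            os.write(body.toString().getBytes("UTF-8"));
        }
        // … unchanged: response-code check and reading of the response body …
    } catch (IOException e) {
        e.printStackTrace();
    } finally {
        // … unchanged: closing of br and is …
        if (connection != null) {
            connection.disconnect();
        }
    }
    // … unchanged: JSON parsing of result …
}
```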