Przeglądaj źródła

修复已知安全漏洞:
1、PDF型XSS漏洞
2、点击劫持:缺少X-Frame-Options标头
3、明文传输
4、CORS跨域攻击

csg6 3 tygodni temu
rodzic
commit
6fa72c89ad

+ 47 - 5
README.md

@@ -5,13 +5,55 @@
5 5
 ### 工业互联网CAS统一认证开始/关闭:
6 6
     
7 7
 ```` java
8
-    CAS配置文件:application-cas.yml    
8
+    一 CAS配置文件:application-cas.yml    
9
+    
10
+    二 打开注解即开始认证,注释注解即关闭认证
11
+      /**
12
+       * TODO 甲方部署时打开:CAS统一认证拦截器
13
+       */
14
+      @EnableCasClient
15
+      @Configuration
16
+      public class CasConfigure extends CasClientConfigurerAdapter 
17
+
18
+    三 打包发布的时候,注释掉登录接口
19
+        SysLoginController.class
20
+             /**
21
+             * 登录方法
22
+             *
23
+             * @param loginBody 登录信息
24
+             * @return 结果
25
+             */
26
+            //TODO 打包屏蔽-甲方部署时注释:甲方不需要本地登录功能采用单点登录
27
+            @PostMapping("/login")
28
+            public AjaxResult login(@RequestBody LoginBody loginBody) {
29
+                AjaxResult ajax = AjaxResult.success();
30
+        
31
+                // 生成令牌
32
+                String token = loginService.login(loginBody.getUsername(), loginBody.getPassword(), loginBody.getCode(), loginBody.getUuid(), true);
33
+                ajax.put(Constants.TOKEN, token);
34
+                return ajax;
35
+            }
36
+    
37
+    四 打包时注释允许的:Access-Control-Allow-Origin
38
+        RestCorsFilter.class 
39
+            保留前三个,后面的都注释掉
40
+            String[] allowDomain = {"http://10.152.70.21:8080"//CAS服务器
41
+                    , "http://10.152.72.7:8181"//岗检前端Nginx
42
+                    , "*.connc.*"
43
+                    //TODO 打包屏蔽-甲方部署时注释:甲方不需要本地登录功能采用单点登录
44
+                    // , "http://192.168.3.32:81"//前端开发
45
+                    // , "http://101.42.248.108:17003"//前端开发
46
+                    // , "http://localhost"//前端开发
47
+            };
9 48
     
10
-    打开注解即开始认证,注释注解即关闭认证
11
-    //@EnableCasClient
12
-    //@Configuration
13
-    public class CasConfigure extends CasClientConfigurerAdapter {
14 49
     
50
+    五 修改配置文件:application.yml
51
+        甲方部署时修改 单点登录 和 数据库 的配置文件:
52
+            active: druid-test,cas-test
53
+    
54
+    六 修改数据库链接:application-druid-dev.yml 或者 application-druid-test.yml
55
+
56
+    七 修改CAS单点登录信息:application-cas-dev.yml 或者 application-cas-test.yml
15 57
     
16 58
 ````
17 59
 

+ 2 - 2
ruoyi-admin/src/main/java/com/ruoyi/web/controller/cas/CASLoginController.java

@@ -200,8 +200,8 @@ public class CASLoginController {
200 200
      * @param loginBody 登录信息
201 201
      * @return 结果
202 202
      */
203
-//    @RequestMapping("/postcheck/login")
204
-//    @ResponseBody
203
+    @RequestMapping("/postcheck/login")
204
+    @ResponseBody
205 205
     public AjaxResult casLogin(@RequestBody LoginBody loginBody, HttpServletRequest request) {
206 206
 //        String serverLoginUrl = casConfig.getServerLoginUrl();
207 207
 //        String serverLogoutUrl = casConfig.getServerLogoutUrl();

+ 3 - 2
ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysLoginController.java

@@ -42,7 +42,8 @@ public class SysLoginController {
42 42
      * @param loginBody 登录信息
43 43
      * @return 结果
44 44
      */
45
-    @PostMapping("/login")
45
+    //TODO 打包屏蔽-甲方部署时注释:甲方不需要本地登录功能采用单点登录
46
+    /*@PostMapping("/login")
46 47
     public AjaxResult login(@RequestBody LoginBody loginBody) {
47 48
         AjaxResult ajax = AjaxResult.success();
48 49
 
@@ -50,7 +51,7 @@ public class SysLoginController {
50 51
         String token = loginService.login(loginBody.getUsername(), loginBody.getPassword(), loginBody.getCode(), loginBody.getUuid(), true);
51 52
         ajax.put(Constants.TOKEN, token);
52 53
         return ajax;
53
-    }
54
+    }*/
54 55
 
55 56
     /**
56 57
      * 获取用户信息

+ 2 - 2
ruoyi-admin/src/main/resources/application-cas-dev.yml

@@ -5,7 +5,7 @@ caseitc:
5 5
   # cas服务器认证登出地址:API未提供,代码中岗检系统自己做跳转使用到 cas client 没用到
6 6
   server-logout-url: http://10.152.70.21:8080/cas/logout
7 7
   # 前端页面地址 服务器IP
8
-  webStartPage: http://10.152.72.5:8181/postcheck
8
+  webStartPage: http://10.152.72.7:8181/postcheck
9 9
 #  webStartPage: http://10.152.164.68/postcheck
10 10
 
11 11
 # cas client 配置文件
@@ -14,7 +14,7 @@ cas:
14 14
   server-url-prefix: http://10.152.70.21:8080/cas
15 15
   # cas服务器认证登录地址
16 16
   server-login-url: http://10.152.70.21:8080/cas/login
17
-  # cas认证完成返回地址
17
+  # 服务器IP 岗检系统后端(JAVA后台)回调地址 验证票据号
18 18
   client-host-url: http://10.152.164.68:8180/postcheck
19 19
   validation-type: CAS
20 20
 #  use-session: true

+ 3 - 5
ruoyi-admin/src/main/resources/application-cas-test.yml

@@ -5,8 +5,7 @@ caseitc:
5 5
   # cas服务器认证登出地址:API未提供,代码中岗检系统自己做跳转使用到 cas client 没用到
6 6
   server-logout-url: http://10.152.70.21:8080/cas/logout
7 7
   # 前端页面地址 服务器IP
8
-  webStartPage: http://10.152.72.5:8181/postcheck
9
-#  webStartPage: http://10.152.164.68/postcheck
8
+  webStartPage: http://10.152.72.7:8181/postcheck
10 9
 
11 10
 # cas client 配置文件
12 11
 cas:
@@ -15,9 +14,8 @@ cas:
15 14
   # cas服务器认证登录地址
16 15
   server-login-url: http://10.152.70.21:8080/cas/login
17 16
   # cas认证完成返回地址
18
-  # 服务器IP 岗检系统后端回调地址 验证票据号
19
-  client-host-url: http://10.152.72.5:8180/postcheck
20
-  # 开发本机IP 岗检系统后端回调地址 验证票据号
17
+  # 服务器IP 岗检系统后端(JAVA后台)回调地址 验证票据号
18
+  client-host-url: http://10.152.72.7:8180/postcheck
21 19
 #  client-host-url: http://10.152.164.68:8180/postcheck
22 20
   validation-type: CAS
23 21
 #  use-session: true

+ 2 - 2
ruoyi-admin/src/main/resources/application-druid-dev.yml

@@ -31,8 +31,8 @@ spring:
31 31
         druid:
32 32
             # 主库数据源
33 33
             master:
34
-#                url: jdbc:kingbase8://localhost:54321/postcheck
35
-                url: jdbc:kingbase8://39.106.66.72:54321/postcheck
34
+                url: jdbc:kingbase8://localhost:54321/postcheck
35
+#                url: jdbc:kingbase8://39.106.66.72:54321/postcheck
36 36
                 username: postcheckuser
37 37
                 password: Hzsh.eitc@6626.pcu
38 38
             # 从库数据源

+ 1 - 1
ruoyi-admin/src/main/resources/application-druid-test.yml

@@ -32,8 +32,8 @@ spring:
32 32
         druid:
33 33
             # 主库数据源
34 34
             master:
35
-#                url: jdbc:kingbase8://localhost:54321/postcheck
36 35
 #                url: jdbc:kingbase8://10.152.164.68:54321/postcheck
36
+#                url: jdbc:kingbase8://localhost:9300/postcheck
37 37
                 url: jdbc:kingbase8://10.152.72.7:9300/postcheck
38 38
                 username: postcheckuser
39 39
                 password: Hzsh.eitc@6626.pcu

+ 8 - 6
ruoyi-admin/src/main/resources/application.yml

@@ -3,7 +3,7 @@ ruoyi:
3 3
 #  name: 惠州石化岗检信息平台
4 4
   name: 惠州石化岗检系统
5 5
   # 版本
6
-  version: 1.0.0
6
+  version: 1.0.1
7 7
   # 版权年份
8 8
   copyrightYear: 2023
9 9
   # 文件路径 示例( Windows配置D:/ruoyi/uploadPath,Linux配置 /home/ruoyi/uploadPath)
@@ -48,7 +48,7 @@ user:
48 48
     # 密码最大错误次数
49 49
     maxRetryCount: 500
50 50
     # 密码锁定时间(默认10分钟)
51
-    lockTime: 10
51
+    lockTime: 5
52 52
 
53 53
 # Spring配置
54 54
 spring:
@@ -57,15 +57,17 @@ spring:
57 57
     # 国际化资源文件路径
58 58
     basename: i18n/messages
59 59
   profiles:
60
-    active: druid-dev,cas-dev
61
-#    active: druid-test,cas-test
60
+# 本地开发时
61
+#    active: druid-dev,cas-dev
62
+# 甲方部署时
63
+    active: druid-test,cas-test
62 64
   # 文件上传
63 65
   servlet:
64 66
     multipart:
65 67
       # 单个文件大小
66
-      max-file-size: 10MB
68
+      max-file-size: 50MB
67 69
       # 设置总上传的文件大小
68
-      max-request-size: 20MB
70
+      max-request-size: 100MB
69 71
   # 服务模块
70 72
   devtools:
71 73
     restart:

+ 38 - 0
ruoyi-admin/src/test/java/com/post/FlinkStreamingExample.java

@@ -0,0 +1,38 @@
1
+package com.post;
2
+//import org.apache.flink.api.common.functions.MapFunction;
3
+//import org.apache.flink.api.common.functions.ReduceFunction;
4
+//import org.apache.flink.streaming.api.datastream.DataStream;
5
+//import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment;
6
+//import org.apache.flink.streaming.api.windowing.time.Time;
7
+
8
+public class FlinkStreamingExample {
9
+    /*
10
+    public static void main(String[] args) throws Exception {
11
+        final StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment();
12
+
13
+        DataStream<String> text = env.readTextFile("path/to/your/input/file");
14
+
15
+        DataStream<Tuple2<String, Integer>> wordCounts = text
16
+                .flatMap(new Tokenizer())
17
+                .keyBy(0)
18
+                .timeWindow(Time.seconds(5))
19
+                .reduce(new ReduceFunction<Tuple2<String, Integer>>() {
20
+                    @Override
21
+                    public Tuple2<String, Integer> reduce(Tuple2<String, Integer> t1, Tuple2<String, Integer> t2) throws Exception {
22
+                        return new Tuple2<>(t1.f0, t1.f1 + t2.f1);
23
+                    }
24
+                });
25
+
26
+        wordCounts.print();
27
+
28
+        env.execute("Word Count Example");
29
+    }
30
+
31
+    public static class Tokenizer implements MapFunction<String, Tuple2<String, Integer>> {
32
+        @Override
33
+        public Tuple2<String, Integer> map(String value) {
34
+            return new Tuple2<>(value.toLowerCase(), 1);
35
+        }
36
+    }
37
+    */
38
+}

+ 4 - 0
ruoyi-admin/src/test/java/com/post/WordpayXml.xml

@@ -0,0 +1,4 @@
1
+<?xml version="1.0" encoding="utf-8" ?>
2
+<set xmlns="http://www.springframework.org/schema/util">
3
+
4
+</set>

+ 18 - 8
ruoyi-common/src/main/java/com/ruoyi/common/filter/RestCorsFilter.java

@@ -24,13 +24,24 @@ public class RestCorsFilter implements Filter {
24 24
         HttpServletResponse response = (HttpServletResponse) res;
25 25
         HttpServletRequest request = (HttpServletRequest) req;
26 26
 
27
-        String[] allowDomain={"http://10.152.72.*","http://10.152.70.*","*.connc.*"};
28
-        Set<String> allowedOrigins=new HashSet<>(Arrays.asList(allowDomain));
29
-        String originHeader=request.getHeader("Origin");
30
-        if(allowedOrigins.contains(originHeader)){
31
-            response.setHeader("Access-Control-Allow-Origin",originHeader);
27
+//        岗检服务器IP:10.152.72.7,访问时就是直接IP没有域名
28
+//        1、统一登录的地址(甲方系统):http://10.152.70.21:8080/cas/login
29
+//        2、岗检系统前端页面Nginx(统一登录成功后的跳转地址):http://10.152.72.5:8181/postcheck
30
+//        3、岗检系统后端接口:http://10.152.72.7:8180
31
+        String[] allowDomain = {"http://10.152.70.21:8080"//CAS服务器
32
+                , "http://10.152.72.7:8181"//岗检前端Nginx
33
+                , "*.connc.*"
34
+                //TODO 打包屏蔽-甲方部署时注释:甲方不需要本地登录功能采用单点登录
35
+//                , "http://192.168.3.32:81"//前端开发
36
+//                , "http://101.42.248.108:17003"//前端开发
37
+//                , "http://localhost"//前端开发
38
+        };
39
+        Set<String> allowedOrigins = new HashSet<>(Arrays.asList(allowDomain));
40
+        String originHeader = request.getHeader("Origin");//http://IP:port
41
+        if (allowedOrigins.contains(originHeader)) {
42
+            response.setHeader("Access-Control-Allow-Origin", originHeader);
32 43
         }
33
-        response.setHeader("Access-Control-Allow-Credentials","true");
44
+        response.setHeader("Access-Control-Allow-Credentials", "true");
34 45
         response.setHeader("Access-Control-Allow-Methods", "POST, GET,DELETE,PUT");
35 46
         response.setHeader("Access-Control-Max-Age", "31536000");
36 47
         response.setHeader("Access-Control-Allow-Headers", "*");
@@ -46,8 +57,7 @@ public class RestCorsFilter implements Filter {
46 57
     }
47 58
 
48 59
 
49
-
50 60
     @Override
51 61
     public void destroy() {
52 62
     }
53
-}
63
+}

+ 4 - 4
ruoyi-framework/src/main/java/com/ruoyi/framework/interceptor/cas/CasConfigure.java

@@ -7,10 +7,10 @@ import net.unicon.cas.client.configuration.CasClientConfigurerAdapter;
7 7
 import net.unicon.cas.client.configuration.EnableCasClient;
8 8
 
9 9
 /**
10
- * TODO $CAS统一认证:拦截器类CAS
10
+ * TODO 甲方部署时打开:CAS统一认证拦截器
11 11
  */
12
-//@EnableCasClient
13
-//@Configuration
12
+@EnableCasClient
13
+@Configuration
14 14
 public class CasConfigure extends CasClientConfigurerAdapter {
15 15
     @Override
16 16
     public void configureAuthenticationFilter(FilterRegistrationBean authenticationFilter) {
@@ -20,7 +20,7 @@ public class CasConfigure extends CasClientConfigurerAdapter {
20 20
 //        authenticationFilter.addInitParameter("ignorePattern", "/Content/*|/context/*|/actuator/*|/assets/*|/instances/*|login/*|/loginv2/*|/captchaImage/*");
21 21
 //              "|/captchaImage/*|/system/*|/common/*|/monitor/*|/register/*|/login/*|/getInfo/*|/getRouters/*|/test/user/*|/tool/gen/*|/postcheck/login|/redirectpostcheck");
22 22
         authenticationFilter.addInitParameter("ignorePattern", "/Content/*|/context/*|/actuator/*|/assets/*|/instances/*" +
23
-                "|/postCheck/*|/captchaImage/*|/system/*|/common/*|/monitor/*|/register/*|/login/*|/logout/*|/getInfo/*|/getRouters/*|/test/user/*|/tool/gen/*|/postcheck/login|/redirectpostcheck|/redirectpostcheckout"+
23
+                "|/postCheck/*|/captchaImage/*|/system/*|/common/*|/monitor/*|/register/*|/login/*|/logout/*|/getInfo/*|/getRouters/*|/test/user/*|/tool/gen/*|/postcheck/login|/redirectpostcheck|/redirectpostcheckout" +
24 24
                 "|/avatar/*|/swagger-ui/*");
25 25
         authenticationFilter.getInitParameters().put("authenticationRedirectStrategyClass", "com.patterncat.CustomAuthRedirectStrategy");
26 26
     }