From 10f68b97af299c94efffdba118ee6b41fb134a17 Mon Sep 17 00:00:00 2001 From: RuoYi <yzz_ivy@163.com> Date: 星期三, 26 六月 2024 17:43:14 +0800 Subject: [PATCH] 升级spring-security到安全版本,防止漏洞风险 --- ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java | 46 +++++++++++++++++++++++++++++----------------- 1 files changed, 29 insertions(+), 17 deletions(-) diff --git a/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java b/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java index 66885af..e062faf 100644 --- a/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java +++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java @@ -4,9 +4,12 @@ import java.util.Map; import java.util.concurrent.TimeUnit; import javax.servlet.http.HttpServletRequest; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Component; +import com.ruoyi.common.constant.CacheConstants; import com.ruoyi.common.constant.Constants; import com.ruoyi.common.core.domain.model.LoginUser; import com.ruoyi.common.core.redis.RedisCache; @@ -22,12 +25,14 @@ /** * token验证处理 - * + * * @author ruoyi */ @Component public class TokenService { + private static final Logger log = LoggerFactory.getLogger(TokenService.class); + // 令牌自定义标识 @Value("${token.header}") private String header; @@ -51,7 +56,7 @@ /** * 获取用户身份信息 - * + * * @return 用户信息 */ public LoginUser getLoginUser(HttpServletRequest request) 
@@ -60,12 +65,19 @@ String token = getToken(request); if (StringUtils.isNotEmpty(token)) { - Claims claims = parseToken(token); - // 解析对应的权限以及用户信息 - String uuid = (String) claims.get(Constants.LOGIN_USER_KEY); - String userKey = getTokenKey(uuid); - LoginUser user = redisCache.getCacheObject(userKey); - return user; + try + { + Claims claims = parseToken(token); + // 解析对应的权限以及用户信息 + String uuid = (String) claims.get(Constants.LOGIN_USER_KEY); + String userKey = getTokenKey(uuid); + LoginUser user = redisCache.getCacheObject(userKey); + return user; + } + catch (Exception e) + { + log.error("获取用户信息异常'{}'", e.getMessage()); + } } return null; } @@ -95,7 +107,7 @@ /** * 创建令牌 - * + * * @param loginUser 用户信息 * @return 令牌 */ @@ -113,8 +125,8 @@ /** * 验证令牌有效期,相差不足20分钟,自动刷新缓存 - * - * @param token 令牌 + * + * @param loginUser * @return 令牌 */ public void verifyToken(LoginUser loginUser) @@ -129,7 +141,7 @@ /** * 刷新令牌有效期 - * + * * @param loginUser 登录信息 */ public void refreshToken(LoginUser loginUser) @@ -140,22 +152,22 @@ String userKey = getTokenKey(loginUser.getToken()); redisCache.setCacheObject(userKey, loginUser, expireTime, TimeUnit.MINUTES); } - + /** * 设置用户代理信息 - * + * * @param loginUser 登录信息 */ public void setUserAgent(LoginUser loginUser) { UserAgent userAgent = UserAgent.parseUserAgentString(ServletUtils.getRequest().getHeader("User-Agent")); - String ip = IpUtils.getIpAddr(ServletUtils.getRequest()); + String ip = IpUtils.getIpAddr(); loginUser.setIpaddr(ip); loginUser.setLoginLocation(AddressUtils.getRealAddressByIP(ip)); loginUser.setBrowser(userAgent.getBrowser().getName()); loginUser.setOs(userAgent.getOperatingSystem().getName()); } - + /** * 从数据声明生成令牌 * @@ -214,6 +226,6 @@ private String getTokenKey(String uuid) { - return Constants.LOGIN_TOKEN_KEY + uuid; + return CacheConstants.LOGIN_TOKEN_KEY + uuid; } } -- Gitblit v1.9.2
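Review bot: The new `catch (Exception e)` in getLoginUser logs only `e.getMessage()` and discards the throwable, so a failure that is not a bad token (a Redis error from `getCacheObject`, or a `ClassCastException` from the `(String)` cast) leaves no stack trace to diagnose, while every expired or tampered bearer token a client presents is now logged at ERROR. I would narrow the catch to what the parse and the cast can actually raise (presumably the JWT library's `JwtException` plus `ClassCastException`; `parseToken` itself is outside the hunk) and keep the cause as the last argument: `log.error("获取用户信息异常'{}'", e.getMessage(), e);`. Returning null on a rejected token is the right fail-closed outcome only if every caller treats a null LoginUser as unauthenticated, which this hunk does not show. The method's signature and opening brace lie above the hunk.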