From 45ef54268739d2162046a7a53279518bd11bd5b7 Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: 星期二, 15 八月 2023 12:17:27 +0800
Subject: [PATCH] 升级fastjson到最新版2.0.39
---
ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java | 5 +++++
ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java | 5 +++++
pom.xml | 2 +-
ruoyi-framework/src/main/java/com/ruoyi/framework/config/FastJson2JsonRedisSerializer.java | 6 +++++-
4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 58f472d..c971e46 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,7 +23,7 @@
<swagger.version>3.0.0</swagger.version>
<kaptcha.version>2.3.3</kaptcha.version>
<pagehelper.boot.version>1.4.6</pagehelper.boot.version>
- <fastjson.version>2.0.34</fastjson.version>
+ <fastjson.version>2.0.39</fastjson.version>
<oshi.version>6.4.4</oshi.version>
<commons.io.version>2.13.0</commons.io.version>
<commons.collections.version>3.2.2</commons.collections.version>
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java b/ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java
index f4ba293..cc9418e 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java
@@ -130,6 +130,11 @@
public static final String LOOKUP_LDAPS = "ldaps:";
/**
+ * 自动识别json对象白名单配置(仅允许解析的包名,范围越小越安全)
+ */
+ public static final String[] JSON_WHITELIST_STR = { "org.springframework", "com.ruoyi" };
+
+ /**
* 定时任务白名单配置(仅允许访问的包名,如其他需要可以自行添加)
*/
public static final String[] JOB_WHITELIST_STR = { "com.ruoyi" };
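Review bot: The `org.springframework` entry in `JSON_WHITELIST_STR` admits every class under that root for type-tagged deserialization, which is much wider than the new comment's own advice that a smaller range is safer. It should be narrowed to the sub-packages whose objects are actually written to Redis; which ones those are is not visible from this hunk. If fastjson2 matches entries as plain name prefixes (worth confirming for 2.0.39), each entry should also end in a dot, e.g. `{ "org.springframework.", "com.ruoyi." }`, so that `com.ruoyi` cannot match a sibling package whose name merely starts with those characters. The array is also public and mutable, so a comment stating that it must not be modified at runtime would help.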
diff --git a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/FastJson2JsonRedisSerializer.java b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/FastJson2JsonRedisSerializer.java
index 9503f25..bd369b4 100644
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/FastJson2JsonRedisSerializer.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/FastJson2JsonRedisSerializer.java
@@ -6,6 +6,8 @@
import com.alibaba.fastjson2.JSON;
import com.alibaba.fastjson2.JSONReader;
import com.alibaba.fastjson2.JSONWriter;
+import com.alibaba.fastjson2.filter.Filter;
+import com.ruoyi.common.constant.Constants;
/**
* Redis使用FastJson序列化
@@ -15,6 +17,8 @@
public class FastJson2JsonRedisSerializer<T> implements RedisSerializer<T>
{
public static final Charset DEFAULT_CHARSET = Charset.forName("UTF-8");
+
+ static final Filter AUTO_TYPE_FILTER = JSONReader.autoTypeFilter(Constants.JSON_WHITELIST_STR);
private Class<T> clazz;
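Review bot: `AUTO_TYPE_FILTER` is declared without a comment and left package-private, although it is the one thing limiting which classes a type tag in Redis data may resolve to. I would declare it `private static final Filter AUTO_TYPE_FILTER = JSONReader.autoTypeFilter(Constants.JSON_WHITELIST_STR);` and add a short comment above it. The comment should say that the filter replaces `JSONReader.Feature.SupportAutoType` and accepts only the prefixes in `Constants.JSON_WHITELIST_STR`, so that nobody restores the feature flag later to work around a deserialization failure.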
@@ -43,6 +47,6 @@
}
String str = new String(bytes, DEFAULT_CHARSET);
- return JSON.parseObject(str, clazz, JSONReader.Feature.SupportAutoType);
+ return JSON.parseObject(str, clazz, AUTO_TYPE_FILTER);
}
}
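Review bot: Nothing in `deserialize` covers a stored value whose type tag the new filter rejects, and entries already in Redis were written while `SupportAutoType` accepted any type name. Depending on how fastjson2 treats a rejected name, such a value may throw or come back as a generic map instead of the expected class, so cached sessions created before the upgrade could break. A round-trip test with a field of a non-listed type, plus an upgrade note about clearing the cache, would settle it. The method starts above this hunk, so any handling outside the visible lines is not accounted for here.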
diff --git a/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java b/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java
index 4b190d0..e062faf 100644
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java
@@ -4,6 +4,8 @@
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
@@ -29,6 +31,8 @@
@Component
public class TokenService
{
+ private static final Logger log = LoggerFactory.getLogger(TokenService.class);
+
// 令牌自定义标识
@Value("${token.header}")
private String header;
@@ -72,6 +76,7 @@
}
catch (Exception e)
{
+ log.error("获取用户信息异常'{}'", e.getMessage());
}
}
return null;
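Review bot: The added `log.error` call records only `e.getMessage()`, so the exception class and stack trace are lost and a null message is logged as `'null'`. Passing the exception as the last argument keeps both: `log.error("获取用户信息异常", e);`. The try block starts above the hunk, but if it wraps token parsing, any request with a malformed token will reach this line. In that case `warn` level, and a check that the parser's message does not echo token contents into the log, are worth considering.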
--
Gitblit v1.9.2