1.第三方检测问题修复-登录时用户信息明文传输

2.第三方检测问题修复-未对用户登录次数进行限制
This commit is contained in:
dinggang 2022-11-14 16:29:00 +08:00
parent 7f224cf1a3
commit a14ba472eb
3 changed files with 75 additions and 23 deletions


@ -31,7 +31,6 @@ public class TsingtaoDataResourceService extends AbstractDataResourceService {
TsingtaoDataResourceService.restTemplate = SpringContextUtils.getBean(RestTemplate.class); TsingtaoDataResourceService.restTemplate = SpringContextUtils.getBean(RestTemplate.class);
} }
@Override @Override
public Object getDataResource(GetDataResourceListDto dto) { public Object getDataResource(GetDataResourceListDto dto) {


@ -1,12 +1,16 @@
package io.renren.modules.security.controller; package io.renren.modules.security.controller;
import cn.hutool.core.date.DateUtil;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import io.renren.common.annotation.LogOperation; import io.renren.common.annotation.LogOperation;
import io.renren.common.constant.Constant; import io.renren.common.constant.Constant;
import io.renren.common.exception.ErrorCode; import io.renren.common.exception.ErrorCode;
import io.renren.common.exception.RenException; import io.renren.common.exception.RenException;
import io.renren.common.utils.DateUtils;
import io.renren.common.utils.IpUtils; import io.renren.common.utils.IpUtils;
import io.renren.common.utils.Result; import io.renren.common.utils.Result;
import io.renren.common.validator.AssertUtils; import io.renren.common.validator.AssertUtils;
import io.renren.modules.log.dao.SysLogLoginDao;
import io.renren.modules.log.entity.SysLogLoginEntity; import io.renren.modules.log.entity.SysLogLoginEntity;
import io.renren.modules.log.enums.LoginOperationEnum; import io.renren.modules.log.enums.LoginOperationEnum;
import io.renren.modules.log.enums.LoginStatusEnum; import io.renren.modules.log.enums.LoginStatusEnum;
@ -65,6 +69,8 @@ public class LoginController {
private CaptchaService captchaService; private CaptchaService captchaService;
@Autowired @Autowired
private SysLogLoginService sysLogLoginService; private SysLogLoginService sysLogLoginService;
@Autowired
private SysLogLoginDao logLoginDao;
@Autowired(required = false) @Autowired(required = false)
private SSOValidator ssoValidator; private SSOValidator ssoValidator;
@ -72,6 +78,11 @@ public class LoginController {
@Value("${yawei.enable}") @Value("${yawei.enable}")
private Boolean yaweiEnable; // 亚微登录 private Boolean yaweiEnable; // 亚微登录
@Value("${system.maxErrorTimes}")
private Integer maxErrorTimes;
@Value("${system.resumeLogonTime}")
private Integer resumeLogonTime;
@GetMapping("captcha") @GetMapping("captcha")
@ApiOperation(value = "验证码", produces = "application/octet-stream") @ApiOperation(value = "验证码", produces = "application/octet-stream")
@ApiImplicitParam(paramType = "query", dataType = "string", name = "uuid", required = true) @ApiImplicitParam(paramType = "query", dataType = "string", name = "uuid", required = true)
@ -95,21 +106,25 @@ public class LoginController {
public Result login(HttpServletRequest request, HttpServletResponse response, @ApiIgnore @RequestParam Map<String, Object> params) throws Exception { public Result login(HttpServletRequest request, HttpServletResponse response, @ApiIgnore @RequestParam Map<String, Object> params) throws Exception {
LoginDTO login = new LoginDTO(); LoginDTO login = new LoginDTO();
login.setUsername(String.valueOf(params.get("username")));
//2022-11-11 修改用户名加密传输
String userName = PasswordUtils.desEncrypt(String.valueOf(params.get("username")));
login.setUsername(userName);
//login.setUsername(String.valueOf(params.get("username")));
String password = PasswordUtils.desEncrypt(String.valueOf(params.get("password"))); String password = PasswordUtils.desEncrypt(String.valueOf(params.get("password")));
login.setPassword(password); login.setPassword(password);
login.setUuid(String.valueOf(params.get("uuid"))); login.setUuid(String.valueOf(params.get("uuid")));
//新增访客模式访客模式下模拟登录每次新增用户 //新增访客模式访客模式下模拟登录每次新增用户
if (String.valueOf(params.get("username")).contains("guest")) { //if (String.valueOf(params.get("username")).contains("guest")) {
SysUserDTO userDTO = new SysUserDTO(); // SysUserDTO userDTO = new SysUserDTO();
userDTO.setStatus(1); // userDTO.setStatus(1);
userDTO.setPassword(String.valueOf(params.get("password"))); // userDTO.setPassword(String.valueOf(params.get("password")));
userDTO.setUsername(String.valueOf(params.get("username"))); // userDTO.setUsername(String.valueOf(params.get("username")));
userDTO.setSuperAdmin(0); // userDTO.setSuperAdmin(0);
userDTO.setDeptId(sysDeptDao.getByName("访客部门") == null ? null : sysDeptDao.getByName("访客部门").getId()); // userDTO.setDeptId(sysDeptDao.getByName("访客部门") == null ? null : sysDeptDao.getByName("访客部门").getId());
userDTO.setDeptName("访客部门"); // userDTO.setDeptName("访客部门");
sysUserService.save(userDTO); // sysUserService.save(userDTO);
} //}
//用户信息 //用户信息
SysUserDTO user = sysUserService.getByUsername(login.getUsername()); SysUserDTO user = sysUserService.getByUsername(login.getUsername());
@ -118,7 +133,6 @@ public class LoginController {
log.setCreateDate(new Date()); log.setCreateDate(new Date());
log.setIp(IpUtils.getIpAddr(request)); log.setIp(IpUtils.getIpAddr(request));
log.setUserAgent(request.getHeader(HttpHeaders.USER_AGENT)); log.setUserAgent(request.getHeader(HttpHeaders.USER_AGENT));
log.setIp(IpUtils.getIpAddr(request));
//用户不存在 //用户不存在
if (user == null) { if (user == null) {
@ -129,16 +143,6 @@ public class LoginController {
throw new RenException(ErrorCode.ACCOUNT_PASSWORD_ERROR); throw new RenException(ErrorCode.ACCOUNT_PASSWORD_ERROR);
} }
//密码错误
if (!PasswordUtils.matches(login.getPassword(), user.getPassword())) {
log.setStatus(LoginStatusEnum.FAIL.value());
log.setCreator(user.getId());
log.setCreatorName(user.getUsername());
sysLogLoginService.save(log);
throw new RenException(ErrorCode.ACCOUNT_PASSWORD_ERROR);
}
//账号停用 //账号停用
if (user.getStatus() == UserStatusEnum.DISABLE.value()) { if (user.getStatus() == UserStatusEnum.DISABLE.value()) {
log.setStatus(LoginStatusEnum.LOCK.value()); log.setStatus(LoginStatusEnum.LOCK.value());
@ -149,11 +153,55 @@ public class LoginController {
throw new RenException(ErrorCode.ACCOUNT_DISABLE); throw new RenException(ErrorCode.ACCOUNT_DISABLE);
} }
//2022-11-11 账号锁定 且在规定时间内则不能登录
if (user.getStatus() == UserStatusEnum.LOCKED.value()) {
Date now = DateUtil.date();
QueryWrapper<SysLogLoginEntity> queryWrapper = new QueryWrapper<>();
//queryWrapper.eq("creator_name", params.get("username")).orderByDesc("create_date").last("LIMIT 1");
queryWrapper.eq("creator_name", userName).orderByDesc("create_date").last("LIMIT 1");
SysLogLoginEntity loginEntity = logLoginDao.selectOne(queryWrapper);
Date lastLoginDate = loginEntity.getCreateDate();
//未超过规定时间返回账户锁定信息
if (DateUtils.addDateHours(lastLoginDate, resumeLogonTime).after(now)) {
throw new RenException("当前账号为锁定状态,请在" + DateUtils.format(DateUtils.addDateHours(lastLoginDate, resumeLogonTime), DateUtils.DATE_TIME_PATTERN) + "时间后重试。");
}
}
//密码错误
if (!PasswordUtils.matches(login.getPassword(), user.getPassword())) {
log.setStatus(LoginStatusEnum.FAIL.value());
log.setCreator(user.getId());
log.setCreatorName(user.getUsername());
sysLogLoginService.save(log);
//2022-11-11 新增限制用户登录次数超过后账户锁定状态变为2
if (user.getFrequency() < maxErrorTimes) {
user.setFrequency(user.getFrequency() + 1);
if (user.getFrequency() == maxErrorTimes) {
user.setStatus(2);
sysUserService.update(user);
throw new RenException("账号或密码连续输入错误" + maxErrorTimes + "次,账号已锁定。");
} else {
sysUserService.update(user);
throw new RenException("账号或密码输入错误,当前还可输入" + (maxErrorTimes - user.getFrequency()) + "次。");
}
}
}
//登录成功 //登录成功
log.setStatus(LoginStatusEnum.SUCCESS.value()); log.setStatus(LoginStatusEnum.SUCCESS.value());
log.setCreator(user.getId()); log.setCreator(user.getId());
log.setCreatorName(user.getUsername()); log.setCreatorName(user.getUsername());
sysLogLoginService.save(log); sysLogLoginService.save(log);
//将用户状态改为正常,登录失败次数置为0
if (user.getStatus() != 1 || user.getFrequency() != 0) {
user.setStatus(1);
user.setFrequency(0);
sysUserService.update(user);
}
Result<Map> token = sysUserTokenService.createToken(user.getId()); Result<Map> token = sysUserTokenService.createToken(user.getId());
request.setAttribute(Constant.TOKEN_HEADER, token.getData().get(Constant.TOKEN_HEADER)); request.setAttribute(Constant.TOKEN_HEADER, token.getData().get(Constant.TOKEN_HEADER));
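Review bot: A wrong password no longer always rejects the login once `user.getFrequency()` has reached `maxErrorTimes`: both `throw` statements in the `if (!PasswordUtils.matches(...))` block sit inside `if (user.getFrequency() < maxErrorTimes)`, so when that guard is false (a locked account whose `resumeLogonTime` window has elapsed, or any row whose counter is already at the limit) the FAIL log is saved and execution falls through to the `//登录成功` block, which resets the status and issues a token, whereas the original check removed in the previous hunk threw unconditionally. Add `throw new RenException(ErrorCode.ACCOUNT_PASSWORD_ERROR);` as the last statement of that block so every wrong-password path terminates before the success path. Two null paths also need guards in the lock check: `logLoginDao.selectOne(queryWrapper)` returns null when no login log exists for `userName`, and `user.getFrequency()` is a boxed `Integer` that is unboxed by the `<` comparison, so users persisted before the new column existed will fail with a NullPointerException unless the column defaults to 0. Minor: `user.setStatus(2)` and `user.setStatus(1)` should use the `UserStatusEnum` values that the lock check a few lines above already references, and the `login` method continues outside the hunk.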


@ -83,4 +83,9 @@ public class SysUserEntity extends BaseEntity {
*/ */
private String ywMobile; private String ywMobile;
/**
* 登录失败次数
*/
private Integer frequency;
} }
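Review bot: `frequency` is a boxed `Integer` with no initializer, so rows persisted before this column was added (and any row where the column is NULL) will load as `null` and be unboxed in the new `user.getFrequency() < maxErrorTimes` comparison in LoginController. Either initialise it, `private Integer frequency = 0;`, and give the column a `NOT NULL DEFAULT 0` in the accompanying schema change, or null-check it at the call site. The Javadoc `登录失败次数` says what the field is better than its name does; a name such as `loginFailCount` would make the controller logic self-describing, though renaming also touches the column mapping, so it can be a follow-up.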