From 5ac56c82c48200f5bfd82917d04279ff502a906f Mon Sep 17 00:00:00 2001
From: tj <1378534974@qq.com>
Date: 星期四, 20 三月 2025 15:06:20 +0800
Subject: [PATCH] 高级安全防护

---
 src/main/java/com/jsh/erp/filter/LogCostFilter.java | 45 +++++++++++++++++++++++++++++++++++++++------
 1 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/src/main/java/com/jsh/erp/filter/LogCostFilter.java b/src/main/java/com/jsh/erp/filter/LogCostFilter.java
index 8b8bee2..ae7a4a7 100644
--- a/src/main/java/com/jsh/erp/filter/LogCostFilter.java
+++ b/src/main/java/com/jsh/erp/filter/LogCostFilter.java
@@ -17,7 +17,10 @@
                 "/jshERP-boot/user/registerUser#/jshERP-boot/user/randomImage#" +
                 "/jshERP-boot/platformConfig/getPlatform#/jshERP-boot/v2/api-docs#/jshERP-boot/webjars#" +
                 "/jshERP-boot/systemConfig/static#/jshERP-boot/api/plugin/wechat/weChat/share#" +
-                "/jshERP-boot/api/plugin/general-ledger/pdf/voucher#/jshERP-boot/api/plugin/tenant-statistics/tenantClean")})
+                "/jshERP-boot/api/plugin/general-ledger/pdf/voucher#/jshERP-boot/api/plugin/tenant-statistics/tenantClean#" +
+                "/jshERP-boot/swagger-ui.html#/jshERP-boot/swagger-resources#" +
+                "/jshERP-boot/doc.html#/jshERP-boot/swagger-resources/**#" +
+                "/jshERP-boot/v2/api-docs/**#/jshERP-boot/webjars/**")})
 public class LogCostFilter implements Filter {
 
     private static final String FILTER_PATH = "filterPath";
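Review bot: The new `/jshERP-boot/v2/api-docs/**` and `/jshERP-boot/webjars/**` entries are added to the same `#`-separated init-param value that already lists `/jshERP-boot/v2/api-docs` and `/jshERP-boot/webjars` two lines above, and the code that splits this value is not in the hunk; unless that parser implements Ant-style `**` matching, the two new entries are inert and the older plain entries are what actually take effect, so the glob syntax should be confirmed against the parser or dropped. `/jshERP-boot/doc.html`, `/jshERP-boot/swagger-ui.html` and `/jshERP-boot/swagger-resources` are also listed here while the filter body (later hunks) whitelists the same paths a second time with `contains()`, leaving two independent whitelists for the same endpoints. At minimum add `// keep in sync with isSwaggerRequest() below` next to this value, or better derive both from one shared constant so they cannot drift. The annotation this value belongs to starts before the hunk.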
@@ -40,14 +43,26 @@
         HttpServletRequest servletRequest = (HttpServletRequest) request;
         HttpServletResponse servletResponse = (HttpServletResponse) response;
         String requestUrl = servletRequest.getRequestURI();
-        //具体,比如:处理若用户未登录,则跳转到登录页
-        Object userId = redisService.getObjectFromSessionByKey(servletRequest,"userId");
-        if(userId!=null) { //如果已登录,不阻止
+
+        if (isSwaggerRequest(requestUrl)) {
             chain.doFilter(request, response);
             return;
         }
-        if (requestUrl != null && (requestUrl.contains("/doc.html") ||
-                requestUrl.contains("/user/login") || requestUrl.contains("/user/register"))) {
+
+        if (requestUrl != null && (
+                requestUrl.contains("/doc.html") ||
+                requestUrl.contains("/swagger-ui.html") ||
+                requestUrl.contains("/swagger-resources") ||
+                requestUrl.contains("/v2/api-docs") ||
+                requestUrl.contains("/webjars/") ||
+                requestUrl.contains("/user/login") ||
+                requestUrl.contains("/user/register"))) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        Object userId = redisService.getObjectFromSessionByKey(servletRequest,"userId");
+        if(userId!=null) { //如果已登录,不阻止
             chain.doFilter(request, response);
             return;
         }
@@ -64,6 +79,24 @@
             servletResponse.getWriter().write("loginOut");
         }
     }
+    private boolean isSwaggerRequest(String requestUrl) {
+        return requestUrl != null && (
+                requestUrl.contains("/doc.html") ||
+                requestUrl.contains("/swagger-ui.html") ||
+                requestUrl.contains("/swagger-resources") ||
+                requestUrl.contains("/v2/api-docs") ||
+                requestUrl.contains("/webjars/") ||
+                requestUrl.contains("/user/login") ||
+                requestUrl.contains("/user/register") ||
+                // 添加API尝试请求
+                requestUrl.contains("/cloudContent/getByType") || // 允许未登录访问的API
+                requestUrl.contains("/cloudContent/list") || // 允许未登录访问的API
+                requestUrl.contains("/sysDict/getByDictCodeAndItemText") || //允许查询字典值API
+                requestUrl.contains("/sms/send-code") || //
+                requestUrl.contains("/sms/login")|| //
+                requestUrl.contains("/config-security/enable-list-all") //
+        );
+    }
 
     @Override
     public void destroy() {
-- 
Gitblit v1.9.3
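Review bot: The inline `if (requestUrl != null && (requestUrl.contains("/doc.html") || ... requestUrl.contains("/user/register")))` block added in this hunk is unreachable: every path it tests is also tested by `isSwaggerRequest` (added in the next hunk), which runs first and has already returned for those requests, so the block only duplicates the whitelist and leaves a second place to forget when an entry changes. Delete it and keep a single whitelist, so the method reads `if (isSwaggerRequest(requestUrl)) { chain.doFilter(request, response); return; }` followed directly by the `redisService.getObjectFromSessionByKey(servletRequest,"userId")` lookup. Since the session lookup was moved after the whitelist, a one-line comment such as `// public paths are served before the session lookup; everything else requires "userId" in the session` would make the intended order explicit for the next reader. The enclosing `doFilter` method both starts and ends outside this hunk.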
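Review bot: Every test in `isSwaggerRequest` is a substring `contains()` on `getRequestURI()`, which is neither normalized nor stripped of path parameters, so a protected endpoint can be opened by embedding a whitelisted fragment — e.g. `/jshERP-boot/user/list;/doc.html` (path parameters are kept by `getRequestURI()` but ignored when the container dispatches) or a protected URL with `/webjars/` appended — and since this method is the filter's only authentication gate, the matching must be anchored to whole paths. The name is also misleading now that it whitelists business APIs (`/cloudContent/*`, `/sysDict/*`, `/sms/*`, `/config-security/enable-list-all`); whether those are safe to expose without a session cannot be judged from this hunk and should be confirmed, and a name such as `isPublicRequest` with a short reason comment per entry (replacing the empty `//` markers) would make that review possible. I would replace the list with exact-path and prefix matching after dropping path parameters, roughly as below; the context path `/jshERP-boot` and the exact registration endpoint `/user/registerUser` are taken from the exclude list in the annotation and should be confirmed, `Set.of`/`List.of` need Java 9+ (use `Arrays.asList` otherwise), and `java.util.Set`/`java.util.List` imports are required. The `destroy()` method that follows is outside the hunk.
```java
    // Exact public endpoints, matched against the full request URI (context path included).
    private static final Set<String> PUBLIC_PATHS = Set.of(
            "/jshERP-boot/doc.html", "/jshERP-boot/swagger-ui.html", "/jshERP-boot/v2/api-docs",
            "/jshERP-boot/user/login", "/jshERP-boot/user/registerUser",
            "/jshERP-boot/cloudContent/getByType", "/jshERP-boot/cloudContent/list",
            "/jshERP-boot/sysDict/getByDictCodeAndItemText",
            "/jshERP-boot/sms/send-code", "/jshERP-boot/sms/login",
            "/jshERP-boot/config-security/enable-list-all");
    // Public prefixes for static/doc resources that legitimately have sub-paths.
    private static final List<String> PUBLIC_PREFIXES = List.of(
            "/jshERP-boot/webjars/", "/jshERP-boot/swagger-resources");

    private boolean isSwaggerRequest(String requestUrl) {
        if (requestUrl == null) {
            return false;
        }
        // Drop path parameters (";jsessionid=..."): the container ignores them when
        // dispatching, so they must not be able to influence this decision either.
        String path = requestUrl.split(";", 2)[0];
        if (PUBLIC_PATHS.contains(path)) {
            return true;
        }
        for (String prefix : PUBLIC_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
```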