From 7412db0d3c9375ddbc90d54f5254eb12c1545d5e Mon Sep 17 00:00:00 2001
From: fit2cloud-chenyw
Date: Thu, 26 Dec 2024 11:53:29 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E6=BD=9C=E5=9C=A8=E8=B6=8A=E6=9D=83?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../io/dataease/auth/filter/TokenFilter.java | 70 +++++++++++++------
 .../io/dataease/exception/DEException.java | 6 ++
 .../exception/GlobalExceptionHandler.java | 16 ++++-
 .../java/io/dataease/utils/AuthUtils.java | 4 ++
 .../java/io/dataease/utils/UserUtils.java | 4 ++
 .../io/dataease/utils/WhitelistUtils.java | 12 +++-
 6 files changed, 84 insertions(+), 28 deletions(-)
diff --git a/sdk/common/src/main/java/io/dataease/auth/filter/TokenFilter.java b/sdk/common/src/main/java/io/dataease/auth/filter/TokenFilter.java
index d07673351c..f9201d4dea 100644
--- a/sdk/common/src/main/java/io/dataease/auth/filter/TokenFilter.java
+++ b/sdk/common/src/main/java/io/dataease/auth/filter/TokenFilter.java
@@ -2,13 +2,19 @@ package io.dataease.auth.filter;
 import io.dataease.auth.bo.TokenUserBO;
 import io.dataease.constant.AuthConstant;
+import io.dataease.exception.DEException;
+import io.dataease.result.ResultMessage;
 import io.dataease.utils.*;
 import jakarta.servlet.*;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.HttpStatusCode;
+import org.springframework.http.ResponseEntity;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 import java.util.Objects;
 public class TokenFilter implements Filter {
@@ -35,32 +41,52 @@ public class TokenFilter implements Filter {
 }
 String requestURI = request.getRequestURI();
- if (ModelUtils.isDesktop()) {
- UserUtils.setDesktopUser();
+ boolean match = false;
+ try {
+ match = WhitelistUtils.match(requestURI);
+ } catch (DEException e) {
+ HttpServletResponse res = (HttpServletResponse) servletResponse;
+ ResultMessage resultMessage = new ResultMessage(e.getCode(), e.getMessage());
+ ResponseEntity entity = new ResponseEntity<>(resultMessage, HttpStatus.UNAUTHORIZED);
+ sendResponseEntity(res, entity);
+ LogUtil.error(e.getMessage(), e);
+ return;
+ }
+ if (match) {
 filterChain.doFilter(servletRequest, servletResponse);
 return;
 }
+ try {
+ if (ModelUtils.isDesktop()) {
+ UserUtils.setDesktopUser();
+ filterChain.doFilter(servletRequest, servletResponse);
+ return;
+ }
+ String executeVersion = null;
+ if (StringUtils.isNotBlank(executeVersion = VersionUtil.getRandomVersion())) {
+ Objects.requireNonNull(ServletUtils.response()).addHeader(AuthConstant.DE_EXECUTE_VERSION, executeVersion);
+ }
+ String linkToken = ServletUtils.getHead(AuthConstant.LINK_TOKEN_KEY);
+ if (StringUtils.isNotBlank(linkToken)) {
+ TokenUserBO tokenUserBO = TokenUtils.validateLinkToken(linkToken);
+ UserUtils.setUserInfo(tokenUserBO);
+ filterChain.doFilter(servletRequest, servletResponse);
+ return;
+ }
+ String token = ServletUtils.getToken();
+ TokenUserBO userBO = TokenUtils.validate(token);
+ UserUtils.setUserInfo(userBO);
+ filterChain.doFilter(servletRequest, servletResponse);
+ } finally {
+ UserUtils.removeUser();
+ }
+ }
- if (WhitelistUtils.match(requestURI)) {
- filterChain.doFilter(servletRequest, servletResponse);
- return;
- }
-
- String executeVersion = null;
- if (StringUtils.isNotBlank(executeVersion = VersionUtil.getRandomVersion())) {
- Objects.requireNonNull(ServletUtils.response()).addHeader(AuthConstant.DE_EXECUTE_VERSION, executeVersion);
- }
- String linkToken = ServletUtils.getHead(AuthConstant.LINK_TOKEN_KEY);
- if (StringUtils.isNotBlank(linkToken)) {
- TokenUserBO tokenUserBO = TokenUtils.validateLinkToken(linkToken);
- UserUtils.setUserInfo(tokenUserBO);
- filterChain.doFilter(servletRequest, servletResponse);
- return;
- }
- String token = ServletUtils.getToken();
- TokenUserBO userBO = TokenUtils.validate(token);
- UserUtils.setUserInfo(userBO);
- filterChain.doFilter(servletRequest, servletResponse);
+ private void sendResponseEntity(HttpServletResponse httpResponse, ResponseEntity responseEntity) throws IOException {
+ HttpStatusCode statusCode = responseEntity.getStatusCode();
+ httpResponse.setStatus(statusCode.value());
+ httpResponse.setCharacterEncoding(StandardCharsets.UTF_8.name());
+ httpResponse.getWriter().write(Objects.requireNonNull(JsonUtil.toJSONString(responseEntity.getBody()).toString()));
 }
 }
diff --git a/sdk/common/src/main/java/io/dataease/exception/DEException.java b/sdk/common/src/main/java/io/dataease/exception/DEException.java
index 9ef6a94b5c..662c488c96 100644
--- a/sdk/common/src/main/java/io/dataease/exception/DEException.java
+++ b/sdk/common/src/main/java/io/dataease/exception/DEException.java
@@ -2,12 +2,18 @@ package io.dataease.exception;
 import io.dataease.result.ResultCode;
 import lombok.Data;
+import lombok.EqualsAndHashCode;
 import lombok.experimental.Accessors;
+import java.io.Serial;
+
+@EqualsAndHashCode(callSuper = true)
 @Data
 @Accessors(chain = true)
 public class DEException extends RuntimeException {
+ @Serial
+ private static final long serialVersionUID = 8170873998824378304L;
 private int code;
 private String msg;
diff --git a/sdk/common/src/main/java/io/dataease/exception/GlobalExceptionHandler.java b/sdk/common/src/main/java/io/dataease/exception/GlobalExceptionHandler.java
index 267135617c..bb23716cc0 100644
--- a/sdk/common/src/main/java/io/dataease/exception/GlobalExceptionHandler.java
+++ b/sdk/common/src/main/java/io/dataease/exception/GlobalExceptionHandler.java
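Review bot: `sendResponseEntity` writes a JSON body that echoes the rejected request URI but never sets a content type, so the reply leaves with whatever the container defaults to (often none) and a browser may sniff it; add `httpResponse.setContentType("application/json");` next to `setCharacterEncoding`, before `getWriter()` is called, since headers set after the writer is obtained may be ignored. The helper also takes a raw `ResponseEntity`; declaring it as `ResponseEntity<ResultMessage>` lets the compiler check `getBody()`. Answering a malformed URI with `HttpStatus.UNAUTHORIZED` conflates an invalid address with a missing credential — `HttpStatus.BAD_REQUEST` describes it better, provided no client depends on the 401. The enclosing `doFilter` begins above this hunk.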
@@ -5,6 +5,7 @@ import io.dataease.i18n.Translator;
 import io.dataease.result.ResultCode;
 import io.dataease.result.ResultMessage;
 import io.dataease.utils.LogUtil;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.validation.ObjectError;
 import org.springframework.web.bind.MethodArgumentNotValidException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
@@ -14,20 +15,29 @@ import org.springframework.web.bind.annotation.RestControllerAdvice;
 public class GlobalExceptionHandler {
- /** -------- 参数校验异常 -------- **/
 @ExceptionHandler(MethodArgumentNotValidException.class)
 public ResultMessage MethodArgumentNotValidExceptionHandler(MethodArgumentNotValidException e) {
 ObjectError objectError = e.getBindingResult().getAllErrors().get(0);
 String msg = objectError.getDefaultMessage();
 msg = Translator.get(msg);
 LogUtil.error(msg);
- return new ResultMessage(ResultCode.PARAM_IS_INVALID.code(),msg);
+ return new ResultMessage(ResultCode.PARAM_IS_INVALID.code(), msg);
 }
 @ExceptionHandler(DEException.class)
 public ResultMessage deExceptionHandler(DEException e) {
 LogUtil.error(e.getMessage(), e);
- return new ResultMessage(e.getCode(),e.getMessage());
+ return new ResultMessage(e.getCode(), e.getMessage());
+ }
+
+ @ExceptionHandler(NullPointerException.class)
+ public ResultMessage noUserExceptionHandler(Exception e) {
+ String message = e.getMessage();
+ LogUtil.error(message, e);
+ if (StringUtils.contains(message, "Cannot invoke \"io.dataease.auth.bo.TokenUserBO.getUserId()\" because \"user\" is null")) {
+ return new ResultMessage(ResultCode.USER_NOT_LOGGED_IN.code(), ResultCode.USER_NOT_LOGGED_IN.message());
+ }
+ return new ResultMessage(ResultCode.PARAM_IS_BLANK.code(), message);
 }
 }
diff --git a/sdk/common/src/main/java/io/dataease/utils/AuthUtils.java b/sdk/common/src/main/java/io/dataease/utils/AuthUtils.java
index c9eab2240a..d7dc571f3f 100644
--- a/sdk/common/src/main/java/io/dataease/utils/AuthUtils.java
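Review bot: `noUserExceptionHandler` recognizes the not-logged-in case by substring-matching the JVM's helpful NullPointerException text, which only exists when the runtime emits code details (on by default since JDK 15, but switchable off with `-XX:-ShowCodeDetailsInExceptionMessages` and absent when the NPE carries its own message) and which silently stops matching the moment `user` or `getUserId` is renamed. A sturdier signal is the state the message stands for — `if (AuthUtils.getUser() == null)`, assuming `getUser()` seen in the AuthUtils hunk is reachable from this package and still populated when the advice runs — or better, have the site that dereferences the user throw `DEException` with `USER_NOT_LOGGED_IN` itself so no NPE reaches this handler. The fallback branch also hands the raw NPE message to the client, exposing internal class and method names; `return new ResultMessage(ResultCode.PARAM_IS_BLANK.code(), ResultCode.PARAM_IS_BLANK.message());` keeps that detail in the log, where `LogUtil.error` already records it with the stack trace.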
+++ b/sdk/common/src/main/java/io/dataease/utils/AuthUtils.java
@@ -19,6 +19,10 @@ public class AuthUtils {
 USER_INFO.set(userBO);
 }
+ public static void remove() {
+ USER_INFO.remove();
+ }
+
 public static boolean isSysAdmin() {
 TokenUserBO user = null;
 if (ObjectUtils.isEmpty(user = getUser())) {
diff --git a/sdk/common/src/main/java/io/dataease/utils/UserUtils.java b/sdk/common/src/main/java/io/dataease/utils/UserUtils.java
index ffbea02d3d..4e820d5b13 100644
--- a/sdk/common/src/main/java/io/dataease/utils/UserUtils.java
+++ b/sdk/common/src/main/java/io/dataease/utils/UserUtils.java
@@ -14,4 +14,8 @@ public class UserUtils {
 bo.setDefaultOid(1L);
 AuthUtils.setUser(bo);
 }
+
+ public static void removeUser() {
+ AuthUtils.remove();
+ }
 }
diff --git a/sdk/common/src/main/java/io/dataease/utils/WhitelistUtils.java b/sdk/common/src/main/java/io/dataease/utils/WhitelistUtils.java
index f76ae37c8b..55e87f89c5 100644
--- a/sdk/common/src/main/java/io/dataease/utils/WhitelistUtils.java
+++ b/sdk/common/src/main/java/io/dataease/utils/WhitelistUtils.java
@@ -8,6 +8,8 @@ import org.springframework.core.env.Environment;
 import java.util.List;
 import java.util.Objects;
+import static io.dataease.result.ResultCode.INTERFACE_ADDRESS_INVALID;
+
 public class WhitelistUtils {
 private static String contextPath;
@@ -50,9 +52,7 @@ public class WhitelistUtils {
 "/");
 public static boolean match(String requestURI) {
- if (requestURI.contains(";") && !requestURI.contains("?")) {
- DEException.throwException("Invalid uri: " + requestURI);
- }
+ invalidUrl(requestURI);
 if (StringUtils.startsWith(requestURI, getContextPath())) {
 requestURI = requestURI.replaceFirst(getContextPath(), "");
 }
@@ -100,4 +100,10 @@ public class WhitelistUtils {
 }
 return redirect_uri + AuthConstant.DE_API_PREFIX + "/";
 }
+
+ private static void invalidUrl(String requestURI) {
+ if (requestURI.contains("./") || (requestURI.contains(";") && !requestURI.contains("?"))) {
+ DEException.throwException(INTERFACE_ADDRESS_INVALID.code(), String.format("%s [%s]", INTERFACE_ADDRESS_INVALID.message(), requestURI));
+ }
+ }
 }
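Review bot: `invalidUrl` inspects the string handed in from `getRequestURI()`, which the servlet API returns undecoded, so the new `./` test catches only a literal dot segment while a percent-encoded one passes the whitelist check and is only decoded further down the stack. Run the same conditions on a decoded copy as well, e.g. `String decoded = URLDecoder.decode(requestURI, StandardCharsets.UTF_8);` (from `java.net` / `java.nio.charset`), treating an `IllegalArgumentException` from a malformed escape as invalid too; if Spring Security's `StrictHttpFirewall` already fronts this filter it rejects encoded traversal and semicolons on its own, and this method is then a second line worth a comment saying so. `String.format` also copies the raw URI into the exception message, which `TokenFilter` both logs and returns to the client; leaving it out of the client-facing text, or truncating it, keeps the attacker-controlled string confined to the log. The `;`/`?` rule is carried over unchanged from the old `match` body, so its intent deserves a one-line comment now that it lives apart from the whitelist logic.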