增加防御代码，防止恶意攻击

56dbc071 · 季圣华 · 7ac14d49 · 56dbc071 · 56dbc071 · 56dbc071
Commit 56dbc071 authored Aug 21, 2021 by 季圣华
--- a/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java
@@ -86,7 +86,7 @@ public class UserController {
            //获取用户状态
            int userStatus = -1;
            try {
-                redisService.deleteObjectBySession(request,"tenantId");
+                redisService.deleteObjectBySession(request,"userId");
                userStatus = userService.validateUser(loginName, password);
            } catch (Exception e) {
                e.printStackTrace();
@@ -125,7 +125,6 @@ public class UserController {
                            Integer userNumLimit = tenant.getUserNumLimit();
                            Integer billsNumLimit = tenant.getBillsNumLimit();
                            if(tenantId!=null) {
-                                redisService.storageObjectBySession(token,"tenantId",tenantId); //租户tenantId
                                redisService.storageObjectBySession(token,"userNumLimit",userNumLimit); //用户限制数
                                redisService.storageObjectBySession(token,"billsNumLimit",billsNumLimit); //单据限制数
                            }
@@ -140,7 +139,7 @@ public class UserController {
            if(user!=null){
                String roleType = userService.getRoleTypeByUserId(user.getId()); //角色类型
                redisService.storageObjectBySession(token,"roleType",roleType);
-                redisService.storageObjectBySession(token,"token", token);
+                redisService.storageObjectBySession(token,"clientIp", Tools.getLocalIp(request));
                logService.insertLogWithUserId(user.getId(), user.getTenantId(), "用户",
                        new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_LOGIN).append(user.getLoginName()).toString(),
                        ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
@@ -188,10 +187,7 @@ public class UserController {
    public BaseResponseInfo logout(HttpServletRequest request, HttpServletResponse response)throws Exception {
        BaseResponseInfo res = new BaseResponseInfo();
        try {
-            redisService.deleteObjectBySession(request,"user");
-            redisService.deleteObjectBySession(request,"tenantId");
-            redisService.deleteObjectBySession(request,"userNumLimit");
-            redisService.deleteObjectBySession(request,"billsNumLimit");
+            redisService.deleteObjectBySession(request,"userId");
            response.sendRedirect("/login.html");
        } catch(Exception e){
            e.printStackTrace();

--- a/jshERP-boot/src/main/java/com/jsh/erp/datasource/mappers/LogMapperEx.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/datasource/mappers/LogMapperEx.java
@@ -28,4 +28,8 @@ public interface LogMapperEx {
            @Param("beginTime") String beginTime,
            @Param("endTime") String endTime,
            @Param("content") String content);
+
+    Long getCountByIpAndDate(
+            @Param("clientIp") String clientIp,
+            @Param("createTime") String createTime);
 }
\ No newline at end of file
--- a/jshERP-boot/src/main/java/com/jsh/erp/service/log/LogService.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/service/log/LogService.java
@@ -148,15 +148,23 @@ public class LogService {
        try{
            Long userId = userService.getUserId(request);
            if(userId!=null) {
-                Log log = new Log();
-                log.setUserId(userId);
-                log.setOperation(moduleName);
-                log.setClientIp(getLocalIp(request));
-                log.setCreateTime(new Date());
-                Byte status = 0;
-                log.setStatus(status);
-                log.setContent(content);
-                logMapper.insertSelective(log);
+                String clientIp = getLocalIp(request);
+                String createTime = Tools.getNow3();
+                Long count = logMapperEx.getCountByIpAndDate(clientIp, createTime);
+                if(count > 0) {
+                    //如果某1个IP在同1秒内连续操作两遍，此时需要删除该redis记录，使其退出，防止恶意攻击
+                    redisService.deleteObjectByKeyAndIp("clientIp", clientIp, "userId");
+                } else {
+                    Log log = new Log();
+                    log.setUserId(userId);
+                    log.setOperation(moduleName);
+                    log.setClientIp(getLocalIp(request));
+                    log.setCreateTime(new Date());
+                    Byte status = 0;
+                    log.setStatus(status);
+                    log.setContent(content);
+                    logMapper.insertSelective(log);
+                }
            }
        }catch(Exception e){
            JshException.writeFail(logger, e);

--- a/jshERP-boot/src/main/java/com/jsh/erp/service/redis/RedisService.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/service/redis/RedisService.java
@@ -10,6 +10,7 @@ import org.springframework.stereotype.Component;

 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;

 /**
@@ -96,11 +97,24 @@ public class RedisService {
        }
    }

-    public Long getTenantId(HttpServletRequest request) {
-        if(getObjectFromSessionByKey(request,"tenantId")!=null) {
-            return Long.parseLong(getObjectFromSessionByKey(request, "tenantId").toString());
-        } else {
-            return null;
+    /**
+     * @author jisheng hua
+     * description:
+     *  将信息从redis中移除，比对key和ip
+     *@date: 2021/08/21 22:10
+     * @Param: request
+     * @Param: key
+     * @Param: ip
+     * @Param: deleteKey
+     * @return Object
+     */
+    public void deleteObjectByKeyAndIp(String key, String ip, String deleteKey){
+        Set<String> tokens = redisTemplate.keys("*");
+        for(String token : tokens) {
+            Object value = redisTemplate.opsForHash().get(token, key);
+            if(value!=null && value.equals(ip)) {
+                redisTemplate.opsForHash().delete(token, deleteKey);
+            }
        }
    }
 }
--- a/jshERP-boot/src/main/resources/mapper_xml/LogMapperEx.xml
+++ b/jshERP-boot/src/main/resources/mapper_xml/LogMapperEx.xml
@@ -70,4 +70,8 @@
            and l.content like #{bindContent}
        </if>
    </select>
+
+    <select id="getCountByIpAndDate" resultType="java.lang.Long">
+        select count(1) from jsh_log where client_ip=#{clientIp} and create_time=#{createTime}
+    </select>
 </mapper>
\ No newline at end of file