diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysLoginController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysLoginController.java
index abc8d02..557e895 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysLoginController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysLoginController.java
@@ -3,6 +3,7 @@ package com.ruoyi.web.controller.system;
 import java.util.List;
 import java.util.Set;
+import com.ruoyi.cms.util.StringUtil;
 import com.ruoyi.common.core.domain.entity.tymh.wwToken.WwTokenResult;
 import com.ruoyi.common.core.domain.entity.tymh.wwToken.WwUserLogin;
 import com.ruoyi.common.core.domain.model.RegisterBody;
@@ -22,6 +23,8 @@ import com.ruoyi.framework.web.service.SysLoginService;
 import com.ruoyi.framework.web.service.SysPermissionService;
 import com.ruoyi.system.service.ISysMenuService;
+import javax.servlet.http.HttpServletRequest;
+
 /**
 * 登录验证
@@ -63,9 +66,24 @@ public class SysLoginController
 @PostMapping("/app/login")
 public AjaxResult loginApp(@RequestBody LoginBody loginBody)
 {
+ return AjaxResult.error(403, "接口已禁用");
+// AjaxResult ajax = AjaxResult.success();
+// // 生成令牌
+// String token = loginService.loginApp("admin", "admin123");
+// ajax.put(Constants.TOKEN, token);
+// return ajax;
+ }
+
+ @PostMapping("/loginWeb")
+ public AjaxResult loginWeb(@RequestBody LoginBody loginBody, HttpServletRequest request)
+ {
+ String proxyServer = StringUtil.getProxyServer(request);
+ if (!"proxy-146".equals(proxyServer)) {
+ return AjaxResult.error(403, "当前环境不允许登录");
+ }
 AjaxResult ajax = AjaxResult.success();
 // 生成令牌
- String token = loginService.loginApp("admin", "admin123");
+ String token = loginService.loginWeb("admin", "admin123");
 ajax.put(Constants.TOKEN, token);
 return ajax;
 }
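Review bot: `loginWeb` never reads `loginBody` and hands the literal credentials `"admin", "admin123"` to `loginService.loginWeb`, so any caller that satisfies the `StringUtil.getProxyServer(request)` comparison receives a token for the built-in admin account without presenting credentials of its own. Whether that comparison is a real boundary depends on how `getProxyServer` derives its value, which this diff does not show; if it is read from a request header it is only trustworthy when every path into the application passes through a proxy that sets or strips that header, and that assumption should be written next to the check. At minimum pass `loginBody.getUsername()` and `loginBody.getPassword()` through so the service can verify them, and log the denied branch so attempts from other environments are visible in the audit trail. The commented-out body left in `loginApp` should be deleted rather than kept as a comment.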
diff --git a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/app/AppSkillController.java b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/app/AppSkillController.java
index 511d519..490df18 100644
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/app/AppSkillController.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/app/AppSkillController.java
@@ -38,6 +38,9 @@ public class AppSkillController extends BaseController {
 @ApiOperation("获取技能列表")
 @GetMapping("/list")
 public TableDataInfo list(AppSkill appSkill){
+ if(appSkill.getUserId()==null){
+ return error(400,"无效的用户id!");
+ }
 startPage();
 List list=appSkillService.getList(appSkill);
 return getDataTable(list);
diff --git a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/CmsSkillController.java b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/CmsSkillController.java
index 1719933..93b927e 100644
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/CmsSkillController.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/CmsSkillController.java
@@ -43,6 +43,9 @@ public class CmsSkillController extends BaseController {
 @ApiOperation("获取技能列表")
 @GetMapping("/list")
 public TableDataInfo list(AppSkill appSkill){
+ if(appSkill.getUserId()==null){
+ return error(400,"无效的用户id!");
+ }
 startPage();
 List list=appSkillService.getList(appSkill);
 return getDataTable(list);
diff --git a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/EmployeeConfirmController.java b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/EmployeeConfirmController.java
index 1d5ae64..4a86c3f 100644
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/EmployeeConfirmController.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/EmployeeConfirmController.java
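Review bot: The added `appSkill.getUserId()==null` check in `list` only rejects a missing id; any non-null `userId` supplied by the caller is still passed straight to `appSkillService.getList`, so this is input validation, not an ownership check. For an `/app/...` endpoint the id should come from the authenticated principal rather than the request object — overwrite it with the current user's id from the security context (RuoYi's `BaseController`/`SecurityUtils` expose this; confirm the accessor name in this codebase) — or the route should require an authority that covers reading other users' data. `CmsSkillController.list` in the next hunk and `EmployeeConfirmController.list` (with `companyId`) have the same shape. If these routes are meant to be blocked by `DENY_URLS` in `SecurityConfig`, say so in a comment here so the null check is not mistaken for the protection.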
@@ -37,6 +37,9 @@ public class EmployeeConfirmController extends BaseController {
 // @PreAuthorize("@ss.hasPermi('cms:employeeConfirm:list')")
 @RequestMapping("/list")
 public TableDataInfo list(EmployeeConfirm employeeConfirm){
+ if(employeeConfirm.getCompanyId()==null){
+ return error(400,"无效的企业id!");
+ }
 List list=employeeConfirmService.getEmployeeConfirmList(employeeConfirm);
 return getDataTable(list);
 }
diff --git a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/StringUtil.java b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/StringUtil.java
index 929546f..666d17f 100644
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/StringUtil.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/StringUtil.java
@@ -229,7 +229,7 @@ public class StringUtil {
 * @param request
 * @return
 */
- private static String getProxyServer(HttpServletRequest request) {
+ public static String getProxyServer(HttpServletRequest request) {
 if (request == null) {
 return null;
 }
diff --git a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
index 536ad9b..a0a791e 100644
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
@@ -66,6 +66,20 @@ public class SecurityConfig
 @Autowired
 private PermitAllUrlProperties permitAllUrl;
+ //全部禁用的高危接口
+ private static final String[] DENY_URLS = {
+ "/swagger-ui.html",
+ "/swagger-resources/**",
+ "/webjars/**",
+ "/*/api-docs/**",
+ "/druid/**",
+ "/app/user/list",
+ "/cms/appskill/list",
+ "/app/appskill/list",
+ "/cms/employeeConfirm/list",
+ "/app/fair/**"
+ };
+
 /**
 * 身份验证实现
 */
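Review bot: Widening `getProxyServer` to public turns it into an input to an authorization decision (`SysLoginController.loginWeb` in this commit compares its result to a fixed name), yet the Javadoc above it still has empty `@param request` and `@return` tags. Document where the value comes from and whether a client can influence it, along the lines of `@return the proxy identifier derived from the request, or {@code null} when the request is {@code null}; callers must not treat this as authenticated unless the fronting proxy is known to control the source value` — adjusted to what the body actually reads. The method body continues past the end of this hunk.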
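Review bot: `DENY_URLS` is documented only by the line comment `//全部禁用的高危接口`, although it is now the single place that blocks the API-docs, Druid and list endpoints; replace it with a Javadoc that states the list must be registered before any `permitAll()` rule (matchers are evaluated in order) and that entries are ant-style patterns, so a later edit does not reorder or loosen it silently. `"/*/api-docs/**"` correctly broadens the former `"/*/api-docs"`, but `"/swagger-ui.html"` alone does not cover the `/swagger-ui/**` path served by newer springfox/springdoc versions — confirm which UI this project ships before relying on the entry. Consider also noting in the Javadoc that `/app/fair/**` moved here from the `permitAll()` block (see the later hunk in this file), since that reversal is easy to miss.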
@@ -111,10 +125,9 @@ public class SecurityConfig
 .authorizeHttpRequests((requests) -> {
 permitAllUrl.getUrls().forEach(url -> requests.antMatchers(url).permitAll());
 // 对于登录login 注册register 验证码captchaImage 允许匿名访问
- requests.antMatchers("/login", "/register", "/captchaImage","/app/login","/websocket/**","/ws/**","/app/appLogin",
+ requests.antMatchers("/login", "/register", "/captchaImage","/loginWeb","/websocket/**","/ws/**","/app/appLogin",
 "/app/appWxphoneSmsCode","/app/appLoginPhone","/app/sendSmsAgain","/app/idCardLogin","/app/phoneLogin",
- "/cms/company/listPage","/cms/appUser/noTmlist","/getTjmhToken","/getWwTjmhToken","/getWwTjmHlwToken",
- "/cms/jobApply/zphApply","/cms/jobApply/zphApplyAgree","/actuator/health").permitAll()
+ "/getTjmhToken","/getWwTjmhToken","/getWwTjmHlwToken","/actuator/health").permitAll()
 // 静态资源,可匿名访问
 .antMatchers(HttpMethod.GET, "/", "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/profile/**").permitAll()
 // 移动端公用查询,可匿名访问
@@ -127,12 +140,10 @@ public class SecurityConfig
 .antMatchers("/app/job/**").permitAll()
 //企业信息
 .antMatchers("/app/company/**").permitAll()
- //招聘会信息
- .antMatchers("/app/fair/**").permitAll()
 //.antMatchers("/app/**").permitAll()
 //.antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**").permitAll()
 //正式环境禁用接口
- .antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**","/app/user/list").denyAll()
+ .antMatchers(DENY_URLS).denyAll()
 //放行前端界面
 .antMatchers("/kashi/job-portal/detail/**").permitAll()
 // 除上面外的所有请求全部需要鉴权认证
diff --git a/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/SysLoginService.java b/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/SysLoginService.java
index 1220521..5c59060 100644
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/SysLoginService.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/SysLoginService.java
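Review bot: `/loginWeb` is added to the anonymous `permitAll()` list, so the only thing between an unauthenticated request and the admin token issued by `SysLoginController.loginWeb` (same commit) is that controller's proxy-name comparison. An environment restriction belongs in this configuration where it can be reviewed in one place, not in controller code: either keep `/loginWeb` out of `permitAll()`, or gate it here — for example register the matcher from a `@Profile`-guarded bean or use `hasIpAddress(...)` for the proxy's address instead of `permitAll()`. The matcher is also verb-agnostic; `requests.antMatchers(HttpMethod.POST, "/loginWeb")` narrows it to the only method the controller maps. The `authorizeHttpRequests` lambda continues past this hunk.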
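Review bot: `.antMatchers(DENY_URLS).denyAll()` is registered after `permitAllUrl.getUrls().forEach(... permitAll())` and the `/app/job/**`, `/app/company/**` and static-resource `permitAll()` rules, and Spring Security evaluates URL matchers in registration order with the first match deciding, so any `DENY_URLS` entry that also matches an earlier permit rule (including a URL collected into `PermitAllUrlProperties`, which in RuoYi is annotation-driven) remains reachable. Move the deny rule to the top of the `authorizeHttpRequests` lambda, before `permitAllUrl.getUrls().forEach(...)`: `requests.antMatchers(DENY_URLS).denyAll();`. The lambda begins in the previous hunk, so the exact insertion point lies outside this one; the comment `//正式环境禁用接口` should move with it.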
@@ -145,6 +145,18 @@ public class SysLoginService
 return tokenSiteService.createToken(loginSiteUser);
 }
+ //给浪潮——web模拟登录
+ public String loginWeb(String username, String password){
+ SysUser sysUser = userService.selectUserById(1L);
+ LoginUser loginUser = new LoginUser();
+ loginUser.setUserId(sysUser.getUserId());
+ loginUser.setUser(sysUser);
+ AsyncManager.me().execute(AsyncFactory.recordLogininfor(username, Constants.LOGIN_SUCCESS, MessageUtils.message("user.login.success")));
+ recordLoginInfo(sysUser.getUserId());
+ // 生成token
+ return tokenService.createToken(loginUser);
+ }
+
 /**
 * 根据微信生成的
 * @param appUser
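Review bot: `loginWeb` ignores both `username` and `password` and unconditionally loads `userService.selectUserById(1L)`, so it issues a session for a fixed privileged account with no credential check, and then records `Constants.LOGIN_SUCCESS` under whatever `username` was passed, which makes the login audit trail misleading. If this path must exist, verify the supplied password against the loaded user with the project's password matcher before creating the token, record the audit entry with `sysUser.getUserName()` rather than the unchecked argument, and guard the lookup with `if (sysUser == null) { throw new ServiceException("login target user not found"); }` since a null return currently surfaces as a NullPointerException at `sysUser.getUserId()`. The comment `//给浪潮——web模拟登录` should become a Javadoc that names the consumer, states plainly that no authentication is performed here, and points at the `SecurityConfig` rule that restricts the route, so the method is not reused elsewhere.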