修复漏洞（对报错信息进行自定义，避免泄露系统敏感信息）

2026-04-29 17:12:04 +08:00
parent 6b7d16c400
commit 106c1a0b6f
7 changed files with 58 additions and 8 deletions
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
@@ -66,6 +66,20 @@ public class SecurityConfig
    @Autowired
    private PermitAllUrlProperties permitAllUrl;

+    //全部禁用的高危接口
+    private static final String[] DENY_URLS = {
+            "/swagger-ui.html",
+            "/swagger-resources/**",
+            "/webjars/**",
+            "/*/api-docs/**",
+            "/druid/**",
+            "/app/user/list",
+            "/cms/appskill/list",
+            "/app/appskill/list",
+            "/cms/employeeConfirm/list",
+            "/app/fair/**"
+    };
+
    /**
     * 身份验证实现
     */
@@ -111,10 +125,9 @@ public class SecurityConfig
            .authorizeHttpRequests((requests) -> {
                permitAllUrl.getUrls().forEach(url -> requests.antMatchers(url).permitAll());
                // 对于登录login 注册register 验证码captchaImage 允许匿名访问
-                requests.antMatchers("/login", "/register", "/captchaImage","/app/login","/websocket/**","/ws/**","/app/appLogin",
+                requests.antMatchers("/login", "/register", "/captchaImage","/loginWeb","/websocket/**","/ws/**","/app/appLogin",
                                "/app/appWxphoneSmsCode","/app/appLoginPhone","/app/sendSmsAgain","/app/idCardLogin","/app/phoneLogin",
-                                "/cms/company/listPage","/cms/appUser/noTmlist","/getTjmhToken","/getWwTjmhToken","/getWwTjmHlwToken",
-                                "/cms/jobApply/zphApply","/cms/jobApply/zphApplyAgree","/actuator/health").permitAll()
+                                "/getTjmhToken","/getWwTjmhToken","/getWwTjmHlwToken","/actuator/health").permitAll()
                    // 静态资源，可匿名访问
                    .antMatchers(HttpMethod.GET, "/", "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/profile/**").permitAll()
                    // 移动端公用查询，可匿名访问
@@ -127,12 +140,10 @@ public class SecurityConfig
                    .antMatchers("/app/job/**").permitAll()
                    //企业信息
                    .antMatchers("/app/company/**").permitAll()
-                    //招聘会信息
-                    .antMatchers("/app/fair/**").permitAll()
                    //.antMatchers("/app/**").permitAll()
                    //.antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**").permitAll()
                    //正式环境禁用接口
-                    .antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**","/app/user/list").denyAll()
+                    .antMatchers(DENY_URLS).denyAll()
                    //放行前端界面
                    .antMatchers("/kashi/job-portal/detail/**").permitAll()
                    // 除上面外的所有请求全部需要鉴权认证
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/SysLoginService.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/SysLoginService.java
@@ -145,6 +145,18 @@ public class SysLoginService
        return tokenSiteService.createToken(loginSiteUser);
    }

+    //给浪潮——web模拟登录
+    public String loginWeb(String username, String password){
+        SysUser sysUser = userService.selectUserById(1L);
+        LoginUser loginUser = new LoginUser();
+        loginUser.setUserId(sysUser.getUserId());
+        loginUser.setUser(sysUser);
+        AsyncManager.me().execute(AsyncFactory.recordLogininfor(username, Constants.LOGIN_SUCCESS, MessageUtils.message("user.login.success")));
+        recordLoginInfo(sysUser.getUserId());
+        // 生成token
+        return tokenService.createToken(loginUser);
+    }
+
    /**
     * 根据微信生成的
     * @param appUser