修复漏洞（对报错信息进行自定义，避免泄露系统敏感信息）

ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysLoginController.java

@@ -3,6 +3,7 @@ package com.ruoyi.web.controller.system;
 import java.util.List;
 import java.util.Set;
 
+import com.ruoyi.cms.util.StringUtil;
 import com.ruoyi.common.core.domain.entity.tymh.wwToken.WwTokenResult;
 import com.ruoyi.common.core.domain.entity.tymh.wwToken.WwUserLogin;
 import com.ruoyi.common.core.domain.model.RegisterBody;
@@ -22,6 +23,8 @@ import com.ruoyi.framework.web.service.SysLoginService;
 import com.ruoyi.framework.web.service.SysPermissionService;
 import com.ruoyi.system.service.ISysMenuService;
 
+import javax.servlet.http.HttpServletRequest;
+
 
 /**
  * 登录验证
@@ -63,9 +66,24 @@ public class SysLoginController
     @PostMapping("/app/login")
     public AjaxResult loginApp(@RequestBody LoginBody loginBody)
     {
+        return AjaxResult.error(403, "接口已禁用");
+//        AjaxResult ajax = AjaxResult.success();
+//        // 生成令牌
+//        String token = loginService.loginApp("admin", "admin123");
+//        ajax.put(Constants.TOKEN, token);
+//        return ajax;
+    }
+
+    @PostMapping("/loginWeb")
+    public AjaxResult loginWeb(@RequestBody LoginBody loginBody, HttpServletRequest request)
+    {
+        String proxyServer = StringUtil.getProxyServer(request);
+        if (!"proxy-146".equals(proxyServer)) {
+            return AjaxResult.error(403, "当前环境不允许登录");
+        }
         AjaxResult ajax = AjaxResult.success();
         // 生成令牌
-        String token = loginService.loginApp("admin", "admin123");
+        String token = loginService.loginWeb("admin", "admin123");
         ajax.put(Constants.TOKEN, token);
         return ajax;
     }

ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/app/AppSkillController.java

@@ -38,6 +38,9 @@ public class AppSkillController extends BaseController {
     @ApiOperation("获取技能列表")
     @GetMapping("/list")
     public TableDataInfo list(AppSkill appSkill){
+        if(appSkill.getUserId()==null){
+            return error(400,"无效的用户id!");
+        }
         startPage();
         List<AppSkill> list=appSkillService.getList(appSkill);
         return getDataTable(list);

ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/CmsSkillController.java

@@ -43,6 +43,9 @@ public class CmsSkillController extends BaseController {
     @ApiOperation("获取技能列表")
     @GetMapping("/list")
     public TableDataInfo list(AppSkill appSkill){
+        if(appSkill.getUserId()==null){
+            return error(400,"无效的用户id!");
+        }
         startPage();
         List<AppSkill> list=appSkillService.getList(appSkill);
         return getDataTable(list);

ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/EmployeeConfirmController.java

@@ -37,6 +37,9 @@ public class EmployeeConfirmController extends BaseController {
 //    @PreAuthorize("@ss.hasPermi('cms:employeeConfirm:list')")
     @RequestMapping("/list")
     public TableDataInfo list(EmployeeConfirm employeeConfirm){
+        if(employeeConfirm.getCompanyId()==null){
+            return error(400,"无效的企业id!");
+        }
         List<EmployeeConfirm> list=employeeConfirmService.getEmployeeConfirmList(employeeConfirm);
         return getDataTable(list);
     }

ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/StringUtil.java

@@ -229,7 +229,7 @@ public class StringUtil {
      * @param request
      * @return
      */
-    private static String getProxyServer(HttpServletRequest request) {
+    public static String getProxyServer(HttpServletRequest request) {
         if (request == null) {
             return null;
         }

ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java

@@ -66,6 +66,20 @@ public class SecurityConfig
     @Autowired
     private PermitAllUrlProperties permitAllUrl;
 
+    //全部禁用的高危接口
+    private static final String[] DENY_URLS = {
+            "/swagger-ui.html",
+            "/swagger-resources/**",
+            "/webjars/**",
+            "/*/api-docs/**",
+            "/druid/**",
+            "/app/user/list",
+            "/cms/appskill/list",
+            "/app/appskill/list",
+            "/cms/employeeConfirm/list",
+            "/app/fair/**"
+    };
+
     /**
      * 身份验证实现
      */
@@ -111,10 +125,9 @@ public class SecurityConfig
             .authorizeHttpRequests((requests) -> {
                 permitAllUrl.getUrls().forEach(url -> requests.antMatchers(url).permitAll());
                 // 对于登录login 注册register 验证码captchaImage 允许匿名访问
-                requests.antMatchers("/login", "/register", "/captchaImage","/app/login","/websocket/**","/ws/**","/app/appLogin",
+                requests.antMatchers("/login", "/register", "/captchaImage","/loginWeb","/websocket/**","/ws/**","/app/appLogin",
                                 "/app/appWxphoneSmsCode","/app/appLoginPhone","/app/sendSmsAgain","/app/idCardLogin","/app/phoneLogin",
-                                "/cms/company/listPage","/cms/appUser/noTmlist","/getTjmhToken","/getWwTjmhToken","/getWwTjmHlwToken",
+                                "/getTjmhToken","/getWwTjmhToken","/getWwTjmHlwToken","/actuator/health").permitAll()
-                                "/cms/jobApply/zphApply","/cms/jobApply/zphApplyAgree","/actuator/health").permitAll()
                     // 静态资源，可匿名访问
                     .antMatchers(HttpMethod.GET, "/", "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/profile/**").permitAll()
                     // 移动端公用查询，可匿名访问
@@ -127,12 +140,10 @@ public class SecurityConfig
                     .antMatchers("/app/job/**").permitAll()
                     //企业信息
                     .antMatchers("/app/company/**").permitAll()
-                    //招聘会信息
-                    .antMatchers("/app/fair/**").permitAll()
                     //.antMatchers("/app/**").permitAll()
                     //.antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**").permitAll()
                     //正式环境禁用接口
-                    .antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**","/app/user/list").denyAll()
+                    .antMatchers(DENY_URLS).denyAll()
                     //放行前端界面
                     .antMatchers("/kashi/job-portal/detail/**").permitAll()
                     // 除上面外的所有请求全部需要鉴权认证

ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/SysLoginService.java

@@ -145,6 +145,18 @@ public class SysLoginService
         return tokenSiteService.createToken(loginSiteUser);
     }
 
+    //给浪潮——web模拟登录
+    public String loginWeb(String username, String password){
+        SysUser sysUser = userService.selectUserById(1L);
+        LoginUser loginUser = new LoginUser();
+        loginUser.setUserId(sysUser.getUserId());
+        loginUser.setUser(sysUser);
+        AsyncManager.me().execute(AsyncFactory.recordLogininfor(username, Constants.LOGIN_SUCCESS, MessageUtils.message("user.login.success")));
+        recordLoginInfo(sysUser.getUserId());
+        // 生成token
+        return tokenService.createToken(loginUser);
+    }
+
     /**
      * 根据微信生成的
      * @param appUser