feat: 修复高位漏洞 密码不返回

lh_dev_fifo
chenhc 4 months ago
parent 610047320e
commit 2baf2c4a76

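--- a/<PATH-NOT-SHOWN>/Constant.java
+++ b/<PATH-NOT-SHOWN>/Constant.java
@@ -334,4 +334,7 @@ public class Constant {
 public static final Integer SK_PRO_DSB_TYPE = 1;//1定数包内部使用
 public static final Integer SK_PRO_THR_TYPE = 2;//2项目、组套外部关联
 public static final Integer SK_PRO_SS_TYPE = 3;//3术式组套
+//密码错误次数
+public static final String PASSWORD_ERROR_COUNT = "PasswordErrorCount";
 }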

@ -62,7 +62,8 @@ public class LoginController extends BaseController {
private CompanyService companyService; private CompanyService companyService;
@Resource @Resource
private AuthLicenseDao authLicenseDao; private AuthLicenseDao authLicenseDao;
@Resource
RedisUtil redisUtil;
/** /**
* *
@ -82,18 +83,26 @@ public class LoginController extends BaseController {
throw new JsonException(ResultEnum.DATA_NOT, "用户名或密码错误"); throw new JsonException(ResultEnum.DATA_NOT, "用户名或密码错误");
} }
log.info(loginRequest.getPassword()); //验证错误了几次
log.info(PasswordUtils.authAdminPwd(authAdmin.getPassWord())); Integer errorCount = (Integer) redisUtil.get(Constant.PASSWORD_ERROR_COUNT + authAdmin.getId());
if (errorCount == null ){
errorCount = 0;
}else {
if (errorCount == 5){
throw new JsonException(ResultEnum.DATA_NOT, "已连续5次输入错误密码账号被锁定30分钟");
}
}
if (PasswordUtils.authAdminPwd(loginRequest.getPassword()).equals(PasswordUtils.authAdminPwd(authAdmin.getPassWord())) if (PasswordUtils.authAdminPwd(loginRequest.getPassword()).equals(PasswordUtils.authAdminPwd(authAdmin.getPassWord()))
|| loginRequest.getPassword().equals(authAdmin.getPassWord()) || loginRequest.getPassword().equals(authAdmin.getPassWord()) || (loginRequest.getPassword().equals(PasswordUtils.authAdminPwd(authAdmin.getPassWord())))
|| (loginRequest.getPassword().equals(PasswordUtils.authAdminPwd(authAdmin.getPassWord())))
) { ) {
redisUtil.del(Constant.PASSWORD_ERROR_COUNT+authAdmin.getId());
} else { } else {
if (!PasswordUtils.authAdminPwd(loginRequest.getPassword()).equals(SecureUtil.sha256(authAdmin.getPassWord()))) { if (!PasswordUtils.authAdminPwd(loginRequest.getPassword()).equals(SecureUtil.sha256(authAdmin.getPassWord()))) {
redisUtil.set(Constant.PASSWORD_ERROR_COUNT+authAdmin.getId(), errorCount + 1,30*60);
throw new JsonException(ResultEnum.DATA_NOT, "用户名或密码错误"); throw new JsonException(ResultEnum.DATA_NOT, "用户名或密码错误");
} }
} }
if (authAdmin.getUserFlag() == 0) { if (authAdmin.getUserFlag() == 0) {
throw new JsonException(ResultEnum.DATA_NOT, "该用户已被禁用!"); throw new JsonException(ResultEnum.DATA_NOT, "该用户已被禁用!");
} }
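Review bot: The failure counter is updated with a non-atomic read-modify-write — `redisUtil.get(...)` at the top of the hunk followed by `redisUtil.set(..., errorCount + 1, 30*60)` in the else branch — so concurrent failed attempts against the same account can overwrite each other's increment and the count may never reach 5; if RedisUtil exposes an atomic increment (Redis INCR with an EXPIRE), that should replace the get/set pair. The threshold guard should be `if (errorCount >= 5)` rather than `== 5`, so a stored value above the threshold still locks instead of being treated as unlocked. The key expression `Constant.PASSWORD_ERROR_COUNT + authAdmin.getId()` is built three times in this hunk; compute it once as `String errorKey = Constant.PASSWORD_ERROR_COUNT + authAdmin.getId();` and reuse it, which also makes the `(Integer)` cast on the get easier to review against whatever type RedisUtil actually returns. The lockout message "已连续5次输入错误密码账号被锁定30分钟" is only reachable after the account lookup succeeded, so its different wording from the generic "用户名或密码错误" response tells a caller which usernames exist — consider returning the generic message and logging the lockout server-side. The login method starts and ends outside this hunk.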
