feat: 修复高位漏洞 密码不返回

lh_dev_fifo
chenhc 4 months ago
parent 610047320e
commit 2baf2c4a76

@ -334,4 +334,7 @@ public class Constant {
public static final Integer SK_PRO_DSB_TYPE = 1;//1定数包内部使用
public static final Integer SK_PRO_THR_TYPE = 2;//2项目、组套外部关联
public static final Integer SK_PRO_SS_TYPE = 3;//3术式组套
//密码错误次数
public static final String PASSWORD_ERROR_COUNT = "PasswordErrorCount";
}

@ -62,7 +62,8 @@ public class LoginController extends BaseController {
private CompanyService companyService;
@Resource
private AuthLicenseDao authLicenseDao;
@Resource
RedisUtil redisUtil;
/**
*
@ -82,18 +83,26 @@ public class LoginController extends BaseController {
throw new JsonException(ResultEnum.DATA_NOT, "用户名或密码错误");
}
log.info(loginRequest.getPassword());
log.info(PasswordUtils.authAdminPwd(authAdmin.getPassWord()));
//验证错误了几次
Integer errorCount = (Integer) redisUtil.get(Constant.PASSWORD_ERROR_COUNT + authAdmin.getId());
if (errorCount == null ){
errorCount = 0;
}else {
if (errorCount == 5){
throw new JsonException(ResultEnum.DATA_NOT, "已连续5次输入错误密码账号被锁定30分钟");
}
}
if (PasswordUtils.authAdminPwd(loginRequest.getPassword()).equals(PasswordUtils.authAdminPwd(authAdmin.getPassWord()))
|| loginRequest.getPassword().equals(authAdmin.getPassWord())
|| (loginRequest.getPassword().equals(PasswordUtils.authAdminPwd(authAdmin.getPassWord())))
|| loginRequest.getPassword().equals(authAdmin.getPassWord()) || (loginRequest.getPassword().equals(PasswordUtils.authAdminPwd(authAdmin.getPassWord())))
) {
redisUtil.del(Constant.PASSWORD_ERROR_COUNT+authAdmin.getId());
} else {
if (!PasswordUtils.authAdminPwd(loginRequest.getPassword()).equals(SecureUtil.sha256(authAdmin.getPassWord()))) {
redisUtil.set(Constant.PASSWORD_ERROR_COUNT+authAdmin.getId(), errorCount + 1,30*60);
throw new JsonException(ResultEnum.DATA_NOT, "用户名或密码错误");
}
}
if (authAdmin.getUserFlag() == 0) {
throw new JsonException(ResultEnum.DATA_NOT, "该用户已被禁用!");
}
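Review bot: The credential check at L38-L41 accepts a submitted password that equals the stored value as-is, or that equals `PasswordUtils.authAdminPwd(authAdmin.getPassWord())`, so whatever the password column holds is itself usable as a login credential, and the `else` branch at L45 lets the request fall through to success (without throwing or clearing the counter) whenever `authAdminPwd(input)` equals `SecureUtil.sha256(stored)`. Collapse this to a single comparison of the representation the column actually stores (L41 looks like a duplicate of L39-L40, possibly an artifact of the rendered page), and compare with `MessageDigest.isEqual` rather than `String.equals` so the check is constant-time. The lockout test at L34 should read `if (errorCount >= 5)`: the read at L30 and the write at L46 are a non-atomic get/increment/set, so two concurrent failures can push the counter past 5 and the account is then never locked; an atomic increment on the Redis side would close that, if `RedisUtil` offers one. If L27-L28 survive on the new side they write the submitted password in clear to the log and should be dropped, but the page has lost the +/- markers so I cannot tell from here. The enclosing login method starts and ends outside the hunk.
```java
// … unchanged: user lookup and errorCount read …
if (errorCount >= 5) {
    throw new JsonException(ResultEnum.DATA_NOT, "已连续5次输入错误密码账号被锁定30分钟");
}
// TODO confirm which representation the password column holds; keep only the arm that
// matches it. Never accept the stored value, or a hash of it, as the submitted password.
boolean matches = MessageDigest.isEqual(
        PasswordUtils.authAdminPwd(loginRequest.getPassword()).getBytes(StandardCharsets.UTF_8),
        PasswordUtils.authAdminPwd(authAdmin.getPassWord()).getBytes(StandardCharsets.UTF_8));
if (!matches) {
    redisUtil.set(Constant.PASSWORD_ERROR_COUNT + authAdmin.getId(), errorCount + 1, 30 * 60);
    throw new JsonException(ResultEnum.DATA_NOT, "用户名或密码错误");
}
redisUtil.del(Constant.PASSWORD_ERROR_COUNT + authAdmin.getId());
// … unchanged: userFlag check and the rest of the login flow …
```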
