|
|
@@ -16,6 +16,7 @@ import javax.servlet.ServletResponse;
|
|
|
import javax.servlet.http.HttpServletRequest;
|
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
|
|
|
+import org.apache.log4j.Logger;
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
|
import org.springframework.beans.factory.annotation.Qualifier;
|
|
|
import org.springframework.mobile.device.Device;
|
|
|
@@ -92,6 +93,8 @@ public class SecurityInterceptor extends AbstractSecurityInterceptor implements
|
|
|
|
|
|
private final DeviceResolver deviceResolver;
|
|
|
|
|
|
+ private static final Logger logger = Logger.getLogger(SecurityInterceptor.class);
|
|
|
+
|
|
|
public SecurityInterceptor() {
|
|
|
this.deviceResolver = new LiteDeviceResolver();
|
|
|
}
|
|
|
@@ -103,7 +106,8 @@ public class SecurityInterceptor extends AbstractSecurityInterceptor implements
|
|
|
* @throws IOException
|
|
|
* @throws ServletException
|
|
|
*/
|
|
|
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
|
|
|
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
|
|
|
+ ServletException {
|
|
|
HttpServletRequest httpRequest = (HttpServletRequest) request;
|
|
|
HttpServletResponse httpResponse = (HttpServletResponse) response;
|
|
|
// 账号密码自动登录
|
|
|
@@ -112,12 +116,7 @@ public class SecurityInterceptor extends AbstractSecurityInterceptor implements
|
|
|
accessTokenLogin(httpRequest);
|
|
|
logSession(httpRequest);
|
|
|
User user = SystemSession.getUser();
|
|
|
- if (user == null) {// 未登录则要求登录
|
|
|
- logoutSession();
|
|
|
- if (!SecurityConstant.AUTHENTICATION_URL.equals(httpRequest.getServletPath()))
|
|
|
- httpResponse.sendRedirect(httpRequest.getContextPath() + SecurityConstant.LOGIN_URL);
|
|
|
- return;
|
|
|
- }
|
|
|
+ checkUser(httpRequest, httpResponse, user);
|
|
|
if (user.isSys()) {// 超级用户无需验证权限
|
|
|
chain.doFilter(request, response);
|
|
|
logoutSession();
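Review bot: After `checkUser(httpRequest, httpResponse, user);` doFilter no longer stops — the removed block ended with `return;`, but the new call returns void, so a null `user` reaches `user.isSys()` on the very next line and throws NullPointerException, and in the Authentication-mismatch case handled inside checkUser the remainder of doFilter (including the `chain.doFilter(request, response)` visible here) still runs after a redirect has already been issued. Have checkUser report whether the request may proceed and exit early here: `if (!checkUser(httpRequest, httpResponse, user)) { return; }`; the matching return-type change belongs in the later hunk that defines checkUser. doFilter starts and ends outside this hunk.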
|
|
|
@@ -136,6 +135,28 @@ public class SecurityInterceptor extends AbstractSecurityInterceptor implements
|
|
|
}
|
|
|
}
|
|
|
|
|
|
+ /**
|
|
|
+ * 判断session的用户信息是否与Authentication一致
|
|
|
+ *
|
|
|
+ * @throws IOException
|
|
|
+ */
|
|
|
+ private void checkUser(HttpServletRequest httpRequest, HttpServletResponse httpResponse, User user)
|
|
|
+ throws IOException {
|
|
|
+ if (user == null) {// 未登录则要求登录
|
|
|
+ logoutSession();
|
|
|
+ if (!SecurityConstant.AUTHENTICATION_URL.equals(httpRequest.getServletPath()))
|
|
|
+ httpResponse.sendRedirect(httpRequest.getContextPath() + SecurityConstant.LOGIN_URL);
|
|
|
+ }
|
|
|
+ Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
|
|
|
+ if (authentication != null && authentication.isAuthenticated()
|
|
|
+ && !authentication.getName().equals(String.valueOf(user.getUserUU()))) {// 用户信息与Authentication不一致
|
|
|
+ logger.error(String.format("用户信息%s@%s与Authentication信息%s@%s不一致", user.getUserUU(), user.getIp(),
|
|
|
+ authentication.getName(), AgentUtils.getIp(httpRequest)));
|
|
|
+ logoutSession();
|
|
|
+ httpResponse.sendRedirect(httpRequest.getContextPath() + SecurityConstant.LOGIN_URL);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
/**
|
|
|
*
|
|
|
*/
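Review bot: The `user == null` branch of checkUser does not return after the redirect, so execution falls through to `!authentication.getName().equals(String.valueOf(user.getUserUU()))`, which dereferences the null user whenever an authenticated Authentication is present; the method also returns void, so the caller in doFilter cannot tell that a redirect was sent and a logout performed. Change the signature to `private boolean checkUser(HttpServletRequest httpRequest, HttpServletResponse httpResponse, User user)`, end both failure branches with `return false;` (keeping the existing redirect/logout lines), and finish the method with `return true;`, so doFilter can stop on false. The Javadoc should then state the contract in place of the bare `@throws IOException`: `@return true when the session user is consistent with the Authentication and filtering may continue; false when the session was cleared and (unless the request targets the authentication URL) a redirect to the login page was sent`, plus `@param` tags for the three parameters.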
|
|
|
@@ -261,7 +282,8 @@ public class SecurityInterceptor extends AbstractSecurityInterceptor implements
|
|
|
}
|
|
|
if (user != null && user.getUserPwd().equals(Md5Utils.encode(password, user.getUserUU()))) {
|
|
|
Collection<GrantedAuthority> array = getGrantedAuthorities(user);
|
|
|
- UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUserUU(), password, array);
|
|
|
+ UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUserUU(),
|
|
|
+ password, array);
|
|
|
Authentication authenticatedUser = authenticationManager.authenticate(token);
|
|
|
SecurityContextHolder.getContext().setAuthentication(authenticatedUser);
|
|
|
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
|
|
|
@@ -296,7 +318,8 @@ public class SecurityInterceptor extends AbstractSecurityInterceptor implements
|
|
|
String type = request.getParameter(typeParam);
|
|
|
String enUU = request.getParameter(enParam);
|
|
|
if ("manage".equals(type) && enUU != null) {
|
|
|
- if (user != null && UserCreater.isVirtual(user) && enUU.equals(String.valueOf(user.getEnterprise().getUu())))
|
|
|
+ if (user != null && UserCreater.isVirtual(user)
|
|
|
+ && enUU.equals(String.valueOf(user.getEnterprise().getUu())))
|
|
|
return;
|
|
|
Enterprise enterprise = enterpriseService.findById(Long.parseLong(enUU));
|
|
|
if (enterprise != null) {
|