|
|
@@ -106,8 +106,7 @@ public class SecurityInterceptor extends AbstractSecurityInterceptor implements
|
|
|
* @throws IOException
|
|
|
* @throws ServletException
|
|
|
*/
|
|
|
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
|
|
|
- ServletException {
|
|
|
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
|
|
|
HttpServletRequest httpRequest = (HttpServletRequest) request;
|
|
|
HttpServletResponse httpResponse = (HttpServletResponse) response;
|
|
|
// 账号密码自动登录
|
|
|
@@ -116,7 +115,22 @@ public class SecurityInterceptor extends AbstractSecurityInterceptor implements
|
|
|
accessTokenLogin(httpRequest);
|
|
|
logSession(httpRequest);
|
|
|
User user = SystemSession.getUser();
|
|
|
- checkUser(httpRequest, httpResponse, user);
|
|
|
+ // 判断session的用户信息是否与Authentication一致
|
|
|
+ if (user == null) {// 未登录则要求登录
|
|
|
+ logoutSession();
|
|
|
+ if (!SecurityConstant.AUTHENTICATION_URL.equals(httpRequest.getServletPath()))
|
|
|
+ httpResponse.sendRedirect(httpRequest.getContextPath() + SecurityConstant.LOGIN_URL);
|
|
|
+ return;
|
|
|
+ }
|
|
|
+ Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
|
|
|
+ if (authentication != null && authentication.isAuthenticated()
|
|
|
+ && !authentication.getName().equals(String.valueOf(user.getUserUU()))) {// 用户信息与Authentication不一致
|
|
|
+ logger.error(String.format("用户信息%s@%s与Authentication信息%s@%s不一致", user.getUserUU(), user.getIp(), authentication.getName(),
|
|
|
+ AgentUtils.getIp(httpRequest)));
|
|
|
+ logoutSession();
|
|
|
+ httpResponse.sendRedirect(httpRequest.getContextPath() + SecurityConstant.LOGIN_URL);
|
|
|
+ return;
|
|
|
+ }
|
|
|
if (user.isSys()) {// 超级用户无需验证权限
|
|
|
chain.doFilter(request, response);
|
|
|
logoutSession();
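Review bot: When the session user is null and the request targets `SecurityConstant.AUTHENTICATION_URL`, the new branch skips the redirect but still reaches the `return;`, so the request ends without `chain.doFilter(request, response)` ever running and the client receives an empty response. If the authentication endpoint is meant to be served by a handler further down the chain rather than by the auto-login calls at the top of the hunk, the branch should forward before returning, e.g. `if (SecurityConstant.AUTHENTICATION_URL.equals(httpRequest.getServletPath())) { chain.doFilter(request, response); return; }` and only redirect for every other path. The identity-consistency check is also skipped entirely when `authentication` is null or not authenticated, so a session that holds a `User` but no Spring `Authentication` proceeds straight to the authorization branch below; whether `SystemSession.getUser()` can be populated without an `Authentication` is not visible here, so that gap is worth confirming rather than assumed safe. The body of `doFilter` continues past the end of this hunk.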
|
|
|
@@ -135,28 +149,6 @@ public class SecurityInterceptor extends AbstractSecurityInterceptor implements
|
|
|
}
|
|
|
}
|
|
|
|
|
|
- /**
|
|
|
- * 判断session的用户信息是否与Authentication一致
|
|
|
- *
|
|
|
- * @throws IOException
|
|
|
- */
|
|
|
- private void checkUser(HttpServletRequest httpRequest, HttpServletResponse httpResponse, User user)
|
|
|
- throws IOException {
|
|
|
- if (user == null) {// 未登录则要求登录
|
|
|
- logoutSession();
|
|
|
- if (!SecurityConstant.AUTHENTICATION_URL.equals(httpRequest.getServletPath()))
|
|
|
- httpResponse.sendRedirect(httpRequest.getContextPath() + SecurityConstant.LOGIN_URL);
|
|
|
- }
|
|
|
- Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
|
|
|
- if (authentication != null && authentication.isAuthenticated()
|
|
|
- && !authentication.getName().equals(String.valueOf(user.getUserUU()))) {// 用户信息与Authentication不一致
|
|
|
- logger.error(String.format("用户信息%s@%s与Authentication信息%s@%s不一致", user.getUserUU(), user.getIp(),
|
|
|
- authentication.getName(), AgentUtils.getIp(httpRequest)));
|
|
|
- logoutSession();
|
|
|
- httpResponse.sendRedirect(httpRequest.getContextPath() + SecurityConstant.LOGIN_URL);
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
/**
|
|
|
*
|
|
|
*/
|
|
|
@@ -282,8 +274,7 @@ public class SecurityInterceptor extends AbstractSecurityInterceptor implements
|
|
|
}
|
|
|
if (user != null && user.getUserPwd().equals(Md5Utils.encode(password, user.getUserUU()))) {
|
|
|
Collection<GrantedAuthority> array = getGrantedAuthorities(user);
|
|
|
- UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUserUU(),
|
|
|
- password, array);
|
|
|
+ UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUserUU(), password, array);
|
|
|
Authentication authenticatedUser = authenticationManager.authenticate(token);
|
|
|
SecurityContextHolder.getContext().setAuthentication(authenticatedUser);
|
|
|
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
|
|
|
@@ -318,8 +309,7 @@ public class SecurityInterceptor extends AbstractSecurityInterceptor implements
|
|
|
String type = request.getParameter(typeParam);
|
|
|
String enUU = request.getParameter(enParam);
|
|
|
if ("manage".equals(type) && enUU != null) {
|
|
|
- if (user != null && UserCreater.isVirtual(user)
|
|
|
- && enUU.equals(String.valueOf(user.getEnterprise().getUu())))
|
|
|
+ if (user != null && UserCreater.isVirtual(user) && enUU.equals(String.valueOf(user.getEnterprise().getUu())))
|
|
|
return;
|
|
|
Enterprise enterprise = enterpriseService.findById(Long.parseLong(enUU));
|
|
|
if (enterprise != null) {
|