diff --git a/src/main/java/com/ruoyi/common/constant/ShiroConstants.java b/src/main/java/com/ruoyi/common/constant/ShiroConstants.java
index a0583536..dfce28d3 100644
--- a/src/main/java/com/ruoyi/common/constant/ShiroConstants.java
+++ b/src/main/java/com/ruoyi/common/constant/ShiroConstants.java
@@ -45,7 +45,7 @@ public interface ShiroConstants
     /**
      * 验证码开关
      */
-    public static final String CURRENT_EBABLED = "captchaEbabled";
+    public static final String CURRENT_ENABLED = "captchaEnabled";
 
     /**
      * 验证码开关
diff --git a/src/main/java/com/ruoyi/common/xss/XssFilter.java b/src/main/java/com/ruoyi/common/xss/XssFilter.java
index 50179423..4495ca49 100644
--- a/src/main/java/com/ruoyi/common/xss/XssFilter.java
+++ b/src/main/java/com/ruoyi/common/xss/XssFilter.java
@@ -11,7 +11,6 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
-import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import com.ruoyi.common.utils.StringUtils;
@@ -21,7 +20,6 @@ import com.ruoyi.common.utils.StringUtils;
  *
  * @author ruoyi
  */
-@WebFilter(filterName = "xssFilter", urlPatterns = "/system/*")
 public class XssFilter implements Filter
 {
     /**
@@ -32,14 +30,14 @@ public class XssFilter implements Filter
     /**
      * xss过滤开关
      */
-    public boolean xssEbabled = false;
+    public boolean enabled = false;
 
     @Override
     public void init(FilterConfig filterConfig) throws ServletException
     {
         String tempExcludes = filterConfig.getInitParameter("excludes");
-        String tempXssEbabled = filterConfig.getInitParameter("xssEbabled");
-        if (tempExcludes != null)
+        String tempEnabled = filterConfig.getInitParameter("enabled");
+        if (StringUtils.isNotEmpty(tempExcludes))
         {
             String[] url = tempExcludes.split(",");
             for (int i = 0; url != null && i < url.length; i++)
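Review bot: `String[] url = tempExcludes.split(",");` hands each raw piece to the exclude list untrimmed (the `excludes.add(url[i])` call sits in the next hunk), so a value such as `/system/notice/*, /img/*` produces a pattern with a leading space that never matches; the effect is fail-closed (the path stays filtered) but invisible to whoever edits `xss.excludes`. Trimming and dropping empty pieces, `for (String p : tempExcludes.split(",")) { String pattern = p.trim(); if (!pattern.isEmpty()) excludes.add(pattern); }`, makes the property do what it looks like it does. Separately, `public boolean enabled = false;` is a public mutable switch on a security filter; `private` (with a getter if anything outside needs it) keeps it under this class's control. The body of init begins in this hunk and ends in the next one.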
@@ -47,9 +45,9 @@ public class XssFilter implements Filter
                 excludes.add(url[i]);
             }
         }
-        if (StringUtils.isNotEmpty(tempXssEbabled))
+        if (StringUtils.isNotEmpty(tempEnabled))
         {
-            xssEbabled = Boolean.valueOf(tempXssEbabled);
+            enabled = Boolean.valueOf(tempEnabled);
         }
     }
 
@@ -70,13 +68,13 @@ public class XssFilter implements Filter
 
     private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response)
     {
-        if (excludes == null || excludes.isEmpty())
+        if (!enabled)
         {
-            return false;
+            return true;
         }
-        if (!xssEbabled)
+        if (excludes == null || excludes.isEmpty())
         {
-            return true;
+            return false;
         }
         String url = request.getServletPath();
         for (String pattern : excludes)
diff --git a/src/main/java/com/ruoyi/framework/config/FilterConfig.java b/src/main/java/com/ruoyi/framework/config/FilterConfig.java
index 5ef85396..11b61935 100644
--- a/src/main/java/com/ruoyi/framework/config/FilterConfig.java
+++ b/src/main/java/com/ruoyi/framework/config/FilterConfig.java
@@ -2,10 +2,12 @@ package com.ruoyi.framework.config;
 
 import java.util.Map;
 import javax.servlet.DispatcherType;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import com.google.common.collect.Maps;
+import com.ruoyi.common.utils.StringUtils;
 import com.ruoyi.common.xss.XssFilter;
 
 /**
@@ -16,6 +18,15 @@ import com.ruoyi.common.xss.XssFilter;
 @Configuration
 public class FilterConfig
 {
+    @Value("${xss.enabled}")
+    private String enabled;
+
+    @Value("${xss.excludes}")
+    private String excludes;
+
+    @Value("${xss.urlPatterns}")
+    private String urlPatterns;
+
     @SuppressWarnings({ "rawtypes", "unchecked" })
     @Bean
     public FilterRegistrationBean xssFilterRegistration()
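Review bot: `enabled = Boolean.valueOf(tempEnabled);` turns any value other than a case-insensitive `true` (`ture`, `yes`, `1`, ...) into false, so a typo in `xss.enabled` silently switches the whole XSS filter off and nothing in the logs says so. For a security switch init should fail closed on input it does not recognise rather than coerce it: `if (!"true".equalsIgnoreCase(tempEnabled) && !"false".equalsIgnoreCase(tempEnabled)) { throw new ServletException("xssFilter init-param 'enabled' must be true or false, got '" + tempEnabled + "'"); }` before the assignment, plus one startup log line stating the effective state. The init method starts in the previous hunk.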
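Review bot: handleExcludeURL has no Javadoc and its boolean reads backwards — `true` means the request is *not* filtered — which is exactly why the reordered checks now return `true` for `!enabled` and `false` for an empty exclude list; the order is the right fail-closed one, but note it changes behaviour when the filter is disabled with no excludes configured (previously such requests were still wrapped, now none are). A one-line contract avoids the next person flipping it again: `/** Returns true when the request must bypass XSS wrapping: the filter is disabled, or the servlet path matches a configured exclude pattern. */`. The match is against `request.getServletPath()` and the pattern loop continues past the hunk; if it is a prefix match, an entry like `/system/notice/*` exempts every write endpoint under that prefix, so each exclude should be treated as a deliberate hole in the defence.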
@@ -23,12 +34,12 @@ public class FilterConfig
         FilterRegistrationBean registration = new FilterRegistrationBean();
         registration.setDispatcherTypes(DispatcherType.REQUEST);
         registration.setFilter(new XssFilter());
-        registration.addUrlPatterns("/*");
+        registration.addUrlPatterns(StringUtils.split(urlPatterns, ","));
         registration.setName("xssFilter");
         registration.setOrder(Integer.MAX_VALUE);
         Map initParameters = Maps.newHashMap();
-        initParameters.put("excludes", "/system/notice/*,/img/*,/css/*,/fonts/*,/js/*,/ajax/*,/ruoyi/*");
-        initParameters.put("xssEbabled", "false");
+        initParameters.put("excludes", excludes);
+        initParameters.put("enabled", enabled);
         registration.setInitParameters(initParameters);
         return registration;
     }
diff --git a/src/main/java/com/ruoyi/framework/config/ShiroConfig.java b/src/main/java/com/ruoyi/framework/config/ShiroConfig.java
index 866115bb..33228e43 100644
--- a/src/main/java/com/ruoyi/framework/config/ShiroConfig.java
+++ b/src/main/java/com/ruoyi/framework/config/ShiroConfig.java
@@ -46,8 +46,8 @@ public class ShiroConfig
     private int validationInterval;
 
     // 验证码开关
-    @Value("${shiro.user.captchaEbabled}")
-    private boolean captchaEbabled;
+    @Value("${shiro.user.captchaEnabled}")
+    private boolean captchaEnabled;
 
     // 验证码类型
     @Value("${shiro.user.captchaType}")
@@ -297,7 +297,7 @@ public class ShiroConfig
     public CaptchaValidateFilter captchaValidateFilter()
     {
         CaptchaValidateFilter captchaValidateFilter = new CaptchaValidateFilter();
-        captchaValidateFilter.setCaptchaEbabled(captchaEbabled);
+        captchaValidateFilter.setCaptchaEnabled(captchaEnabled);
         captchaValidateFilter.setCaptchaType(captchaType);
         return captchaValidateFilter;
     }
diff --git a/src/main/java/com/ruoyi/framework/shiro/web/filter/captcha/CaptchaValidateFilter.java b/src/main/java/com/ruoyi/framework/shiro/web/filter/captcha/CaptchaValidateFilter.java
index 3235e7d9..efcfc00c 100644
--- a/src/main/java/com/ruoyi/framework/shiro/web/filter/captcha/CaptchaValidateFilter.java
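Review bot: `registration.addUrlPatterns(StringUtils.split(urlPatterns, ","));` replaces the unconditional `/*` mapping, so the filter now runs only for the prefixes listed in `xss.urlPatterns`; every controller mounted elsewhere, and any module added later under a new prefix, gets no XSS filtering by default. The default-deny shape is to keep `/*` as the mapping and put static resources in `excludes`; if the narrower mapping is intended, the property must be documented as the complete list of protected paths and reviewed whenever a controller prefix is added. The split also does not trim, so `/system/*, /monitor/*` yields a pattern with a leading space that the container presumably rejects at startup — fail-closed but obscure; `Arrays.stream(StringUtils.split(urlPatterns, ",")).map(String::trim).filter(s -> !s.isEmpty()).toArray(String[]::new)` (needs `java.util.Arrays`) before the call avoids that, and an empty result should fall back to `/*` rather than rely on the registration bean's default.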
+++ b/src/main/java/com/ruoyi/framework/shiro/web/filter/captcha/CaptchaValidateFilter.java
@@ -20,16 +20,16 @@ public class CaptchaValidateFilter extends AccessControlFilter
     /**
      * 是否开启验证码
      */
-    private boolean captchaEbabled = true;
+    private boolean captchaEnabled = true;
 
     /**
      * 验证码类型
      */
     private String captchaType = "math";
 
-    public void setCaptchaEbabled(boolean captchaEbabled)
+    public void setCaptchaEnabled(boolean captchaEnabled)
     {
-        this.captchaEbabled = captchaEbabled;
+        this.captchaEnabled = captchaEnabled;
     }
 
     public void setCaptchaType(String captchaType)
@@ -40,7 +40,7 @@ public class CaptchaValidateFilter extends AccessControlFilter
     @Override
     public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception
     {
-        request.setAttribute(ShiroConstants.CURRENT_EBABLED, captchaEbabled);
+        request.setAttribute(ShiroConstants.CURRENT_ENABLED, captchaEnabled);
         request.setAttribute(ShiroConstants.CURRENT_TYPE, captchaType);
         return super.onPreHandle(request, response, mappedValue);
     }
@@ -51,7 +51,7 @@ public class CaptchaValidateFilter extends AccessControlFilter
     {
         HttpServletRequest httpServletRequest = (HttpServletRequest) request;
         // 验证码禁用 或不是表单提交 允许访问
-        if (captchaEbabled == false || !"post".equals(httpServletRequest.getMethod().toLowerCase()))
+        if (captchaEnabled == false || !"post".equals(httpServletRequest.getMethod().toLowerCase()))
         {
             return true;
         }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index f26c2792..a1c0715a 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -40,6 +40,7 @@ spring:
   thymeleaf:
     mode: HTML
     encoding: utf-8
+    # 禁用缓存
     cache: false
   messages:
     #国际化资源文件路径
@@ -82,7 +83,7 @@ shiro:
     # 首页地址
     indexUrl: /index
     # 验证码开关
-    captchaEbabled: true
+    captchaEnabled: true
     # 验证码类型 math 数组计算 char 字符
     captchaType: math
   cookie:
@@ -101,6 +102,14 @@ shiro:
     dbSyncPeriod: 1
     # 相隔多久检查一次session的有效性,默认就是10分钟
     validationInterval: 10
+# 防止XSS攻击
+xss:
+  # 过滤开关
+  enabled: true
+  # 排除链接(多个用逗号分隔)
+  excludes: /system/notice/*
+  # 匹配链接
+  urlPatterns: /system/*,/monitor/*,/tool/*
 # 代码生成
 gen:
   # 作者
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index 3856233a..165843a9 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -50,7 +50,7 @@
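Review bot: the new `xss` block does not state what its keys mean for coverage, and the combination is easy to misread: only paths matching `urlPatterns` are filtered at all, and `excludes` punches holes inside those, so `excludes: /system/notice/*` leaves every request under /system/notice — including whatever creates or edits notice content — entirely unfiltered. If that content is later rendered as HTML, safety then rests on output-side sanitisation, which this commit does not show. A comment on each key makes the trade-off explicit, e.g. above `excludes`: `# Paths listed here receive NO XSS filtering; input accepted on them must be sanitised or escaped where it is rendered`, and above `urlPatterns`: `# Only these prefixes are filtered; a controller mounted under any other prefix is unprotected`.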

你若不离不弃,我必生死相依

-
+