🔒 修复用户登陆后将密文密码返回前台的安全隐患问题
@@ -2,6 +2,7 @@ package com.hccake.ballcat.admin.modules.sys.model.converter;
|
||||
|
||||
import com.hccake.ballcat.admin.modules.sys.model.dto.SysUserDTO;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.entity.SysUser;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.vo.SysUserVO;
|
||||
import org.mapstruct.Mapper;
|
||||
import org.mapstruct.factory.Mappers;
|
||||
|
||||
@@ -17,20 +18,16 @@ public interface SysUserConverter {
|
||||
|
||||
/**
|
||||
* 转换DTO 为 PO
|
||||
* @param sysUserDTO
|
||||
* @return
|
||||
* @param sysUserDTO 系统用户DTO
|
||||
* @return SysUser 系统用户
|
||||
*/
|
||||
// @Mapping(target = "password", expression = "java( encodePassword(sysUserDTO) )")
|
||||
SysUser dtoToPo(SysUserDTO sysUserDTO);
|
||||
|
||||
/**
|
||||
* 将前端传输密码进行加解密
|
||||
* @param sysUserDTO
|
||||
* @return
|
||||
*/
|
||||
/*
|
||||
* default String encodePassword(SysUserDTO sysUserDTO){ String pass =
|
||||
* sysUserDTO.getPass(); return "encode"+pass; }
|
||||
* PO 转 DTO
|
||||
* @param sysUser 系统用户
|
||||
* @return SysUserVO 系统用户VO
|
||||
*/
|
||||
SysUserVO poToVo(SysUser sysUser);
|
||||
|
||||
}
|
||||
|
||||
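Review bot: The Javadoc above `SysUserVO poToVo(SysUser sysUser);` says `PO 转 DTO` although the method produces a VO; change it to `* PO 转 VO` and say why the mapping exists, e.g. `* Outward-facing view of a user. SysUserVO deliberately has no password field, so this mapping is what keeps the stored hash out of API responses and token payloads.` The commented-out `@Mapping(target = "password", …)` line and the `/* default String encodePassword … */` block are dead code that a reader may mistake for active behaviour; delete them rather than leave them beside the new mapping. Because MapStruct maps by property name, the protection here depends entirely on SysUserVO never gaining a `password` property, which is worth stating in the comment so that a later field addition is reviewed as a security change.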
@@ -1,4 +1,4 @@
|
||||
package com.hccake.ballcat.admin.modules.sys.model.vo;
|
||||
package com.hccake.ballcat.admin.modules.sys.model.dto;
|
||||
|
||||
import com.hccake.ballcat.admin.modules.sys.model.entity.SysUser;
|
||||
import io.swagger.annotations.ApiModel;
|
||||
@@ -9,11 +9,13 @@ import java.io.Serializable;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* @author
|
||||
* 用户信息
|
||||
*
|
||||
* @author Hccake
|
||||
*/
|
||||
@Data
|
||||
@ApiModel(value = "用户信息")
|
||||
public class UserInfo implements Serializable {
|
||||
public class UserInfoDTO implements Serializable {
|
||||
|
||||
/**
|
||||
* 用户基本信息
|
||||
@@ -1,12 +1,11 @@
|
||||
package com.hccake.ballcat.admin.modules.sys.model.entity;
|
||||
|
||||
import com.baomidou.mybatisplus.annotation.*;
|
||||
import com.baomidou.mybatisplus.extension.activerecord.Model;
|
||||
import io.swagger.annotations.ApiModel;
|
||||
import io.swagger.annotations.ApiModelProperty;
|
||||
import lombok.Data;
|
||||
import lombok.EqualsAndHashCode;
|
||||
|
||||
import java.io.Serializable;
|
||||
import java.time.LocalDateTime;
|
||||
|
||||
/**
|
||||
@@ -17,17 +16,16 @@ import java.time.LocalDateTime;
|
||||
*/
|
||||
@Data
|
||||
@TableName("sys_user")
|
||||
@EqualsAndHashCode(callSuper = true)
|
||||
@ApiModel(value = "系统用户表")
|
||||
public class SysUser extends Model<SysUser> {
|
||||
public class SysUser implements Serializable {
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
/**
|
||||
* 主键id
|
||||
* 用户ID
|
||||
*/
|
||||
@TableId
|
||||
@ApiModelProperty(value = "主键id")
|
||||
@ApiModelProperty(value = "用户ID")
|
||||
private Integer userId;
|
||||
|
||||
/**
|
||||
|
||||
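Review bot: `@EqualsAndHashCode(callSuper = true)` cannot remain on `SysUser` once the class declares `implements Serializable` instead of `extends Model<SysUser>`, because Lombok reports an error for a super call to `java.lang.Object`; if that annotation line is still on the new side, drop it or change it to `@EqualsAndHashCode(callSuper = false)`. The rendering shows the annotation without a paired replacement line, so whether it was removed cannot be told from here. Dropping the ActiveRecord base class also removes the inherited `insert()`/`updateById()`-style calls, so any caller elsewhere that used them on a `SysUser` instance needs checking. The rest of the entity's fields lie outside this hunk.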
@@ -0,0 +1,85 @@
|
||||
package com.hccake.ballcat.admin.modules.sys.model.vo;
|
||||
|
||||
import io.swagger.annotations.ApiModel;
|
||||
import io.swagger.annotations.ApiModelProperty;
|
||||
import lombok.Data;
|
||||
|
||||
import java.io.Serializable;
|
||||
import java.time.LocalDateTime;
|
||||
|
||||
/**
|
||||
* 系统用户表
|
||||
*
|
||||
* @author ballcat code generator
|
||||
* @date 2019-09-12 20:39:31
|
||||
*/
|
||||
@Data
|
||||
@ApiModel(value = "系统用户VO")
|
||||
public class SysUserVO implements Serializable {
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
/**
|
||||
* 用户ID
|
||||
*/
|
||||
@ApiModelProperty(value = "用户ID")
|
||||
private Integer userId;
|
||||
|
||||
/**
|
||||
* 登录账号
|
||||
*/
|
||||
@ApiModelProperty(value = "登录账号")
|
||||
private String username;
|
||||
|
||||
/**
|
||||
* 昵称
|
||||
*/
|
||||
@ApiModelProperty(value = "昵称")
|
||||
private String nickname;
|
||||
|
||||
/**
|
||||
* 头像
|
||||
*/
|
||||
@ApiModelProperty(value = "头像")
|
||||
private String avatar;
|
||||
|
||||
/**
|
||||
* 性别(0-默认未知,1-男,2-女)
|
||||
*/
|
||||
@ApiModelProperty(value = "性别(0-默认未知,1-男,2-女)")
|
||||
private Integer sex;
|
||||
|
||||
/**
|
||||
* 电子邮件
|
||||
*/
|
||||
@ApiModelProperty(value = "电子邮件")
|
||||
private String email;
|
||||
|
||||
/**
|
||||
* 电话
|
||||
*/
|
||||
@ApiModelProperty(value = "电话")
|
||||
private String phone;
|
||||
|
||||
/**
|
||||
* 状态(1-正常,0-冻结)
|
||||
*/
|
||||
@ApiModelProperty(value = "状态(1-正常, 0-冻结)")
|
||||
private Integer status;
|
||||
|
||||
@ApiModelProperty(value = "1:系统用户, 2:客户用户")
|
||||
private Integer type;
|
||||
|
||||
/**
|
||||
* 创建时间
|
||||
*/
|
||||
@ApiModelProperty(value = "创建时间")
|
||||
private LocalDateTime createTime;
|
||||
|
||||
/**
|
||||
* 更新时间
|
||||
*/
|
||||
@ApiModelProperty(value = "更新时间")
|
||||
private LocalDateTime updateTime;
|
||||
|
||||
}
|
||||
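Review bot: The class Javadoc on `SysUserVO` is the generator's `系统用户表` header and does not say what distinguishes this VO from the entity; add a line such as `* Outward-facing view of sys_user: intentionally carries no password or other credential field, so it is safe to place in API responses and token payloads.` so that a regenerated or extended VO is not handed the field back without review. The `type` field at `@ApiModelProperty(value = "1:系统用户, 2:客户用户")` is the only one without a Javadoc block, unlike its neighbours; add `/** 用户类型(1-系统用户, 2-客户用户) */` above it for consistency. The `@date 2019-09-12 20:39:31` tag looks copied from the generated entity rather than reflecting this file's creation, so consider removing it.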
@@ -6,7 +6,7 @@ import com.hccake.ballcat.admin.modules.sys.model.dto.SysUserDTO;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.dto.SysUserScope;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.entity.SysUser;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.qo.SysUserQO;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.vo.UserInfo;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.dto.UserInfoDTO;
|
||||
import com.hccake.ballcat.common.core.vo.SelectData;
|
||||
import org.springframework.web.multipart.MultipartFile;
|
||||
|
||||
@@ -25,66 +25,66 @@ public interface SysUserService extends IService<SysUser> {
|
||||
* 查询系统用户列表
|
||||
* @param page 分页对象
|
||||
* @param qo 查询参数
|
||||
* @return
|
||||
* @return IPage<SysUser>
|
||||
*/
|
||||
IPage<SysUser> page(IPage<SysUser> page, SysUserQO qo);
|
||||
|
||||
/**
|
||||
* 根据用户名查询用户
|
||||
* @param username
|
||||
* @return
|
||||
* @param username 用户名
|
||||
* @return SysUser
|
||||
*/
|
||||
SysUser getByUsername(String username);
|
||||
|
||||
/**
|
||||
* 获取用户详情信息
|
||||
* @param user
|
||||
* @return
|
||||
* @param user SysUser
|
||||
* @return UserInfoDTO
|
||||
*/
|
||||
UserInfo findUserInfo(SysUser user);
|
||||
UserInfoDTO findUserInfo(SysUser user);
|
||||
|
||||
/**
|
||||
* 新增系统用户
|
||||
* @param sysUserDto
|
||||
* @return
|
||||
* @param sysUserDto SysUserDTO
|
||||
* @return boolean
|
||||
*/
|
||||
boolean addSysUser(SysUserDTO sysUserDto);
|
||||
|
||||
/**
|
||||
* 更新系统用户信息
|
||||
* @param sysUserDTO
|
||||
* @return
|
||||
* @param sysUserDTO 用户DTO
|
||||
* @return boolean
|
||||
*/
|
||||
boolean updateSysUser(SysUserDTO sysUserDTO);
|
||||
|
||||
/**
|
||||
* 更新用户权限信息
|
||||
* @param userId
|
||||
* @param sysUserScope
|
||||
* @return
|
||||
* @param userId 用户ID
|
||||
* @param sysUserScope 用户权限域
|
||||
* @return boolean
|
||||
*/
|
||||
boolean updateUserScope(Integer userId, SysUserScope sysUserScope);
|
||||
|
||||
/**
|
||||
* 根据userId删除 用户
|
||||
* @param userId
|
||||
* @return
|
||||
* @param userId 用户ID
|
||||
* @return boolean
|
||||
*/
|
||||
boolean deleteByUserId(Integer userId);
|
||||
|
||||
/**
|
||||
* 修改用户密码
|
||||
* @param userId
|
||||
* @param pass
|
||||
* @return
|
||||
* @param userId 用户ID
|
||||
* @param pass 未加密的密码
|
||||
* @return boolean
|
||||
*/
|
||||
boolean updateUserPass(Integer userId, String pass);
|
||||
|
||||
/**
|
||||
* 批量修改用户状态
|
||||
* @param userIds
|
||||
* @param status
|
||||
* @return
|
||||
* @param userIds 用户ID集合
|
||||
* @param status 状态
|
||||
* @return boolean
|
||||
*/
|
||||
boolean updateUserStatus(List<Integer> userIds, Integer status);
|
||||
|
||||
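Review bot: The new `@param pass 未加密的密码` on `updateUserPass` documents that the service receives the raw password but not who is responsible for hashing it; make the contract explicit with something like `* @param pass raw (unencoded) password; the implementation encodes it before persisting and must not log it`. `findUserInfo` now returns `UserInfoDTO`, which still wraps the full `SysUser` entity, so `@return UserInfoDTO` would be more useful as `* @return UserInfoDTO internal user info (wraps the entity, including its stored credential hash); not for returning to clients`, since keeping the entity off the wire is the purpose of this commit. The other methods in this hunk carry Javadoc-only changes.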
@@ -93,14 +93,14 @@ public interface SysUserService extends IService<SysUser> {
|
||||
* @param file 头像文件
|
||||
* @param userId 用户ID
|
||||
* @return 文件相对路径
|
||||
* @throws IOException
|
||||
* @throws IOException IO异常
|
||||
*/
|
||||
String updateAvatar(MultipartFile file, Integer userId) throws IOException;
|
||||
|
||||
/**
|
||||
* 根据角色查询用户
|
||||
* @return
|
||||
* @param roleCode
|
||||
* @param roleCode 角色标识
|
||||
* @return List<SysUser>
|
||||
*/
|
||||
List<SysUser> selectUsersByRoleCode(String roleCode);
|
||||
|
||||
|
||||
@@ -17,11 +17,11 @@ import com.hccake.ballcat.admin.modules.sys.mapper.SysUserMapper;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.converter.SysUserConverter;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.dto.SysUserDTO;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.dto.SysUserScope;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.dto.UserInfoDTO;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.entity.SysRole;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.entity.SysUser;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.qo.SysUserQO;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.vo.PermissionVO;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.vo.UserInfo;
|
||||
import com.hccake.ballcat.admin.modules.sys.service.*;
|
||||
import com.hccake.ballcat.admin.oauth.util.SecurityUtils;
|
||||
import com.hccake.ballcat.common.core.util.PasswordUtil;
|
||||
@@ -96,9 +96,9 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserMapper, SysUser> impl
|
||||
* @return 用户信息
|
||||
*/
|
||||
@Override
|
||||
public UserInfo findUserInfo(SysUser sysUser) {
|
||||
UserInfo userInfo = new UserInfo();
|
||||
userInfo.setSysUser(sysUser);
|
||||
public UserInfoDTO findUserInfo(SysUser sysUser) {
|
||||
UserInfoDTO userInfoDTO = new UserInfoDTO();
|
||||
userInfoDTO.setSysUser(sysUser);
|
||||
// 设置角色列表 (ID)
|
||||
List<SysRole> roleList;
|
||||
|
||||
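Review bot: `userInfoDTO.setSysUser(sysUser);` places the full entity, stored password hash included, inside the object that later becomes the security principal; that is needed for authentication, but nothing on the method records that the result is server-side only. Extend the `@return 用户信息` Javadoc with `* The returned DTO wraps the complete SysUser (credential hash included) and must never be serialised to a client; use SysUserVO for that.` The rest of `findUserInfo`, and the enclosing class, continue outside this hunk.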
@@ -117,8 +117,8 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserMapper, SysUser> impl
|
||||
roles.add(role.getCode());
|
||||
}
|
||||
|
||||
userInfo.setRoles(roles);
|
||||
userInfo.setRoleIds(roleIds);
|
||||
userInfoDTO.setRoles(roles);
|
||||
userInfoDTO.setRoleIds(roleIds);
|
||||
|
||||
// 设置权限列表(permission)
|
||||
Set<String> permissions = new HashSet<>();
|
||||
@@ -128,8 +128,8 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserMapper, SysUser> impl
|
||||
.collect(Collectors.toList());
|
||||
permissions.addAll(permissionList);
|
||||
});
|
||||
userInfo.setPermissions(new ArrayList<>(permissions));
|
||||
return userInfo;
|
||||
userInfoDTO.setPermissions(new ArrayList<>(permissions));
|
||||
return userInfoDTO;
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
package com.hccake.ballcat.admin.oauth;
|
||||
|
||||
import com.hccake.ballcat.admin.modules.sys.model.converter.SysUserConverter;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.vo.SysUserVO;
|
||||
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.common.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.provider.OAuth2Authentication;
|
||||
@@ -17,9 +19,9 @@ public class CustomTokenEnhancer implements TokenEnhancer {
|
||||
|
||||
/**
|
||||
* 处理 token 增强
|
||||
* @param accessToken
|
||||
* @param authentication
|
||||
* @return
|
||||
* @param accessToken token信息
|
||||
* @param authentication 鉴权信息
|
||||
* @return OAuth2AccessToken 增强后的token
|
||||
*/
|
||||
@Override
|
||||
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
|
||||
@@ -27,8 +29,9 @@ public class CustomTokenEnhancer implements TokenEnhancer {
|
||||
Object principal = authentication.getUserAuthentication().getPrincipal();
|
||||
|
||||
SysUserDetails sysUserDetails = (SysUserDetails) principal;
|
||||
SysUserVO sysUserVO = SysUserConverter.INSTANCE.poToVo(sysUserDetails.getSysUser());
|
||||
|
||||
additionalInfo.put("info", sysUserDetails.getSysUser());
|
||||
additionalInfo.put("info", sysUserVO);
|
||||
additionalInfo.put("roles", sysUserDetails.getRoles());
|
||||
additionalInfo.put("permissions", sysUserDetails.getPermissions());
|
||||
|
||||
|
||||
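Review bot: `SysUserVO sysUserVO = SysUserConverter.INSTANCE.poToVo(sysUserDetails.getSysUser());` is the actual fix, yet nothing on the line says why the entity is no longer put under `"info"`; add `// expose only SysUserVO here: the entity carries the password hash and "info" is returned with the token` so the conversion is not "simplified" away later. The unchecked cast `(SysUserDetails) principal` on the line above predates this commit, but if a grant without a user authentication ever reaches this enhancer, `getUserAuthentication()` or the cast would fail with an unhandled exception; a `principal instanceof SysUserDetails` guard that skips the extra claims would fail cleanly instead. `enhance()` begins and ends outside the hunk.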
@@ -1,8 +1,8 @@
|
||||
package com.hccake.ballcat.admin.oauth;
|
||||
|
||||
import cn.hutool.core.collection.CollectionUtil;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.dto.UserInfoDTO;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.entity.SysUser;
|
||||
import com.hccake.ballcat.admin.modules.sys.model.vo.UserInfo;
|
||||
import com.hccake.ballcat.admin.modules.sys.service.SysUserService;
|
||||
import lombok.RequiredArgsConstructor;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
@@ -37,21 +37,21 @@ public class SysUserDetailsServiceImpl implements UserDetailsService {
|
||||
log.error("登陆:用户名错误,用户名:{}", username);
|
||||
throw new UsernameNotFoundException("username error!");
|
||||
}
|
||||
UserInfo userInfo = sysUserService.findUserInfo(sysUser);
|
||||
return getUserDetailsByUserInfo(userInfo);
|
||||
UserInfoDTO userInfoDTO = sysUserService.findUserInfo(sysUser);
|
||||
return getUserDetailsByUserInfo(userInfoDTO);
|
||||
}
|
||||
|
||||
/**
|
||||
* 根据UserInfo 获取 UserDetails
|
||||
* @param userInfo
|
||||
* @return
|
||||
* @param userInfoDTO 用户信息DTO
|
||||
* @return UserDetails
|
||||
*/
|
||||
private UserDetails getUserDetailsByUserInfo(UserInfo userInfo) {
|
||||
private UserDetails getUserDetailsByUserInfo(UserInfoDTO userInfoDTO) {
|
||||
|
||||
SysUser user = userInfo.getSysUser();
|
||||
List<String> roles = userInfo.getRoles();
|
||||
List<Integer> roleIds = userInfo.getRoleIds();
|
||||
List<String> permissions = userInfo.getPermissions();
|
||||
SysUser sysUser = userInfoDTO.getSysUser();
|
||||
List<String> roles = userInfoDTO.getRoles();
|
||||
List<Integer> roleIds = userInfoDTO.getRoleIds();
|
||||
List<String> permissions = userInfoDTO.getPermissions();
|
||||
|
||||
Set<String> dbAuthsSet = new HashSet<>();
|
||||
if (CollectionUtil.isNotEmpty(roles)) {
|
||||
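Review bot: The Javadoc on `getUserDetailsByUserInfo` still reads `根据UserInfo 获取 UserDetails` while the parameter is now `UserInfoDTO`; update it to `* Builds the Spring Security UserDetails from the internal UserInfoDTO (entity plus roles, role ids and permissions).` so the description matches the rename below it. The method name also keeps the old `UserInfo` suffix; renaming it to `getUserDetailsByUserInfoDTO` is optional but would be consistent with the variable renames made in this hunk. The method body continues past the hunk.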
@@ -64,7 +64,7 @@ public class SysUserDetailsServiceImpl implements UserDetailsService {
|
||||
Collection<? extends GrantedAuthority> authorities = AuthorityUtils
|
||||
.createAuthorityList(dbAuthsSet.toArray(new String[0]));
|
||||
|
||||
return new SysUserDetails(user, roles, roleIds, permissions, authorities);
|
||||
return new SysUserDetails(sysUser, roles, roleIds, permissions, authorities);
|
||||
|
||||
}
|
||||
|
||||
|
||||