From ce3298b9b01d83aea11bd144ccdc2e890a75cd97 Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: 星期三, 26 六月 2024 19:52:25 +0800
Subject: [PATCH] 升级spring-security到安全版本,防止漏洞风险
---
src/main/java/com/ruoyi/framework/aspectj/LogAspect.java | 50 +++++++++++++++++++++++++++++++++++++++-----------
1 files changed, 39 insertions(+), 11 deletions(-)
diff --git a/src/main/java/com/ruoyi/framework/aspectj/LogAspect.java b/src/main/java/com/ruoyi/framework/aspectj/LogAspect.java
index c4d6eb8..19a857f 100644
--- a/src/main/java/com/ruoyi/framework/aspectj/LogAspect.java
+++ b/src/main/java/com/ruoyi/framework/aspectj/LogAspect.java
@@ -4,12 +4,15 @@
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.ArrayUtils;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.AfterThrowing;
import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.springframework.core.NamedThreadLocal;
import org.springframework.stereotype.Component;
import org.springframework.validation.BindingResult;
import org.springframework.web.multipart.MultipartFile;
@@ -26,6 +29,7 @@
import com.ruoyi.framework.manager.factory.AsyncFactory;
import com.ruoyi.framework.security.LoginUser;
import com.ruoyi.project.monitor.domain.SysOperLog;
+import com.ruoyi.project.system.domain.SysUser;
/**
* 鎿嶄綔鏃ュ織璁板綍澶勭悊
@@ -40,6 +44,18 @@
/** 鎺掗櫎鏁忔劅灞炴�у瓧娈� */
public static final String[] EXCLUDE_PROPERTIES = { "password", "oldPassword", "newPassword", "confirmPassword" };
+
+ /** 璁$畻鎿嶄綔娑堣�楁椂闂� */
+ private static final ThreadLocal<Long> TIME_THREADLOCAL = new NamedThreadLocal<Long>("Cost Time");
+
+ /**
+ * 澶勭悊璇锋眰鍓嶆墽琛�
+ */
+ @Before(value = "@annotation(controllerLog)")
+ public void boBefore(JoinPoint joinPoint, Log controllerLog)
+ {
+ TIME_THREADLOCAL.set(System.currentTimeMillis());
+ }
/**
* 澶勭悊瀹岃姹傚悗鎵ц
@@ -75,12 +91,17 @@
SysOperLog operLog = new SysOperLog();
operLog.setStatus(BusinessStatus.SUCCESS.ordinal());
// 璇锋眰鐨勫湴鍧�
- String ip = IpUtils.getIpAddr(ServletUtils.getRequest());
+ String ip = IpUtils.getIpAddr();
operLog.setOperIp(ip);
operLog.setOperUrl(StringUtils.substring(ServletUtils.getRequest().getRequestURI(), 0, 255));
if (loginUser != null)
{
operLog.setOperName(loginUser.getUsername());
+ SysUser currentUser = loginUser.getUser();
+ if (StringUtils.isNotNull(currentUser) && StringUtils.isNotNull(currentUser.getDept()))
+ {
+ operLog.setDeptName(currentUser.getDept().getDeptName());
+ }
}
if (e != null)
@@ -96,6 +117,8 @@
operLog.setRequestMethod(ServletUtils.getRequest().getMethod());
// 澶勭悊璁剧疆娉ㄨВ涓婄殑鍙傛暟
getControllerMethodDescription(joinPoint, controllerLog, operLog, jsonResult);
+ // 璁剧疆娑堣�楁椂闂�
+ operLog.setCostTime(System.currentTimeMillis() - TIME_THREADLOCAL.get());
// 淇濆瓨鏁版嵁搴�
AsyncManager.me().execute(AsyncFactory.recordOper(operLog));
}
@@ -104,6 +127,10 @@
// 璁板綍鏈湴寮傚父鏃ュ織
log.error("寮傚父淇℃伅:{}", exp.getMessage());
exp.printStackTrace();
+ }
+ finally
+ {
+ TIME_THREADLOCAL.remove();
}
}
@@ -126,7 +153,7 @@
if (log.isSaveRequestData())
{
// 鑾峰彇鍙傛暟鐨勪俊鎭紝浼犲叆鍒版暟鎹簱涓��
- setRequestValue(joinPoint, operLog);
+ setRequestValue(joinPoint, operLog, log.excludeParamNames());
}
// 鏄惁闇�瑕佷繚瀛榬esponse锛屽弬鏁板拰鍊�
if (log.isSaveResponseData() && StringUtils.isNotNull(jsonResult))
@@ -141,25 +168,26 @@
* @param operLog 鎿嶄綔鏃ュ織
* @throws Exception 寮傚父
*/
- private void setRequestValue(JoinPoint joinPoint, SysOperLog operLog) throws Exception
+ private void setRequestValue(JoinPoint joinPoint, SysOperLog operLog, String[] excludeParamNames) throws Exception
{
String requestMethod = operLog.getRequestMethod();
- if (HttpMethod.PUT.name().equals(requestMethod) || HttpMethod.POST.name().equals(requestMethod))
+ Map<?, ?> paramsMap = ServletUtils.getParamMap(ServletUtils.getRequest());
+ if (StringUtils.isEmpty(paramsMap)
+ && (HttpMethod.PUT.name().equals(requestMethod) || HttpMethod.POST.name().equals(requestMethod)))
{
- String params = argsArrayToString(joinPoint.getArgs());
+ String params = argsArrayToString(joinPoint.getArgs(), excludeParamNames);
operLog.setOperParam(StringUtils.substring(params, 0, 2000));
}
else
{
- Map<?, ?> paramsMap = ServletUtils.getParamMap(ServletUtils.getRequest());
- operLog.setOperParam(StringUtils.substring(JSON.toJSONString(paramsMap, excludePropertyPreFilter()), 0, 2000));
+ operLog.setOperParam(StringUtils.substring(JSON.toJSONString(paramsMap, excludePropertyPreFilter(excludeParamNames)), 0, 2000));
}
}
/**
* 鍙傛暟鎷艰
*/
- private String argsArrayToString(Object[] paramsArray)
+ private String argsArrayToString(Object[] paramsArray, String[] excludeParamNames)
{
String params = "";
if (paramsArray != null && paramsArray.length > 0)
@@ -170,7 +198,7 @@
{
try
{
- String jsonObj = JSON.toJSONString(o, excludePropertyPreFilter());
+ String jsonObj = JSON.toJSONString(o, excludePropertyPreFilter(excludeParamNames));
params += jsonObj.toString() + " ";
}
catch (Exception e)
@@ -185,9 +213,9 @@
/**
* 蹇界暐鏁忔劅灞炴��
*/
- public PropertyPreExcludeFilter excludePropertyPreFilter()
+ public PropertyPreExcludeFilter excludePropertyPreFilter(String[] excludeParamNames)
{
- return new PropertyPreExcludeFilter().addExcludes(EXCLUDE_PROPERTIES);
+ return new PropertyPreExcludeFilter().addExcludes(ArrayUtils.addAll(EXCLUDE_PROPERTIES, excludeParamNames));
}
/**
--
Gitblit v1.9.3