devbox
我家小花儿
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

使用环绕增强注解解决防重复提交及防重放安全问题_防重放和防重复的区别

作者:我家小花儿 | 2024-03-14 12:55:26

防重放和防重复的区别
使用环绕增强注解解决防重复提交及防重放安全问题
AvoidRepeatableCommit 注释类
import java.lang.annotation.*;

@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface AvoidRepeatableCommit {
}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
AvoidRepeatableCommitAspect 环绕类

CacheStore 是hutool的缓存可以换成redis,SHA256也是使用hutool的内置加密方法

import java.util.Date;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

import cn.com.sgcc.sgec.ksplatform.common.exception.KsException;
import cn.com.sgcc.sgec.ksplatform.security.util.CacheStore;
import cn.hutool.core.date.DateUnit;
import cn.hutool.core.date.DateUtil;
import cn.hutool.core.util.StrUtil;
import cn.hutool.crypto.digest.DigestAlgorithm;
import cn.hutool.crypto.digest.Digester;
import lombok.extern.slf4j.Slf4j;


/**
 * 防重复提交
 * @author Mr.Xiao
 *
 */
@Aspect
@Component
@Slf4j
public class AvoidRepeatableCommitAspect {

	@Autowired
	CacheStore cacheStore;
	
    /**
     * @param point
     * @throws Throwable 
     */
	@Around("@annotation(cn.com.aop.AvoidRepeatableCommit)")
    public Object around(ProceedingJoinPoint pjp) throws Throwable {
    	ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
    	HttpServletRequest request = attributes.getRequest();
    	//防重放规则1.0 (url防重放)
    	
    	String tid = "";
    	Cookie[] cookie = request.getCookies();
    	if(null != cookie) {
    		for(Cookie c : cookie) {
    			if(c.getName().equals("token")) {
    				tid = c.getValue();
        			break;
        		}
        	}
    	}
        
        
        String key = tid + "-" + request.getRequestURI();
        String value = cacheStore.getTokenUrlCache().get(key);
        if(StrUtil.isNotEmpty(value)) {
        	log.error("频繁操作{}",key);
        	throw new KsException("请勿频繁操作");
        }else {
        	cacheStore.getTokenUrlCache().put(key, "1",DateUnit.SECOND.getMillis()*3);
        }
        
    	//防重放规则2.0 (数据包防重放)
    	
    	String timestamp = request.getHeader("timestamp");
    	String nonce = request.getHeader("nonce");
    	String sign = request.getHeader("sign");
    	
    	if(StrUtil.hasBlank(timestamp,nonce,sign)) {
    		log.error("参数不完整{}",nonce);
        	throw new KsException("参数不完整");
    	}
    	
    	//大于10分钟的数据包失效不可用
    	long bmin = DateUtil.between(new Date(), new Date(Long.parseLong(timestamp)), DateUnit.MINUTE);
    	if(bmin > 10) {
    		log.error("数据包已失效{}",nonce);
			throw new KsException("数据包已失效");
    	}
    	
    	Digester sha256 = new Digester(DigestAlgorithm.SHA256);
    	String sign1 = sha256.digestHex(sha256.digestHex(nonce)+timestamp);
    	
    	//规则校验
    	if(!sign.equals(sign1)) {
    		log.error("篡改数据包非法提交{}",nonce);
        	throw new KsException("篡改数据包非法提交");
    	}
    	
    	
    	
    	value = cacheStore.getNonceCache().get(timestamp+nonce);
    	if(StrUtil.isNotEmpty(value)) {
    		log.error("重复提交{}",nonce);
        	throw new KsException("重复提交");
    	}
    	
    	Object o = pjp.proceed();
    	cacheStore.getNonceCache().put(timestamp+nonce, "1",DateUnit.MINUTE.getMillis()*11);
    	return o;
    }
	
}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
注解的使用
  @PostMapping("operationAudit")
    @ApiOperation(value = "运营审核")
    @Secured(RolesConstant.AUDITOR) //审核员才有权限操作
    @AvoidRepeatableCommit  // todo
    public ItemResponse operationAudit(OnlineMeasureAuditDTO auditDTO) throws Exception {

        OnlineMeasure onlineMeasure = onlineMeasureService.getById(auditDTO.getId());

        if (onlineMeasure == null){
            return ItemResponse.fault("数据错误");
        }

        /**
         * 待审核 10 光伏云 驳回 30 运营才能审核
         */
        if ( ( !OnlineMeasureConstant.AUDIT_10.equals(onlineMeasure.getStatus())
                &&  !OnlineMeasureConstant.AUDIT_30.equals(onlineMeasure.getStatus()) )   ){
            return ItemResponse.fault("审核状态错误");
        }
 
     
        ItemResponse result = auditRecordService.onlineMeasureOperationAudit(auditDTO);
        return result;
    }

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/我家小花儿/article/detail/234587
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号