| java110-core/src/main/java/com/java110/core/factory/AuthenticationFactory.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| java110-core/src/main/java/com/java110/core/smo/IOwnerGetDataCheck.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| java110-core/src/main/java/com/java110/core/smo/impl/OwnerGetDataCheckImpl.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| service-acct/src/main/java/com/java110/acct/api/AccountApi.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| service-fee/src/main/java/com/java110/fee/cmd/fee/ListFeeCmd.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| service-user/src/main/java/com/java110/user/cmd/login/PcUserLoginCmd.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| service-user/src/main/java/com/java110/user/cmd/owner/EditOwnerCmd.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| service-user/src/main/java/com/java110/user/cmd/user/UserSendSmsCmd.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 |
java110-core/src/main/java/com/java110/core/factory/AuthenticationFactory.java
@@ -13,6 +13,7 @@ import com.java110.core.context.DataFlow; import com.java110.dto.reportData.ReportDataDto; import com.java110.dto.reportData.ReportDataHeaderDto; import com.java110.utils.cache.CommonCache; import com.java110.utils.cache.JWTCache; import com.java110.utils.cache.MappingCache; import com.java110.utils.constant.CommonConstant; @@ -64,6 +65,8 @@ * 默认编码 */ private static final String CHARSET = "utf-8"; private static final String USER_ERROR_COUNT = "USER_ERROR_COUNT_";// 用户登录错误次数,防止暴力破解 // 加密 @@ -604,6 +607,42 @@ } /** * 登陆密码错误时 记录,连续输入错误7次后账号锁定 2小时 * * @param userName */ public static void userLoginError(String userName) { String count = CommonCache.getValue(USER_ERROR_COUNT + userName); int countNum = 0; if (!StringUtil.isEmpty(count)) { countNum = Integer.parseInt(count); } countNum += 1; CommonCache.setValue(USER_ERROR_COUNT + userName, countNum + "", CommonCache.TOKEN_EXPIRE_TIME); } /** * 校验 登录次数 * * @param userName 登录账号 */ public static void checkLoginErrorCount(String userName) { String count = CommonCache.getValue(USER_ERROR_COUNT + userName); int countNum = 0; if (!StringUtil.isEmpty(count)) { countNum = Integer.parseInt(count); } if (countNum >= 7) { throw new IllegalArgumentException("登陆错误次数过多,请休息一会再试"); } } /***********************************JWT start***************************************/
New file @@ -0,0 +1,27 @@ package com.java110.core.smo; import com.alibaba.fastjson.JSONObject; /*** * 业主 查询数据合法性校验 */ public interface IOwnerGetDataCheck { /** * 校验业主 账户查询 * * @param appId 应用ID * @param loginUserId 登陆用户ID * @param reqJson 传递参数内容 */ void checkOwnerAccount(String appId, String loginUserId, JSONObject reqJson); /** * 查询费用校验 * * @param appId * @param loginUserId * @param reqJson */ void checkOwnerFee(String appId, String loginUserId, JSONObject reqJson); } java110-core/src/main/java/com/java110/core/smo/impl/OwnerGetDataCheckImpl.java
New file @@ -0,0 +1,248 @@ package com.java110.core.smo.impl; import com.alibaba.fastjson.JSONObject; import com.java110.core.smo.IOwnerGetDataCheck; import com.java110.dto.account.AccountDetailDto; import com.java110.dto.account.AccountDto; import com.java110.dto.app.AppDto; import com.java110.dto.fee.FeeAttrDto; import com.java110.dto.fee.FeeDto; import com.java110.dto.owner.OwnerDto; import com.java110.dto.user.UserDto; import com.java110.intf.acct.IAccountInnerServiceSMO; import com.java110.intf.fee.IFeeInnerServiceSMO; import com.java110.intf.fee.IPayFeeV1InnerServiceSMO; import com.java110.intf.user.IOwnerV1InnerServiceSMO; import com.java110.intf.user.IUserV1InnerServiceSMO; import com.java110.utils.util.StringUtil; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import java.util.List; /** * 业主 查询安全性校验 */ @Service public class OwnerGetDataCheckImpl implements IOwnerGetDataCheck { @Autowired(required = false) private IUserV1InnerServiceSMO userV1InnerServiceSMOImpl; @Autowired(required = false) private IAccountInnerServiceSMO accountInnerServiceSMOImpl; @Autowired(required = false) private IOwnerV1InnerServiceSMO ownerV1InnerServiceSMOImpl; @Autowired(required = false) private IFeeInnerServiceSMO feeInnerServiceSMOImpl; private boolean isOwner(String appId) { if (!AppDto.WECHAT_OWNER_APP_ID.equals(appId) && !AppDto.WECHAT_MINA_OWNER_APP_ID.equals(appId)) { return false; } return true; } @Override public void checkOwnerAccount(String appId, String loginUserId, JSONObject reqJson) { if (!isOwner(appId)) { return; } UserDto userDto = new UserDto(); userDto.setUserId(loginUserId); List<UserDto> userDtos = userV1InnerServiceSMOImpl.queryUsers(userDto); //todo 没有登录,说明不需要校验 if (userDtos == null || userDtos.isEmpty()) { return; } //todo 如果 包含acctId 校验 ifAcctIdCheck(reqJson, userDtos.get(0)); // todo 如果包含link 校验 ifAccountLinkCheck(reqJson, userDtos.get(0)); String acctId = reqJson.getString("acctId"); String link = reqJson.getString("link"); if (StringUtil.isEmpty(acctId) && StringUtil.isEmpty(link)) { throw new IllegalArgumentException("业主查询条件错误"); } } @Override public void checkOwnerFee(String appId, String loginUserId, JSONObject reqJson) { if (!isOwner(appId)) { return; } UserDto userDto = new UserDto(); userDto.setUserId(loginUserId); List<UserDto> userDtos = userV1InnerServiceSMOImpl.queryUsers(userDto); //todo 没有登录,说明不需要校验 if (userDtos == null || userDtos.isEmpty()) { return; } //todo 查询业主信息 OwnerDto ownerDto = new OwnerDto(); ownerDto.setLink(userDtos.get(0).getTel()); ownerDto.setCommunityId(reqJson.getString("communityId")); ownerDto.setOwnerTypeCd(OwnerDto.OWNER_TYPE_CD_OWNER); List<OwnerDto> ownerDtos = ownerV1InnerServiceSMOImpl.queryOwners(ownerDto); //todo 游客不校验 if (ownerDtos == null || ownerDtos.isEmpty()) { return; } //todo 根据ownerId 查询 ifFeeOwnerId(reqJson, ownerDtos.get(0)); //todo 根据payerObjId 查询 ifFeePayerObjId(reqJson, ownerDtos.get(0)); //todo 根据feeId 查询 ifFeeFeeId(reqJson, ownerDtos.get(0)); String ownerId = reqJson.getString("ownerId"); String payerObjId = reqJson.getString("payerObjId"); String feeId = reqJson.getString("feeId"); if (StringUtil.isEmpty(ownerId) && StringUtil.isEmpty(payerObjId) && StringUtil.isEmpty(feeId)) { throw new IllegalArgumentException("业主查询费用条件错误"); } } private void ifFeeFeeId(JSONObject reqJson, OwnerDto ownerDto) { if (!reqJson.containsKey("feeId")) { return; } String feeId = reqJson.getString("feeId"); if (StringUtil.isEmpty(feeId)) { return; } FeeDto feeDto = new FeeDto(); feeDto.setFeeId(reqJson.getString("feeId")); feeDto.setCommunityId(reqJson.getString("communityId")); List<FeeDto> feeDtos = feeInnerServiceSMOImpl.queryFees(feeDto); if (feeDtos == null || feeDtos.isEmpty()) { return; } String ownerId = FeeAttrDto.getFeeAttrValue(feeDtos.get(0), FeeAttrDto.SPEC_CD_OWNER_ID); if (StringUtil.isEmpty(ownerId)) { return; } if (!ownerDto.getOwnerId().equals(ownerId)) { throw new IllegalArgumentException("业主查询不属于自己的数据"); } } private void ifFeePayerObjId(JSONObject reqJson, OwnerDto ownerDto) { if (!reqJson.containsKey("payerObjId")) { return; } String payerObjId = reqJson.getString("payerObjId"); if (StringUtil.isEmpty(payerObjId)) { return; } FeeDto feeDto = new FeeDto(); feeDto.setPayerObjId(reqJson.getString("payerObjId")); feeDto.setCommunityId(reqJson.getString("communityId")); List<FeeDto> feeDtos = feeInnerServiceSMOImpl.queryFees(feeDto); if (feeDtos == null || feeDtos.isEmpty()) { return; } String ownerId = FeeAttrDto.getFeeAttrValue(feeDtos.get(0), FeeAttrDto.SPEC_CD_OWNER_ID); if (StringUtil.isEmpty(ownerId)) { return; } if (!ownerDto.getOwnerId().equals(ownerId)) { throw new IllegalArgumentException("业主查询不属于自己的数据"); } } private void ifFeeOwnerId(JSONObject reqJson, OwnerDto ownerDto) { if (!reqJson.containsKey("ownerId")) { return; } String ownerId = reqJson.getString("ownerId"); if (StringUtil.isEmpty(ownerId)) { return; } if (!ownerId.equals(ownerDto.getOwnerId())) { throw new IllegalArgumentException("业主查询不属于自己的数据"); } } private void ifAccountLinkCheck(JSONObject reqJson, UserDto userDto) { if (!reqJson.containsKey("link")) { return; } String link = reqJson.getString("link"); if (StringUtil.isEmpty(link)) { return; } if (!userDto.getTel().equals(link)) { throw new IllegalArgumentException("业主查询不属于自己的数据"); } } private void ifAcctIdCheck(JSONObject reqJson, UserDto userDto) { if (!reqJson.containsKey("accId")) { return; } String acctId = reqJson.getString("acctId"); if (StringUtil.isEmpty(acctId)) { return; } AccountDto accountDto = new AccountDto(); accountDto.setAcctId(acctId); List<AccountDto> accountDtos = accountInnerServiceSMOImpl.queryAccounts(accountDto); if (accountDtos == null || accountDtos.isEmpty()) { return; } if (!userDto.getTel().equals(accountDtos.get(0).getLink())) { throw new IllegalArgumentException("业主查询不属于自己的数据"); } } } service-acct/src/main/java/com/java110/acct/api/AccountApi.java
@@ -3,6 +3,7 @@ import com.alibaba.fastjson.JSONObject; import com.java110.acct.bmo.account.IGetAccountBMO; import com.java110.acct.bmo.account.IOwnerPrestoreAccountBMO; import com.java110.core.smo.IOwnerGetDataCheck; import com.java110.dto.account.AccountDto; import com.java110.dto.account.AccountDetailDto; import com.java110.dto.contract.ContractDto; @@ -16,6 +17,7 @@ import com.java110.intf.user.IOwnerRoomRelInnerServiceSMO; import com.java110.po.account.AccountDetailPo; import com.java110.utils.util.Assert; import com.java110.utils.util.BeanConvertUtil; import com.java110.utils.util.StringUtil; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.ResponseEntity; @@ -54,6 +56,9 @@ @Autowired private IContractInnerServiceSMO contractInnerServiceSMOImpl; @Autowired private IOwnerGetDataCheck ownerGetDataCheckImpl; /** * 微信删除消息模板 * @@ -70,9 +75,9 @@ AccountDto accountDto = new AccountDto(); accountDto.setPage(page); accountDto.setRow(row); if(!StringUtil.isEmpty(shopId)){ if (!StringUtil.isEmpty(shopId)) { accountDto.setObjId(shopId); }else { } else { accountDto.setObjId(storeId); } return getAccountBMOImpl.get(accountDto); @@ -97,7 +102,10 @@ @RequestParam(value = "acctType", required = false) String acctType, @RequestParam(value = "acctId", required = false) String acctId, @RequestParam(value = "page") int page, @RequestParam(value = "row") int row) { @RequestParam(value = "row") int row, @RequestHeader(value = "user-id") String userId, @RequestHeader(value = "app-id") String appId ) { AccountDto accountDto = new AccountDto(); accountDto.setPage(page); accountDto.setRow(row); @@ -141,6 +149,10 @@ accountDto.setAcctType(acctType); accountDto.setLink(link); accountDto.setAcctId(acctId); //todo 业主账户安全性校验 ownerGetDataCheckImpl.checkOwnerAccount(appId, userId, BeanConvertUtil.beanCovertJson(accountDto)); OwnerDto ownerDto = new OwnerDto(); ownerDto.setOwnerId(ownerId); ownerDto.setCommunityId(communityId); @@ -161,12 +173,16 @@ public ResponseEntity<String> queryOwnerAccountDetail(@RequestParam(value = "objId", required = false) String objId, @RequestParam(value = "acctId", required = false) String acctId, @RequestParam(value = "page") int page, @RequestParam(value = "row") int row) { @RequestParam(value = "row") int row, @RequestHeader(value = "user-id") String userId, @RequestHeader(value = "app-id") String appId) { AccountDetailDto accountDto = new AccountDetailDto(); accountDto.setPage(page); accountDto.setRow(row); accountDto.setObjId(objId); accountDto.setAcctId(acctId); //todo 业主账户安全性校验 ownerGetDataCheckImpl.checkOwnerAccount(appId, userId, BeanConvertUtil.beanCovertJson(accountDto)); return getAccountBMOImpl.getDetail(accountDto); }
@@ -2,12 +2,14 @@ import com.alibaba.fastjson.JSONObject; import com.java110.core.annotation.Java110Cmd; import com.java110.core.context.CmdContextUtils; import com.java110.core.context.ICmdDataFlowContext; import com.java110.core.event.cmd.Cmd; import com.java110.core.event.cmd.CmdEvent; import com.java110.core.factory.CommunitySettingFactory; import com.java110.core.log.LoggerFactory; import com.java110.core.smo.IComputeFeeSMO; import com.java110.core.smo.IOwnerGetDataCheck; import com.java110.dto.floor.FloorDto; import com.java110.dto.room.RoomDto; import com.java110.dto.unit.UnitDto; @@ -82,6 +84,9 @@ @Autowired private IOwnerInnerServiceSMO ownerInnerServiceSMOImpl; @Autowired private IOwnerGetDataCheck ownerGetDataCheckImpl; //域 public static final String DOMAIN_COMMON = "DOMAIN.COMMON"; @@ -98,6 +103,9 @@ public void validate(CmdEvent event, ICmdDataFlowContext cmdDataFlowContext, JSONObject reqJson) { super.validatePageInfo(reqJson); Assert.hasKeyAndValue(reqJson, "communityId", "未包含小区ID"); // todo 业主查询合法性校验 ownerGetDataCheckImpl.checkOwnerFee(CmdContextUtils.getAppId(cmdDataFlowContext), CmdContextUtils.getLoginUserId(cmdDataFlowContext), reqJson); } @Override service-user/src/main/java/com/java110/user/cmd/login/PcUserLoginCmd.java
@@ -97,6 +97,7 @@ Assert.jsonObjectHaveKey(paramIn, "passwd", "用户登录,未包含passwd节点,请检查" + paramIn); AuthenticationFactory.checkLoginErrorCount(reqJson.getString("username")); } @Override @@ -117,6 +118,7 @@ } if (userDtos == null || userDtos.size() < 1) { responseEntity = new ResponseEntity<String>("用户或密码错误", HttpStatus.UNAUTHORIZED); AuthenticationFactory.userLoginError(paramInJson.getString("username")); cmdDataFlowContext.setResponseEntity(responseEntity); return; } service-user/src/main/java/com/java110/user/cmd/owner/EditOwnerCmd.java
@@ -348,7 +348,7 @@ if (ownerAppUser.getUserId().startsWith("-")) { continue; } // todo 删除用户信息 // todo 修改用户信息 UserPo userPo = new UserPo(); userPo.setUserId(ownerAppUserDtos.get(0).getUserId()); userPo.setTel(reqJson.getString("link")); service-user/src/main/java/com/java110/user/cmd/user/UserSendSmsCmd.java
@@ -15,6 +15,7 @@ import com.java110.utils.cache.MappingCache; import com.java110.utils.constant.MappingConstant; import com.java110.utils.exception.CmdException; import com.java110.utils.lock.DistributedLock; import com.java110.utils.util.Assert; import com.java110.utils.util.StringUtil; import com.java110.utils.util.ValidatorUtil; @@ -51,23 +52,32 @@ throw new IllegalArgumentException("手机号格式错误"); } //校验是否有有效的验证码 String smsCode = CommonCache.getValue(reqJson.getString("tel") + SendSmsFactory.VALIDATE_CODE); String requestId = DistributedLock.getLockUUID(); String key = this.getClass().getSimpleName() + reqJson.getString("tel"); try { DistributedLock.waitGetDistributedLock(key, requestId); //校验是否有有效的验证码 String smsCode = CommonCache.getValue(reqJson.getString("tel") + SendSmsFactory.VALIDATE_CODE); if (!StringUtil.isEmpty(smsCode) && smsCode.contains("-")) { long oldTime = Long.parseLong(smsCode.substring(smsCode.indexOf("-")+1, smsCode.length())); long nowTime = new Date().getTime(); if (nowTime - oldTime < 1000 * 60 * 2) { throw new IllegalArgumentException("请不要重复发送验证码"); if (!StringUtil.isEmpty(smsCode) && smsCode.contains("-")) { long oldTime = Long.parseLong(smsCode.substring(smsCode.indexOf("-") + 1, smsCode.length())); long nowTime = new Date().getTime(); if (nowTime - oldTime < 1000 * 60 * 2) { throw new IllegalArgumentException("请不要重复发送验证码"); } } } finally { //清理事务信息 DistributedLock.releaseDistributedLock(key, requestId); } } @Override public void doCmd(CmdEvent event, ICmdDataFlowContext context, JSONObject reqJson) throws CmdException { String tel = reqJson.getString("tel"); String captchaType = reqJson.getString("captchaType"); if(!StringUtil.isEmpty(captchaType) && "ownerBinding".equals(captchaType)){ if (!StringUtil.isEmpty(captchaType) && "ownerBinding".equals(captchaType)) { OwnerDto ownerDto = new OwnerDto(); ownerDto.setCommunityId(reqJson.getString("communityId")); ownerDto.setName(reqJson.getString("appUserName")); @@ -76,21 +86,21 @@ //取出开关映射的值 String val = MappingCache.getValue(DOMAIN_COMMON, ID_CARD_SWITCH); //取出身份证 String idCardErrorMsg =""; String idCardErrorMsg = ""; String idCard = reqJson.getString("idCard"); if ("1".equals(val) && !StringUtil.isEmpty(idCard)) { ownerDto.setIdCard(idCard); idCardErrorMsg="或者身份证号"; idCardErrorMsg = "或者身份证号"; } List<OwnerDto> ownerDtos = ownerInnerServiceSMOImpl.queryOwnerMembers(ownerDto); Assert.listOnlyOne(ownerDtos, "填写业主信息错误,请确认,预留业主姓名、手机号"+idCardErrorMsg+"信息是否正确!"); Assert.listOnlyOne(ownerDtos, "填写业主信息错误,请确认,预留业主姓名、手机号" + idCardErrorMsg + "信息是否正确!"); } //校验是否传了 分页信息 String msgCode = SendSmsFactory.generateMessageCode(6); SmsDto smsDto = new SmsDto(); smsDto.setTel(tel); smsDto.setCode(msgCode); if ("ON".equals(MappingCache.getValue(MappingConstant.SMS_DOMAIN,SendSmsFactory.SMS_SEND_SWITCH))) { if ("ON".equals(MappingCache.getValue(MappingConstant.SMS_DOMAIN, SendSmsFactory.SMS_SEND_SWITCH))) { smsDto = smsInnerServiceSMOImpl.send(smsDto); } else { CommonCache.setValue(smsDto.getTel() + SendSmsFactory.VALIDATE_CODE, smsDto.getCode().toLowerCase() + "-" + new Date().getTime(), CommonCache.defaultExpireTime);
