
修复springboot版本、fastjson、shiro版本漏洞

wuweihao 3 år sedan
förälder
incheckning
847046f436

+ 1 - 1
gis_application/src/main/resources/application-dev.properties

@@ -50,7 +50,7 @@ spring.redis.jedis.pool.max-wait=-1ms
 
 
 #log
-logging.path=E:/javaProject/${project.name}_log
+logging.file.path=E:/javaProject/${project.name}_log
 logging.config=classpath:logback-spring.xml
 logging.level.com.gis=debug
 

+ 1 - 1
gis_application/src/main/resources/application-pro.properties

@@ -52,7 +52,7 @@ spring.redis.jedis.pool.max-wait=-1ms
 
 
 #log
-logging.path=/home/data/${project.name}_log
+logging.file.path=/home/data/${project.name}_log
 logging.config=classpath:logback-spring.xml
 logging.level.com.gis=debug
 

+ 1 - 1
gis_application/src/main/resources/application-sit.properties

@@ -52,7 +52,7 @@ spring.redis.jedis.pool.max-wait=-1ms
 
 
 #log
-logging.path=/root/data/${project.name}_log
+logging.file.path=/root/data/${project.name}_log
 logging.config=classpath:logback-spring.xml
 logging.level.com.gis=debug
 

+ 4 - 4
gis_common/pom.xml

@@ -86,10 +86,10 @@
         </dependency>
 
         <!-- shiro -->
-        <dependency>
-            <groupId>org.apache.shiro</groupId>
-            <artifactId>shiro-spring</artifactId>
-        </dependency>
+        <!--<dependency>-->
+            <!--<groupId>org.apache.shiro</groupId>-->
+            <!--<artifactId>shiro-spring</artifactId>-->
+        <!--</dependency>-->
 
 
         <!-- jwt -->
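Review bot: Commenting out `shiro-spring` here does not fix the Shiro vulnerability the commit title names; together with the commented-out ShiroConfig, JWTFilter, JWTToken and MyRealm below, it removes the JWT authentication layer entirely, so the `/manage/**` chain that ShiroConfig mapped to the `jwt` filter is now served with no authentication check (assuming nothing outside this commit takes over, which nothing here shows). If the intent is the version fix the title describes, the dependency should stay and be pinned to a patched release, e.g. `<version><!-- patched shiro version --></version>` under dependencyManagement, with the Java sources left in place. If Shiro is genuinely being dropped, the replacement guard for `/manage/**` should land in the same commit, and the dependency should be deleted rather than commented out.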

+ 34 - 34
gis_common/src/main/java/com/gis/common/exception/JwtAuthenticationException.java

@@ -1,34 +1,34 @@
-package com.gis.common.exception;
-
-import org.apache.shiro.ShiroException;
-
-public class JwtAuthenticationException extends ShiroException {
-
-    private static final long serialVersionUID = 2899335020273674736L;
-
-    private int code;
-
-    private String msg;
-
-    public JwtAuthenticationException(int code, String msg){
-        super(msg);
-        this.code = code;
-        this.msg = msg;
-    }
-
-    public int getCode() {
-        return code;
-    }
-
-    public void setCode(int code) {
-        this.code = code;
-    }
-
-    public String getMsg() {
-        return msg;
-    }
-
-    public void setMsg(String msg) {
-        this.msg = msg;
-    }
-}
+//package com.gis.common.exception;
+//
+//import org.apache.shiro.ShiroException;
+//
+//public class JwtAuthenticationException extends ShiroException {
+//
+//    private static final long serialVersionUID = 2899335020273674736L;
+//
+//    private int code;
+//
+//    private String msg;
+//
+//    public JwtAuthenticationException(int code, String msg){
+//        super(msg);
+//        this.code = code;
+//        this.msg = msg;
+//    }
+//
+//    public int getCode() {
+//        return code;
+//    }
+//
+//    public void setCode(int code) {
+//        this.code = code;
+//    }
+//
+//    public String getMsg() {
+//        return msg;
+//    }
+//
+//    public void setMsg(String msg) {
+//        this.msg = msg;
+//    }
+//}
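Review bot: The whole file is turned into line comments instead of being deleted, which leaves a compilation unit with no package or class declaration in the source tree; the same pattern is used for JWTFilter.java, JWTToken.java, MyRealm.java, ShiroConfig.java and the two handlers in ExceptionController.java. Git history already preserves the old code, so removing these files (and removing, not commenting, the two Shiro imports and handlers in ExceptionController) keeps the tree clean and stops IDE search and grep from matching dead code. If the code is meant to return once a patched Shiro is in place, a sentence in the commit message saying so is the usual way to record it.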

+ 3 - 0
gis_service/src/main/java/com/gis/service/aop/WebControllerLog.java

@@ -10,4 +10,7 @@ import java.lang.annotation.*;
 @Documented
 public @interface WebControllerLog {
     String description() default "";
+
+    //是否加入数据库
+    boolean addDb() default false;
 }
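Review bot: The new `addDb` element carries only a bare line comment, so its meaning is invisible to callers in the IDE; annotation elements should get Javadoc. Something like `/** Whether this request log entry should also be written to the database; currently only read and logged by WebLogAspect. */` above `boolean addDb() default false;` states the contract without claiming more than the commit implements.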

+ 39 - 3
gis_service/src/main/java/com/gis/service/aop/WebLogAspect.java

@@ -14,7 +14,9 @@ import org.springframework.stereotype.Component;
 import javax.servlet.http.HttpServletRequest;
 import java.lang.reflect.Method;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 /**
  * Created by owen on 2020/2/25 0025 9:24
@@ -43,6 +45,14 @@ public class WebLogAspect {
         log.info("request IP : {}" , request.getRemoteAddr());
         log.info("request Args : {}" , Arrays.toString(joinPoint.getArgs()));
 
+        Map<String, Object> controllerLog = getControllerLog(joinPoint);
+        if (controllerLog == null) {
+            return;
+        }
+        String description = (String)controllerLog.get("description");
+        log.info("request description : {}", description);
+        log.info("request addDb : {}", controllerLog.get("addDb"));
+
         // 获取token
         String token = request.getHeader("token");
         if (StringUtils.isBlank(token)) {
@@ -62,7 +72,7 @@ public class WebLogAspect {
         }
 
 
-        String description = getControllerLogDescription(joinPoint);
+//        String description = getControllerLogDescription(joinPoint);
 
         if (StringUtils.isNotBlank(description)) {
             log.info("request description : {}", description);
@@ -95,13 +105,36 @@ public class WebLogAspect {
      * @return 方法描述
      * @throws Exception
      */
-    public static String getControllerLogDescription(JoinPoint joinPoint) throws Exception {
+//    public static String getControllerLogDescription(JoinPoint joinPoint) throws Exception {
+//        String targetName = joinPoint.getTarget().getClass().getName();
+//        String methodName = joinPoint.getSignature().getName();
+//        Object[] arguments = joinPoint.getArgs();
+//        Class targetClass = Class.forName(targetName);
+//        Method[] methods = targetClass.getMethods();
+//        String description = "";
+//        for (Method method : methods) {
+//            if (method.getName().equals(methodName)) {
+//                Class[] clazzs = method.getParameterTypes();
+//                if (clazzs.length == arguments.length) {
+//                    WebControllerLog annotation = method.getAnnotation(WebControllerLog.class);
+//                    if (annotation != null) {
+//                        description = annotation.description();
+//                        break;
+//                    }
+//                }
+//            }
+//        }
+//        return description;
+//    }
+
+    public static Map<String, Object> getControllerLog(JoinPoint joinPoint) throws Exception {
         String targetName = joinPoint.getTarget().getClass().getName();
         String methodName = joinPoint.getSignature().getName();
         Object[] arguments = joinPoint.getArgs();
         Class targetClass = Class.forName(targetName);
         Method[] methods = targetClass.getMethods();
         String description = "";
+        Map<String, Object> result = new HashMap<>();
         for (Method method : methods) {
             if (method.getName().equals(methodName)) {
                 Class[] clazzs = method.getParameterTypes();
@@ -109,12 +142,15 @@ public class WebLogAspect {
                     WebControllerLog annotation = method.getAnnotation(WebControllerLog.class);
                     if (annotation != null) {
                         description = annotation.description();
+                        boolean addDb = annotation.addDb();
+                        result.put("description", description);
+                        result.put("addDb", addDb);
                         break;
                     }
                 }
             }
         }
-        return description;
+        return result;
     }
 
     private static List<String> getDetail(String str){
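Review bot: The null guard at the top of the new block in the first code hunk never fires, because `getControllerLog` always returns the freshly allocated `HashMap` (it returns `result` even when no annotation matched), so for a controller method without `@WebControllerLog` the code falls through and logs `request description : null`. Either the guard should test `controllerLog.isEmpty()` — which would then also skip the token logging further down for un-annotated methods — or, if that is not intended, replace the guard with defaults: `String description = (String) controllerLog.getOrDefault("description", "");` and `log.info("request addDb : {}", controllerLog.getOrDefault("addDb", false));`. The advice method enclosing that hunk starts outside it. Separately, the description is now logged twice (in that hunk and again in the later `isNotBlank` branch), and `getControllerLog` still declares `throws Exception` only because of `Class.forName(targetName)`, which can be `joinPoint.getTarget().getClass()` directly.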

+ 135 - 135
gis_service/src/main/java/com/gis/service/shiro/JWTFilter.java

@@ -1,135 +1,135 @@
-package com.gis.service.shiro;
-
-import com.alibaba.fastjson.JSONObject;
-import com.gis.common.exception.JwtAuthenticationException;
-import lombok.extern.log4j.Log4j2;
-import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
-import org.springframework.http.HttpStatus;
-import org.springframework.web.bind.annotation.RequestMethod;
-
-import javax.servlet.ServletOutputStream;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.io.PrintWriter;
-
-
-/**
- * 自定义拦截规则
- */
-@Log4j2
-public class JWTFilter extends BasicHttpAuthenticationFilter {
-
-    /**
-     * 执行登录验证
-     */
-    @Override
-    protected boolean executeLogin(ServletRequest request, ServletResponse response) {
-        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
-        String authorization = httpServletRequest.getHeader("token");
-        JWTToken token = new JWTToken(authorization);
-
-        // 提交给realm进行登入,如果错误他会抛出异常并被捕获
-        getSubject(request, response).login(token);
-
-        // 如果没有抛出异常则代表登入成功,返回true
-        return true;
-    }
-
-    /**
-     * 这里我们详细说明下为什么最终返回的都是true,即允许访问
-     * 例如我们提供一个地址 GET /article
-     * 登入用户和游客看到的内容是不同的
-     * 如果在这里返回了false,请求会被直接拦截,用户看不到任何东西
-     * 所以我们在这里返回true,Controller中可以通过 subject.isAuthenticated() 来判断用户是否登入
-     * 如果有些资源只有登入用户才能访问,我们只需要在方法上面加上 @RequiresAuthentication 注解即可
-     * 但是这样做有一个缺点,就是不能够对GET,POST等请求进行分别过滤鉴权(因为我们重写了官方的方法),但实际上对应用影响不大
-     *
-     * owen:
-     *  return false ,表示全局拦截,必须登录才可以访问接口,除非配置了免拦截
-     *  "" @RequiresAuthentication 现在不需要配置这个注解来免登录
-     *
-     */
-    @Override
-    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
-        try {
-            executeLogin(request, response);
-        } catch (Exception e) {
-            /**
-             * 这个异常需要自己写,全局捕获不了
-             * 认证出现异常,传递错误信息msg
-             */
-            exceptionMsg(e, response);
-        }
-        // return false 前端没有响应,接收不到异常
-        return true;
-
-
-    }
-
-    /**
-     * 对跨域提供支持
-     * 只对需要token验证的有效,不需要验证的还是需要用注解处理一下
-     *
-     */
-    @Override
-    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
-        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
-        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
-        httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
-        httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
-        httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
-        // 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
-        if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
-            httpServletResponse.setStatus(HttpStatus.OK.value());
-            return false;
-        }
-        return super.preHandle(request, response);
-    }
-
-
-    /**
-     * 无需转发,直接返回Response信息
-     *
-     */
-    private void writeResponse(ServletResponse response, JSONObject msg) {
-        response.setCharacterEncoding("UTF-8");
-        response.setContentType("application/json; charset=utf-8");
-        ServletOutputStream outputStream = null;
-        try {
-            outputStream = response.getOutputStream();
-        } catch (IOException e) {
-            e.printStackTrace();
-        }
-        assert outputStream != null;
-        PrintWriter printWriter = new PrintWriter(outputStream, true);
-        printWriter.write(msg.toString());//直接将json输出到页面
-        printWriter.flush();
-        printWriter.close();
-
-    }
-
-    /**
-     * 封装异常信息
-     */
-    private void exceptionMsg(Exception e, ServletResponse response) {
-        // 认证出现异常,传递错误信息msg
-        String msg = e.getMessage();
-        // 获取应用异常(该Cause是导致抛出此throwable(异常)的throwable(异常))
-        Throwable throwable = e.getCause();
-        JSONObject jsonObject = new JSONObject();
-        if (throwable instanceof JwtAuthenticationException) {
-            jsonObject.put("code", ((JwtAuthenticationException) throwable).getCode());
-            jsonObject.put("msg", ((JwtAuthenticationException) throwable).getMsg());
-        } else {
-            log.error(msg);
-            jsonObject.put("code", 5002);
-            jsonObject.put("msg", "token invalid");
-        }
-        // 直接返回Response信息
-        this.writeResponse(response, jsonObject);
-
-    }
-}
+//package com.gis.service.shiro;
+//
+//import com.alibaba.fastjson.JSONObject;
+//import com.gis.common.exception.JwtAuthenticationException;
+//import lombok.extern.log4j.Log4j2;
+//import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
+//import org.springframework.http.HttpStatus;
+//import org.springframework.web.bind.annotation.RequestMethod;
+//
+//import javax.servlet.ServletOutputStream;
+//import javax.servlet.ServletRequest;
+//import javax.servlet.ServletResponse;
+//import javax.servlet.http.HttpServletRequest;
+//import javax.servlet.http.HttpServletResponse;
+//import java.io.IOException;
+//import java.io.PrintWriter;
+//
+//
+///**
+// * 自定义拦截规则
+// */
+//@Log4j2
+//public class JWTFilter extends BasicHttpAuthenticationFilter {
+//
+//    /**
+//     * 执行登录验证
+//     */
+//    @Override
+//    protected boolean executeLogin(ServletRequest request, ServletResponse response) {
+//        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+//        String authorization = httpServletRequest.getHeader("token");
+//        JWTToken token = new JWTToken(authorization);
+//
+//        // 提交给realm进行登入,如果错误他会抛出异常并被捕获
+//        getSubject(request, response).login(token);
+//
+//        // 如果没有抛出异常则代表登入成功,返回true
+//        return true;
+//    }
+//
+//    /**
+//     * 这里我们详细说明下为什么最终返回的都是true,即允许访问
+//     * 例如我们提供一个地址 GET /article
+//     * 登入用户和游客看到的内容是不同的
+//     * 如果在这里返回了false,请求会被直接拦截,用户看不到任何东西
+//     * 所以我们在这里返回true,Controller中可以通过 subject.isAuthenticated() 来判断用户是否登入
+//     * 如果有些资源只有登入用户才能访问,我们只需要在方法上面加上 @RequiresAuthentication 注解即可
+//     * 但是这样做有一个缺点,就是不能够对GET,POST等请求进行分别过滤鉴权(因为我们重写了官方的方法),但实际上对应用影响不大
+//     *
+//     * owen:
+//     *  return false ,表示全局拦截,必须登录才可以访问接口,除非配置了免拦截
+//     *  "" @RequiresAuthentication 现在不需要配置这个注解来免登录
+//     *
+//     */
+//    @Override
+//    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
+//        try {
+//            executeLogin(request, response);
+//        } catch (Exception e) {
+//            /**
+//             * 这个异常需要自己写,全局捕获不了
+//             * 认证出现异常,传递错误信息msg
+//             */
+//            exceptionMsg(e, response);
+//        }
+//        // return false 前端没有响应,接收不到异常
+//        return true;
+//
+//
+//    }
+//
+//    /**
+//     * 对跨域提供支持
+//     * 只对需要token验证的有效,不需要验证的还是需要用注解处理一下
+//     *
+//     */
+//    @Override
+//    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
+//        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+//        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
+//        httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
+//        httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
+//        httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
+//        // 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
+//        if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
+//            httpServletResponse.setStatus(HttpStatus.OK.value());
+//            return false;
+//        }
+//        return super.preHandle(request, response);
+//    }
+//
+//
+//    /**
+//     * 无需转发,直接返回Response信息
+//     *
+//     */
+//    private void writeResponse(ServletResponse response, JSONObject msg) {
+//        response.setCharacterEncoding("UTF-8");
+//        response.setContentType("application/json; charset=utf-8");
+//        ServletOutputStream outputStream = null;
+//        try {
+//            outputStream = response.getOutputStream();
+//        } catch (IOException e) {
+//            e.printStackTrace();
+//        }
+//        assert outputStream != null;
+//        PrintWriter printWriter = new PrintWriter(outputStream, true);
+//        printWriter.write(msg.toString());//直接将json输出到页面
+//        printWriter.flush();
+//        printWriter.close();
+//
+//    }
+//
+//    /**
+//     * 封装异常信息
+//     */
+//    private void exceptionMsg(Exception e, ServletResponse response) {
+//        // 认证出现异常,传递错误信息msg
+//        String msg = e.getMessage();
+//        // 获取应用异常(该Cause是导致抛出此throwable(异常)的throwable(异常))
+//        Throwable throwable = e.getCause();
+//        JSONObject jsonObject = new JSONObject();
+//        if (throwable instanceof JwtAuthenticationException) {
+//            jsonObject.put("code", ((JwtAuthenticationException) throwable).getCode());
+//            jsonObject.put("msg", ((JwtAuthenticationException) throwable).getMsg());
+//        } else {
+//            log.error(msg);
+//            jsonObject.put("code", 5002);
+//            jsonObject.put("msg", "token invalid");
+//        }
+//        // 直接返回Response信息
+//        this.writeResponse(response, jsonObject);
+//
+//    }
+//}

+ 23 - 23
gis_service/src/main/java/com/gis/service/shiro/JWTToken.java

@@ -1,23 +1,23 @@
-package com.gis.service.shiro;
-
-import org.apache.shiro.authc.AuthenticationToken;
-
-public class JWTToken implements AuthenticationToken {
-
-    // 密钥
-    private String token;
-
-    public JWTToken(String token) {
-        this.token = token;
-    }
-
-    @Override
-    public Object getPrincipal() {
-        return token;
-    }
-
-    @Override
-    public Object getCredentials() {
-        return token;
-    }
-}
+//package com.gis.service.shiro;
+//
+//import org.apache.shiro.authc.AuthenticationToken;
+//
+//public class JWTToken implements AuthenticationToken {
+//
+//    // 密钥
+//    private String token;
+//
+//    public JWTToken(String token) {
+//        this.token = token;
+//    }
+//
+//    @Override
+//    public Object getPrincipal() {
+//        return token;
+//    }
+//
+//    @Override
+//    public Object getCredentials() {
+//        return token;
+//    }
+//}

+ 104 - 104
gis_service/src/main/java/com/gis/service/shiro/MyRealm.java

@@ -1,105 +1,105 @@
-package com.gis.service.shiro;
-
-import com.gis.common.constant.TypeCode;
-import com.gis.common.exception.JwtAuthenticationException;
-import com.gis.common.util.JwtUtil;
-import lombok.extern.log4j.Log4j2;
-import org.apache.commons.lang3.StringUtils;
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.SimpleAuthenticationInfo;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.authz.SimpleAuthorizationInfo;
-import org.apache.shiro.realm.AuthorizingRealm;
-import org.apache.shiro.subject.PrincipalCollection;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.data.redis.core.RedisTemplate;
-import org.springframework.stereotype.Service;
-
-/**
- * 配置不校验的话,是不会走这个方法的
- */
-@Log4j2
-@Service
-public class MyRealm extends AuthorizingRealm {
-
-
-
-    @Autowired
-    private RedisTemplate<String, String> redisTemplate;
-
-
-
-    /**
-     * 大坑!,必须重写此方法,不然Shiro会报错
-     */
-    @Override
-    public boolean supports(AuthenticationToken token) {
-        return token instanceof JWTToken;
-    }
-
-
-
-
-    /**
-     * 只有当需要检测用户权限的时候才会调用此方法,例如checkRole,checkPermission之类的
-     *
-     * principals: 是token
-     */
-    @Override
-    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
-        String username = JwtUtil.getUsername(principals.toString());
-
-
-        SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
-
-//        simpleAuthorizationInfo.addRole(dbUserEntity.getRole());
-        return simpleAuthorizationInfo;
-    }
-
-
-    /**
-     * 默认使用此方法进行用户名正确与否验证,错误抛出异常即可。
-     */
-    @Override
-    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken auth) throws AuthenticationException {
-        String token = (String) auth.getCredentials();
-
-        if (StringUtils.isBlank(token)) {
-            log.error("oken is null ");
-            throw new JwtAuthenticationException(5001, "header token is null");
-        }
-
-
-        // 解密获得username,用于和数据库进行对比
-        String username = JwtUtil.getUsername(token);
-        if (username == null) {
-            log.error("error token username");
-            throw new JwtAuthenticationException(5001, "token invalid");
-        }
-
-//        SysUserEntity userEntity = userService.findByUserName(username);
-//        if (userEntity == null) {
-//            log.error("error token userEntity");
-//            throw new JwtAuthenticationException(5001, "User didn't existed!");
+//package com.gis.service.shiro;
+//
+//import com.gis.common.constant.TypeCode;
+//import com.gis.common.exception.JwtAuthenticationException;
+//import com.gis.common.util.JwtUtil;
+//import lombok.extern.log4j.Log4j2;
+//import org.apache.commons.lang3.StringUtils;
+//import org.apache.shiro.authc.AuthenticationException;
+//import org.apache.shiro.authc.AuthenticationInfo;
+//import org.apache.shiro.authc.AuthenticationToken;
+//import org.apache.shiro.authc.SimpleAuthenticationInfo;
+//import org.apache.shiro.authz.AuthorizationInfo;
+//import org.apache.shiro.authz.SimpleAuthorizationInfo;
+//import org.apache.shiro.realm.AuthorizingRealm;
+//import org.apache.shiro.subject.PrincipalCollection;
+//import org.springframework.beans.factory.annotation.Autowired;
+//import org.springframework.data.redis.core.RedisTemplate;
+//import org.springframework.stereotype.Service;
+//
+///**
+// * 配置不校验的话,是不会走这个方法的
+// */
+//@Log4j2
+//@Service
+//public class MyRealm extends AuthorizingRealm {
+//
+//
+//
+//    @Autowired
+//    private RedisTemplate<String, String> redisTemplate;
+//
+//
+//
+//    /**
+//     * 大坑!,必须重写此方法,不然Shiro会报错
+//     */
+//    @Override
+//    public boolean supports(AuthenticationToken token) {
+//        return token instanceof JWTToken;
+//    }
+//
+//
+//
+//
+//    /**
+//     * 只有当需要检测用户权限的时候才会调用此方法,例如checkRole,checkPermission之类的
+//     *
+//     * principals: 是token
+//     */
+//    @Override
+//    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+//        String username = JwtUtil.getUsername(principals.toString());
+//
+//
+//        SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
+//
+////        simpleAuthorizationInfo.addRole(dbUserEntity.getRole());
+//        return simpleAuthorizationInfo;
+//    }
+//
+//
+//    /**
+//     * 默认使用此方法进行用户名正确与否验证,错误抛出异常即可。
+//     */
+//    @Override
+//    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken auth) throws AuthenticationException {
+//        String token = (String) auth.getCredentials();
+//
+//        if (StringUtils.isBlank(token)) {
+//            log.error("oken is null ");
+//            throw new JwtAuthenticationException(5001, "header token is null");
 //        }
-
-        // 校验请求token是否跟redis token一致
-        String redisToken = redisTemplate.opsForValue().get(TypeCode.REDIS_LOGIN_TOKEN + token);
-
-        if (!token.equals(redisToken)) {
-            log.error("redis token is null");
-            throw new JwtAuthenticationException(5001, "redis token is null");
-
-        }
-
-
-        if (! JwtUtil.isVerify(token, username)) {
-            log.error("error token username or password");
-            throw new JwtAuthenticationException(5001, "token invalid");
-        }
-
-        return new SimpleAuthenticationInfo(token, token, "my_realm");
-    }
-}
+//
+//
+//        // 解密获得username,用于和数据库进行对比
+//        String username = JwtUtil.getUsername(token);
+//        if (username == null) {
+//            log.error("error token username");
+//            throw new JwtAuthenticationException(5001, "token invalid");
+//        }
+//
+////        SysUserEntity userEntity = userService.findByUserName(username);
+////        if (userEntity == null) {
+////            log.error("error token userEntity");
+////            throw new JwtAuthenticationException(5001, "User didn't existed!");
+////        }
+//
+//        // 校验请求token是否跟redis token一致
+//        String redisToken = redisTemplate.opsForValue().get(TypeCode.REDIS_LOGIN_TOKEN + token);
+//
+//        if (!token.equals(redisToken)) {
+//            log.error("redis token is null");
+//            throw new JwtAuthenticationException(5001, "redis token is null");
+//
+//        }
+//
+//
+//        if (! JwtUtil.isVerify(token, username)) {
+//            log.error("error token username or password");
+//            throw new JwtAuthenticationException(5001, "token invalid");
+//        }
+//
+//        return new SimpleAuthenticationInfo(token, token, "my_realm");
+//    }
+//}

+ 114 - 114
gis_service/src/main/java/com/gis/service/shiro/ShiroConfig.java

@@ -1,114 +1,114 @@
-package com.gis.service.shiro;
-
-import lombok.extern.log4j.Log4j2;
-import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
-import org.apache.shiro.mgt.DefaultSubjectDAO;
-import org.apache.shiro.spring.LifecycleBeanPostProcessor;
-import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
-import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
-import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
-import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.DependsOn;
-
-import javax.servlet.Filter;
-import java.util.HashMap;
-import java.util.Map;
-
-@Log4j2
-@Configuration
-public class ShiroConfig {
-
-    @Bean("securityManager")
-    public DefaultWebSecurityManager getManager(MyRealm realm) {
-        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
-        // 使用自己的realm
-        manager.setRealm(realm);
-
-        /*
-         * 关闭shiro自带的session,详情见文档
-         * http://shiro.apache.org/session-management.html#SessionManagement-StatelessApplications%28Sessionless%29
-         */
-        DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
-        DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
-        defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
-        subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
-        manager.setSubjectDAO(subjectDAO);
-
-        return manager;
-    }
-
-    @Bean("shiroFilter")
-    public ShiroFilterFactoryBean factory(DefaultWebSecurityManager securityManager) {
-        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
-
-        // 添加自己的过滤器并且取名为jwt
-        Map<String, Filter> filterMap = new HashMap<>();
-        filterMap.put("jwt", new JWTFilter());
-
-
-
-
-        factoryBean.setFilters(filterMap);
-
-        factoryBean.setSecurityManager(securityManager);
-        factoryBean.setUnauthorizedUrl("/401");
-
-        /*
-         * 自定义url规则
-         * http://shiro.apache.org/web.html#urls-
-         */
-        Map<String, String> filterRuleMap = new HashMap<>();
-
-        // 不拦截
-        filterRuleMap.put("/login", "anon");
-        filterRuleMap.put("/logout", "anon");
-        filterRuleMap.put("/admin", "anon");
-        filterRuleMap.put("/admin/login", "anon");
-        filterRuleMap.put("/test/**", "anon");
-
-
-        // swagger 不拦截
-        filterRuleMap.put("/swagger-resources/**", "anon");
-        filterRuleMap.put("/webjars/**", "anon");
-        filterRuleMap.put("/v2/**", "anon");
-        filterRuleMap.put("/swagger-ui.html/**", "anon");
-
-
-        // 所有请求通过我们自己的JWT Filter
-        filterRuleMap.put("/manage/**", "jwt");
-
-
-        // 访问401和404页面不通过我们的Filter
-        filterRuleMap.put("/401", "anon");
-        factoryBean.setFilterChainDefinitionMap(filterRuleMap);
-        return factoryBean;
-    }
-
-    /**
-     * 下面的代码是添加注解支持
-     */
-    @Bean
-    @DependsOn("lifecycleBeanPostProcessor")
-    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
-        DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
-        // 强制使用cglib,防止重复代理和可能引起代理出错的问题
-        // https://zhuanlan.zhihu.com/p/29161098
-        defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
-        return defaultAdvisorAutoProxyCreator;
-    }
-
-    @Bean
-    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
-        return new LifecycleBeanPostProcessor();
-    }
-
-    @Bean
-    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
-        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
-        advisor.setSecurityManager(securityManager);
-        return advisor;
-    }
-
-}
+//package com.gis.service.shiro;
+//
+//import lombok.extern.log4j.Log4j2;
+//import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
+//import org.apache.shiro.mgt.DefaultSubjectDAO;
+//import org.apache.shiro.spring.LifecycleBeanPostProcessor;
+//import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
+//import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+//import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+//import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
+//import org.springframework.context.annotation.Bean;
+//import org.springframework.context.annotation.Configuration;
+//import org.springframework.context.annotation.DependsOn;
+//
+//import javax.servlet.Filter;
+//import java.util.HashMap;
+//import java.util.Map;
+//
+//@Log4j2
+//@Configuration
+//public class ShiroConfig {
+//
+//    @Bean("securityManager")
+//    public DefaultWebSecurityManager getManager(MyRealm realm) {
+//        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
+//        // 使用自己的realm
+//        manager.setRealm(realm);
+//
+//        /*
+//         * 关闭shiro自带的session,详情见文档
+//         * http://shiro.apache.org/session-management.html#SessionManagement-StatelessApplications%28Sessionless%29
+//         */
+//        DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
+//        DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
+//        defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
+//        subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
+//        manager.setSubjectDAO(subjectDAO);
+//
+//        return manager;
+//    }
+//
+//    @Bean("shiroFilter")
+//    public ShiroFilterFactoryBean factory(DefaultWebSecurityManager securityManager) {
+//        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
+//
+//        // 添加自己的过滤器并且取名为jwt
+//        Map<String, Filter> filterMap = new HashMap<>();
+//        filterMap.put("jwt", new JWTFilter());
+//
+//
+//
+//
+//        factoryBean.setFilters(filterMap);
+//
+//        factoryBean.setSecurityManager(securityManager);
+//        factoryBean.setUnauthorizedUrl("/401");
+//
+//        /*
+//         * 自定义url规则
+//         * http://shiro.apache.org/web.html#urls-
+//         */
+//        Map<String, String> filterRuleMap = new HashMap<>();
+//
+//        // 不拦截
+//        filterRuleMap.put("/login", "anon");
+//        filterRuleMap.put("/logout", "anon");
+//        filterRuleMap.put("/admin", "anon");
+//        filterRuleMap.put("/admin/login", "anon");
+//        filterRuleMap.put("/test/**", "anon");
+//
+//
+//        // swagger 不拦截
+//        filterRuleMap.put("/swagger-resources/**", "anon");
+//        filterRuleMap.put("/webjars/**", "anon");
+//        filterRuleMap.put("/v2/**", "anon");
+//        filterRuleMap.put("/swagger-ui.html/**", "anon");
+//
+//
+//        // 所有请求通过我们自己的JWT Filter
+//        filterRuleMap.put("/manage/**", "jwt");
+//
+//
+//        // 访问401和404页面不通过我们的Filter
+//        filterRuleMap.put("/401", "anon");
+//        factoryBean.setFilterChainDefinitionMap(filterRuleMap);
+//        return factoryBean;
+//    }
+//
+//    /**
+//     * 下面的代码是添加注解支持
+//     */
+//    @Bean
+//    @DependsOn("lifecycleBeanPostProcessor")
+//    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
+//        DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
+//        // 强制使用cglib,防止重复代理和可能引起代理出错的问题
+//        // https://zhuanlan.zhihu.com/p/29161098
+//        defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
+//        return defaultAdvisorAutoProxyCreator;
+//    }
+//
+//    @Bean
+//    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
+//        return new LifecycleBeanPostProcessor();
+//    }
+//
+//    @Bean
+//    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
+//        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
+//        advisor.setSecurityManager(securityManager);
+//        return advisor;
+//    }
+//
+//}

+ 15 - 15
gis_web/src/main/java/com/gis/web/controller/ExceptionController.java

@@ -3,8 +3,8 @@ package com.gis.web.controller;
 import com.gis.common.exception.BaseRuntimeException;
 import com.gis.common.util.Result;
 import lombok.extern.log4j.Log4j2;
-import org.apache.shiro.ShiroException;
-import org.apache.shiro.authz.UnauthorizedException;
+//import org.apache.shiro.ShiroException;
+//import org.apache.shiro.authz.UnauthorizedException;
 import org.springframework.dao.DuplicateKeyException;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.MethodArgumentNotValidException;
@@ -27,13 +27,13 @@ import javax.validation.ValidationException;
 public class ExceptionController {
 
     // 捕捉shiro的异常
-    @ResponseStatus(HttpStatus.UNAUTHORIZED)
-    @ExceptionHandler(ShiroException.class)
-    public Result handle401(ShiroException e) {
-//        return Result.failure(5001, e.getMessage());
-        log.error("没有授权1");
-        return Result.failure(5001, "没有授权");
-    }
+//    @ResponseStatus(HttpStatus.UNAUTHORIZED)
+//    @ExceptionHandler(ShiroException.class)
+//    public Result handle401(ShiroException e) {
+////        return Result.failure(5001, e.getMessage());
+//        log.error("没有授权1");
+//        return Result.failure(5001, "没有授权");
+//    }
 
 
 
@@ -42,12 +42,12 @@ public class ExceptionController {
      *
      * 权限不够,会抛这个异常
      */
-    @ResponseStatus(HttpStatus.UNAUTHORIZED)
-    @ExceptionHandler(UnauthorizedException.class)
-    public Result handle401() {
-        log.error("没有权限");
-        return Result.failure(5003, "没有权限");
-    }
+//    @ResponseStatus(HttpStatus.UNAUTHORIZED)
+//    @ExceptionHandler(UnauthorizedException.class)
+//    public Result handle401() {
+//        log.error("没有权限");
+//        return Result.failure(5003, "没有权限");
+//    }
 
     // 捕捉其他所有异常
     @ExceptionHandler(Exception.class)
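Review bot: Commenting out both `handle401` methods (the `ShiroException` handler in the second hunk and the `UnauthorizedException` handler in the third) leaves no handler that maps authentication or authorization failures to `HttpStatus.UNAUTHORIZED` with codes 5001/5003; such failures now fall through to the catch-all `@ExceptionHandler(Exception.class)` whose status and body are outside this hunk, so clients can no longer tell "not logged in" from a server error. If Shiro is being replaced, the replacement's exception types need equivalent handlers; if authentication is intentionally dropped, the dead blocks and the stale `// 捕捉shiro的异常` comment above them should be deleted rather than commented out, since version control already keeps the history. The same comment-out-instead-of-delete pattern appears in the shiro sections of pom.xml and gis_common/pom.xml in this commit. The `ExceptionController` class continues past the end of the hunk.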

+ 2 - 0
gis_web/src/main/java/com/gis/web/controller/WebController.java

@@ -4,6 +4,7 @@ import com.gis.common.util.Result;
 import com.gis.domain.po.QuestionEntity;
 import com.gis.service.AnswerService;
 import com.gis.service.QuestionService;
+import com.gis.service.aop.WebControllerLog;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import lombok.extern.slf4j.Slf4j;
@@ -32,6 +33,7 @@ public class WebController extends BaseController {
      * @param
      * @return
      */
+    @WebControllerLog(description = "展示页-获取答题", addDb = true)
     @ApiOperation("获取答题")
     @GetMapping("list/{type}/{pcs}")
     public Result<List<QuestionEntity>> getQuestion(@PathVariable Integer type, @PathVariable Integer pcs) {
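Review bot: `@WebControllerLog(description = "展示页-获取答题", addDb = true)` on `getQuestion` presumably persists a log record for every request to this endpoint; if `list/{type}/{pcs}` is publicly reachable (the ShiroConfig commented out earlier in this commit marked several paths `anon`, and the controller's base mapping is outside the hunk), an unauthenticated caller can drive unbounded writes into that table. Consider `addDb = false` for public read endpoints, or confirm that the aspect caps or rate-limits what it stores and that the `type`/`pcs` path values are validated before being logged. The aspect's behaviour is not visible in this diff, so this is a question for the author rather than a confirmed defect; `getQuestion`'s body also runs past the end of the hunk.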

+ 7 - 7
pom.xml

@@ -13,7 +13,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.1.0.RELEASE</version>
+        <version>2.3.4.RELEASE</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
 
@@ -36,7 +36,7 @@
         <hutool.version>5.3.3</hutool.version>
         <httpclient.version>4.5.12</httpclient.version>
         <lombok.version>1.18.2</lombok.version>
-        <fastjson.version>1.2.51</fastjson.version>
+        <fastjson.version>1.2.75</fastjson.version>
         <lang3.version>3.7</lang3.version>
         <knife4j.version>2.0.2</knife4j.version>
         <mysql.version>8.0.15</mysql.version>
@@ -174,11 +174,11 @@
             </dependency>
 
             <!-- shiro -->
-            <dependency>
-                <groupId>org.apache.shiro</groupId>
-                <artifactId>shiro-spring</artifactId>
-                <version>${shiro.version}</version>
-            </dependency>
+            <!--<dependency>-->
+                <!--<groupId>org.apache.shiro</groupId>-->
+                <!--<artifactId>shiro-spring</artifactId>-->
+                <!--<version>${shiro.version}</version>-->
+            <!--</dependency>-->
 
 
             <!-- jwt -->
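Review bot: Commenting out the `shiro-spring` dependency in the third hunk removes the framework that enforced the `/manage/** -> jwt` filter chain (see the commented-out ShiroConfig earlier in this commit), and nothing in this diff registers a replacement filter, so unless one exists elsewhere the management endpoints are now reachable without a token — a removal, not the version fix the commit message describes. If Shiro is gone for good, delete the `<dependency>` block and the now-unused `shiro.version` property (if it is still defined) instead of commenting them out; if it is meant to stay, bumping `${shiro.version}` is the intended fix. The `fastjson.version` bump to 1.2.75 in the second hunk is only a partial fix: the 1.2.x line kept receiving autoType-bypass fixes after that release, so the project should track the latest 1.2.x and enable safe mode (`ParserConfig.getGlobalInstance().setSafeMode(true)`, or `-Dfastjson.parser.safeMode=true`) so that untrusted JSON cannot name arbitrary classes.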