添加随机数防止请求重放

2026-01-25 07:46:40 +08:00 · 2023-11-29 22:08:01 +08:00
parent f86b1c1890
commit 0076a5adcc
2 changed files with 32 additions and 1 deletions
--- a/src/main/java/cn/lihongjie/coal/common/Constants.java
+++ b/src/main/java/cn/lihongjie/coal/common/Constants.java
@@ -12,10 +12,12 @@ public class Constants {
    public static final String CACHE_RESOURCE_MENU_TREE = "resourceMenuTree";
    public static final String HTTP_HEADER_TOKEN = "X-Token";
    public static final String HTTP_HEADER_CLIENT_SIGN = "X-Client-Sign";
+    public static final String HTTP_HEADER_CLIENT_RANDOM = "X-Client-Random";
    public static final String HTTP_HEADER_TS = "X-TS";
    public static final String RATE_LIMIT_GLOBAL_SESSION_PREFIX = "global-session-rl-";
    public static final String RATE_LIMIT_GLOBAL_USER_PREFIX = "global-user-rl-";
    public static final String CACHE_ADDRESS_TYPE = "addressType";
+    public static final String CACHE_CLIENT_RANDOM_PREFIX = "clientRandom::";
    public static String SYSCONFIG_ENABLE_CAPTCHA = "enable_captcha";
    public static String SYSCONFIG_ENABLE_REQUEST_SIGN = "enable_request_sign";
    public static String SYSCONFIG_SESSION_TIMEOUT = "session_timeout";
--- a/src/main/java/cn/lihongjie/coal/filter/SignFilter.java
+++ b/src/main/java/cn/lihongjie/coal/filter/SignFilter.java
@@ -25,6 +25,7 @@ import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.annotation.Order;
+import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;

@@ -32,6 +33,7 @@ import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.time.LocalDateTime;
 import java.util.*;
+import java.util.concurrent.TimeUnit;

 import javax.crypto.Mac;

@@ -40,6 +42,7 @@ import javax.crypto.Mac;
@Order(10)
@Slf4j
 public class SignFilter extends OncePerRequestFilter {
+    public static final int TIME_DIFF_MS = 1000 * 60 * 2;
    @Autowired ObjectMapper objectMapper;
    @Autowired SysConfigService sysConfigService;

@@ -47,6 +50,9 @@ public class SignFilter extends OncePerRequestFilter {
    @Autowired IpQueryService ipQueryService;
    @Autowired LoginUserService loginUserService;

+    @Autowired
+    RedisTemplate<String, String> redisTemplate;
+
    @Override
    protected void doFilterInternal(
            HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
@@ -80,6 +86,13 @@ public class SignFilter extends OncePerRequestFilter {
                        new BizException(Constants.HTTP_HEADER_TS + " 请求头缺失"), response);
                return;
            }
+
+            String random = request.getHeader(Constants.HTTP_HEADER_CLIENT_RANDOM);
+            if (StringUtils.isEmpty(random)) {
+                RequestUtils.writeResponse(
+                        new BizException(Constants.HTTP_HEADER_CLIENT_RANDOM + " 请求头缺失"), response);
+                return;
+            }
            long tsi = 0;

            try {
@@ -93,7 +106,7 @@ public class SignFilter extends OncePerRequestFilter {

            long current = System.currentTimeMillis();

-            if (Math.abs(tsi - current) > 1000 * 60 * 2) {
+            if (Math.abs(tsi - current) > TIME_DIFF_MS) {
                RequestUtils.writeResponse(
                        new BizException(
                                Constants.HTTP_HEADER_TS
@@ -111,6 +124,10 @@ public class SignFilter extends OncePerRequestFilter {

            sb.append(StringUtils.defaultString("\n"));

+            sb.append(StringUtils.defaultString(random));
+
+            sb.append(StringUtils.defaultString("\n"));
+
            String sha256Hex = DigestUtils.sha256Hex(request.getInputStream()).toUpperCase();

            sb.append(StringUtils.defaultString(sha256Hex));
@@ -132,6 +149,18 @@ public class SignFilter extends OncePerRequestFilter {
                        new BizException(Constants.HTTP_HEADER_CLIENT_SIGN + " 请求头签名错误"), response);
                return;
            }
+
+            String cr = redisTemplate.opsForValue().get(Constants.CACHE_CLIENT_RANDOM_PREFIX + random);
+
+            if (StringUtils.equals(cr, "1")){
+                sysLogService.saveSysLog(request, "签名模块", "重复请求", "");
+                RequestUtils.writeResponse(
+                        new BizException("请求已过期, 请刷新页面重试"), response);
+                return;
+            }else {
+                redisTemplate.opsForValue().set(Constants.CACHE_CLIENT_RANDOM_PREFIX + random, "1", TIME_DIFF_MS, TimeUnit.MILLISECONDS);
+            }
+
        }

        doFilter(request, response, filterChain);