From 14437dfb7a1346af37a7b6f220307881abc34737 Mon Sep 17 00:00:00 2001
From: thinkgem
Date: Thu, 7 Nov 2024 17:53:43 +0800
Subject: [PATCH] =?UTF-8?q?=E7=99=BB=E5=BD=95=E5=90=8E=E9=87=8D=E5=AE=9A?=
 =?UTF-8?q?=E5=90=91=E5=9C=B0=E5=9D=80=E9=AA=8C=E8=AF=81=EF=BC=8C=E5=A6=82?=
 =?UTF-8?q?=E6=9E=9C=E6=98=AF=E9=9D=9E=E6=B3=95=E5=9C=B0=E5=9D=80=EF=BC=8C?=
 =?UTF-8?q?=E5=88=99=E6=8C=87=E5=AE=9A=E9=BB=98=E8=AE=A4=E7=9A=84=E7=99=BB?=
 =?UTF-8?q?=E5=BD=95=E6=88=90=E5=8A=9F=E5=9C=B0=E5=9D=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../jeesite/common/web/http/ServletUtils.java | 37 ++++++++++++++++++-
 .../modules/sys/web/LoginController.java | 11 +-----
 2 files changed, 37 insertions(+), 11 deletions(-)
diff --git a/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java b/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java
index 47fc5546..785e32a2 100644
--- a/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java
+++ b/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java
@@ -17,6 +17,7 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.Validate;
 import org.springframework.http.MediaType;
+import org.springframework.util.AntPathMatcher;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -57,6 +58,11 @@ public class ServletUtils {
 // 是否打印错误信息参数到视图页面(生产环境关闭)
 private static final Boolean PRINT_ERROR_INFO = PROPS.getPropertyToBoolean("error.page.printErrorInfo", "true");
 
+ // 允许重定向的地址,不设置为全部允许,设置this只允许本项目内部跳转,多个用逗号隔开,例如:this,http://*.jeesite.com
+ private static final String[] ALLOW_REDIRECTS = PROPS.getPropertyToArray("shiro.allowRedirects", "");
+ private static final Boolean SCHEME_HTTPS = PROPS.getPropertyToBoolean("server.schemeHttps", "false");
+ private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();
+
 /**
 * 获取当前请求对象
 * web.xml:
@@ -384,10 +390,15 @@ public class ServletUtils {
 }
 
 /**
- * 获取请求的域名(含端口)
+ * 获取当前请求的域名(含端口)
+ * @author ThinkGem
 */
- public static String getRequestDomain(String url) {
+ public static String getThisDomain(HttpServletRequest request) {
+ String url = request.getRequestURL().toString();
 String scheme = StringUtils.substringBefore(url, "://");
+ if (SCHEME_HTTPS && StringUtils.equals(scheme, "http")) {
+ scheme = "https";
+ }
 String domain = StringUtils.substringAfter(url, "://");
 if (StringUtils.contains(domain, "/")) {
 domain = StringUtils.substringBefore(domain, "/");
@@ -395,6 +406,28 @@ public class ServletUtils {
 return scheme + "://" + domain;
 }
 
+ /**
+ * 验证地址是否允许重定向
+ * @author ThinkGem
+ */
+ public static boolean isAllowRedirects(HttpServletRequest request, String url) {
+ if (ALLOW_REDIRECTS == null || ALLOW_REDIRECTS.length == 0) {
+ return true;
+ }
+ boolean allow = false;
+ for (String pattern : ALLOW_REDIRECTS) {
+ String p = StringUtils.trim(pattern);
+ if ("this".equals(p)) {
+ p = getThisDomain(request);
+ }
+ if (PATH_MATCHER.match(p + "/**", url)){
+ allow = true;
+ break;
+ }
+ }
+ return allow;
+ }
+
 /**
 * 获得请求参数值
 */
diff --git a/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java b/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java
index 716fdf66..bb03798a 100644
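Review bot: With `shiro.allowRedirects` defaulting to `""`, the isAllowRedirects method added further down in this file (hunk @@ -395) returns true for every destination, so the redirect validation this commit introduces is inactive unless an operator sets the property. Consider shipping `PROPS.getPropertyToArray("shiro.allowRedirects", "this")` as the default, or at least have the comment say that an unset value disables the check entirely rather than just "allows all". SCHEME_HTTPS has no comment although it changes what getThisDomain reports; something like `// report https for the current request even when the container saw http (presumably TLS is terminated at a proxy)` would do, with the reason adjusted to the real deployment case since that part is my assumption.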
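Review bot: getThisDomain builds the trusted "this" origin from `request.getRequestURL()`, which servlet containers typically derive from the request's Host header, so with `shiro.allowRedirects=this` the check is only as strong as whatever Host validation sits in front of the application (container virtual-host rules or a proxy allow-list); that dependency should be stated in the Javadoc, together with `@param request` and `@return`, and a line noting that SCHEME_HTTPS rewrites an `http` scheme to `https`. The public `getRequestDomain(String)` is deleted rather than deprecated; if code outside this repository called it, keeping the old body as a `@Deprecated` overload for one release would avoid a compile break. The trailing lines of getThisDomain (port handling and the return) are outside this hunk.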
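Review bot: isAllowRedirects rejects every path-relative destination as soon as `shiro.allowRedirects` is set: the pattern is `p + "/**"` with p an absolute origin such as `https://host`, and AntPathMatcher tokenizes both sides on `/`, so a url like `/a/sys/index` can never match and the LoginController hunk then falls back to `shiro.successUrl` for what is presumably the common case. Matching a URL with a path matcher is also fragile in general (empty segments are dropped, tokens are trimmed, and scheme, host and port are never compared as such); parsing the destination with java.net.URI, accepting it when it has neither scheme nor authority, and otherwise comparing scheme and host[:port] against each allowed entry is more predictable. The rewrite below keeps the `this` and `*.` subdomain forms from the field comment, treats an unparseable url as not allowed, and needs `java.net.URI` and `java.net.URISyntaxException` imports; PATH_MATCHER becomes unused.
```java
public static boolean isAllowRedirects(HttpServletRequest request, String url) {
    // … unchanged: empty ALLOW_REDIRECTS returns true …
    URI target;
    try {
        target = new URI(StringUtils.trim(url));
    } catch (URISyntaxException e) {
        return false; // an unparseable destination is never a valid redirect
    }
    // No scheme and no authority: a path-relative URL, which stays on this site.
    if (target.getScheme() == null && target.getRawAuthority() == null) {
        return true;
    }
    // Absolute or protocol-relative URL: scheme and host[:port] must match an allowed entry.
    for (String pattern : ALLOW_REDIRECTS) {
        String p = StringUtils.trim(pattern);
        if ("this".equals(p)) {
            p = getThisDomain(request);
        }
        if (matchesOrigin(p, target)) {
            return true;
        }
    }
    return false;
}

/**
 * Compares scheme and host[:port] of {@code target} against an allowed entry such as
 * "https://*.example.com" or "https://example.com:8443"; "*." allows any subdomain.
 */
private static boolean matchesOrigin(String allowed, URI target) {
    String scheme = StringUtils.substringBefore(allowed, "://");
    String hostPort = StringUtils.substringAfter(allowed, "://");
    String host = StringUtils.substringBefore(hostPort, ":");
    String port = StringUtils.substringAfter(hostPort, ":");
    if (target.getScheme() == null || target.getHost() == null
            || !StringUtils.equalsIgnoreCase(scheme, target.getScheme())) {
        return false;
    }
    boolean hostOk = StringUtils.startsWith(host, "*.")
            ? StringUtils.endsWithIgnoreCase(target.getHost(), host.substring(1))
            : StringUtils.equalsIgnoreCase(host, target.getHost());
    return hostOk && (StringUtils.isEmpty(port) || Integer.toString(target.getPort()).equals(port));
}
```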
--- a/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java
+++ b/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java
@@ -238,15 +238,8 @@ public class LoginController extends BaseController{
 if (StringUtils.isBlank(successUrl)){
 successUrl = (String)request.getAttribute("__url");
 }
- if (StringUtils.contains(successUrl, "://")){
- String ctxPath = Global.getCtxPath();
- String domain = ServletUtils.getRequestDomain(successUrl);
- successUrl = StringUtils.substring(successUrl, domain.length());
- if (StringUtils.startsWith(successUrl, ctxPath)) {
- successUrl = StringUtils.substringAfter(successUrl, ctxPath);
- }
- }
- if (StringUtils.isBlank(successUrl)){
+ // 登录后重定向地址验证,如果是非法地址,则指定默认的登录成功地址
+ if (!ServletUtils.isAllowRedirects(request, successUrl) || StringUtils.isBlank(successUrl)){
 successUrl = Global.getProperty("shiro.successUrl");
 }