diff --git a/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java b/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java index 857a5f47..8fca76fd 100644 --- a/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java +++ b/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java @@ -14,6 +14,7 @@ import com.jeesite.common.mapper.JsonMapper; import com.jeesite.common.mapper.XmlMapper; import org.apache.commons.lang3.Validate; import org.springframework.http.MediaType; +import org.springframework.util.AntPathMatcher; import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.ServletRequestAttributes; @@ -57,6 +58,11 @@ public class ServletUtils { // 是否打印错误信息参数到视图页面(生产环境关闭) private static final Boolean PRINT_ERROR_INFO = PROPS.getPropertyToBoolean("error.page.printErrorInfo", "true"); + // 允许重定向的地址,不设置为全部允许,设置this只允许本项目内部跳转,多个用逗号隔开,例如:this,http://*.jeesite.com + private static final String[] ALLOW_REDIRECTS = PROPS.getPropertyToArray("shiro.allowRedirects", ""); + private static final Boolean SCHEME_HTTPS = PROPS.getPropertyToBoolean("server.schemeHttps", "false"); + private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher(); + /** * 获取当前请求对象 * web.xml: @@ -384,10 +390,15 @@ public class ServletUtils { } /** - * 获取请求的域名(含端口) + * 获取当前请求的域名(含端口) + * @author ThinkGem */ - public static String getRequestDomain(String url) { + public static String getThisDomain(HttpServletRequest request) { + String url = request.getRequestURL().toString(); String scheme = StringUtils.substringBefore(url, "://"); + if (SCHEME_HTTPS && StringUtils.equals(scheme, "http")) { + scheme = "https"; + } String domain = StringUtils.substringAfter(url, "://"); if (StringUtils.contains(domain, "/")) { domain = StringUtils.substringBefore(domain, "/"); @@ -395,6 +406,28 @@ public class ServletUtils { return scheme + "://" + domain; } + /** + * 验证地址是否允许重定向 + * @author ThinkGem + */ + public static boolean isAllowRedirects(HttpServletRequest request, String url) { + if (ALLOW_REDIRECTS == null || ALLOW_REDIRECTS.length == 0) { + return true; + } + boolean allow = false; + for (String pattern : ALLOW_REDIRECTS) { + String p = StringUtils.trim(pattern); + if ("this".equals(p)) { + p = getThisDomain(request); + } + if (PATH_MATCHER.match(p + "/**", url)){ + allow = true; + break; + } + } + return allow; + } + /** * 获得请求参数值 */ diff --git a/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java b/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java index a0170ca7..9d5d243f 100644 --- a/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java +++ b/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java @@ -238,15 +238,8 @@ public class LoginController extends BaseController{ if (StringUtils.isBlank(successUrl)){ successUrl = (String)request.getAttribute("__url"); } - if (StringUtils.contains(successUrl, "://")){ - String ctxPath = Global.getCtxPath(); - String domain = ServletUtils.getRequestDomain(successUrl); - successUrl = StringUtils.substring(successUrl, domain.length()); - if (StringUtils.startsWith(successUrl, ctxPath)) { - successUrl = StringUtils.substringAfter(successUrl, ctxPath); - } - } - if (StringUtils.isBlank(successUrl)){ + // 登录后重定向地址验证,如果是非法地址,则指定默认的登录成功地址 + if (!ServletUtils.isAllowRedirects(request, successUrl) || StringUtils.isBlank(successUrl)){ successUrl = Global.getProperty("shiro.successUrl"); }